audit: seccomp

author: netblue30 <netblue30@yahoo.com> 2016-07-02 14:10:07 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-07-02 14:10:07 -0400
commit: b14628560a972d9f1709a249207b6595ffe7ed09 (patch)
tree: 868225ffea34f09f8949ef7a13ce03e9dbf65412 /src/faudit/seccomp.c
parent: audit: seccomp (diff)
download: firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.gz
firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.zst
firejail-b14628560a972d9f1709a249207b6595ffe7ed09.zip
1 files changed, 39 insertions, 1 deletions
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
index a50ec1e0c..d88d6a958 100644
--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "faudit.h"
-#include <linux/capability.h>
 #define MAXBUF 4098
 static int extract_seccomp(int *val) {
@@ -57,6 +56,45 @@ void seccomp_test(void) {
                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowd\n");
        else if (seccomp_status == 2) {
                printf("GOOD: seccomp BPF enababled\n");
+                printf("checking syscalls: "); fflush(0);
+                printf("mount... "); fflush(0);
+                syscall_run("mount");
+                printf("umount2... "); fflush(0);
+                syscall_run("umount2");
+                printf("ptrace... "); fflush(0);
+                syscall_run("ptrace");
+                
+                printf("swapon... "); fflush(0);
+                syscall_run("swapon");
+                
+                printf("swapoff... "); fflush(0);
+                syscall_run("swapoff");
+                printf("init_module... "); fflush(0);
+                syscall_run("init_module");
+                printf("finit_module... "); fflush(0);
+                syscall_run("finit_module");
+                printf("delete_module... "); fflush(0);
+                syscall_run("delete_module");
+                
+                printf("chroot... "); fflush(0);
+                syscall_run("chroot");
+                
+                printf("pivot_root... "); fflush(0);
+                syscall_run("pivot_root");
+                
+                printf("iopl... "); fflush(0);
+                syscall_run("iopl");
+                
+                printf("ioperm... "); fflush(0);
+                syscall_run("ioperm");
+                
+                printf("\n");
        }
        else
                fprintf(stderr, "Error: unrecognized seccomp mode\n");
author	netblue30 <netblue30@yahoo.com>	2016-07-02 14:10:07 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-07-02 14:10:07 -0400
commit	b14628560a972d9f1709a249207b6595ffe7ed09 (patch)
tree	868225ffea34f09f8949ef7a13ce03e9dbf65412 /src/faudit/seccomp.c
parent	audit: seccomp (diff)
download	firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.gz firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.zst firejail-b14628560a972d9f1709a249207b6595ffe7ed09.zip

diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index a50ec1e0c..d88d6a958 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c
@@ -18,7 +18,6 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "faudit.h"	20	#include "faudit.h"
21	#include <linux/capability.h>
22		21
23	#define MAXBUF 4098	22	#define MAXBUF 4098
24	static int extract_seccomp(int *val) {	23	static int extract_seccomp(int *val) {
@@ -57,6 +56,45 @@ void seccomp_test(void) {
57	printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");	56	printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
58	else if (seccomp_status == 2) {	57	else if (seccomp_status == 2) {
59	printf("GOOD: seccomp BPF enababled\n");	58	printf("GOOD: seccomp BPF enababled\n");
		59
		60	printf("checking syscalls: "); fflush(0);
		61	printf("mount... "); fflush(0);
		62	syscall_run("mount");
		63
		64	printf("umount2... "); fflush(0);
		65	syscall_run("umount2");
		66
		67	printf("ptrace... "); fflush(0);
		68	syscall_run("ptrace");
		69
		70	printf("swapon... "); fflush(0);
		71	syscall_run("swapon");
		72
		73	printf("swapoff... "); fflush(0);
		74	syscall_run("swapoff");
		75
		76	printf("init_module... "); fflush(0);
		77	syscall_run("init_module");
		78
		79	printf("finit_module... "); fflush(0);
		80	syscall_run("finit_module");
		81
		82	printf("delete_module... "); fflush(0);
		83	syscall_run("delete_module");
		84
		85	printf("chroot... "); fflush(0);
		86	syscall_run("chroot");
		87
		88	printf("pivot_root... "); fflush(0);
		89	syscall_run("pivot_root");
		90
		91	printf("iopl... "); fflush(0);
		92	syscall_run("iopl");
		93
		94	printf("ioperm... "); fflush(0);
		95	syscall_run("ioperm");
		96
		97	printf("\n");
60	}	98	}
61	else	99	else
62	fprintf(stderr, "Error: unrecognized seccomp mode\n");	100	fprintf(stderr, "Error: unrecognized seccomp mode\n");