audit: seccomp

author: netblue30 <netblue30@yahoo.com> 2016-07-02 14:10:07 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-07-02 14:10:07 -0400
commit: b14628560a972d9f1709a249207b6595ffe7ed09 (patch)
tree: 868225ffea34f09f8949ef7a13ce03e9dbf65412 /src/faudit/syscall.c
parent: audit: seccomp (diff)
download: firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.gz
firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.zst
firejail-b14628560a972d9f1709a249207b6595ffe7ed09.zip
1 files changed, 91 insertions, 0 deletions
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
new file mode 100644
index 000000000..11fb3730b
--- /dev/null
+++ b/src/faudit/syscall.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+void syscall_helper(int argc, char **argv) {
+        if (strcmp(argv[2], "mount") == 0) {
+                mount(NULL, NULL, NULL, 0, NULL);
+                printf("\nUGLY: mount syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "umount2") == 0) {
+                umount2(NULL, 0);
+                printf("\nUGLY: umount2 syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "ptrace") == 0) {
+                ptrace(0, 0, NULL, NULL);
+                printf("\nUGLY: ptrace syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "swapon") == 0) {
+                swapon(NULL, 0);
+                printf("\nUGLY: swapon syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "swapoff") == 0) {
+                swapoff(NULL);
+                printf("\nUGLY: swapoff syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "init_module") == 0) {
+                init_module(NULL, 0, NULL);
+                printf("\nUGLY: init_moule syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "finit_module") == 0) {
+                swapoff(0, NULL, 0);
+                printf("\nUGLY: finit_moule syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "delete_module") == 0) {
+                delete_module(NULL, 0);
+                printf("\nUGLY: delete_moule syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "chroot") == 0) {
+                int rv = chroot(NULL);
+                (void) rv;
+                printf("\nUGLY: chroot syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "pivot_root") == 0) {
+                pivot_root(NULL, NULL);
+                printf("\nUGLY: pivot_root syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "iopl") == 0) {
+                iopl(0L);
+                printf("\nUGLY: iopl syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "ioperm") == 0) {
+                ioperm(0, 0, 0);
+                printf("\nUGLY: ioperm syscall permitted\n");
+        }
+        exit(0);
+}
+void syscall_run(const char *name) {
+        assert(prog);
+        
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                char *cmd;
+                if (asprintf(&cmd, "%s syscall %s", prog, name) == -1)
+                        errExit("asprintf");
+                execl(prog, prog, "syscall", name, NULL);
+                exit(0);
+        }
+                
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
+\ No newline at end of file
author	netblue30 <netblue30@yahoo.com>	2016-07-02 14:10:07 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-07-02 14:10:07 -0400
commit	b14628560a972d9f1709a249207b6595ffe7ed09 (patch)
tree	868225ffea34f09f8949ef7a13ce03e9dbf65412 /src/faudit/syscall.c
parent	audit: seccomp (diff)
download	firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.gz firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.zst firejail-b14628560a972d9f1709a249207b6595ffe7ed09.zip

diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c new file mode 100644 index 000000000..11fb3730b --- /dev/null +++ b/src/faudit/syscall.c
@@ -0,0 +1,91 @@
	1	/*
	2	* Copyright (C) 2014-2016 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include "faudit.h"
	21
	22	void syscall_helper(int argc, char **argv) {
	23	if (strcmp(argv[2], "mount") == 0) {
	24	mount(NULL, NULL, NULL, 0, NULL);
	25	printf("\nUGLY: mount syscall permitted\n");
	26	}
	27	else if (strcmp(argv[2], "umount2") == 0) {
	28	umount2(NULL, 0);
	29	printf("\nUGLY: umount2 syscall permitted\n");
	30	}
	31	else if (strcmp(argv[2], "ptrace") == 0) {
	32	ptrace(0, 0, NULL, NULL);
	33	printf("\nUGLY: ptrace syscall permitted\n");
	34	}
	35	else if (strcmp(argv[2], "swapon") == 0) {
	36	swapon(NULL, 0);
	37	printf("\nUGLY: swapon syscall permitted\n");
	38	}
	39	else if (strcmp(argv[2], "swapoff") == 0) {
	40	swapoff(NULL);
	41	printf("\nUGLY: swapoff syscall permitted\n");
	42	}
	43	else if (strcmp(argv[2], "init_module") == 0) {
	44	init_module(NULL, 0, NULL);
	45	printf("\nUGLY: init_moule syscall permitted\n");
	46	}
	47	else if (strcmp(argv[2], "finit_module") == 0) {
	48	swapoff(0, NULL, 0);
	49	printf("\nUGLY: finit_moule syscall permitted\n");
	50	}
	51	else if (strcmp(argv[2], "delete_module") == 0) {
	52	delete_module(NULL, 0);
	53	printf("\nUGLY: delete_moule syscall permitted\n");
	54	}
	55	else if (strcmp(argv[2], "chroot") == 0) {
	56	int rv = chroot(NULL);
	57	(void) rv;
	58	printf("\nUGLY: chroot syscall permitted\n");
	59	}
	60	else if (strcmp(argv[2], "pivot_root") == 0) {
	61	pivot_root(NULL, NULL);
	62	printf("\nUGLY: pivot_root syscall permitted\n");
	63	}
	64	else if (strcmp(argv[2], "iopl") == 0) {
	65	iopl(0L);
	66	printf("\nUGLY: iopl syscall permitted\n");
	67	}
	68	else if (strcmp(argv[2], "ioperm") == 0) {
	69	ioperm(0, 0, 0);
	70	printf("\nUGLY: ioperm syscall permitted\n");
	71	}
	72	exit(0);
	73	}
	74
	75	void syscall_run(const char *name) {
	76	assert(prog);
	77
	78	pid_t child = fork();
	79	if (child < 0)
	80	errExit("fork");
	81	if (child == 0) {
	82	char *cmd;
	83	if (asprintf(&cmd, "%s syscall %s", prog, name) == -1)
	84	errExit("asprintf");
	85	execl(prog, prog, "syscall", name, NULL);
	86	exit(0);
	87	}
	88
	89	// wait for the child to finish
	90	waitpid(child, NULL, 0);
	91	} \ No newline at end of file