authorLibravatar netblue30 <netblue30@yahoo.com>2016-10-01 09:36:22 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-10-01 09:36:22 -0400
commit74ad73c808ecbd4e0ccdfb1d6893b65c68647c62 (patch)
tree44dd0ad9ea6802292f7a5ac4a3e228fa65c61c82 /src/faudit
parentgimp and inkscape profiles (diff)
x11 detection support for --audit
Diffstat (limited to 'src/faudit')
-rw-r--r--src/faudit/dbus.c59
-rw-r--r--src/faudit/faudit.h1
-rw-r--r--src/faudit/main.c5
-rw-r--r--src/faudit/x11.c62
4 files changed, 110 insertions, 17 deletions
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 64f5d8ae4..d17d3922a 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -21,15 +21,15 @@
21#include <sys/socket.h> 21#include <sys/socket.h>
22#include <sys/un.h> 22#include <sys/un.h>
23 23
24void check_session_bus(const char *sockfile) { 24// return 0 if the connection is possible
25int check_unix(const char *sockfile) {
25 assert(sockfile); 26 assert(sockfile);
26 27 int rv = -1;
28
27 // open socket 29 // open socket
28 int sock = socket(AF_UNIX, SOCK_STREAM, 0); 30 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
29 if (sock == -1) { 31 if (sock == -1)
30 printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); 32 return rv;
31 return;
32 }
33 33
34 // connect 34 // connect
35 struct sockaddr_un remote; 35 struct sockaddr_un remote;
@@ -37,35 +37,60 @@ void check_session_bus(const char *sockfile) {
37 remote.sun_family = AF_UNIX; 37 remote.sun_family = AF_UNIX;
38 strcpy(remote.sun_path, sockfile); 38 strcpy(remote.sun_path, sockfile);
39 int len = strlen(remote.sun_path) + sizeof(remote.sun_family); 39 int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
40 remote.sun_path[0] = '\0'; 40 if (*sockfile == '@')
41 if (connect(sock, (struct sockaddr *)&remote, len) == -1) { 41 remote.sun_path[0] = '\0';
42 printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); 42 if (connect(sock, (struct sockaddr *)&remote, len) == 0)
43 } 43 rv = 0;
44 else { 44
45 printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
46 }
47
48 close(sock); 45 close(sock);
46 return rv;
49} 47}
50 48
51void dbus_test(void) { 49void dbus_test(void) {
52 // check the session bus 50 // check the session bus
53 char *str = getenv("DBUS_SESSION_BUS_ADDRESS"); 51 char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
54 if (str) { 52 if (str) {
53 int rv = 0;
55 char *bus = strdup(str); 54 char *bus = strdup(str);
56 if (!bus) 55 if (!bus)
57 errExit("strdup"); 56 errExit("strdup");
58 char *sockfile = strstr(bus, "unix:abstract="); 57 char *sockfile;
59 if (sockfile) { 58 if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
60 sockfile += 13; 59 sockfile += 13;
61 *sockfile = '@'; 60 *sockfile = '@';
62 char *ptr = strchr(sockfile, ','); 61 char *ptr = strchr(sockfile, ',');
63 if (ptr) 62 if (ptr)
64 *ptr = '\0'; 63 *ptr = '\0';
65 check_session_bus(sockfile); 64 rv = check_unix(sockfile);
65 *sockfile = '@';
66 if (rv == 0)
67 printf("MAYBE: D-Bus socket %s is available\n", sockfile);
68 else if (rv == -1)
69 printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
70 }
71 else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
72 sockfile += 10;
73 char *ptr = strchr(sockfile, ',');
74 if (ptr)
75 *ptr = '\0';
76 rv = check_unix(sockfile);
77 if (rv == 0)
78 printf("MAYBE: D-Bus socket %s is available\n", sockfile);
79 else if (rv == -1)
80 printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
81 }
82 else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) {
83 printf("UGLY: session bus configured for TCPcommunication.\n");
84 rv = -2;
66 } 85 }
86 else
87 printf("GOOD: cannot find a D-Bus socket\n");
88
89
67 free(bus); 90 free(bus);
68 } 91 }
92 else
93 printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
69} 94}
70 95
71 96
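Review bot: `strcpy(remote.sun_path, sockfile)` in check_unix copies an unbounded string into the fixed-size sun_path (108 bytes on Linux), and with this commit the function becomes a shared helper fed by DBUS_SESSION_BUS_ADDRESS and, per the diffstat, by x11.c; an overlong value overwrites the stack struct before connect() ever runs. Reject oversize input before the copy: `if (strlen(sockfile) >= sizeof(remote.sun_path)) { close(sock); return rv; }`. Two smaller points in the same hunk: `"UGLY: session bus configured for TCPcommunication.\n"` is missing a space, and the final `"GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured."` lacks the trailing newline every other message has. Old line 36 falls between the two hunks and is not shown, so whether `remote` is zeroed before use cannot be confirmed from here.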
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 93fb4b709..3fddbf1f5 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -56,6 +56,7 @@ void files_test(void);
56void network_test(void); 56void network_test(void);
57 57
58// dbus.c 58// dbus.c
59int check_unix(const char *sockfile);
59void dbus_test(void); 60void dbus_test(void);
60 61
61// dev.c 62// dev.c
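Review bot: The header gains the check_unix prototype but no declaration of x11_test, which main.c starts calling in this same commit; unless it is declared somewhere not shown, that call compiles as an implicit declaration (a warning on GCC, an error under strict C99 and later). Add next to the new dbus.c entry: `// x11.c` followed by `void x11_test(void);`.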
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 6ff938d98..61005945d 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -69,10 +69,15 @@ int main(int argc, char **argv) {
69 dbus_test(); 69 dbus_test();
70 printf("\n"); 70 printf("\n");
71 71
72 // x11 test
73 x11_test();
74 printf("\n");
75
72 // /dev test 76 // /dev test
73 dev_test(); 77 dev_test();
74 printf("\n"); 78 printf("\n");
75 79
80
76 free(prog); 81 free(prog);
77 printf("--------------------------------------------------------------------------------\n"); 82 printf("--------------------------------------------------------------------------------\n");
78 83
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
new file mode 100644
index 000000000..e1a4bf66e
--- /dev/null
+++ b/src/faudit/x11.c
@@ -0,0 +1,62 @@
1/*
2 * Copyright (C) 2014-2016 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20#include "faudit.h"
21#include <sys/socket.h>
22#include <dirent.h>
23
24
25void x11_test(void) {
26 // check regular display 0 sockets
27 if (check_unix("/tmp/.X11-unix/X0") == 0)
28 printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
29
30 if (check_unix("@/tmp/.X11-unix/X0") == 0)
31 printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
32
33 // check all unix sockets in /tmp/.X11-unix directory
34 DIR *dir;
35 if (!(dir = opendir("/tmp/.X11-unix"))) {
36 // sleep 2 seconds and try again
37 sleep(2);
38 if (!(dir = opendir("/tmp/.X11-unix")))
39 ;
40 }
41
42 if (dir == NULL)
43 printf("GOOD: cannot open /tmp/.X11-unix directory\n");
44 else {
45 struct dirent *entry;
46 while ((entry = readdir(dir)) != NULL) {
47 if (strcmp(entry->d_name, "X0") == 0)
48 continue;
49 if (strcmp(entry->d_name, ".") == 0)
50 continue;
51 if (strcmp(entry->d_name, "..") == 0)
52 continue;
53 char *name;
54 if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
55 errExit("asprintf");
56 if (check_unix(name) == 0)
57 printf("MAYBE: X11 socket %s is available\n", name);
58 free(name);
59 }
60 closedir(dir);
61 }
62}
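Review bot: The abstract-namespace probe in x11_test covers only display 0 (`@/tmp/.X11-unix/X0`); the readdir loop tests each further X<n> entry only through its filesystem path, and when opendir fails, the branch reported as GOOD, no abstract socket other than X0 is probed at all. An X server for display :1 that is still reachable through the abstract socket, which is exactly the case the X0 check exists for, would be missed. Probe the abstract name for every entry as well, as below; reading DISPLAY to pick the display to test would be a further option. Separately, the retry after `sleep(2)` is unexplained and the inner `if (...) ;` is an empty statement, so either a comment saying why a second attempt is needed or dropping the retry would help, since the two-second delay is paid on every sandbox where the directory is hidden.
```c
            // … unchanged: directory open, retry, and entry filtering …
            if (check_unix(name) == 0)
                printf("MAYBE: X11 socket %s is available\n", name);
            free(name);
            // also probe the abstract-namespace socket of the same display
            if (asprintf(&name, "@/tmp/.X11-unix/%s", entry->d_name) == -1)
                errExit("asprintf");
            if (check_unix(name) == 0)
                printf("MAYBE: X11 socket %s is available\n", name);
            free(name);
```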