author | netblue30 <netblue30@yahoo.com> | 2016-07-05 07:24:10 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-05 07:24:10 -0400 |
commit | 3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b (patch) | |
tree | 15b9f2e7810b0812eaa9827a4ee668ee29b6551f /src/faudit | |
parent | src/faudit/dbus.c (diff) | |
faudit: dbus
Diffstat (limited to 'src/faudit')
-rw-r--r-- | src/faudit/caps.c | 10 | ||||
-rw-r--r-- | src/faudit/dbus.c | 74 | ||||
-rw-r--r-- | src/faudit/files.c | 4 | ||||
-rw-r--r-- | src/faudit/main.c | 2 | ||||
-rw-r--r-- | src/faudit/network.c | 35 | ||||
-rw-r--r-- | src/faudit/pid.c | 6 | ||||
-rw-r--r-- | src/faudit/seccomp.c | 9 | ||||
-rw-r--r-- | src/faudit/syscall.c | 24 |
8 files changed, 131 insertions, 33 deletions
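--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -60,20 +60,20 @@ void caps_test(void) {
 uint64_t caps_val;
 
 if (extract_caps(&caps_val)) {
-printf("SKIP: cannot extract capabilities on this platform\n");
+printf("SKIP: cannot extract capabilities on this platform.\n");
 return;
 }
 
 if (caps_val) {
-printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val);
+printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
 printf("Use \"firejail --caps.drop=all\" to fix it.\n");
 
 if (check_capability(caps_val, CAP_SYS_ADMIN))
-printf("UGLY: CAP_SYS_ADMIN is enabled\n");
+printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
 if (check_capability(caps_val, CAP_SYS_BOOT))
-printf("UGLY: CAP_SYS_BOOT is enabled\n");
+printf("UGLY: CAP_SYS_BOOT is enabled.\n");
 }
 else
-printf("GOOD: all capabilities are disabled\n");
+printf("GOOD: all capabilities are disabled.\n");
 }
 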
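--- /dev/null
+++ b/src/faudit/dbus.c
@@ -0,0 +1,74 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <sys/un.h>
+
+void check_session_bus(const char *sockfile) {
+assert(sockfile);
+
+// open socket
+int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+if (sock == -1) {
+printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
+return;
+}
+
+// connect
+struct sockaddr_un remote;
+memset(&remote, 0, sizeof(struct sockaddr_un));
+remote.sun_family = AF_UNIX;
+strcpy(remote.sun_path, sockfile);
+int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
+remote.sun_path[0] = '\0';
+if (connect(sock, (struct sockaddr *)&remote, len) == -1) {
+printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
+}
+else {
+printf("MAYBE: I can connect to session bus. If this is undesirable, use \"--private-tmp\" or blacklist the socket file.\n");
+}
+
+close(sock);
+}
+
+void dbus_test(void) {
+// check the session bus
+char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
+if (str) {
+char *bus = strdup(str);
+if (!bus)
+errExit("strdup");
+char *sockfile = strstr(bus, "unix:abstract=");
+if (sockfile) {
+sockfile += 13;
+*sockfile = '@';
+char *ptr = strchr(sockfile, ',');
+if (ptr) {
+*ptr = '\0';
+check_session_bus(sockfile);
+}
+sockfile -= 13;
+free(sockfile);
+}
+}
+}
+
+
+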
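Review bot: `strcpy(remote.sun_path, sockfile)` in check_session_bus() copies a string taken from the DBUS_SESSION_BUS_ADDRESS environment variable into the fixed-size `sun_path` array with no length check, so an over-long address overflows the stack buffer; the length should be compared with `sizeof(remote.sun_path)` before the copy. In dbus_test(), `sockfile -= 13; free(sockfile);` frees the strstr() match rather than the strdup() result, which is the same pointer only when "unix:abstract=" sits at the very start of the value, and `bus` is never freed when there is no match; a single `free(bus)` after the block covers both. An address with no `,` after the abstract name, or one that is not `unix:abstract=`, is skipped without any output, so the report silently omits the D-Bus result in those cases.

```c
// in check_session_bus(), before the copy into sun_path
remote.sun_family = AF_UNIX;
if (strlen(sockfile) >= sizeof(remote.sun_path)) {
	printf("INFO: session bus address is too long, skipping the session bus check.\n");
	close(sock);
	return;
}
strcpy(remote.sun_path, sockfile);
// … unchanged: abstract-name fixup, connect(), result messages …

// in dbus_test()
char *sockfile = strstr(bus, "unix:abstract=");
if (sockfile) {
	// … unchanged: '@' fixup, ',' split, check_session_bus() call …
}
free(bus);	// release the strdup() copy itself, match or no match
```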
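--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -32,11 +32,11 @@ static void check_home_file(const char *name) {
 errExit("asprintf");
 
 if (access(fname, R_OK) == 0) {
-printf("UGLY: I can access files in %s directory\n", fname);
+printf("UGLY: I can access files in %s directory. ", fname);
 printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname);
 }
 else
-printf("GOOD: I cannot access files in %s directory\n", fname);
+printf("GOOD: I cannot access files in %s directory.\n", fname);
 
 free(fname);
 }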
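--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -41,7 +41,7 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: cannot extract the path of the audit program\n");
 return 1;
 }
-printf("INFO: starting %s\n", prog);
+printf("INFO: Starting %s.\n", prog);
 
 
 // check pid namespace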
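--- a/src/faudit/network.c
+++ b/src/faudit/network.c
@@ -20,14 +20,14 @@
 #include "faudit.h"
 #include <sys/socket.h>
 #include <arpa/inet.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
 
 void check_ssh(void) {
-printf("INFO: looking for ssh servers running on localhost\n");
-
 // open socket
 int sock = socket(AF_INET, SOCK_STREAM, 0);
 if (sock == -1) {
-printf("Error: cannot create an IPv4 socket\n");
+printf("GOOD: SSH server not available on localhost.\n");
 return;
 }
 
@@ -38,15 +38,40 @@ void check_ssh(void) {
 server.sin_port = htons(22);
 
 if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-printf("GOOD: SSH server not available on localhost\n");
+printf("GOOD: SSH server not available on localhost.\n");
 else {
-printf("MAYBE: an SSH server is accessible on localhost\n");
+printf("MAYBE: An SSH server is accessible on localhost. ");
 printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
 }
 
 close(sock);
 }
+
+void check_netlink(void) {
+socklen_t addr_len;
+int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
+if (sock == -1) {
+printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+return;
+}
+
+struct sockaddr_nl local;
+memset(&local, 0, sizeof(local));
+local.nl_family = AF_NETLINK;
+local.nl_groups = 0; //subscriptions;
+
+if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
+printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+close(sock);
+return;
+}
+
+close(sock);
+printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
+printf("You can use \"--protocol\" to disable the socket.\n");
+}
 
 void network_test(void) {
 check_ssh();
+check_netlink();
 }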
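Review bot: Both `GOOD:` branches in the new check_netlink(), and the changed socket() failure branch in check_ssh(), report a passed check for any failure at all, including ones unrelated to the sandbox such as running out of file descriptors, so the audit can print GOOD without the restriction actually being in place. Including the cause would let the reader tell these cases apart, for example `printf("GOOD: I cannot connect to netlink socket (%s).\n", strerror(errno));`, assuming `errno.h` and `string.h` are pulled in through faudit.h. `socklen_t addr_len;` in check_netlink() is never used and can be dropped.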
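--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -69,7 +69,7 @@ void pid_test(void) {
 if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
 fclose(fp);
 free(fname);
-printf("BAD: Process PID %d, not running in a PID namespace\n", getpid());
+printf("BAD: Process %d, not running in a PID namespace. ", getpid());
 printf("Are you sure you're running in a sandbox?\n");
 return;
 }
@@ -81,10 +81,10 @@ void pid_test(void) {
 }
 
 
-printf("GOOD: process PID %d, running in a PID namespace\n", getpid());
+printf("GOOD: process %d running in a PID namespace.\n", getpid());
 
 // try to guess the type of container/sandbox
 char *str = getenv("container");
 if (str)
-printf("INFO: container/sandbox %s\n", str);
+printf("INFO: container/sandbox %s.\n", str);
 }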
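--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -46,18 +46,17 @@ void seccomp_test(void) {
 int rv = extract_seccomp(&seccomp_status);
 
 if (rv) {
-printf("SKIP: cannot extract seccomp configuration on this platform\n");
+printf("INFO: cannot extract seccomp configuration on this platform.\n");
 return;
 }
 
 if (seccomp_status == 0) {
-printf("BAD: seccomp disabled\n");
-printf("Use \"firejail --seccomp\" to fix it.\n");
+printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
 }
 else if (seccomp_status == 1)
-printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
+printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd.\n");
 else if (seccomp_status == 2) {
-printf("GOOD: seccomp BPF enababled\n");
+printf("GOOD: seccomp BPF enabled.\n");
 
 printf("checking syscalls: "); fflush(0);
 printf("mount... "); fflush(0);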
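Review bot: Changing the extract_seccomp() failure message from `SKIP:` to `INFO:` makes an unverified seccomp state read like routine information, and it no longer matches caps.c, which keeps `SKIP:` for the same situation. Keeping `printf("SKIP: cannot extract seccomp configuration on this platform.\n");` would leave the two checks consistent for anyone scanning or grepping the report for controls that were not verified. The strict-mode message on new line 57 still reads `allowd`, which should be `allowed`. seccomp_test() begins before this hunk and continues past it.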
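--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -22,52 +22,52 @@
 void syscall_helper(int argc, char **argv) {
 if (strcmp(argv[2], "mount") == 0) {
 mount(NULL, NULL, NULL, 0, NULL);
-printf("\nUGLY: mount syscall permitted\n");
+printf("\nUGLY: mount syscall permitted.\n");
 }
 else if (strcmp(argv[2], "umount2") == 0) {
 umount2(NULL, 0);
-printf("\nUGLY: umount2 syscall permitted\n");
+printf("\nUGLY: umount2 syscall permitted.\n");
 }
 else if (strcmp(argv[2], "ptrace") == 0) {
 ptrace(0, 0, NULL, NULL);
-printf("\nUGLY: ptrace syscall permitted\n");
+printf("\nUGLY: ptrace syscall permitted.\n");
 }
 else if (strcmp(argv[2], "swapon") == 0) {
 swapon(NULL, 0);
-printf("\nUGLY: swapon syscall permitted\n");
+printf("\nUGLY: swapon syscall permitted.\n");
 }
 else if (strcmp(argv[2], "swapoff") == 0) {
 swapoff(NULL);
-printf("\nUGLY: swapoff syscall permitted\n");
+printf("\nUGLY: swapoff syscall permitted.\n");
 }
 else if (strcmp(argv[2], "init_module") == 0) {
 init_module(NULL, 0, NULL);
-printf("\nUGLY: init_moule syscall permitted\n");
+printf("\nUGLY: init_module syscall permitted.\n");
 }
 else if (strcmp(argv[2], "finit_module") == 0) {
 swapoff(0, NULL, 0);
-printf("\nUGLY: finit_moule syscall permitted\n");
+printf("\nUGLY: finit_module syscall permitted.\n");
 }
 else if (strcmp(argv[2], "delete_module") == 0) {
 delete_module(NULL, 0);
-printf("\nUGLY: delete_moule syscall permitted\n");
+printf("\nUGLY: delete_module syscall permitted.\n");
 }
 else if (strcmp(argv[2], "chroot") == 0) {
 int rv = chroot(NULL);
 (void) rv;
-printf("\nUGLY: chroot syscall permitted\n");
+printf("\nUGLY: chroot syscall permitted.\n");
 }
 else if (strcmp(argv[2], "pivot_root") == 0) {
 pivot_root(NULL, NULL);
-printf("\nUGLY: pivot_root syscall permitted\n");
+printf("\nUGLY: pivot_root syscall permitted.\n");
 }
 else if (strcmp(argv[2], "iopl") == 0) {
 iopl(0L);
-printf("\nUGLY: iopl syscall permitted\n");
+printf("\nUGLY: iopl syscall permitted.\n");
 }
 else if (strcmp(argv[2], "ioperm") == 0) {
 ioperm(0, 0, 0);
-printf("\nUGLY: ioperm syscall permitted\n");
+printf("\nUGLY: ioperm syscall permitted.\n");
 }
 exit(0);
 }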
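Review bot: The `finit_module` branch (new line 48) calls `swapoff(0, NULL, 0)`, so the verdict printed on the corrected `finit_module` line reflects how swapoff is filtered, not finit_module. The call would need to be something like `syscall(SYS_finit_module, 0, NULL, 0);` for that audit line to mean what it says. Every branch also prints `UGLY: ... permitted` without looking at the return value, which presumably relies on the seccomp filter killing the process; if a filter returns an error instead, the message appears even though the call was denied. `argv[2]` is read without checking `argc` in this function, so if the caller in main.c guarantees it, a one-line comment such as `// caller ensures argc >= 3` would record that.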