author | netblue30 <netblue30@yahoo.com> | 2016-07-11 10:01:45 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-11 10:01:45 -0400 |
commit | 5bef777f30c7d5c2640486d33453b8648beb1eee (patch) | |
tree | f5cdf663f1a2ba44febaac9fb14588583fa825e8 /src/faudit | |
parent | snap platform (diff) | |
audit work
Diffstat (limited to 'src/faudit')
-rw-r--r-- | src/faudit/dbus.c | 6 | ||||
-rw-r--r-- | src/faudit/main.c | 13 | ||||
-rw-r--r-- | src/faudit/network.c | 27 | ||||
-rw-r--r-- | src/faudit/pid.c | 21 |
4 files changed, 55 insertions, 12 deletions
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index f7b5a221d..1ead2aa38 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c | |||
@@ -60,10 +60,10 @@ void dbus_test(void) { | |||
60 | sockfile += 13; | 60 | sockfile += 13; |
61 | *sockfile = '@'; | 61 | *sockfile = '@'; |
62 | char *ptr = strchr(sockfile, ','); | 62 | char *ptr = strchr(sockfile, ','); |
63 | if (ptr) { | 63 | if (ptr) |
64 | *ptr = '\0'; | 64 | *ptr = '\0'; |
65 | check_session_bus(sockfile); | 65 | check_session_bus(sockfile); |
66 | } | 66 | |
67 | sockfile -= 13; | 67 | sockfile -= 13; |
68 | free(sockfile); | 68 | free(sockfile); |
69 | } | 69 | } |
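Review bot: The fixed offset `sockfile += 13` followed by `*sockfile = '@'` (new lines 60-61) has no comment saying what is being skipped, and with the braces removed `check_session_bus(sockfile);` now runs whether or not a `,` was found, so the entire remaining string is checked when no trailing option is present. If, as the arithmetic suggests, the string is a `unix:abstract=` session-bus address (the prefix itself is not visible in this hunk, so please confirm), 13 is exactly `strlen("unix:abstract")` and the overwritten byte is the `=`; a comment above line 60 such as `// skip "unix:abstract" and turn '=' into '@' to form the abstract-socket name` would make the magic number safe to maintain. dbus_test's body starts outside the hunk.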
diff --git a/src/faudit/main.c b/src/faudit/main.c index 86d3fe4a9..14794719d 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c | |||
@@ -46,23 +46,30 @@ int main(int argc, char **argv) { | |||
46 | 46 | ||
47 | // check pid namespace | 47 | // check pid namespace |
48 | pid_test(); | 48 | pid_test(); |
49 | printf("\n"); | ||
49 | 50 | ||
50 | // check capabilities | ||
51 | caps_test(); | ||
52 | |||
53 | // check seccomp | 51 | // check seccomp |
54 | seccomp_test(); | 52 | seccomp_test(); |
53 | printf("\n"); | ||
55 | 54 | ||
55 | // check capabilities | ||
56 | caps_test(); | ||
57 | printf("\n"); | ||
58 | |||
56 | // check some well-known problematic files and directories | 59 | // check some well-known problematic files and directories |
57 | files_test(); | 60 | files_test(); |
61 | printf("\n"); | ||
58 | 62 | ||
59 | // network | 63 | // network |
60 | network_test(); | 64 | network_test(); |
65 | printf("\n"); | ||
61 | 66 | ||
62 | // dbus | 67 | // dbus |
63 | dbus_test(); | 68 | dbus_test(); |
69 | printf("\n"); | ||
64 | 70 | ||
65 | free(prog); | 71 | free(prog); |
66 | printf("--------------------------------------------------------------------------------\n"); | 72 | printf("--------------------------------------------------------------------------------\n"); |
73 | |||
67 | return 0; | 74 | return 0; |
68 | } | 75 | } |
diff --git a/src/faudit/network.c b/src/faudit/network.c index 0e0ad1844..cf1eede69 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c | |||
@@ -23,7 +23,7 @@ | |||
23 | #include <linux/netlink.h> | 23 | #include <linux/netlink.h> |
24 | #include <linux/rtnetlink.h> | 24 | #include <linux/rtnetlink.h> |
25 | 25 | ||
26 | void check_ssh(void) { | 26 | static void check_ssh(void) { |
27 | // open socket | 27 | // open socket |
28 | int sock = socket(AF_INET, SOCK_STREAM, 0); | 28 | int sock = socket(AF_INET, SOCK_STREAM, 0); |
29 | if (sock == -1) { | 29 | if (sock == -1) { |
@@ -47,6 +47,30 @@ void check_ssh(void) { | |||
47 | close(sock); | 47 | close(sock); |
48 | } | 48 | } |
49 | 49 | ||
50 | static void check_http(void) { | ||
51 | // open socket | ||
52 | int sock = socket(AF_INET, SOCK_STREAM, 0); | ||
53 | if (sock == -1) { | ||
54 | printf("GOOD: HTTP server not available on localhost.\n"); | ||
55 | return; | ||
56 | } | ||
57 | |||
58 | // connect to localhost | ||
59 | struct sockaddr_in server; | ||
60 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); | ||
61 | server.sin_family = AF_INET; | ||
62 | server.sin_port = htons(80); | ||
63 | |||
64 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) | ||
65 | printf("GOOD: HTTP server not available on localhost.\n"); | ||
66 | else { | ||
67 | printf("MAYBE: an HTTP server is accessible on localhost. "); | ||
68 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | ||
69 | } | ||
70 | |||
71 | close(sock); | ||
72 | } | ||
73 | |||
50 | void check_netlink(void) { | 74 | void check_netlink(void) { |
51 | int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); | 75 | int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); |
52 | if (sock == -1) { | 76 | if (sock == -1) { |
@@ -72,5 +96,6 @@ void check_netlink(void) { | |||
72 | 96 | ||
73 | void network_test(void) { | 97 | void network_test(void) { |
74 | check_ssh(); | 98 | check_ssh(); |
99 | check_http(); | ||
75 | check_netlink(); | 100 | check_netlink(); |
76 | } | 101 | } |
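Review bot: check_http (new lines 50-72) duplicates the visible part of check_ssh almost line for line, differing only in the port and the message text, and `struct sockaddr_in server` is left with `sin_zero` uninitialised while `inet_addr("127.0.0.1")` is used where `htonl(INADDR_LOOPBACK)` says the same thing without a parse. A single `check_tcp_port(port, name)` helper removes the duplication and gives one place to document what a successful connect actually demonstrates (loopback shared with the host, i.e. no separate network namespace) and that a failed `socket()` is reported GOOD although it is really inconclusive. The rewrite below assumes check_ssh uses port 22 and the same wording; most of check_ssh lies outside this hunk, so check before adopting it.
```c
// Try a TCP connect to 127.0.0.1:port. Success means the sandbox shares the
// host's loopback interface, i.e. it is not in its own network namespace.
static void check_tcp_port(int port, const char *name) {
	int sock = socket(AF_INET, SOCK_STREAM, 0);
	if (sock == -1) {
		// no socket at all: inconclusive, but the server is certainly unreachable
		printf("GOOD: %s server not available on localhost.\n", name);
		return;
	}

	struct sockaddr_in server = {
		.sin_family = AF_INET,
		.sin_port = htons(port),
	};
	server.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

	if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0)
		printf("GOOD: %s server not available on localhost.\n", name);
	else {
		printf("MAYBE: an %s server is accessible on localhost. ", name);
		printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
	}

	close(sock);
}

static void check_ssh(void) { check_tcp_port(22, "SSH"); }
static void check_http(void) { check_tcp_port(80, "HTTP"); }
/* … unchanged: check_netlink, network_test … */
```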
diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 2770daece..a0fb1d921 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c | |||
@@ -31,6 +31,7 @@ void pid_test(void) { | |||
31 | int i; | 31 | int i; |
32 | 32 | ||
33 | // look at the first 10 processes | 33 | // look at the first 10 processes |
34 | int not_visible = 1; | ||
34 | for (i = 1; i <= 10; i++) { | 35 | for (i = 1; i <= 10; i++) { |
35 | struct stat s; | 36 | struct stat s; |
36 | char *fname; | 37 | char *fname; |
@@ -45,7 +46,7 @@ void pid_test(void) { | |||
45 | /* coverity[toctou] */ | 46 | /* coverity[toctou] */ |
46 | FILE *fp = fopen(fname, "r"); | 47 | FILE *fp = fopen(fname, "r"); |
47 | if (!fp) { | 48 | if (!fp) { |
48 | fprintf(stderr, "Warning: cannot open %s\n", fname); | 49 | // fprintf(stderr, "Warning: cannot open %s\n", fname); |
49 | free(fname); | 50 | free(fname); |
50 | continue; | 51 | continue; |
51 | } | 52 | } |
@@ -53,11 +54,13 @@ void pid_test(void) { | |||
53 | // read file | 54 | // read file |
54 | char buf[100]; | 55 | char buf[100]; |
55 | if (fgets(buf, 10, fp) == NULL) { | 56 | if (fgets(buf, 10, fp) == NULL) { |
56 | fprintf(stderr, "Warning: cannot read %s\n", fname); | 57 | // fprintf(stderr, "Warning: cannot read %s\n", fname); |
57 | fclose(fp); | 58 | fclose(fp); |
58 | free(fname); | 59 | free(fname); |
59 | continue; | 60 | continue; |
60 | } | 61 | } |
62 | not_visible = 0; | ||
63 | |||
61 | // clean /n | 64 | // clean /n |
62 | char *ptr; | 65 | char *ptr; |
63 | if ((ptr = strchr(buf, '\n')) != NULL) | 66 | if ((ptr = strchr(buf, '\n')) != NULL) |
@@ -69,7 +72,7 @@ void pid_test(void) { | |||
69 | if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { | 72 | if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { |
70 | fclose(fp); | 73 | fclose(fp); |
71 | free(fname); | 74 | free(fname); |
72 | printf("BAD: Process %d, not running in a PID namespace. ", getpid()); | 75 | printf("BAD: Process %d is not running in a PID namespace. ", getpid()); |
73 | printf("Are you sure you're running in a sandbox?\n"); | 76 | printf("Are you sure you're running in a sandbox?\n"); |
74 | return; | 77 | return; |
75 | } | 78 | } |
@@ -80,11 +83,19 @@ void pid_test(void) { | |||
80 | free(fname); | 83 | free(fname); |
81 | } | 84 | } |
82 | 85 | ||
83 | 86 | pid_t pid = getpid(); | |
84 | printf("GOOD: process %d running in a PID namespace.\n", getpid()); | 87 | if (not_visible && pid > 100) |
88 | printf("BAD: Process %d is not running in a PID namespace.\n", pid); | ||
89 | else | ||
90 | printf("GOOD: process %d is running in a PID namespace.\n", pid); | ||
85 | 91 | ||
86 | // try to guess the type of container/sandbox | 92 | // try to guess the type of container/sandbox |
87 | char *str = getenv("container"); | 93 | char *str = getenv("container"); |
88 | if (str) | 94 | if (str) |
89 | printf("INFO: container/sandbox %s.\n", str); | 95 | printf("INFO: container/sandbox %s.\n", str); |
96 | else { | ||
97 | str = getenv("SNAP"); | ||
98 | if (str) | ||
99 | printf("INFO: this is a snap package\n"); | ||
100 | } | ||
90 | } | 101 | } |
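Review bot: The new fallback `if (not_visible && pid > 100)` at new lines 86-88 encodes an undocumented heuristic: none of `/proc/1`..`/proc/10` could be read and the audit process's own pid is high. That same combination is produced by a `/proc` mounted with `hidepid` or not mounted at all, so the verdict is a guess and deserves a comment above the check, e.g. `// a fresh PID namespace gives this process a low pid; a high pid while pids 1-10 are unreadable suggests /proc is hidden, not namespaced`. The threshold 100 should be a named constant, and the `// fprintf(stderr, ...)` lines at 49 and 57 should be deleted rather than kept as comments, since an unreadable `/proc/N` is the expected case inside a PID namespace. The `container` and `SNAP` variables read at 93-99 come from the launcher's environment and can be set by anyone, so the INFO line is a hint rather than evidence. pid_test's body starts outside the hunk.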