faudit: dbus

author: netblue30 <netblue30@yahoo.com> 2016-07-05 07:24:10 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-07-05 07:24:10 -0400
commit: 3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b (patch)
tree: 15b9f2e7810b0812eaa9827a4ee668ee29b6551f /src/faudit
parent: src/faudit/dbus.c (diff)
download: firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.tar.gz
firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.tar.zst
firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.zip
8 files changed, 131 insertions, 33 deletions
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
index db1d3266f..d4a62b34f 100644
--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -60,20 +60,20 @@ void caps_test(void) {
        uint64_t caps_val;
        
        if (extract_caps(&caps_val)) {
-                printf("SKIP: cannot extract capabilities on this platform\n");
+                printf("SKIP: cannot extract capabilities on this platform.\n");
                return;
        }
        
        if (caps_val) {
-                printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val);
+                printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
                printf("Use \"firejail --caps.drop=all\" to fix it.\n");
                
                if (check_capability(caps_val, CAP_SYS_ADMIN))
-                        printf("UGLY: CAP_SYS_ADMIN is enabled\n");
+                        printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
                if (check_capability(caps_val, CAP_SYS_BOOT))
-                        printf("UGLY: CAP_SYS_BOOT is enabled\n");
+                        printf("UGLY: CAP_SYS_BOOT is enabled.\n");
        }
        else
-                printf("GOOD: all capabilities are disabled\n"); 
+                printf("GOOD: all capabilities are disabled.\n"); 
 }
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
new file mode 100644
index 000000000..5f25e7312
--- /dev/null
+++ b/src/faudit/dbus.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <sys/un.h>
+void check_session_bus(const char *sockfile) {
+        assert(sockfile);
+        
+        // open socket
+        int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+        if (sock == -1) {
+                printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
+                return;
+        }
+        // connect
+        struct sockaddr_un remote;
+        memset(&remote, 0, sizeof(struct sockaddr_un));
+        remote.sun_family = AF_UNIX;
+        strcpy(remote.sun_path, sockfile);
+        int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
+        remote.sun_path[0] = '\0';
+        if (connect(sock, (struct sockaddr *)&remote, len) == -1) {
+                printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
+        }
+        else {
+                printf("MAYBE: I can connect to session bus. If this is undesirable, use \"--private-tmp\" or blacklist the socket file.\n");
+        }       
+        close(sock);
+}
+void dbus_test(void) {
+        // check the session bus
+        char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
+        if (str) {
+                char *bus = strdup(str);
+                if (!bus)
+                        errExit("strdup");
+                char *sockfile = strstr(bus, "unix:abstract=");
+                if (sockfile) {
+                        sockfile += 13;
+                        *sockfile = '@';
+                        char *ptr = strchr(sockfile, ',');
+                        if (ptr) {
+                                *ptr = '\0';    
+                                check_session_bus(sockfile);
+                        }
+                        sockfile -= 13;
+                        free(sockfile);
+                }
+        }
+}
diff --git a/src/faudit/files.c b/src/faudit/files.c
index 9a230d7e5..c27973358 100644
--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -32,11 +32,11 @@ static void check_home_file(const char *name) {
                errExit("asprintf");
        if (access(fname, R_OK) == 0) {
-                printf("UGLY: I can access files in %s directory\n", fname);
+                printf("UGLY: I can access files in %s directory. ", fname);
                printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname);
        }
        else
-                printf("GOOD: I cannot access files in %s directory\n", fname);
+                printf("GOOD: I cannot access files in %s directory.\n", fname);
        
        free(fname);
 }
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 81672fd62..df549ac3e 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -41,7 +41,7 @@ int main(int argc, char **argv) {
                fprintf(stderr, "Error: cannot extract the path of the audit program\n");
                return 1;
        }
-        printf("INFO: starting %s\n", prog);
+        printf("INFO: Starting %s.\n", prog);
        
        
        // check pid namespace
diff --git a/src/faudit/network.c b/src/faudit/network.c
index 697b1d1fb..bb3116c3b 100644
--- a/src/faudit/network.c
+++ b/src/faudit/network.c
@@ -20,14 +20,14 @@
 #include "faudit.h"
 #include <sys/socket.h>
 #include <arpa/inet.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
 void check_ssh(void) {
-        printf("INFO: looking for ssh servers running on localhost\n");
-        
        // open socket
        int sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock == -1) {
-                printf("Error: cannot create an IPv4 socket\n");
+                printf("GOOD: SSH server not available on localhost.\n");
                return;
        }
@@ -38,15 +38,40 @@ void check_ssh(void) {
        server.sin_port = htons(22);    
        
        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-                printf("GOOD: SSH server not available on localhost\n");
+                printf("GOOD: SSH server not available on localhost.\n");
        else {
-                printf("MAYBE: an SSH server is accessible on localhost\n");
+                printf("MAYBE: An SSH server is accessible on localhost. ");
                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
        }
        
        close(sock);
 }
+void check_netlink(void) {
+        socklen_t addr_len;
+        int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
+        if (sock == -1) {
+                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+                return;
+        }
+        struct sockaddr_nl local;
+        memset(&local, 0, sizeof(local));
+        local.nl_family = AF_NETLINK;
+        local.nl_groups = 0; //subscriptions;
+        if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
+                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+                close(sock);
+                return;
+        }
+        
+        close(sock);
+        printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
+        printf("You can use \"--protocol\" to disable the socket.\n");
+}
        
 void network_test(void) {
        check_ssh();
+        check_netlink();
 }
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 57947418e..2770daece 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -69,7 +69,7 @@ void pid_test(void) {
                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
                                fclose(fp);
                                free(fname);
-                                printf("BAD: Process PID %d, not running in a PID namespace\n", getpid());
+                                printf("BAD: Process %d, not running in a PID namespace. ", getpid());
                                printf("Are you sure you're running in a sandbox?\n");
                                return;
                        }
@@ -81,10 +81,10 @@ void pid_test(void) {
        }
-        printf("GOOD: process PID %d, running in a PID namespace\n", getpid());
+        printf("GOOD: process %d running in a PID namespace.\n", getpid());
        
        // try to guess the type of container/sandbox
        char *str = getenv("container");
        if (str)
-                printf("INFO: container/sandbox %s\n", str);
+                printf("INFO: container/sandbox %s.\n", str);
 }
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
index 9cc1a20f6..099e0e420 100644
--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -46,18 +46,17 @@ void seccomp_test(void) {
        int rv = extract_seccomp(&seccomp_status);
        
        if (rv) {
-                printf("SKIP: cannot extract seccomp configuration on this platform\n");
+                printf("INFO: cannot extract seccomp configuration on this platform.\n");
                return;
        }
        
        if (seccomp_status == 0) {
-                printf("BAD: seccomp disabled\n");
+                printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
-                printf("Use \"firejail --seccomp\" to fix it.\n");
        }
        else if (seccomp_status == 1)
-                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowd\n");
+                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowd.\n");
        else if (seccomp_status == 2) {
-                printf("GOOD: seccomp BPF enababled\n");
+                printf("GOOD: seccomp BPF enabled.\n");
                printf("checking syscalls: "); fflush(0);
                printf("mount... "); fflush(0);
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 11fb3730b..84d73a03f 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -22,52 +22,52 @@
 void syscall_helper(int argc, char **argv) {
        if (strcmp(argv[2], "mount") == 0) {
                mount(NULL, NULL, NULL, 0, NULL);
-                printf("\nUGLY: mount syscall permitted\n");
+                printf("\nUGLY: mount syscall permitted.\n");
        }
        else if (strcmp(argv[2], "umount2") == 0) {
                umount2(NULL, 0);
-                printf("\nUGLY: umount2 syscall permitted\n");
+                printf("\nUGLY: umount2 syscall permitted.\n");
        }
        else if (strcmp(argv[2], "ptrace") == 0) {
                ptrace(0, 0, NULL, NULL);
-                printf("\nUGLY: ptrace syscall permitted\n");
+                printf("\nUGLY: ptrace syscall permitted.\n");
        }
        else if (strcmp(argv[2], "swapon") == 0) {
                swapon(NULL, 0);
-                printf("\nUGLY: swapon syscall permitted\n");
+                printf("\nUGLY: swapon syscall permitted.\n");
        }
        else if (strcmp(argv[2], "swapoff") == 0) {
                swapoff(NULL);
-                printf("\nUGLY: swapoff syscall permitted\n");
+                printf("\nUGLY: swapoff syscall permitted.\n");
        }
        else if (strcmp(argv[2], "init_module") == 0) {
                init_module(NULL, 0, NULL);
-                printf("\nUGLY: init_moule syscall permitted\n");
+                printf("\nUGLY: init_module syscall permitted.\n");
        }
        else if (strcmp(argv[2], "finit_module") == 0) {
                swapoff(0, NULL, 0);
-                printf("\nUGLY: finit_moule syscall permitted\n");
+                printf("\nUGLY: finit_module syscall permitted.\n");
        }
        else if (strcmp(argv[2], "delete_module") == 0) {
                delete_module(NULL, 0);
-                printf("\nUGLY: delete_moule syscall permitted\n");
+                printf("\nUGLY: delete_module syscall permitted.\n");
        }
        else if (strcmp(argv[2], "chroot") == 0) {
                int rv = chroot(NULL);
                (void) rv;
-                printf("\nUGLY: chroot syscall permitted\n");
+                printf("\nUGLY: chroot syscall permitted.\n");
        }
        else if (strcmp(argv[2], "pivot_root") == 0) {
                pivot_root(NULL, NULL);
-                printf("\nUGLY: pivot_root syscall permitted\n");
+                printf("\nUGLY: pivot_root syscall permitted.\n");
        }
        else if (strcmp(argv[2], "iopl") == 0) {
                iopl(0L);
-                printf("\nUGLY: iopl syscall permitted\n");
+                printf("\nUGLY: iopl syscall permitted.\n");
        }
        else if (strcmp(argv[2], "ioperm") == 0) {
                ioperm(0, 0, 0);
-                printf("\nUGLY: ioperm syscall permitted\n");
+                printf("\nUGLY: ioperm syscall permitted.\n");
        }
        exit(0);
 }
author	netblue30 <netblue30@yahoo.com>	2016-07-05 07:24:10 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-07-05 07:24:10 -0400
commit	3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b (patch)
tree	15b9f2e7810b0812eaa9827a4ee668ee29b6551f /src/faudit
parent	src/faudit/dbus.c (diff)
download	firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.tar.gz firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.tar.zst firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.zip