diff options
author | netblue30 <netblue30@yahoo.com> | 2015-08-08 19:12:30 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-08-08 19:12:30 -0400 |
commit | 1379851360349d6617ad32944a25ee5e2bb74fc2 (patch) | |
tree | f69b48e90708bfa3c2723d5a27ed3e024c827b43 /src/firemon | |
parent | delete files (diff) | |
download | firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.tar.gz firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.tar.zst firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.zip |
Baseline firejail 0.9.28
Diffstat (limited to 'src/firemon')
-rw-r--r-- | src/firemon/Makefile.in | 24 | ||||
-rw-r--r-- | src/firemon/arp.c | 99 | ||||
-rw-r--r-- | src/firemon/caps.c | 69 | ||||
-rw-r--r-- | src/firemon/cgroup.c | 64 | ||||
-rw-r--r-- | src/firemon/cpu.c | 68 | ||||
-rw-r--r-- | src/firemon/firemon.c | 222 | ||||
-rw-r--r-- | src/firemon/firemon.h | 84 | ||||
-rw-r--r-- | src/firemon/interface.c | 176 | ||||
-rw-r--r-- | src/firemon/list.c | 35 | ||||
-rw-r--r-- | src/firemon/netstats.c | 214 | ||||
-rw-r--r-- | src/firemon/procevent.c | 377 | ||||
-rw-r--r-- | src/firemon/route.c | 213 | ||||
-rw-r--r-- | src/firemon/seccomp.c | 69 | ||||
-rw-r--r-- | src/firemon/top.c | 297 | ||||
-rw-r--r-- | src/firemon/tree.c | 36 | ||||
-rw-r--r-- | src/firemon/usage.c | 77 |
16 files changed, 2124 insertions, 0 deletions
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in new file mode 100644 index 000000000..425289695 --- /dev/null +++ b/src/firemon/Makefile.in | |||
@@ -0,0 +1,24 @@ | |||
1 | all: firemon | ||
2 | |||
3 | PREFIX=@prefix@ | ||
4 | VERSION=@PACKAGE_VERSION@ | ||
5 | NAME=@PACKAGE_NAME@ | ||
6 | |||
7 | H_FILE_LIST = $(wildcard *.[h]) | ||
8 | C_FILE_LIST = $(wildcard *.c) | ||
9 | OBJS = $(C_FILE_LIST:.c=.o) | ||
10 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
11 | CFLAGS += -ggdb -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
12 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | ||
13 | |||
14 | %.o : %.c $(H_FILE_LIST) | ||
15 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
16 | |||
17 | firemon: $(OBJS) ../lib/common.o ../lib/pid.o | ||
18 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) | ||
19 | |||
20 | clean:; rm -f *.o firemon | ||
21 | |||
22 | distclean: clean | ||
23 | rm -fr Makefile | ||
24 | |||
diff --git a/src/firemon/arp.c b/src/firemon/arp.c new file mode 100644 index 000000000..71beb0630 --- /dev/null +++ b/src/firemon/arp.c | |||
@@ -0,0 +1,99 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #define MAXBUF 4096 | ||
22 | |||
23 | static void print_arp(const char *fname) { | ||
24 | FILE *fp = fopen(fname, "r"); | ||
25 | if (!fp) | ||
26 | return; | ||
27 | |||
28 | printf(" ARP Table:\n"); | ||
29 | char buf[MAXBUF]; | ||
30 | while (fgets(buf, MAXBUF, fp)) { | ||
31 | // remove blanks, \n | ||
32 | char *ptr = buf; | ||
33 | while (*ptr == ' ' || *ptr == '\t') | ||
34 | ptr++; | ||
35 | char *start = ptr; | ||
36 | if (*start == '\0') | ||
37 | continue; | ||
38 | ptr = strchr(ptr, '\n'); | ||
39 | if (ptr) | ||
40 | *ptr = '\0'; | ||
41 | |||
42 | // remove table header | ||
43 | //IP address HW type Flags HW address Mask Device | ||
44 | if (strncmp(start, "IP address", 10) == 0) | ||
45 | continue; | ||
46 | |||
47 | // extract data | ||
48 | char ip[64]; | ||
49 | char type[64]; | ||
50 | char flags[64]; | ||
51 | char mac[64]; | ||
52 | char mask[64]; | ||
53 | char device[64]; | ||
54 | int rv = sscanf(start, "%s %s %s %s %s %s\n", ip, type, flags, mac, mask, device); | ||
55 | if (rv != 6) | ||
56 | continue; | ||
57 | |||
58 | // destination ip | ||
59 | unsigned a, b, c, d; | ||
60 | if (sscanf(ip, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255) | ||
61 | continue; | ||
62 | uint32_t destip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d; | ||
63 | if (strcmp(flags, "0x0") == 0) | ||
64 | printf(" %d.%d.%d.%d dev %s FAILED\n", | ||
65 | PRINT_IP(destip), device); | ||
66 | else | ||
67 | printf(" %d.%d.%d.%d dev %s lladdr %s REACHABLE\n", | ||
68 | PRINT_IP(destip), device, mac); | ||
69 | } | ||
70 | |||
71 | fclose(fp); | ||
72 | |||
73 | } | ||
74 | |||
75 | void arp(pid_t pid) { | ||
76 | if (getuid() == 0) | ||
77 | firemon_drop_privs(); | ||
78 | |||
79 | pid_read(pid); | ||
80 | |||
81 | // print processes | ||
82 | int i; | ||
83 | for (i = 0; i < max_pids; i++) { | ||
84 | if (pids[i].level == 1) { | ||
85 | pid_print_list(i, 0); | ||
86 | int child = find_child(i); | ||
87 | if (child != -1) { | ||
88 | char *fname; | ||
89 | if (asprintf(&fname, "/proc/%d/net/arp", child) == -1) | ||
90 | errExit("asprintf"); | ||
91 | print_arp(fname); | ||
92 | free(fname); | ||
93 | printf("\n"); | ||
94 | } | ||
95 | } | ||
96 | } | ||
97 | } | ||
98 | |||
99 | |||
diff --git a/src/firemon/caps.c b/src/firemon/caps.c new file mode 100644 index 000000000..4ae9ab28d --- /dev/null +++ b/src/firemon/caps.c | |||
@@ -0,0 +1,69 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #define MAXBUF 4098 | ||
22 | |||
23 | static void print_caps(int pid) { | ||
24 | char *file; | ||
25 | if (asprintf(&file, "/proc/%d/status", pid) == -1) { | ||
26 | errExit("asprintf"); | ||
27 | exit(1); | ||
28 | } | ||
29 | |||
30 | FILE *fp = fopen(file, "r"); | ||
31 | if (!fp) { | ||
32 | printf(" Error: cannot open %s\n", file); | ||
33 | free(file); | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | char buf[MAXBUF]; | ||
38 | while (fgets(buf, MAXBUF, fp)) { | ||
39 | if (strncmp(buf, "CapBnd:", 7) == 0) { | ||
40 | printf(" %s", buf); | ||
41 | fflush(0); | ||
42 | free(file); | ||
43 | fclose(fp); | ||
44 | return; | ||
45 | } | ||
46 | } | ||
47 | fclose(fp); | ||
48 | free(file); | ||
49 | } | ||
50 | |||
51 | void caps(pid_t pid) { | ||
52 | if (getuid() == 0) | ||
53 | firemon_drop_privs(); | ||
54 | |||
55 | pid_read(pid); // include all processes | ||
56 | |||
57 | // print processes | ||
58 | int i; | ||
59 | for (i = 0; i < max_pids; i++) { | ||
60 | if (pids[i].level == 1) { | ||
61 | pid_print_list(i, 0); | ||
62 | int child = find_child(i); | ||
63 | if (child != -1) | ||
64 | print_caps(child); | ||
65 | } | ||
66 | } | ||
67 | printf("\n"); | ||
68 | } | ||
69 | |||
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c new file mode 100644 index 000000000..214aefaf9 --- /dev/null +++ b/src/firemon/cgroup.c | |||
@@ -0,0 +1,64 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #define MAXBUF 4098 | ||
22 | |||
23 | static void print_cgroup(int pid) { | ||
24 | char *file; | ||
25 | if (asprintf(&file, "/proc/%d/cgroup", pid) == -1) { | ||
26 | errExit("asprintf"); | ||
27 | exit(1); | ||
28 | } | ||
29 | |||
30 | FILE *fp = fopen(file, "r"); | ||
31 | if (!fp) { | ||
32 | printf(" Error: cannot open %s\n", file); | ||
33 | free(file); | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | char buf[MAXBUF]; | ||
38 | if (fgets(buf, MAXBUF, fp)) { | ||
39 | printf(" %s", buf); | ||
40 | fflush(0); | ||
41 | } | ||
42 | |||
43 | fclose(fp); | ||
44 | free(file); | ||
45 | } | ||
46 | |||
47 | void cgroup(pid_t pid) { | ||
48 | if (getuid() == 0) | ||
49 | firemon_drop_privs(); | ||
50 | |||
51 | pid_read(pid); | ||
52 | |||
53 | // print processes | ||
54 | int i; | ||
55 | for (i = 0; i < max_pids; i++) { | ||
56 | if (pids[i].level == 1) { | ||
57 | pid_print_list(i, 0); | ||
58 | int child = find_child(i); | ||
59 | if (child != -1) | ||
60 | print_cgroup(child); | ||
61 | } | ||
62 | } | ||
63 | } | ||
64 | |||
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c new file mode 100644 index 000000000..d5d20d1b8 --- /dev/null +++ b/src/firemon/cpu.c | |||
@@ -0,0 +1,68 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #define MAXBUF 4098 | ||
22 | |||
23 | static void print_cpu(int pid) { | ||
24 | char *file; | ||
25 | if (asprintf(&file, "/proc/%d/status", pid) == -1) { | ||
26 | errExit("asprintf"); | ||
27 | exit(1); | ||
28 | } | ||
29 | |||
30 | FILE *fp = fopen(file, "r"); | ||
31 | if (!fp) { | ||
32 | printf(" Error: cannot open %s\n", file); | ||
33 | free(file); | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | char buf[MAXBUF]; | ||
38 | while (fgets(buf, MAXBUF, fp)) { | ||
39 | if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { | ||
40 | printf(" %s", buf); | ||
41 | fflush(0); | ||
42 | free(file); | ||
43 | fclose(fp); | ||
44 | return; | ||
45 | } | ||
46 | } | ||
47 | fclose(fp); | ||
48 | free(file); | ||
49 | } | ||
50 | |||
51 | void cpu(pid_t pid) { | ||
52 | if (getuid() == 0) | ||
53 | firemon_drop_privs(); | ||
54 | |||
55 | pid_read(pid); | ||
56 | |||
57 | // print processes | ||
58 | int i; | ||
59 | for (i = 0; i < max_pids; i++) { | ||
60 | if (pids[i].level == 1) { | ||
61 | pid_print_list(i, 0); | ||
62 | int child = find_child(i); | ||
63 | if (child != -1) | ||
64 | print_cpu(child); | ||
65 | } | ||
66 | } | ||
67 | } | ||
68 | |||
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c new file mode 100644 index 000000000..d77d11a7a --- /dev/null +++ b/src/firemon/firemon.c | |||
@@ -0,0 +1,222 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #include <signal.h> | ||
22 | #include <termios.h> | ||
23 | #include <sys/ioctl.h> | ||
24 | #include <sys/prctl.h> | ||
25 | #include <grp.h> | ||
26 | |||
27 | |||
28 | static int arg_route = 0; | ||
29 | static int arg_arp = 0; | ||
30 | static int arg_tree = 0; | ||
31 | static int arg_interface = 0; | ||
32 | static int arg_seccomp = 0; | ||
33 | static int arg_caps = 0; | ||
34 | static int arg_cpu = 0; | ||
35 | static int arg_cgroup = 0; | ||
36 | int arg_nowrap = 0; | ||
37 | |||
38 | static struct termios tlocal; // startup terminal setting | ||
39 | static struct termios twait; // no wait on key press | ||
40 | static int terminal_set = 0; | ||
41 | |||
42 | static void my_handler(int s){ | ||
43 | if (terminal_set) | ||
44 | tcsetattr(0, TCSANOW, &tlocal); | ||
45 | exit(0); | ||
46 | } | ||
47 | |||
48 | // find the first child process for the specified pid | ||
49 | // return -1 if not found | ||
50 | int find_child(int id) { | ||
51 | int i; | ||
52 | for (i = 0; i < max_pids; i++) { | ||
53 | if (pids[i].level == 2 && pids[i].parent == id) | ||
54 | return i; | ||
55 | } | ||
56 | |||
57 | return -1; | ||
58 | } | ||
59 | |||
60 | // drop privileges | ||
61 | void firemon_drop_privs(void) { | ||
62 | // drop privileges | ||
63 | if (setgroups(0, NULL) < 0) | ||
64 | errExit("setgroups"); | ||
65 | if (setgid(getgid()) < 0) | ||
66 | errExit("setgid/getgid"); | ||
67 | if (setuid(getuid()) < 0) | ||
68 | errExit("setuid/getuid"); | ||
69 | } | ||
70 | |||
71 | // sleep and wait for a key to be pressed | ||
72 | void firemon_sleep(int st) { | ||
73 | if (terminal_set == 0) { | ||
74 | tcgetattr(0, &twait); // get current terminal attirbutes; 0 is the file descriptor for stdin | ||
75 | memcpy(&tlocal, &twait, sizeof(tlocal)); | ||
76 | twait.c_lflag &= ~ICANON; // disable canonical mode | ||
77 | twait.c_lflag &= ~ECHO; // no echo | ||
78 | twait.c_cc[VMIN] = 1; // wait until at least one keystroke available | ||
79 | twait.c_cc[VTIME] = 0; // no timeout | ||
80 | terminal_set = 1; | ||
81 | } | ||
82 | tcsetattr(0, TCSANOW, &twait); | ||
83 | |||
84 | |||
85 | fd_set fds; | ||
86 | FD_ZERO(&fds); | ||
87 | FD_SET(0,&fds); | ||
88 | int maxfd = 1; | ||
89 | |||
90 | struct timeval ts; | ||
91 | ts.tv_sec = st; | ||
92 | ts.tv_usec = 0; | ||
93 | |||
94 | int ready = select(maxfd, &fds, (fd_set *) 0, (fd_set *) 0, &ts); | ||
95 | (void) ready; | ||
96 | if( FD_ISSET(0, &fds)) { | ||
97 | getchar(); | ||
98 | tcsetattr(0, TCSANOW, &tlocal); | ||
99 | printf("\n"); | ||
100 | exit(0); | ||
101 | } | ||
102 | tcsetattr(0, TCSANOW, &tlocal); | ||
103 | } | ||
104 | |||
105 | |||
106 | int main(int argc, char **argv) { | ||
107 | unsigned pid = 0; | ||
108 | int i; | ||
109 | |||
110 | // handle CTRL-C | ||
111 | signal (SIGINT, my_handler); | ||
112 | signal (SIGTERM, my_handler); | ||
113 | |||
114 | for (i = 1; i < argc; i++) { | ||
115 | // default options | ||
116 | if (strcmp(argv[i], "--help") == 0 || | ||
117 | strcmp(argv[i], "-?") == 0) { | ||
118 | usage(); | ||
119 | return 0; | ||
120 | } | ||
121 | else if (strcmp(argv[i], "--version") == 0) { | ||
122 | printf("firemon version %s\n\n", VERSION); | ||
123 | return 0; | ||
124 | } | ||
125 | |||
126 | // options without a pid argument | ||
127 | else if (strcmp(argv[i], "--top") == 0) { | ||
128 | top(); // never to return | ||
129 | } | ||
130 | else if (strcmp(argv[i], "--list") == 0) { | ||
131 | list(); | ||
132 | return 0; | ||
133 | } | ||
134 | else if (strcmp(argv[i], "--netstats") == 0) { | ||
135 | netstats(); | ||
136 | return 0; | ||
137 | } | ||
138 | |||
139 | |||
140 | // cumulative options with or without a pid argument | ||
141 | else if (strcmp(argv[i], "--cgroup") == 0) { | ||
142 | arg_cgroup = 1; | ||
143 | } | ||
144 | else if (strcmp(argv[i], "--cpu") == 0) { | ||
145 | arg_cpu = 1; | ||
146 | } | ||
147 | else if (strcmp(argv[i], "--seccomp") == 0) { | ||
148 | arg_seccomp = 1; | ||
149 | } | ||
150 | else if (strcmp(argv[i], "--caps") == 0) { | ||
151 | arg_caps = 1; | ||
152 | } | ||
153 | else if (strcmp(argv[i], "--tree") == 0) { | ||
154 | arg_tree = 1; | ||
155 | } | ||
156 | else if (strcmp(argv[i], "--interface") == 0) { | ||
157 | arg_interface = 1; | ||
158 | } | ||
159 | else if (strcmp(argv[i], "--route") == 0) { | ||
160 | arg_route = 1; | ||
161 | } | ||
162 | else if (strcmp(argv[i], "--arp") == 0) { | ||
163 | arg_arp = 1; | ||
164 | } | ||
165 | |||
166 | else if (strncmp(argv[i], "--name=", 7) == 0) { | ||
167 | char *name = argv[i] + 7; | ||
168 | if (name2pid(name, (pid_t *) &pid)) { | ||
169 | fprintf(stderr, "Error: cannot find sandbox %s\n", name); | ||
170 | return 1; | ||
171 | } | ||
172 | } | ||
173 | |||
174 | // etc | ||
175 | else if (strcmp(argv[i], "--nowrap") == 0) | ||
176 | arg_nowrap = 1; | ||
177 | |||
178 | // invalid option | ||
179 | else if (*argv[i] == '-') { | ||
180 | fprintf(stderr, "Error: invalid option\n"); | ||
181 | return 1; | ||
182 | } | ||
183 | |||
184 | // PID argument | ||
185 | else { | ||
186 | // this should be a pid number | ||
187 | char *ptr = argv[i]; | ||
188 | while (*ptr != '\0') { | ||
189 | if (!isdigit(*ptr)) { | ||
190 | fprintf(stderr, "Error: not a valid PID number\n"); | ||
191 | exit(1); | ||
192 | } | ||
193 | ptr++; | ||
194 | } | ||
195 | |||
196 | sscanf(argv[i], "%u", &pid); | ||
197 | break; | ||
198 | } | ||
199 | } | ||
200 | |||
201 | if (arg_tree) | ||
202 | tree((pid_t) pid); | ||
203 | if (arg_interface) | ||
204 | interface((pid_t) pid); | ||
205 | if (arg_route) | ||
206 | route((pid_t) pid); | ||
207 | if (arg_arp) | ||
208 | arp((pid_t) pid); | ||
209 | if (arg_seccomp) | ||
210 | seccomp((pid_t) pid); | ||
211 | if (arg_caps) | ||
212 | caps((pid_t) pid); | ||
213 | if (arg_cpu) | ||
214 | cpu((pid_t) pid); | ||
215 | if (arg_cgroup) | ||
216 | cgroup((pid_t) pid); | ||
217 | |||
218 | if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp) | ||
219 | procevent((pid_t) pid); // never to return | ||
220 | |||
221 | return 0; | ||
222 | } | ||
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h new file mode 100644 index 000000000..59b1f352c --- /dev/null +++ b/src/firemon/firemon.h | |||
@@ -0,0 +1,84 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #ifndef FIREMON_H | ||
21 | #define FIREMON_H | ||
22 | #define _GNU_SOURCE | ||
23 | #include <stdlib.h> | ||
24 | #include <stdio.h> | ||
25 | #include <ctype.h> | ||
26 | #include <string.h> | ||
27 | #include <errno.h> | ||
28 | #include <stdint.h> | ||
29 | #include "../include/pid.h" | ||
30 | #include "../include/common.h" | ||
31 | |||
32 | // clear screen | ||
33 | static inline void firemon_clrscr(void) { | ||
34 | printf("\033[2J\033[1;1H"); | ||
35 | fflush(0); | ||
36 | } | ||
37 | |||
38 | // firemon.c | ||
39 | extern int arg_nowrap; | ||
40 | int find_child(int id); | ||
41 | void firemon_drop_privs(void); | ||
42 | void firemon_sleep(int st); | ||
43 | |||
44 | |||
45 | // procevent.c | ||
46 | void procevent(pid_t pid); | ||
47 | |||
48 | // usage.c | ||
49 | void usage(void); | ||
50 | |||
51 | // top.c | ||
52 | void top(void); | ||
53 | |||
54 | // list.c | ||
55 | void list(void); | ||
56 | |||
57 | // interface.c | ||
58 | void interface(pid_t pid); | ||
59 | |||
60 | // arp.c | ||
61 | void arp(pid_t pid); | ||
62 | |||
63 | // route.c | ||
64 | void route(pid_t pid); | ||
65 | |||
66 | // caps.c | ||
67 | void caps(pid_t pid); | ||
68 | |||
69 | // seccomp.c | ||
70 | void seccomp(pid_t pid); | ||
71 | |||
72 | // cpu.c | ||
73 | void cpu(pid_t pid); | ||
74 | |||
75 | // cgroup.c | ||
76 | void cgroup(pid_t pid); | ||
77 | |||
78 | // tree.c | ||
79 | void tree(pid_t pid); | ||
80 | |||
81 | // netstats.c | ||
82 | void netstats(void); | ||
83 | |||
84 | #endif | ||
diff --git a/src/firemon/interface.c b/src/firemon/interface.c new file mode 100644 index 000000000..52a9c33cd --- /dev/null +++ b/src/firemon/interface.c | |||
@@ -0,0 +1,176 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #include <sys/types.h> | ||
22 | #include <sys/wait.h> | ||
23 | #include <netdb.h> | ||
24 | #include <arpa/inet.h> | ||
25 | #include <ifaddrs.h> | ||
26 | #include <net/if.h> | ||
27 | #include <linux/connector.h> | ||
28 | #include <linux/netlink.h> | ||
29 | #include <linux/if_link.h> | ||
30 | #include <linux/sockios.h> | ||
31 | #include <sys/ioctl.h> | ||
32 | |||
33 | //#include <net/route.h> | ||
34 | //#include <linux/if_bridge.h> | ||
35 | |||
36 | // print IP addresses for all interfaces | ||
37 | static void net_ifprint(void) { | ||
38 | uint32_t ip; | ||
39 | uint32_t mask; | ||
40 | struct ifaddrs *ifaddr, *ifa; | ||
41 | |||
42 | int fd; | ||
43 | if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { | ||
44 | fprintf(stderr, "Error: cannot open AF_INET socket\n"); | ||
45 | exit(1); | ||
46 | } | ||
47 | |||
48 | if (getifaddrs(&ifaddr) == -1) | ||
49 | errExit("getifaddrs"); | ||
50 | |||
51 | // walk through the linked list | ||
52 | printf(" Link status:\n"); | ||
53 | for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { | ||
54 | if (ifa->ifa_addr == NULL) | ||
55 | continue; | ||
56 | |||
57 | if (ifa->ifa_addr->sa_family == AF_PACKET) { | ||
58 | if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) { | ||
59 | if (ifa->ifa_data != NULL) { | ||
60 | struct rtnl_link_stats *stats = ifa->ifa_data; | ||
61 | |||
62 | // extract mac address | ||
63 | struct ifreq ifr; | ||
64 | memset(&ifr, 0, sizeof(ifr)); | ||
65 | strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ); | ||
66 | int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); | ||
67 | |||
68 | if (rv == 0) | ||
69 | printf(" %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n", | ||
70 | ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data)); | ||
71 | else | ||
72 | printf(" %s UP\n", ifa->ifa_name); | ||
73 | |||
74 | printf(" tx/rx: %u/%u packets, %u/%u bytes\n", | ||
75 | stats->tx_packets, stats->rx_packets, | ||
76 | stats->tx_bytes, stats->rx_bytes); | ||
77 | } | ||
78 | } | ||
79 | else | ||
80 | printf(" %s DOWN\n", ifa->ifa_name); | ||
81 | } | ||
82 | } | ||
83 | |||
84 | |||
85 | // walk through the linked list | ||
86 | printf(" IPv4 status:\n"); | ||
87 | for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { | ||
88 | if (ifa->ifa_addr == NULL) | ||
89 | continue; | ||
90 | |||
91 | if (ifa->ifa_addr->sa_family == AF_INET) { | ||
92 | struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask; | ||
93 | mask = ntohl(si->sin_addr.s_addr); | ||
94 | si = (struct sockaddr_in *) ifa->ifa_addr; | ||
95 | ip = ntohl(si->sin_addr.s_addr); | ||
96 | |||
97 | char *status; | ||
98 | if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) | ||
99 | status = "UP"; | ||
100 | else | ||
101 | status = "DOWN"; | ||
102 | |||
103 | printf(" %s %s, %d.%d.%d.%d/%u\n", | ||
104 | ifa->ifa_name, status, PRINT_IP(ip), mask2bits(mask)); | ||
105 | } | ||
106 | } | ||
107 | |||
108 | |||
109 | // walk through the linked list | ||
110 | printf(" IPv6 status:\n"); | ||
111 | for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { | ||
112 | if (ifa->ifa_addr == NULL) | ||
113 | continue; | ||
114 | |||
115 | if (ifa->ifa_addr->sa_family == AF_INET6) { | ||
116 | char host[NI_MAXHOST]; | ||
117 | int s = getnameinfo(ifa->ifa_addr, sizeof(struct sockaddr_in6), | ||
118 | host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST); | ||
119 | if (s == 0) { | ||
120 | char *ptr; | ||
121 | if ((ptr = strchr(host, '%')) != NULL) | ||
122 | *ptr = '\0'; | ||
123 | char *status; | ||
124 | if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) | ||
125 | status = "UP"; | ||
126 | else | ||
127 | status = "DOWN"; | ||
128 | |||
129 | printf(" %s %s, %s\n", ifa->ifa_name, status, host); | ||
130 | } | ||
131 | } | ||
132 | } | ||
133 | |||
134 | freeifaddrs(ifaddr); | ||
135 | close(fd); | ||
136 | } | ||
137 | |||
138 | static void print_sandbox(pid_t pid) { | ||
139 | pid_t child = fork(); | ||
140 | if (child == -1) | ||
141 | return; | ||
142 | |||
143 | if (child == 0) { | ||
144 | int rv = join_namespace(pid, "net"); | ||
145 | if (rv) | ||
146 | return; | ||
147 | net_ifprint(); | ||
148 | printf("\n"); | ||
149 | exit(0); | ||
150 | } | ||
151 | |||
152 | // wait for the child to finish | ||
153 | waitpid(child, NULL, 0); | ||
154 | } | ||
155 | |||
156 | void interface(pid_t pid) { | ||
157 | if (getuid() != 0) { | ||
158 | fprintf(stderr, "Error: you need to be root to run this command\n"); | ||
159 | exit(1); | ||
160 | } | ||
161 | |||
162 | pid_read(pid); // a pid of 0 will include all processes | ||
163 | |||
164 | // print processes | ||
165 | int i; | ||
166 | for (i = 0; i < max_pids; i++) { | ||
167 | if (pids[i].level == 1) { | ||
168 | pid_print_list(i, 0); | ||
169 | int child = find_child(i); | ||
170 | if (child != -1) { | ||
171 | print_sandbox(child); | ||
172 | } | ||
173 | } | ||
174 | } | ||
175 | } | ||
176 | |||
diff --git a/src/firemon/list.c b/src/firemon/list.c new file mode 100644 index 000000000..6a997bde1 --- /dev/null +++ b/src/firemon/list.c | |||
@@ -0,0 +1,35 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | |||
22 | void list(void) { | ||
23 | if (getuid() == 0) | ||
24 | firemon_drop_privs(); | ||
25 | |||
26 | pid_read(0); // include all processes | ||
27 | |||
28 | // print processes | ||
29 | int i; | ||
30 | for (i = 0; i < max_pids; i++) { | ||
31 | if (pids[i].level == 1) | ||
32 | pid_print_list(i, 0); | ||
33 | } | ||
34 | } | ||
35 | |||
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c new file mode 100644 index 000000000..6c4a767f1 --- /dev/null +++ b/src/firemon/netstats.c | |||
@@ -0,0 +1,214 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #include <termios.h> | ||
22 | #include <sys/ioctl.h> | ||
23 | #include <sys/types.h> | ||
24 | #include <sys/stat.h> | ||
25 | #include <unistd.h> | ||
26 | |||
27 | #define MAXBUF 4096 | ||
28 | |||
29 | static char *get_header(void) { | ||
30 | char *rv; | ||
31 | if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", | ||
32 | "PID", "User", "RX(KB/s)", "TX(KB/s)", "Command") == -1) | ||
33 | errExit("asprintf"); | ||
34 | |||
35 | return rv; | ||
36 | } | ||
37 | |||
38 | void get_stats(int parent) { | ||
39 | // find the first child | ||
40 | int child = -1; | ||
41 | for (child = parent + 1; child < max_pids; child++) { | ||
42 | if (pids[child].parent == parent) | ||
43 | break; | ||
44 | } | ||
45 | |||
46 | if (child == -1) | ||
47 | goto errexit; | ||
48 | |||
49 | // open /proc/child/net/dev file and read rx and tx | ||
50 | char *fname; | ||
51 | if (asprintf(&fname, "/proc/%d/net/dev", child) == -1) | ||
52 | errExit("asprintf"); | ||
53 | FILE *fp = fopen(fname, "r"); | ||
54 | if (!fp) { | ||
55 | free(fname); | ||
56 | goto errexit; | ||
57 | } | ||
58 | |||
59 | char buf[MAXBUF]; | ||
60 | long long unsigned rx = 0; | ||
61 | long long unsigned tx = 0; | ||
62 | while (fgets(buf, MAXBUF, fp)) { | ||
63 | if (strncmp(buf, "Inter", 5) == 0) | ||
64 | continue; | ||
65 | if (strncmp(buf, " face", 5) == 0) | ||
66 | continue; | ||
67 | |||
68 | char *ptr = buf; | ||
69 | while (*ptr != '\0' && *ptr != ':') { | ||
70 | ptr++; | ||
71 | } | ||
72 | |||
73 | if (*ptr == '\0') { | ||
74 | fclose(fp); | ||
75 | free(fname); | ||
76 | goto errexit; | ||
77 | } | ||
78 | ptr++; | ||
79 | |||
80 | long long unsigned rxval; | ||
81 | long long unsigned txval; | ||
82 | unsigned a, b, c, d, e, f, g; | ||
83 | sscanf(ptr, "%llu %u %u %u %u %u %u %u %llu", | ||
84 | &rxval, &a, &b, &c, &d, &e, &f, &g, &txval); | ||
85 | rx += rxval; | ||
86 | tx += txval; | ||
87 | } | ||
88 | |||
89 | // store data | ||
90 | pids[parent].rx_delta = rx - pids[parent].rx; | ||
91 | pids[parent].rx = rx; | ||
92 | pids[parent].tx_delta = tx - pids[parent].tx; | ||
93 | pids[parent].tx = tx; | ||
94 | |||
95 | |||
96 | free(fname); | ||
97 | fclose(fp); | ||
98 | return; | ||
99 | |||
100 | errexit: | ||
101 | pids[parent].rx = 0; | ||
102 | pids[parent].tx = 0; | ||
103 | pids[parent].rx_delta = 0; | ||
104 | pids[parent].tx_delta = 0; | ||
105 | } | ||
106 | |||
107 | |||
108 | static void print_proc(int index, int itv, int col) { | ||
109 | // command | ||
110 | char *cmd = pid_proc_cmdline(index); | ||
111 | char *ptrcmd; | ||
112 | if (cmd == NULL) { | ||
113 | if (pids[index].zombie) | ||
114 | ptrcmd = "(zombie)"; | ||
115 | else | ||
116 | ptrcmd = ""; | ||
117 | } | ||
118 | else | ||
119 | ptrcmd = cmd; | ||
120 | // if the command doesn't have a --net= option, don't print | ||
121 | if (strstr(ptrcmd, "--net=") == NULL) { | ||
122 | if (cmd) | ||
123 | free(cmd); | ||
124 | return; | ||
125 | } | ||
126 | |||
127 | // pid | ||
128 | char pidstr[10]; | ||
129 | snprintf(pidstr, 10, "%u", index); | ||
130 | |||
131 | // user | ||
132 | char *user = pid_get_user_name(pids[index].uid); | ||
133 | char *ptruser; | ||
134 | if (user) | ||
135 | ptruser = user; | ||
136 | else | ||
137 | ptruser = ""; | ||
138 | |||
139 | |||
140 | float rx_kbps = ((float) pids[index].rx_delta / 1000) / itv; | ||
141 | char ptrrx[15]; | ||
142 | sprintf(ptrrx, "%.03f", rx_kbps); | ||
143 | |||
144 | float tx_kbps = ((float) pids[index].tx_delta / 1000) / itv; | ||
145 | char ptrtx[15]; | ||
146 | sprintf(ptrtx, "%.03f", tx_kbps); | ||
147 | |||
148 | char buf[1024 + 1]; | ||
149 | snprintf(buf, 1024, "%-5.5s %-9.9s %-10.10s %-10.10s %s", | ||
150 | pidstr, ptruser, ptrrx, ptrtx, ptrcmd); | ||
151 | if (col < 1024) | ||
152 | buf[col] = '\0'; | ||
153 | printf("%s\n", buf); | ||
154 | |||
155 | if (cmd) | ||
156 | free(cmd); | ||
157 | if (user) | ||
158 | free(user); | ||
159 | |||
160 | } | ||
161 | |||
162 | void netstats(void) { | ||
163 | if (getuid() == 0) | ||
164 | firemon_drop_privs(); | ||
165 | |||
166 | pid_read(0); // include all processes | ||
167 | |||
168 | printf("Displaying network statistics only for sandboxes using a new network namespace.\n"); | ||
169 | |||
170 | // print processes | ||
171 | while (1) { | ||
172 | // set pid table | ||
173 | int i; | ||
174 | int itv = 5; // 5 second interval | ||
175 | pid_read(0); // todo: preserve the last calculation if any, so we don't have to do get_stats() | ||
176 | |||
177 | // start rx/tx measurements | ||
178 | for (i = 0; i < max_pids; i++) { | ||
179 | if (pids[i].level == 1) | ||
180 | get_stats(i); | ||
181 | } | ||
182 | |||
183 | // wait 5 seconds | ||
184 | firemon_sleep(itv); | ||
185 | |||
186 | // grab screen size | ||
187 | struct winsize sz; | ||
188 | int row = 24; | ||
189 | int col = 80; | ||
190 | if (!ioctl(0, TIOCGWINSZ, &sz)) { | ||
191 | col = sz.ws_col; | ||
192 | row = sz.ws_row; | ||
193 | } | ||
194 | |||
195 | // start printing | ||
196 | firemon_clrscr(); | ||
197 | char *header = get_header(); | ||
198 | if (strlen(header) > col) | ||
199 | header[col] = '\0'; | ||
200 | printf("%s\n", header); | ||
201 | if (row > 0) | ||
202 | row--; | ||
203 | free(header); | ||
204 | |||
205 | // start rx/tx measurements | ||
206 | for (i = 0; i < max_pids; i++) { | ||
207 | if (pids[i].level == 1) { | ||
208 | get_stats(i); | ||
209 | print_proc(i, itv, col); | ||
210 | } | ||
211 | } | ||
212 | } | ||
213 | } | ||
214 | |||
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c new file mode 100644 index 000000000..d2b5f7bbf --- /dev/null +++ b/src/firemon/procevent.c | |||
@@ -0,0 +1,377 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #include <sys/socket.h> | ||
22 | #include <linux/connector.h> | ||
23 | #include <linux/netlink.h> | ||
24 | #include <linux/cn_proc.h> | ||
25 | #include <sys/types.h> | ||
26 | #include <sys/stat.h> | ||
27 | #include <unistd.h> | ||
28 | #include <arpa/inet.h> | ||
29 | #include <time.h> | ||
30 | #define PIDS_BUFLEN 4096 | ||
31 | #define SERVER_PORT 889 // 889-899 is left unassigned by IANA | ||
32 | |||
33 | static int pid_is_firejail(pid_t pid) { | ||
34 | uid_t rv = 0; | ||
35 | |||
36 | // open stat file | ||
37 | char *file; | ||
38 | if (asprintf(&file, "/proc/%u/status", pid) == -1) { | ||
39 | perror("asprintf"); | ||
40 | exit(1); | ||
41 | } | ||
42 | FILE *fp = fopen(file, "r"); | ||
43 | if (!fp) { | ||
44 | free(file); | ||
45 | return 0; | ||
46 | } | ||
47 | |||
48 | // look for firejail executable name | ||
49 | char buf[PIDS_BUFLEN]; | ||
50 | while (fgets(buf, PIDS_BUFLEN - 1, fp)) { | ||
51 | if (strncmp(buf, "Name:", 5) == 0) { | ||
52 | char *ptr = buf + 5; | ||
53 | while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { | ||
54 | ptr++; | ||
55 | } | ||
56 | if (*ptr == '\0') | ||
57 | goto doexit; | ||
58 | if (strncmp(ptr, "firejail", 8) == 0) | ||
59 | rv = 1; | ||
60 | // if (strncmp(ptr, "lxc-execute", 11) == 0) | ||
61 | // rv = 1; | ||
62 | break; | ||
63 | } | ||
64 | } | ||
65 | doexit: | ||
66 | fclose(fp); | ||
67 | free(file); | ||
68 | return rv; | ||
69 | } | ||
70 | |||
71 | |||
72 | static int procevent_netlink_setup(void) { | ||
73 | // open socket for process event connector | ||
74 | int sock; | ||
75 | if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR)) < 0) { | ||
76 | fprintf(stderr, "Error: cannot open netlink socket\n"); | ||
77 | exit(1); | ||
78 | } | ||
79 | |||
80 | // bind socket | ||
81 | struct sockaddr_nl addr; | ||
82 | memset(&addr, 0, sizeof(addr)); | ||
83 | addr.nl_pid = getpid(); | ||
84 | addr.nl_family = AF_NETLINK; | ||
85 | addr.nl_groups = CN_IDX_PROC; | ||
86 | if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { | ||
87 | fprintf(stderr, "Error: cannot bind to netlink socket\n"); | ||
88 | exit(1); | ||
89 | } | ||
90 | |||
91 | // send monitoring message | ||
92 | struct nlmsghdr nlmsghdr; | ||
93 | memset(&nlmsghdr, 0, sizeof(nlmsghdr)); | ||
94 | nlmsghdr.nlmsg_len = NLMSG_LENGTH(sizeof(struct cn_msg) + sizeof(enum proc_cn_mcast_op)); | ||
95 | nlmsghdr.nlmsg_pid = getpid(); | ||
96 | nlmsghdr.nlmsg_type = NLMSG_DONE; | ||
97 | |||
98 | struct cn_msg cn_msg; | ||
99 | memset(&cn_msg, 0, sizeof(cn_msg)); | ||
100 | cn_msg.id.idx = CN_IDX_PROC; | ||
101 | cn_msg.id.val = CN_VAL_PROC; | ||
102 | cn_msg.len = sizeof(enum proc_cn_mcast_op); | ||
103 | |||
104 | struct iovec iov[3]; | ||
105 | iov[0].iov_base = &nlmsghdr; | ||
106 | iov[0].iov_len = sizeof(nlmsghdr); | ||
107 | iov[1].iov_base = &cn_msg; | ||
108 | iov[1].iov_len = sizeof(cn_msg); | ||
109 | |||
110 | enum proc_cn_mcast_op op = PROC_CN_MCAST_LISTEN; | ||
111 | iov[2].iov_base = &op; | ||
112 | iov[2].iov_len = sizeof(op); | ||
113 | |||
114 | if (writev(sock, iov, 3) == -1) { | ||
115 | fprintf(stderr, "Error: cannot write to netlink socket\n"); | ||
116 | exit(1); | ||
117 | } | ||
118 | |||
119 | return sock; | ||
120 | } | ||
121 | |||
122 | |||
123 | static int procevent_monitor(const int sock, pid_t mypid) { | ||
124 | ssize_t len; | ||
125 | struct nlmsghdr *nlmsghdr; | ||
126 | |||
127 | // timeout in order to re-enable firejail module trace | ||
128 | struct timeval tv; | ||
129 | tv.tv_sec = 30; | ||
130 | tv.tv_usec = 0; | ||
131 | |||
132 | while (1) { | ||
133 | #define BUFFSIZE 4096 | ||
134 | char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; | ||
135 | |||
136 | fd_set readfds; | ||
137 | int max; | ||
138 | FD_ZERO(&readfds); | ||
139 | FD_SET(sock, &readfds); | ||
140 | max = sock; | ||
141 | max++; | ||
142 | |||
143 | int rv = select(max, &readfds, NULL, NULL, &tv); | ||
144 | if (rv == -1) { | ||
145 | fprintf(stderr, "recv: %s\n", strerror(errno)); | ||
146 | return -1; | ||
147 | } | ||
148 | |||
149 | // timeout | ||
150 | if (rv == 0) { | ||
151 | tv.tv_sec = 30; | ||
152 | tv.tv_usec = 0; | ||
153 | continue; | ||
154 | } | ||
155 | |||
156 | |||
157 | if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) { | ||
158 | return 0; | ||
159 | } | ||
160 | if (len == -1) { | ||
161 | if (errno == EINTR) { | ||
162 | return 0; | ||
163 | } else { | ||
164 | fprintf(stderr,"recv: %s\n", strerror(errno)); | ||
165 | return -1; | ||
166 | } | ||
167 | } | ||
168 | |||
169 | for (nlmsghdr = (struct nlmsghdr *)buf; | ||
170 | NLMSG_OK (nlmsghdr, len); | ||
171 | nlmsghdr = NLMSG_NEXT (nlmsghdr, len)) { | ||
172 | |||
173 | struct cn_msg *cn_msg; | ||
174 | struct proc_event *proc_ev; | ||
175 | struct tm tm; | ||
176 | time_t now; | ||
177 | |||
178 | if ((nlmsghdr->nlmsg_type == NLMSG_ERROR) || | ||
179 | (nlmsghdr->nlmsg_type == NLMSG_NOOP)) | ||
180 | continue; | ||
181 | |||
182 | cn_msg = NLMSG_DATA(nlmsghdr); | ||
183 | if ((cn_msg->id.idx != CN_IDX_PROC) || | ||
184 | (cn_msg->id.val != CN_VAL_PROC)) | ||
185 | continue; | ||
186 | |||
187 | (void)time(&now); | ||
188 | (void)localtime_r(&now, &tm); | ||
189 | char line[PIDS_BUFLEN]; | ||
190 | char *lineptr = line; | ||
191 | sprintf(lineptr, "%2.2d:%2.2d:%2.2d", tm.tm_hour, tm.tm_min, tm.tm_sec); | ||
192 | lineptr += strlen(lineptr); | ||
193 | |||
194 | proc_ev = (struct proc_event *)cn_msg->data; | ||
195 | pid_t pid = 0; | ||
196 | pid_t child = 0; | ||
197 | int remove_pid = 0; | ||
198 | switch (proc_ev->what) { | ||
199 | case PROC_EVENT_FORK: | ||
200 | if (proc_ev->event_data.fork.child_pid != | ||
201 | proc_ev->event_data.fork.child_tgid) | ||
202 | continue; // this is a thread, not a process | ||
203 | pid = proc_ev->event_data.fork.parent_tgid; | ||
204 | if (pids[pid].level > 0) { | ||
205 | child = proc_ev->event_data.fork.child_tgid; | ||
206 | child %= max_pids; | ||
207 | pids[child].level = pids[pid].level + 1; | ||
208 | pids[child].uid = pid_get_uid(child); | ||
209 | } | ||
210 | sprintf(lineptr, " fork"); | ||
211 | break; | ||
212 | case PROC_EVENT_EXEC: | ||
213 | pid = proc_ev->event_data.exec.process_tgid; | ||
214 | sprintf(lineptr, " exec"); | ||
215 | break; | ||
216 | |||
217 | case PROC_EVENT_EXIT: | ||
218 | if (proc_ev->event_data.exit.process_pid != | ||
219 | proc_ev->event_data.exit.process_tgid) | ||
220 | continue; // this is a thread, not a process | ||
221 | |||
222 | pid = proc_ev->event_data.exit.process_tgid; | ||
223 | remove_pid = 1; | ||
224 | sprintf(lineptr, " exit"); | ||
225 | break; | ||
226 | |||
227 | case PROC_EVENT_UID: | ||
228 | pid = proc_ev->event_data.id.process_tgid; | ||
229 | sprintf(lineptr, " uid "); | ||
230 | break; | ||
231 | |||
232 | case PROC_EVENT_GID: | ||
233 | pid = proc_ev->event_data.id.process_tgid; | ||
234 | sprintf(lineptr, " gid "); | ||
235 | break; | ||
236 | |||
237 | case PROC_EVENT_SID: | ||
238 | pid = proc_ev->event_data.sid.process_tgid; | ||
239 | sprintf(lineptr, " sid "); | ||
240 | break; | ||
241 | |||
242 | default: | ||
243 | sprintf(lineptr, "\n"); | ||
244 | continue; | ||
245 | } | ||
246 | |||
247 | int add_new = 0; | ||
248 | if (pids[pid].level < 0) // not a firejail process | ||
249 | continue; | ||
250 | else if (pids[pid].level == 0) { // new porcess, do we track it? | ||
251 | if (pid_is_firejail(pid) && mypid == 0) { | ||
252 | pids[pid].level = 1; | ||
253 | add_new = 1; | ||
254 | } | ||
255 | else { | ||
256 | pids[pid].level = -1; | ||
257 | continue; | ||
258 | } | ||
259 | } | ||
260 | |||
261 | lineptr += strlen(lineptr); | ||
262 | sprintf(lineptr, " %u", pid); | ||
263 | lineptr += strlen(lineptr); | ||
264 | |||
265 | char *user = pids[pid].user; | ||
266 | if (!user) | ||
267 | user = pid_get_user_name(pids[pid].uid); | ||
268 | if (user) { | ||
269 | pids[pid].user = user; | ||
270 | sprintf(lineptr, " (%s)", user); | ||
271 | lineptr += strlen(lineptr); | ||
272 | } | ||
273 | |||
274 | |||
275 | int sandbox_closed = 0; // exit sandbox flag | ||
276 | char *cmd = pids[pid].cmd; | ||
277 | if (!cmd) { | ||
278 | cmd = pid_proc_cmdline(pid); | ||
279 | } | ||
280 | if (add_new) { | ||
281 | if (!cmd) | ||
282 | sprintf(lineptr, " NEW SANDBOX\n"); | ||
283 | else | ||
284 | sprintf(lineptr, " NEW SANDBOX: %s\n", cmd); | ||
285 | lineptr += strlen(lineptr); | ||
286 | } | ||
287 | else if (proc_ev->what == PROC_EVENT_EXIT && pids[pid].level == 1) { | ||
288 | sprintf(lineptr, " EXIT SANDBOX\n"); | ||
289 | lineptr += strlen(lineptr); | ||
290 | if (mypid == pid) | ||
291 | sandbox_closed = 1; | ||
292 | } | ||
293 | else { | ||
294 | if (!cmd) { | ||
295 | cmd = pid_proc_cmdline(pid); | ||
296 | } | ||
297 | if (cmd == NULL) | ||
298 | sprintf(lineptr, "\n"); | ||
299 | else { | ||
300 | sprintf(lineptr, " %s\n", cmd); | ||
301 | free(cmd); | ||
302 | } | ||
303 | lineptr += strlen(lineptr); | ||
304 | } | ||
305 | (void) lineptr; | ||
306 | |||
307 | // print the event | ||
308 | printf("%s", line); | ||
309 | fflush(0); | ||
310 | |||
311 | // unflag pid for exit events | ||
312 | if (remove_pid) { | ||
313 | if (pids[pid].user) | ||
314 | free(pids[pid].user); | ||
315 | if (pids[pid].cmd) | ||
316 | free(pids[pid].cmd); | ||
317 | memset(&pids[pid], 0, sizeof(Process)); | ||
318 | } | ||
319 | |||
320 | // print forked child | ||
321 | if (child) { | ||
322 | cmd = pid_proc_cmdline(child); | ||
323 | if (cmd) { | ||
324 | printf("\tchild %u %s\n", child, cmd); | ||
325 | free(cmd); | ||
326 | } | ||
327 | else | ||
328 | printf("\tchild %u\n", child); | ||
329 | } | ||
330 | |||
331 | // on uid events the uid is changing | ||
332 | if (proc_ev->what == PROC_EVENT_UID) { | ||
333 | if (pids[pid].user) | ||
334 | free(pids[pid].user); | ||
335 | pids[pid].user = 0; | ||
336 | pids[pid].uid = pid_get_uid(pid); | ||
337 | } | ||
338 | |||
339 | if (sandbox_closed) | ||
340 | exit(0); | ||
341 | } | ||
342 | } | ||
343 | return 0; | ||
344 | } | ||
345 | |||
346 | static void procevent_print_pids(void) { | ||
347 | // print files | ||
348 | int i; | ||
349 | for (i = 0; i < max_pids; i++) { | ||
350 | if (pids[i].level == 1) | ||
351 | pid_print_tree(i, 0, 1); | ||
352 | } | ||
353 | printf("\n"); | ||
354 | } | ||
355 | |||
356 | void procevent(pid_t pid) { | ||
357 | // need to be root for this | ||
358 | if (getuid() != 0) { | ||
359 | fprintf(stderr, "Error: you need to be root to get process events\n"); | ||
360 | exit(1); | ||
361 | } | ||
362 | |||
363 | // read and print sandboxed processes | ||
364 | pid_read(pid); | ||
365 | procevent_print_pids(); | ||
366 | |||
367 | // monitor using netlink | ||
368 | int sock = procevent_netlink_setup(); | ||
369 | if (sock < 0) { | ||
370 | fprintf(stderr, "Error: cannot open netlink socket\n"); | ||
371 | exit(1); | ||
372 | } | ||
373 | |||
374 | procevent_monitor(sock, pid); // it will never return from here | ||
375 | assert(0); | ||
376 | close(sock); // quiet static analyzers | ||
377 | } | ||
diff --git a/src/firemon/route.c b/src/firemon/route.c new file mode 100644 index 000000000..7f559c7b5 --- /dev/null +++ b/src/firemon/route.c | |||
@@ -0,0 +1,213 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #include <assert.h> | ||
22 | #include <arpa/inet.h> | ||
23 | #define MAXBUF 4096 | ||
24 | |||
25 | typedef struct iflist_t { | ||
26 | struct iflist_t *next; | ||
27 | uint32_t ip; | ||
28 | } IfList; | ||
29 | static IfList *ifs = NULL; | ||
30 | static char last_start[MAXBUF + 1]; | ||
31 | |||
32 | static IfList *list_find(uint32_t ip, uint32_t mask) { | ||
33 | IfList *ptr = ifs; | ||
34 | while (ptr) { | ||
35 | if ((ptr->ip & mask) == (ip & mask)) | ||
36 | return ptr; | ||
37 | ptr = ptr->next; | ||
38 | } | ||
39 | |||
40 | return NULL; | ||
41 | } | ||
42 | |||
43 | static void extract_if(const char *fname) { | ||
44 | // clear interface list | ||
45 | while (ifs) { | ||
46 | IfList *tmp = ifs->next; | ||
47 | free(ifs); | ||
48 | ifs = tmp; | ||
49 | } | ||
50 | assert(ifs == NULL); | ||
51 | |||
52 | FILE *fp = fopen(fname, "r"); | ||
53 | if (!fp) | ||
54 | return; | ||
55 | |||
56 | char buf[MAXBUF]; | ||
57 | int state = 0; // 0 -wait for Local | ||
58 | // | ||
59 | while (fgets(buf, MAXBUF, fp)) { | ||
60 | // remove blanks, \n | ||
61 | char *ptr = buf; | ||
62 | while (*ptr == ' ' || *ptr == '\t') | ||
63 | ptr++; | ||
64 | char *start = ptr; | ||
65 | if (*start == '\0') | ||
66 | continue; | ||
67 | ptr = strchr(ptr, '\n'); | ||
68 | if (ptr) | ||
69 | *ptr = '\0'; | ||
70 | |||
71 | if (state == 0) { | ||
72 | if (strncmp(buf, "Local:", 6) == 0) { | ||
73 | state = 1; | ||
74 | continue; | ||
75 | } | ||
76 | } | ||
77 | else if (state == 1) { | ||
78 | // remove broadcast addresses | ||
79 | if (strstr(start,"BROADCAST")) | ||
80 | continue; | ||
81 | else if (*start == '+') | ||
82 | continue; | ||
83 | else if (*start == '|') { | ||
84 | memset(last_start, 0, MAXBUF + 1); | ||
85 | strncpy(last_start, start, MAXBUF); | ||
86 | continue; | ||
87 | } | ||
88 | else if (strstr(buf, "LOCAL")) { | ||
89 | // printf("%s %s\n", last_start, start); | ||
90 | unsigned mbits; | ||
91 | sscanf(start, "/%u", &mbits); | ||
92 | if (mbits != 32) | ||
93 | continue; | ||
94 | |||
95 | unsigned a, b, c, d; | ||
96 | if (sscanf(last_start, "|-- %u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255) | ||
97 | continue; | ||
98 | |||
99 | IfList *newif = malloc(sizeof(IfList)); | ||
100 | if (!newif) | ||
101 | errExit("malloc"); | ||
102 | newif->ip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d; | ||
103 | newif->next = ifs; | ||
104 | ifs = newif; | ||
105 | } | ||
106 | } | ||
107 | } | ||
108 | |||
109 | fclose(fp); | ||
110 | |||
111 | |||
112 | } | ||
113 | |||
114 | static void print_route(const char *fname) { | ||
115 | FILE *fp = fopen(fname, "r"); | ||
116 | if (!fp) | ||
117 | return; | ||
118 | |||
119 | printf(" Route table:\n"); | ||
120 | char buf[MAXBUF]; | ||
121 | while (fgets(buf, MAXBUF, fp)) { | ||
122 | // remove blanks, \n | ||
123 | char *ptr = buf; | ||
124 | while (*ptr == ' ' || *ptr == '\t') | ||
125 | ptr++; | ||
126 | char *start = ptr; | ||
127 | if (*start == '\0') | ||
128 | continue; | ||
129 | ptr = strchr(ptr, '\n'); | ||
130 | if (ptr) | ||
131 | *ptr = '\0'; | ||
132 | |||
133 | // remove table header | ||
134 | //Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT | ||
135 | if (strncmp(start, "Iface", 5) == 0) | ||
136 | continue; | ||
137 | |||
138 | // extract data | ||
139 | char ifname[64]; | ||
140 | char destination[64]; | ||
141 | char gateway[64]; | ||
142 | char flags[64]; | ||
143 | char refcnt[64]; | ||
144 | char use[64]; | ||
145 | char metric[64]; | ||
146 | char mask[64]; | ||
147 | int rv = sscanf(start, "%s %s %s %s %s %s %s %s\n", ifname, destination, gateway, flags, refcnt, use, metric, mask); | ||
148 | if (rv != 8) | ||
149 | continue; | ||
150 | |||
151 | // destination ip | ||
152 | uint32_t destip; | ||
153 | sscanf(destination, "%x", &destip); | ||
154 | destip = ntohl(destip); | ||
155 | uint32_t destmask; | ||
156 | sscanf(mask, "%x", &destmask); | ||
157 | destmask = ntohl(destmask); | ||
158 | uint32_t gw; | ||
159 | sscanf(gateway, "%x", &gw); | ||
160 | gw = ntohl(gw); | ||
161 | |||
162 | // printf("#%s# #%s# #%s# #%s# #%s# #%s# #%s# #%s#\n", ifname, destination, gateway, flags, refcnt, use, metric, mask); | ||
163 | if (gw != 0) | ||
164 | printf(" %u.%u.%u.%u/%u via %u.%u.%u.%u, dev %s, metric %s\n", | ||
165 | PRINT_IP(destip), mask2bits(destmask), | ||
166 | PRINT_IP(gw), | ||
167 | ifname, | ||
168 | metric); | ||
169 | else { // this is an interface | ||
170 | IfList *ifentry = list_find(destip, destmask); | ||
171 | if (ifentry) { | ||
172 | printf(" %u.%u.%u.%u/%u, dev %s, scope link src %d.%d.%d.%d\n", | ||
173 | PRINT_IP(destip), mask2bits(destmask), | ||
174 | ifname, | ||
175 | PRINT_IP(ifentry->ip)); | ||
176 | } | ||
177 | } | ||
178 | } | ||
179 | |||
180 | fclose(fp); | ||
181 | |||
182 | } | ||
183 | |||
184 | void route(pid_t pid) { | ||
185 | if (getuid() == 0) | ||
186 | firemon_drop_privs(); | ||
187 | |||
188 | pid_read(pid); | ||
189 | |||
190 | // print processes | ||
191 | int i; | ||
192 | for (i = 0; i < max_pids; i++) { | ||
193 | if (pids[i].level == 1) { | ||
194 | pid_print_list(i, 0); | ||
195 | int child = find_child(i); | ||
196 | if (child != -1) { | ||
197 | char *fname; | ||
198 | if (asprintf(&fname, "/proc/%d/net/fib_trie", child) == -1) | ||
199 | errExit("asprintf"); | ||
200 | extract_if(fname); | ||
201 | free(fname); | ||
202 | |||
203 | if (asprintf(&fname, "/proc/%d/net/route", child) == -1) | ||
204 | errExit("asprintf"); | ||
205 | print_route(fname); | ||
206 | free(fname); | ||
207 | printf("\n"); | ||
208 | } | ||
209 | } | ||
210 | } | ||
211 | } | ||
212 | |||
213 | |||
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c new file mode 100644 index 000000000..4ffc93f2e --- /dev/null +++ b/src/firemon/seccomp.c | |||
@@ -0,0 +1,69 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | |||
22 | #define MAXBUF 4098 | ||
23 | static void print_seccomp(int pid) { | ||
24 | char *file; | ||
25 | if (asprintf(&file, "/proc/%d/status", pid) == -1) { | ||
26 | errExit("asprintf"); | ||
27 | exit(1); | ||
28 | } | ||
29 | |||
30 | FILE *fp = fopen(file, "r"); | ||
31 | if (!fp) { | ||
32 | printf(" Error: cannot open %s\n", file); | ||
33 | free(file); | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | char buf[MAXBUF]; | ||
38 | while (fgets(buf, MAXBUF, fp)) { | ||
39 | if (strncmp(buf, "Seccomp:", 8) == 0) { | ||
40 | printf(" %s", buf); | ||
41 | fflush(0); | ||
42 | fclose(fp); | ||
43 | free(file); | ||
44 | return; | ||
45 | } | ||
46 | } | ||
47 | fclose(fp); | ||
48 | free(file); | ||
49 | } | ||
50 | |||
51 | void seccomp(pid_t pid) { | ||
52 | if (getuid() == 0) | ||
53 | firemon_drop_privs(); | ||
54 | |||
55 | pid_read(pid); // include all processes | ||
56 | |||
57 | // print processes | ||
58 | int i; | ||
59 | for (i = 0; i < max_pids; i++) { | ||
60 | if (pids[i].level == 1) { | ||
61 | pid_print_list(i, 0); | ||
62 | int child = find_child(i); | ||
63 | if (child != -1) | ||
64 | print_seccomp(child); | ||
65 | } | ||
66 | } | ||
67 | printf("\n"); | ||
68 | } | ||
69 | |||
diff --git a/src/firemon/top.c b/src/firemon/top.c new file mode 100644 index 000000000..1eb753694 --- /dev/null +++ b/src/firemon/top.c | |||
@@ -0,0 +1,297 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | #include <termios.h> | ||
22 | #include <sys/ioctl.h> | ||
23 | #include <sys/types.h> | ||
24 | #include <sys/stat.h> | ||
25 | #include <unistd.h> | ||
26 | |||
27 | static unsigned pgs_rss = 0; | ||
28 | static unsigned pgs_shared = 0; | ||
29 | static unsigned clocktick = 0; | ||
30 | static unsigned long long sysuptime = 0; | ||
31 | |||
32 | static char *get_header(void) { | ||
33 | char *rv; | ||
34 | if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", | ||
35 | "PID", "User", "RES(KiB)", "SHR(KiB)", "CPU%", "Prcs", "Uptime", "Command") == -1) | ||
36 | errExit("asprintf"); | ||
37 | |||
38 | return rv; | ||
39 | } | ||
40 | |||
41 | |||
42 | // recursivity!!! | ||
43 | static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigned *stime, unsigned itv, float *cpu, int *cnt) { | ||
44 | char *rv = NULL; | ||
45 | |||
46 | char procdir[20]; | ||
47 | snprintf(procdir, 20, "/proc/%u", index); | ||
48 | struct stat s; | ||
49 | if (stat(procdir, &s) == -1) | ||
50 | return NULL; | ||
51 | |||
52 | if (pids[index].level == 1) { | ||
53 | pgs_rss = 0; | ||
54 | pgs_shared = 0; | ||
55 | *utime = 0; | ||
56 | *stime = 0; | ||
57 | *cnt = 0; | ||
58 | } | ||
59 | |||
60 | (*cnt)++; | ||
61 | pid_getmem(index, &pgs_rss, &pgs_shared); | ||
62 | unsigned utmp; | ||
63 | unsigned stmp; | ||
64 | pid_get_cpu_time(index, &utmp, &stmp); | ||
65 | *utime += utmp; | ||
66 | *stime += stmp; | ||
67 | |||
68 | |||
69 | int i; | ||
70 | for (i = index + 1; i < max_pids; i++) { | ||
71 | if (pids[i].parent == index) | ||
72 | print_top(i, index, utime, stime, itv, cpu, cnt); | ||
73 | } | ||
74 | |||
75 | if (pids[index].level == 1) { | ||
76 | // pid | ||
77 | char pidstr[10]; | ||
78 | snprintf(pidstr, 10, "%u", index); | ||
79 | |||
80 | // command | ||
81 | char *cmd = pid_proc_cmdline(index); | ||
82 | char *ptrcmd; | ||
83 | if (cmd == NULL) { | ||
84 | if (pids[index].zombie) | ||
85 | ptrcmd = "(zombie)"; | ||
86 | else | ||
87 | ptrcmd = ""; | ||
88 | } | ||
89 | else | ||
90 | ptrcmd = cmd; | ||
91 | |||
92 | // user | ||
93 | char *user = pid_get_user_name(pids[index].uid); | ||
94 | char *ptruser; | ||
95 | if (user) | ||
96 | ptruser = user; | ||
97 | else | ||
98 | ptruser = ""; | ||
99 | |||
100 | // memory | ||
101 | int pgsz = getpagesize(); | ||
102 | char rss[10]; | ||
103 | snprintf(rss, 10, "%u", pgs_rss * pgsz / 1024); | ||
104 | char shared[10]; | ||
105 | snprintf(shared, 10, "%u", pgs_shared * pgsz / 1024); | ||
106 | |||
107 | // uptime | ||
108 | unsigned long long uptime = pid_get_start_time(index); | ||
109 | if (clocktick == 0) | ||
110 | clocktick = sysconf(_SC_CLK_TCK); | ||
111 | uptime /= clocktick; | ||
112 | uptime = sysuptime - uptime; | ||
113 | unsigned sec = uptime % 60; | ||
114 | uptime -= sec; | ||
115 | uptime /= 60; | ||
116 | unsigned min = uptime % 60; | ||
117 | uptime -= min; | ||
118 | uptime /= 60; | ||
119 | unsigned hour = uptime; | ||
120 | char uptime_str[50]; | ||
121 | snprintf(uptime_str, 50, "%02u:%02u:%02u", hour, min, sec); | ||
122 | |||
123 | // cpu | ||
124 | itv *= clocktick; | ||
125 | float ud = (float) (*utime - pids[index].utime) / itv * 100; | ||
126 | float sd = (float) (*stime - pids[index].stime) / itv * 100; | ||
127 | float cd = ud + sd; | ||
128 | *cpu = cd; | ||
129 | char cpu_str[10]; | ||
130 | snprintf(cpu_str, 10, "%2.1f", cd); | ||
131 | |||
132 | // process count | ||
133 | char prcs_str[10]; | ||
134 | snprintf(prcs_str, 10, "%d", *cnt); | ||
135 | |||
136 | if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", | ||
137 | pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1) | ||
138 | errExit("asprintf"); | ||
139 | |||
140 | if (cmd) | ||
141 | free(cmd); | ||
142 | if (user) | ||
143 | free(user); | ||
144 | |||
145 | } | ||
146 | |||
147 | return rv; | ||
148 | } | ||
149 | |||
150 | |||
151 | typedef struct node_t { | ||
152 | struct node_t *next; | ||
153 | char *line; | ||
154 | float cpu; | ||
155 | } Node; | ||
156 | |||
157 | static Node *head = NULL; | ||
158 | |||
159 | static void head_clear(void) { | ||
160 | Node *ptr = head; | ||
161 | while (ptr) { | ||
162 | if (ptr->line) | ||
163 | free(ptr->line); | ||
164 | Node *next = ptr->next; | ||
165 | free(ptr); | ||
166 | ptr = next; | ||
167 | } | ||
168 | |||
169 | head = NULL; | ||
170 | } | ||
171 | |||
172 | static void head_add(float cpu, char *line) { | ||
173 | // allocate a new node structure | ||
174 | Node *node = malloc(sizeof(Node)); | ||
175 | if (!node) | ||
176 | errExit("malloc"); | ||
177 | node->line = line; | ||
178 | node->cpu = cpu; | ||
179 | node->next = NULL; | ||
180 | |||
181 | // insert in first list position | ||
182 | if (head == NULL || head->cpu < cpu) { | ||
183 | node->next = head; | ||
184 | head = node; | ||
185 | return; | ||
186 | } | ||
187 | |||
188 | // insert in the right place | ||
189 | Node *ptr = head; | ||
190 | while (1) { | ||
191 | // last position | ||
192 | Node *current = ptr->next; | ||
193 | if (current == NULL) { | ||
194 | ptr->next = node; | ||
195 | return; | ||
196 | } | ||
197 | |||
198 | // current position | ||
199 | if (current->cpu < cpu) { | ||
200 | ptr->next = node; | ||
201 | node->next = current; | ||
202 | return; | ||
203 | } | ||
204 | |||
205 | ptr = current; | ||
206 | } | ||
207 | } | ||
208 | |||
209 | void head_print(int col, int row) { | ||
210 | Node *ptr = head; | ||
211 | int current = 0; | ||
212 | while (ptr) { | ||
213 | if (current >= row) | ||
214 | break; | ||
215 | |||
216 | if (strlen(ptr->line) > col) | ||
217 | ptr->line[col] = '\0'; | ||
218 | |||
219 | if (ptr->next == NULL || current == (row - 1)) { | ||
220 | printf("%s", ptr->line); | ||
221 | fflush(0); | ||
222 | } | ||
223 | else | ||
224 | printf("%s\n", ptr->line); | ||
225 | |||
226 | ptr = ptr->next; | ||
227 | current++; | ||
228 | } | ||
229 | } | ||
230 | |||
231 | void top(void) { | ||
232 | if (getuid() == 0) | ||
233 | firemon_drop_privs(); | ||
234 | |||
235 | while (1) { | ||
236 | // clear linked list | ||
237 | head_clear(); | ||
238 | |||
239 | // set pid table | ||
240 | int i; | ||
241 | int itv = 5; // 5 second interval | ||
242 | pid_read(0); | ||
243 | |||
244 | // start cpu measurements | ||
245 | unsigned utime = 0; | ||
246 | unsigned stime = 0; | ||
247 | for (i = 0; i < max_pids; i++) { | ||
248 | if (pids[i].level == 1) | ||
249 | pid_store_cpu(i, 0, &utime, &stime); | ||
250 | } | ||
251 | |||
252 | // wait 5 seconds | ||
253 | firemon_sleep(itv); | ||
254 | |||
255 | // grab screen size | ||
256 | struct winsize sz; | ||
257 | int row = 24; | ||
258 | int col = 80; | ||
259 | if (!ioctl(0, TIOCGWINSZ, &sz)) { | ||
260 | col = sz.ws_col; | ||
261 | row = sz.ws_row; | ||
262 | } | ||
263 | |||
264 | // start printing | ||
265 | firemon_clrscr(); | ||
266 | char *header = get_header(); | ||
267 | if (strlen(header) > col) | ||
268 | header[col] = '\0'; | ||
269 | printf("%s\n", header); | ||
270 | if (row > 0) | ||
271 | row--; | ||
272 | free(header); | ||
273 | |||
274 | // find system uptime | ||
275 | FILE *fp = fopen("/proc/uptime", "r"); | ||
276 | if (fp) { | ||
277 | float f; | ||
278 | int rv = fscanf(fp, "%f", &f); | ||
279 | (void) rv; | ||
280 | sysuptime = (unsigned long long) f; | ||
281 | fclose(fp); | ||
282 | } | ||
283 | |||
284 | // print processes | ||
285 | for (i = 0; i < max_pids; i++) { | ||
286 | if (pids[i].level == 1) { | ||
287 | float cpu = 0; | ||
288 | int cnt = 0; // process count | ||
289 | char *line = print_top(i, 0, &utime, &stime, itv, &cpu, &cnt); | ||
290 | if (line) | ||
291 | head_add(cpu, line); | ||
292 | } | ||
293 | } | ||
294 | head_print(col, row); | ||
295 | } | ||
296 | } | ||
297 | |||
diff --git a/src/firemon/tree.c b/src/firemon/tree.c new file mode 100644 index 000000000..97e0e1f13 --- /dev/null +++ b/src/firemon/tree.c | |||
@@ -0,0 +1,36 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | |||
22 | void tree(pid_t pid) { | ||
23 | if (getuid() == 0) | ||
24 | firemon_drop_privs(); | ||
25 | |||
26 | pid_read(pid); // include all processes | ||
27 | |||
28 | // print processes | ||
29 | int i; | ||
30 | for (i = 0; i < max_pids; i++) { | ||
31 | if (pids[i].level == 1) | ||
32 | pid_print_tree(i, 0, arg_nowrap); | ||
33 | } | ||
34 | printf("\n"); | ||
35 | } | ||
36 | |||
diff --git a/src/firemon/usage.c b/src/firemon/usage.c new file mode 100644 index 000000000..52788807a --- /dev/null +++ b/src/firemon/usage.c | |||
@@ -0,0 +1,77 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firemon.h" | ||
21 | |||
22 | void usage(void) { | ||
23 | printf("firemon - version %s\n", VERSION); | ||
24 | printf("Usage: firemon [OPTIONS] [PID]\n\n"); | ||
25 | printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n"); | ||
26 | printf("all processes started by Firejail are monitored. Descendants of these processes\n"); | ||
27 | printf("are also being monitored.\n\n"); | ||
28 | printf("Options:\n"); | ||
29 | printf("\t--arp - print ARP table for each sandbox.\n\n"); | ||
30 | printf("\t--caps - print capabilities configuration for each sandbox.\n\n"); | ||
31 | printf("\t--cgroup - print control group information for each sandbox.\n\n"); | ||
32 | printf("\t--cpu - print CPU affinity for each sandbox.\n\n"); | ||
33 | printf("\t--help, -? - this help screen.\n\n"); | ||
34 | printf("\t--interface - print network interface information for each sandbox.\n\n"); | ||
35 | printf("\t--list - list all sandboxes.\n\n"); | ||
36 | printf("\t--name=name - print information only about named sandbox.\n\n"); | ||
37 | printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); | ||
38 | printf("\t\tnetwork namespace.\n\n"); | ||
39 | printf("\t--route - print route table for each sandbox.\n\n"); | ||
40 | printf("\t--seccomp - print seccomp configuration for each sandbox.\n\n"); | ||
41 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); | ||
42 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); | ||
43 | printf("\t--version - print program version and exit.\n\n"); | ||
44 | |||
45 | printf("Without any options, firemon monitors all fork, exec, id change, and exit events\n"); | ||
46 | printf("in the sandbox. Monitoring a specific PID is also supported.\n\n"); | ||
47 | |||
48 | printf("Option --list prints a list of all sandboxes. The format for each entry is as\n"); | ||
49 | printf("follows:\n\n"); | ||
50 | printf("\tPID:USER:Command\n\n"); | ||
51 | |||
52 | printf("Option --tree prints the tree of processes running in the sandbox. The format\n"); | ||
53 | printf("for each process entry is as follows:\n\n"); | ||
54 | printf("\tPID:USER:Command\n\n"); | ||
55 | |||
56 | printf("Option --top is similar to the UNIX top command, however it applies only to\n"); | ||
57 | printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n"); | ||
58 | printf("order:\n\n"); | ||
59 | printf("\tCommand - command used to start the sandbox.\n"); | ||
60 | printf("\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"); | ||
61 | printf("\t last screen update\n"); | ||
62 | printf("\tPID - Unique process ID for the task controlling the sandbox.\n"); | ||
63 | printf("\tPrcs - number of processes running in sandbox, including the controlling\n"); | ||
64 | printf("\t process.\n"); | ||
65 | printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); | ||
66 | printf("\t It is a sum of the RES values for all processes running in the\n"); | ||
67 | printf("\t sandbox.\n"); | ||
68 | printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); | ||
69 | printf("\t processes. It is a sum of the SHR values for all processes running\n"); | ||
70 | printf("\t in the sandbox, including the controlling process.\n"); | ||
71 | printf("\tUptime - sandbox running time in hours:minutes:seconds format.\n"); | ||
72 | printf("\tUser - The owner of the sandbox.\n"); | ||
73 | printf("\n"); | ||
74 | printf("License GPL version 2 or later\n"); | ||
75 | printf("Homepage: http://firejail.sourceforge.net\n"); | ||
76 | printf("\n"); | ||
77 | } | ||