profile stats

author: netblue30 <netblue30@yahoo.com> 2020-03-19 08:28:58 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-03-19 08:28:58 -0400
commit: 61295cefe491504ed50a2046f6cd9e3786370538 (patch)
tree: eead56fd8b0723accf6a72383bde4b3c0866f081 /src/profstats
parent: misc fixes (diff)
download: firejail-61295cefe491504ed50a2046f6cd9e3786370538.tar.gz
firejail-61295cefe491504ed50a2046f6cd9e3786370538.tar.zst
firejail-61295cefe491504ed50a2046f6cd9e3786370538.zip
2 files changed, 254 insertions, 0 deletions
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
new file mode 100644
index 000000000..4ada23c23
--- /dev/null
+++ b/src/profstats/Makefile.in
@@ -0,0 +1,14 @@
+all: ../../etc/profstats
+include ../common.mk
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+../../etc/profstats: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+clean:; rm -fr *.o ../../etc/profstats *.gcov *.gcda *.gcno *.plist
+distclean: clean
+        rm -fr Makefile
diff --git a/src/profstats/main.c b/src/profstats/main.c
new file mode 100644
index 000000000..775142643
--- /dev/null
+++ b/src/profstats/main.c
@@ -0,0 +1,240 @@
+ /*
+ * Copyright (C) 2014-2020 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#define MAXBUF 2048
+// stats
+static int cnt_profiles = 0;
+static int cnt_apparmor = 0;
+static int cnt_seccomp = 0;
+static int cnt_caps = 0;
+static int cnt_dotlocal = 0;
+static int cnt_globalsdotlocal = 0;
+static int cnt_netnone = 0;
+static int cnt_noexec = 0;      // include disable-exec.inc
+static int cnt_privatedev = 0;
+static int cnt_privatetmp = 0;
+static int cnt_whitelistvar = 0;        // include whitelist-var-common.inc
+static int cnt_ssh = 0;
+static int level = 0;
+static int arg_debug = 0;
+static int arg_apparmor = 0;
+static int arg_caps = 0;
+static int arg_seccomp = 0;
+static int arg_noexec = 0;
+static int arg_privatedev = 0;
+static int arg_privatetmp = 0;
+static int arg_whitelistvar = 0;
+static int arg_ssh = 0;
+static void usage(void) {
+        printf("proftool - print profile statistics\n");
+        printf("Usage: proftool [options] file[s]\n");
+        printf("Options:\n");
+        printf("   --apparmor - print profiles without apparmor\n");
+        printf("   --caps - print profiles without caps\n");
+        printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
+        printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
+        printf("   --private-dev - print profiles without private-dev\n");
+        printf("   --private-tmp - print profiles without private-tmp\n");
+        printf("   --seccomp - print profiles without seccomp\n");
+        printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+        printf("   --debug\n");
+        printf("\n");
+}
+void process_file(const char *fname) {
+        assert(fname);
+        if (arg_debug)
+                printf("processing #%s#\n", fname);
+        level++;
+        assert(level < 32); // to do - check in firejail code
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                ptr = buf;
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                if (*ptr == '\n' || *ptr == '#')
+                        continue;
+                if (strncmp(ptr, "seccomp", 7) == 0)
+                        cnt_seccomp++;
+                else if (strncmp(ptr, "caps", 4) == 0)
+                        cnt_caps++;
+                else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
+                        cnt_noexec++;
+                else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
+                        cnt_whitelistvar++;
+                else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
+                        cnt_ssh++;
+                else if (strncmp(ptr, "net none", 8) == 0)
+                        cnt_netnone++;
+                else if (strncmp(ptr, "apparmor", 8) == 0)
+                        cnt_apparmor++;
+                else if (strncmp(ptr, "private-dev", 11) == 0)
+                        cnt_privatedev++;
+                else if (strncmp(ptr, "private-tmp", 11) == 0)
+                        cnt_privatetmp++;
+                else if (strncmp(ptr, "include ", 8) == 0) {
+                        // not processing .local files
+                        if (strstr(ptr, ".local")) {
+//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
+                                if (strstr(ptr, "globals.local"))
+                                        cnt_globalsdotlocal++;
+                                else
+                                        cnt_dotlocal++;
+                                continue;
+                        }
+                        process_file(buf + 8);
+                }
+        }
+        fclose(fp);
+        level--;
+}
+int main(int argc, char **argv) {
+        if (argc <= 1) {
+                usage();
+                return 1;
+        }
+        int start = 1;
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
+                else if (strcmp(argv[i], "--caps") == 0)
+                        arg_caps = 1;
+                else if (strcmp(argv[i], "--seccomp") == 0)
+                        arg_seccomp = 1;
+                else if (strcmp(argv[i], "--noexec") == 0)
+                        arg_noexec = 1;
+                else if (strcmp(argv[i], "--private-dev") == 0)
+                        arg_privatedev = 1;
+                else if (strcmp(argv[i], "--private-tmp") == 0)
+                        arg_privatetmp = 1;
+                else if (strcmp(argv[i], "--whitelist-var") == 0)
+                        arg_whitelistvar = 1;
+                else if (strcmp(argv[i], "--ssh") == 0)
+                        arg_ssh = 1;
+                else if (*argv[i] == '-') {
+                        fprintf(stderr, "Error: invalid option %s\n", argv[i]);
+                        return 1;
+                 }
+                 else
+                        break;
+        }
+        start = i;
+        if (i == argc) {
+                fprintf(stderr, "Error: no porfile file specified\n");
+                return 1;
+        }
+        for (i = start; i < argc; i++) {
+                cnt_profiles++;
+                // watch seccomp
+                int seccomp = cnt_seccomp;
+                int caps = cnt_caps;
+                int apparmor = cnt_apparmor;
+                int noexec = cnt_noexec;
+                int privatetmp = cnt_privatetmp;
+                int privatedev = cnt_privatedev;
+                int dotlocal = cnt_dotlocal;
+                int globalsdotlocal = cnt_globalsdotlocal;
+                int whitelistvar = cnt_whitelistvar;
+                int ssh = cnt_ssh;
+                // process file
+                process_file(argv[i]);
+                // warnings
+                if ((caps + 2) <= cnt_caps) {
+                        printf("Warning: multiple caps in %s\n", argv[i]);
+                        cnt_caps = caps + 1;
+                }
+                // fix redirections
+                if (cnt_dotlocal > (dotlocal + 1))
+                        cnt_dotlocal = dotlocal + 1;
+                if (cnt_globalsdotlocal > (globalsdotlocal + 1))
+                        cnt_globalsdotlocal = globalsdotlocal + 1;
+                if (arg_apparmor && apparmor == cnt_apparmor)
+                        printf("No apparmor found in %s\n", argv[i]);
+                if (arg_caps && caps == cnt_caps)
+                        printf("No caps found in %s\n", argv[i]);
+                if (arg_seccomp && seccomp == cnt_seccomp)
+                        printf("No seccomp found in %s\n", argv[i]);
+                if (arg_noexec && noexec == cnt_noexec)
+                        printf("No include disable-exec.inc found in %s\n", argv[i]);
+                if (arg_privatedev && privatedev == cnt_privatedev)
+                        printf("No private-dev found in %s\n", argv[i]);
+                if (arg_privatetmp && privatetmp == cnt_privatetmp)
+                        printf("No private-tmp found in %s\n", argv[i]);
+                if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
+                        printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+                if (arg_ssh && ssh == cnt_ssh)
+                        printf("No include disable-common.inc found in %s\n", argv[i]);
+                assert(level == 0);
+        }
+        printf("\n");
+        printf("Stats:\n");
+        printf("    profiles\t\t\t%d\n", cnt_profiles);
+        printf("    include local profile\t%d   (include profile-name.local)\n", cnt_dotlocal);
+        printf("    include globals\t\t%d   (include globals.local)\n", cnt_dotlocal);
+        printf("    blacklist ~/.ssh\t\t%d   (include disable-common.inc)\n", cnt_ssh);
+        printf("    seccomp\t\t\t%d\n", cnt_seccomp);
+        printf("    capabilities\t\t%d\n", cnt_caps);
+        printf("    noexec\t\t\t%d   (include disable-exec.inc)\n", cnt_noexec);
+        printf("    apparmor\t\t\t%d\n", cnt_apparmor);
+        printf("    private-dev\t\t\t%d\n", cnt_privatedev);
+        printf("    private-tmp\t\t\t%d\n", cnt_privatetmp);
+        printf("    whitelist var directory\t%d   (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+        printf("    net none\t\t\t%d\n", cnt_netnone);
+        printf("\n");
+        return 0;
+}
+\ No newline at end of file
author	netblue30 <netblue30@yahoo.com>	2020-03-19 08:28:58 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-03-19 08:28:58 -0400
commit	61295cefe491504ed50a2046f6cd9e3786370538 (patch)
tree	eead56fd8b0723accf6a72383bde4b3c0866f081 /src/profstats
parent	misc fixes (diff)
download	firejail-61295cefe491504ed50a2046f6cd9e3786370538.tar.gz firejail-61295cefe491504ed50a2046f6cd9e3786370538.tar.zst firejail-61295cefe491504ed50a2046f6cd9e3786370538.zip

diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in new file mode 100644 index 000000000..4ada23c23 --- /dev/null +++ b/src/profstats/Makefile.in
@@ -0,0 +1,14 @@
	1	all: ../../etc/profstats
	2
	3	include ../common.mk
	4
	5	%.o : %.c $(H_FILE_LIST)
	6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
	7
	8	../../etc/profstats: $(OBJS)
	9	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
	10
	11	clean:; rm -fr .o ../../etc/profstats .gcov .gcda .gcno *.plist
	12
	13	distclean: clean
	14	rm -fr Makefile


diff --git a/src/profstats/main.c b/src/profstats/main.c new file mode 100644 index 000000000..775142643 --- /dev/null +++ b/src/profstats/main.c
@@ -0,0 +1,240 @@
	1	/*
	2	* Copyright (C) 2014-2020 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include <stdio.h>
	21	#include <stdlib.h>
	22	#include <string.h>
	23	#include <assert.h>
	24
	25	#define MAXBUF 2048
	26	// stats
	27	static int cnt_profiles = 0;
	28	static int cnt_apparmor = 0;
	29	static int cnt_seccomp = 0;
	30	static int cnt_caps = 0;
	31	static int cnt_dotlocal = 0;
	32	static int cnt_globalsdotlocal = 0;
	33	static int cnt_netnone = 0;
	34	static int cnt_noexec = 0; // include disable-exec.inc
	35	static int cnt_privatedev = 0;
	36	static int cnt_privatetmp = 0;
	37	static int cnt_whitelistvar = 0; // include whitelist-var-common.inc
	38	static int cnt_ssh = 0;
	39
	40	static int level = 0;
	41	static int arg_debug = 0;
	42	static int arg_apparmor = 0;
	43	static int arg_caps = 0;
	44	static int arg_seccomp = 0;
	45	static int arg_noexec = 0;
	46	static int arg_privatedev = 0;
	47	static int arg_privatetmp = 0;
	48	static int arg_whitelistvar = 0;
	49	static int arg_ssh = 0;
	50
	51	static void usage(void) {
	52	printf("proftool - print profile statistics\n");
	53	printf("Usage: proftool [options] file[s]\n");
	54	printf("Options:\n");
	55	printf(" --apparmor - print profiles without apparmor\n");
	56	printf(" --caps - print profiles without caps\n");
	57	printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
	58	printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
	59	printf(" --private-dev - print profiles without private-dev\n");
	60	printf(" --private-tmp - print profiles without private-tmp\n");
	61	printf(" --seccomp - print profiles without seccomp\n");
	62	printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
	63	printf(" --debug\n");
	64	printf("\n");
	65	}
	66
	67	void process_file(const char *fname) {
	68	assert(fname);
	69
	70	if (arg_debug)
	71	printf("processing #%s#\n", fname);
	72	level++;
	73	assert(level < 32); // to do - check in firejail code
	74
	75	FILE *fp = fopen(fname, "r");
	76	if (!fp) {
	77	fprintf(stderr, "Error: cannot open %s\n", fname);
	78	exit(1);
	79	}
	80
	81	char buf[MAXBUF];
	82	while (fgets(buf, MAXBUF, fp)) {
	83	char *ptr = strchr(buf, '\n');
	84	if (ptr)
	85	*ptr = '\0';
	86	ptr = buf;
	87
	88	while (ptr == ' ' \|\| ptr == '\t')
	89	ptr++;
	90	if (ptr == '\n' \|\| ptr == '#')
	91	continue;
	92
	93	if (strncmp(ptr, "seccomp", 7) == 0)
	94	cnt_seccomp++;
	95	else if (strncmp(ptr, "caps", 4) == 0)
	96	cnt_caps++;
	97	else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
	98	cnt_noexec++;
	99	else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
	100	cnt_whitelistvar++;
	101	else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
	102	cnt_ssh++;
	103	else if (strncmp(ptr, "net none", 8) == 0)
	104	cnt_netnone++;
	105	else if (strncmp(ptr, "apparmor", 8) == 0)
	106	cnt_apparmor++;
	107	else if (strncmp(ptr, "private-dev", 11) == 0)
	108	cnt_privatedev++;
	109	else if (strncmp(ptr, "private-tmp", 11) == 0)
	110	cnt_privatetmp++;
	111	else if (strncmp(ptr, "include ", 8) == 0) {
	112	// not processing .local files
	113	if (strstr(ptr, ".local")) {
	114	//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
	115	if (strstr(ptr, "globals.local"))
	116	cnt_globalsdotlocal++;
	117	else
	118	cnt_dotlocal++;
	119	continue;
	120	}
	121	process_file(buf + 8);
	122	}
	123	}
	124
	125	fclose(fp);
	126	level--;
	127	}
	128
	129	int main(int argc, char **argv) {
	130	if (argc <= 1) {
	131	usage();
	132	return 1;
	133	}
	134
	135	int start = 1;
	136	int i;
	137	for (i = 1; i < argc; i++) {
	138	if (strcmp(argv[i], "--help") == 0) {
	139	usage();
	140	return 0;
	141	}
	142	else if (strcmp(argv[i], "--debug") == 0)
	143	arg_debug = 1;
	144	else if (strcmp(argv[i], "--apparmor") == 0)
	145	arg_apparmor = 1;
	146	else if (strcmp(argv[i], "--caps") == 0)
	147	arg_caps = 1;
	148	else if (strcmp(argv[i], "--seccomp") == 0)
	149	arg_seccomp = 1;
	150	else if (strcmp(argv[i], "--noexec") == 0)
	151	arg_noexec = 1;
	152	else if (strcmp(argv[i], "--private-dev") == 0)
	153	arg_privatedev = 1;
	154	else if (strcmp(argv[i], "--private-tmp") == 0)
	155	arg_privatetmp = 1;
	156	else if (strcmp(argv[i], "--whitelist-var") == 0)
	157	arg_whitelistvar = 1;
	158	else if (strcmp(argv[i], "--ssh") == 0)
	159	arg_ssh = 1;
	160	else if (*argv[i] == '-') {
	161	fprintf(stderr, "Error: invalid option %s\n", argv[i]);
	162	return 1;
	163	}
	164	else
	165	break;
	166	}
	167
	168	start = i;
	169	if (i == argc) {
	170	fprintf(stderr, "Error: no porfile file specified\n");
	171	return 1;
	172	}
	173
	174	for (i = start; i < argc; i++) {
	175	cnt_profiles++;
	176
	177	// watch seccomp
	178	int seccomp = cnt_seccomp;
	179	int caps = cnt_caps;
	180	int apparmor = cnt_apparmor;
	181	int noexec = cnt_noexec;
	182	int privatetmp = cnt_privatetmp;
	183	int privatedev = cnt_privatedev;
	184	int dotlocal = cnt_dotlocal;
	185	int globalsdotlocal = cnt_globalsdotlocal;
	186	int whitelistvar = cnt_whitelistvar;
	187	int ssh = cnt_ssh;
	188
	189	// process file
	190	process_file(argv[i]);
	191
	192	// warnings
	193	if ((caps + 2) <= cnt_caps) {
	194	printf("Warning: multiple caps in %s\n", argv[i]);
	195	cnt_caps = caps + 1;
	196	}
	197
	198	// fix redirections
	199	if (cnt_dotlocal > (dotlocal + 1))
	200	cnt_dotlocal = dotlocal + 1;
	201	if (cnt_globalsdotlocal > (globalsdotlocal + 1))
	202	cnt_globalsdotlocal = globalsdotlocal + 1;
	203
	204	if (arg_apparmor && apparmor == cnt_apparmor)
	205	printf("No apparmor found in %s\n", argv[i]);
	206	if (arg_caps && caps == cnt_caps)
	207	printf("No caps found in %s\n", argv[i]);
	208	if (arg_seccomp && seccomp == cnt_seccomp)
	209	printf("No seccomp found in %s\n", argv[i]);
	210	if (arg_noexec && noexec == cnt_noexec)
	211	printf("No include disable-exec.inc found in %s\n", argv[i]);
	212	if (arg_privatedev && privatedev == cnt_privatedev)
	213	printf("No private-dev found in %s\n", argv[i]);
	214	if (arg_privatetmp && privatetmp == cnt_privatetmp)
	215	printf("No private-tmp found in %s\n", argv[i]);
	216	if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
	217	printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
	218	if (arg_ssh && ssh == cnt_ssh)
	219	printf("No include disable-common.inc found in %s\n", argv[i]);
	220
	221	assert(level == 0);
	222	}
	223
	224	printf("\n");
	225	printf("Stats:\n");
	226	printf(" profiles\t\t\t%d\n", cnt_profiles);
	227	printf(" include local profile\t%d (include profile-name.local)\n", cnt_dotlocal);
	228	printf(" include globals\t\t%d (include globals.local)\n", cnt_dotlocal);
	229	printf(" blacklist ~/.ssh\t\t%d (include disable-common.inc)\n", cnt_ssh);
	230	printf(" seccomp\t\t\t%d\n", cnt_seccomp);
	231	printf(" capabilities\t\t%d\n", cnt_caps);
	232	printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
	233	printf(" apparmor\t\t\t%d\n", cnt_apparmor);
	234	printf(" private-dev\t\t\t%d\n", cnt_privatedev);
	235	printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
	236	printf(" whitelist var directory\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
	237	printf(" net none\t\t\t%d\n", cnt_netnone);
	238	printf("\n");
	239	return 0;
	240	} \ No newline at end of file