diff options
| author |  netblue30 <netblue30@protonmail.com> | 2022-12-26 09:49:42 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2022-12-26 09:49:42 -0500 |
| commit | e80fae7472b090ebf7ac007c26a2063dfc56006a (patch) | |
| tree | 8ce88c6e0eb5e51746c982de4cee36d708b02fc1 /src/profstats | |
| parent | testing (diff) | |
| download | firejail-e80fae7472b090ebf7ac007c26a2063dfc56006a.tar.gz firejail-e80fae7472b090ebf7ac007c26a2063dfc56006a.tar.zst firejail-e80fae7472b090ebf7ac007c26a2063dfc56006a.zip | |
restrict-namespaces stats
Diffstat (limited to 'src/profstats')
| -rw-r--r-- | src/profstats/main.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/profstats/main.c b/src/profstats/main.c index 9deb72f7e..310319c69 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
| @@ -25,6 +25,7 @@ | |||
| 25 | static int cnt_profiles = 0; | 25 | static int cnt_profiles = 0; |
| 26 | static int cnt_apparmor = 0; | 26 | static int cnt_apparmor = 0; |
| 27 | static int cnt_seccomp = 0; | 27 | static int cnt_seccomp = 0; |
| 28 | static int cnt_restrict_namespaces = 0; | ||
| 28 | static int cnt_caps = 0; | 29 | static int cnt_caps = 0; |
| 29 | static int cnt_dbus_system_none = 0; | 30 | static int cnt_dbus_system_none = 0; |
| 30 | static int cnt_dbus_user_none = 0; | 31 | static int cnt_dbus_user_none = 0; |
| @@ -69,6 +70,7 @@ static int arg_whitelisthome = 0; | |||
| 69 | static int arg_noroot = 0; | 70 | static int arg_noroot = 0; |
| 70 | static int arg_print_blacklist = 0; | 71 | static int arg_print_blacklist = 0; |
| 71 | static int arg_print_whitelist = 0; | 72 | static int arg_print_whitelist = 0; |
| 73 | static int arg_restrict_namespaces = 0; | ||
| 72 | 74 | ||
| 73 | static char *profile = NULL; | 75 | static char *profile = NULL; |
| 74 | 76 | ||
| @@ -91,6 +93,7 @@ static void usage(void) { | |||
| 91 | printf(" --print-whitelist - print all --private and --whitelist for a profile\n"); | 93 | printf(" --print-whitelist - print all --private and --whitelist for a profile\n"); |
| 92 | printf(" --seccomp - print profiles without seccomp\n"); | 94 | printf(" --seccomp - print profiles without seccomp\n"); |
| 93 | printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"); | 95 | printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"); |
| 96 | printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n"); | ||
| 94 | printf(" --whitelist-home - print profiles whitelisting home directory\n"); | 97 | printf(" --whitelist-home - print profiles whitelisting home directory\n"); |
| 95 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); | 98 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); |
| 96 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); | 99 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); |
| @@ -152,6 +155,8 @@ static void process_file(char *fname) { | |||
| 152 | 155 | ||
| 153 | if (strncmp(ptr, "seccomp", 7) == 0) | 156 | if (strncmp(ptr, "seccomp", 7) == 0) |
| 154 | cnt_seccomp++; | 157 | cnt_seccomp++; |
| 158 | if (strncmp(ptr, "restrict-namespaces", 19) == 0) | ||
| 159 | cnt_restrict_namespaces++; | ||
| 155 | else if (strncmp(ptr, "caps", 4) == 0) | 160 | else if (strncmp(ptr, "caps", 4) == 0) |
| 156 | cnt_caps++; | 161 | cnt_caps++; |
| 157 | else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) | 162 | else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) |
| @@ -242,6 +247,8 @@ int main(int argc, char **argv) { | |||
| 242 | arg_caps = 1; | 247 | arg_caps = 1; |
| 243 | else if (strcmp(argv[i], "--seccomp") == 0) | 248 | else if (strcmp(argv[i], "--seccomp") == 0) |
| 244 | arg_seccomp = 1; | 249 | arg_seccomp = 1; |
| 250 | else if (strcmp(argv[i], "--restrict-namespaces") == 0) | ||
| 251 | arg_restrict_namespaces = 1; | ||
| 245 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) | 252 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) |
| 246 | arg_mdwx = 1; | 253 | arg_mdwx = 1; |
| 247 | else if (strcmp(argv[i], "--noexec") == 0) | 254 | else if (strcmp(argv[i], "--noexec") == 0) |
| @@ -291,7 +298,7 @@ int main(int argc, char **argv) { | |||
| 291 | for (i = start; i < argc; i++) { | 298 | for (i = start; i < argc; i++) { |
| 292 | cnt_profiles++; | 299 | cnt_profiles++; |
| 293 | 300 | ||
| 294 | // watch seccomp | 301 | int restrict_namespaces = cnt_restrict_namespaces; |
| 295 | int seccomp = cnt_seccomp; | 302 | int seccomp = cnt_seccomp; |
| 296 | int caps = cnt_caps; | 303 | int caps = cnt_caps; |
| 297 | int apparmor = cnt_apparmor; | 304 | int apparmor = cnt_apparmor; |
| @@ -334,6 +341,8 @@ int main(int argc, char **argv) { | |||
| 334 | cnt_whitelistrunuser = whitelistrunuser + 1; | 341 | cnt_whitelistrunuser = whitelistrunuser + 1; |
| 335 | if (cnt_seccomp > (seccomp + 1)) | 342 | if (cnt_seccomp > (seccomp + 1)) |
| 336 | cnt_seccomp = seccomp + 1; | 343 | cnt_seccomp = seccomp + 1; |
| 344 | if (cnt_restrict_namespaces > (restrict_namespaces + 1)) | ||
| 345 | cnt_seccomp = restrict_namespaces + 1; | ||
| 337 | if (cnt_dbus_user_none > (dbususernone + 1)) | 346 | if (cnt_dbus_user_none > (dbususernone + 1)) |
| 338 | cnt_dbus_user_none = dbususernone + 1; | 347 | cnt_dbus_user_none = dbususernone + 1; |
| 339 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) | 348 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) |
| @@ -353,6 +362,8 @@ int main(int argc, char **argv) { | |||
| 353 | printf("No caps found in %s\n", argv[i]); | 362 | printf("No caps found in %s\n", argv[i]); |
| 354 | if (arg_seccomp && seccomp == cnt_seccomp) | 363 | if (arg_seccomp && seccomp == cnt_seccomp) |
| 355 | printf("No seccomp found in %s\n", argv[i]); | 364 | printf("No seccomp found in %s\n", argv[i]); |
| 365 | if (arg_restrict_namespaces && restrict_namespaces == cnt_restrict_namespaces) | ||
| 366 | printf("No restrict-namespaces found in %s\n", argv[i]); | ||
| 356 | if (arg_noexec && noexec == cnt_noexec) | 367 | if (arg_noexec && noexec == cnt_noexec) |
| 357 | printf("No include disable-exec.inc found in %s\n", argv[i]); | 368 | printf("No include disable-exec.inc found in %s\n", argv[i]); |
| 358 | if (arg_noroot && noroot == cnt_noroot) | 369 | if (arg_noroot && noroot == cnt_noroot) |
| @@ -397,6 +408,7 @@ int main(int argc, char **argv) { | |||
| 397 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); | 408 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); |
| 398 | printf(" noroot\t\t\t%d\n", cnt_noroot); | 409 | printf(" noroot\t\t\t%d\n", cnt_noroot); |
| 399 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); | 410 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); |
| 411 | printf(" restrict-namespaces\t\t%d\n", cnt_restrict_namespaces); | ||
| 400 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); | 412 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); |
| 401 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); | 413 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); |
| 402 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); | 414 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); |