author | netblue30 <netblue30@yahoo.com> | 2020-10-02 12:43:56 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-10-02 12:43:56 -0400 |
commit | 2b0fe9759501818b10e0654e7f83383bb4b8e8a4 (patch) | |
tree | 998e9a852ca75eba18c145f1f9e27bb50d4d829a /src | |
parent | splitting up media players whitelists in whitelist-players.inc - relnotes (diff) | |
profstats - add count for whitelisted home dir, dbus-user none
Diffstat (limited to 'src')
-rw-r--r-- | src/profstats/main.c | 22 |
1 files changed, 22 insertions, 0 deletions
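--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -29,6 +29,7 @@ static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
+static int cnt_dbus_user_none = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -42,6 +43,7 @@ static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc
 static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 static int cnt_mdwx = 0;
+static int cnt_whitelisthome = 0;
 
 static int level = 0;
 static int arg_debug = 0;
@@ -59,6 +61,8 @@ static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 static int arg_mdwx = 0;
 static int arg_dbus_system_none = 0;
+static int arg_dbus_user_none = 0;
+static int arg_whitelisthome = 0;
 
 
 static char *profile = NULL;
@@ -71,6 +75,7 @@ static void usage(void) {
 printf(" --apparmor - print profiles without apparmor\n");
 printf(" --caps - print profiles without caps\n");
 printf(" --dbus-system-none - profiles without \"dbus-system none\"\n");
+printf(" --dbus-user-none - profiles without \"dbus-user none\"\n");
 printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
 printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
 printf(" --private-bin - print profiles without private-bin\n");
@@ -79,6 +84,7 @@ static void usage(void) {
 printf(" --private-tmp - print profiles without private-tmp\n");
 printf(" --seccomp - print profiles without seccomp\n");
 printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n");
+printf(" --whitelist-home - print profiles whitelisting home directory\n");
 printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
 printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
 printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
@@ -124,6 +130,8 @@ void process_file(const char *fname) {
 else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
 strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0)
 cnt_whitelistrunuser++;
+else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0)
+cnt_whitelisthome++;
 else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0)
 cnt_whitelistusrshare++;
 else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
@@ -144,6 +152,8 @@ void process_file(const char *fname) {
 cnt_privateetc++;
 else if (strncmp(ptr, "dbus-system none", 16) == 0)
 cnt_dbus_system_none++;
+else if (strncmp(ptr, "dbus-user none", 14) == 0)
+cnt_dbus_user_none++;
 else if (strncmp(ptr, "include ", 8) == 0) {
 // not processing .local files
 if (strstr(ptr, ".local")) {
@@ -200,6 +210,8 @@ int main(int argc, char **argv) {
 arg_privatetmp = 1;
 else if (strcmp(argv[i], "--private-etc") == 0)
 arg_privateetc = 1;
+else if (strcmp(argv[i], "--whitelist-home") == 0)
+arg_whitelisthome = 1;
 else if (strcmp(argv[i], "--whitelist-var") == 0)
 arg_whitelistvar = 1;
 else if (strcmp(argv[i], "--whitelist-runuser") == 0)
@@ -210,6 +222,8 @@ int main(int argc, char **argv) {
 arg_ssh = 1;
 else if (strcmp(argv[i], "--dbus-system-none") == 0)
 arg_dbus_system_none = 1;
+else if (strcmp(argv[i], "--dbus-user-none") == 0)
+arg_dbus_user_none = 1;
 else if (*argv[i] == '-') {
 fprintf(stderr, "Error: invalid option %s\n", argv[i]);
 return 1;
@@ -238,10 +252,12 @@ int main(int argc, char **argv) {
 int privateetc = cnt_privateetc;
 int dotlocal = cnt_dotlocal;
 int globalsdotlocal = cnt_globalsdotlocal;
+int whitelisthome = cnt_whitelisthome;
 int whitelistvar = cnt_whitelistvar;
 int whitelistrunuser = cnt_whitelistrunuser;
 int whitelistusrshare = cnt_whitelistusrshare;
 int dbussystemnone = cnt_dbus_system_none;
+int dbususernone = cnt_dbus_user_none;
 int ssh = cnt_ssh;
 int mdwx = cnt_mdwx;
 
@@ -265,6 +281,8 @@ int main(int argc, char **argv) {
 
 if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
 printf("No dbus-system none found in %s\n", argv[i]);
+if (arg_dbus_user_none && dbususernone == cnt_dbus_user_none)
+printf("No dbus-user none found in %s\n", argv[i]);
 if (arg_apparmor && apparmor == cnt_apparmor)
 printf("No apparmor found in %s\n", argv[i]);
 if (arg_caps && caps == cnt_caps)
@@ -281,6 +299,8 @@ int main(int argc, char **argv) {
 printf("No private-tmp found in %s\n", argv[i]);
 if (arg_privateetc && privateetc == cnt_privateetc)
 printf("No private-etc found in %s\n", argv[i]);
+if (arg_whitelisthome && whitelisthome == cnt_whitelisthome)
+printf("Home directory not whitelisted in %s\n", argv[i]);
 if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
 printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
 if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
@@ -310,11 +330,13 @@ int main(int argc, char **argv) {
 printf(" private-dev\t\t\t%d\n", cnt_privatedev);
 printf(" private-etc\t\t\t%d\n", cnt_privateetc);
 printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
+printf(" whitelist home directory\t%d\n", cnt_whitelisthome);
 printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
 printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser);
 printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
 printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
 printf(" net none\t\t\t%d\n", cnt_netnone);
+printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none);
 printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
 printf("\n");
 return 0;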