authorLibravatar netblue30 <netblue30@yahoo.com>2016-07-15 12:10:58 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-07-15 12:10:58 -0400
commit80ccd124b6e510f820f5ccca7dd6b8acc3671e6a (patch)
tree94a4d9fc68154410bc947fe8dac923979d4eec06 /src
parenttodo (diff)
faudit work
Diffstat (limited to 'src')
-rw-r--r--src/faudit/dbus.c2
-rw-r--r--src/faudit/dev.c48
-rw-r--r--src/faudit/faudit.h3
-rw-r--r--src/faudit/main.c4
4 files changed, 56 insertions, 1 deletions
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 1ead2aa38..979617001 100644
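--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) {
  printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
  }
  else {
- printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+ printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
  }
 
  close(sock);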
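Review bot: The reworded MAYBE message in `check_session_bus` now says a new network namespace disables the session bus, which holds only when the bus listens on an abstract-namespace socket; a pathname socket stays reachable from a new network namespace for as long as its file is visible inside the sandbox. Whether `sockfile` can ever be a filesystem path is not visible in this hunk, so this should be confirmed against the caller. If both forms are possible, the advice could be qualified, e.g. `... disable it by creating a new network namespace (effective for abstract sockets only) ...`. The function body starts and ends outside the hunk.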
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
new file mode 100644
index 000000000..52506a258
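--- /dev/null
+++ b/src/faudit/dev.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <dirent.h>
+
+void dev_test(void) {
+ DIR *dir;
+ if (!(dir = opendir("/dev"))) {
+ fprintf(stderr, "Error: cannot open /dev directory\n");
+ return;
+ }
+
+ struct dirent *entry;
+ char *end;
+ printf("INFO: files visible in /dev directory: ");
+ int cnt = 0;
+ while ((entry = readdir(dir)) != NULL) {
+ if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+ continue;
+
+ printf("%s, ", entry->d_name);
+ cnt++;
+ }
+ printf("\n");
+
+ if (cnt > 20)
+ printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+ else
+ printf("GOOD: Access to /dev directory is restricted.\n");
+ closedir(dir);
+}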
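Review bot: The verdict at `if (cnt > 20)` in `dev_test` depends only on how many entries /dev contains, not on which ones, so a short /dev that still exposes a sensitive node (a disk or input device, say) would be reported as `GOOD: Access to /dev directory is restricted.` At minimum the threshold should be named and described as a heuristic, e.g. `#define DEV_FULL_THRESHOLD 20 // heuristic: entry count above which /dev is treated as unrestricted`; checking for specific device nodes would make the result more meaningful. The loop also treats a NULL return from readdir() as end-of-directory without checking errno, so a read error would undercount and bias the result toward GOOD. `char *end;` is declared but never used and can be dropped.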
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 3c08a3eab..93fb4b709 100644
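--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -58,4 +58,7 @@ void network_test(void);
 // dbus.c
 void dbus_test(void);
 
+// dev.c
+void dev_test(void);
+
 #endif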
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 14794719d..72c386cd1 100644
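--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -68,6 +68,10 @@ int main(int argc, char **argv) {
  dbus_test();
  printf("\n");
 
+ // /dev test
+ dev_test();
+ printf("\n");
+
  free(prog);
  printf("--------------------------------------------------------------------------------\n");
 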