diff options
author | netblue30 <netblue30@protonmail.com> | 2021-03-01 07:24:29 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-03-01 07:24:29 -0500 |
commit | 5c95f0f9578593b5549a1c8b37693e9f419ef880 (patch) | |
tree | 9e2aa612b9e471f330b5b91272db3e59c15afc49 /src | |
parent | Merge pull request #4019 from glitsj16/protocol (diff) | |
download | firejail-5c95f0f9578593b5549a1c8b37693e9f419ef880.tar.gz firejail-5c95f0f9578593b5549a1c8b37693e9f419ef880.tar.zst firejail-5c95f0f9578593b5549a1c8b37693e9f419ef880.zip |
retiring --audit (replaced by jailtest)
Diffstat (limited to 'src')
-rw-r--r-- | src/faudit/Makefile.in | 14 | ||||
-rw-r--r-- | src/faudit/caps.c | 78 | ||||
-rw-r--r-- | src/faudit/dbus.c | 131 | ||||
-rw-r--r-- | src/faudit/dev.c | 47 | ||||
-rw-r--r-- | src/faudit/faudit.h | 68 | ||||
-rw-r--r-- | src/faudit/files.c | 75 | ||||
-rw-r--r-- | src/faudit/main.c | 98 | ||||
-rw-r--r-- | src/faudit/network.c | 101 | ||||
-rw-r--r-- | src/faudit/pid.c | 99 | ||||
-rw-r--r-- | src/faudit/seccomp.c | 101 | ||||
-rw-r--r-- | src/faudit/syscall.c | 105 | ||||
-rw-r--r-- | src/faudit/x11.c | 63 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 24 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 16 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 30 |
18 files changed, 2 insertions, 1053 deletions
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in deleted file mode 100644 index 44c121a4c..000000000 --- a/src/faudit/Makefile.in +++ /dev/null | |||
@@ -1,14 +0,0 @@ | |||
1 | all: faudit | ||
2 | |||
3 | include ../common.mk | ||
4 | |||
5 | %.o : %.c $(H_FILE_LIST) | ||
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
7 | |||
8 | faudit: $(OBJS) | ||
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
10 | |||
11 | clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist | ||
12 | |||
13 | distclean: clean | ||
14 | rm -fr Makefile | ||
diff --git a/src/faudit/caps.c b/src/faudit/caps.c deleted file mode 100644 index e9547dc8e..000000000 --- a/src/faudit/caps.c +++ /dev/null | |||
@@ -1,78 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #include "faudit.h" | ||
22 | #include <linux/capability.h> | ||
23 | |||
24 | #define MAXBUF 4098 | ||
25 | static int extract_caps(uint64_t *val) { | ||
26 | FILE *fp = fopen("/proc/self/status", "r"); | ||
27 | if (!fp) | ||
28 | return 1; | ||
29 | |||
30 | char buf[MAXBUF]; | ||
31 | while (fgets(buf, MAXBUF, fp)) { | ||
32 | if (strncmp(buf, "CapBnd:\t", 8) == 0) { | ||
33 | char *ptr = buf + 8; | ||
34 | unsigned long long tmp; | ||
35 | sscanf(ptr, "%llx", &tmp); | ||
36 | *val = tmp; | ||
37 | fclose(fp); | ||
38 | return 0; | ||
39 | } | ||
40 | } | ||
41 | |||
42 | fclose(fp); | ||
43 | return 1; | ||
44 | } | ||
45 | |||
46 | // return 1 if the capability is in the map | ||
47 | static int check_capability(uint64_t map, int cap) { | ||
48 | int i; | ||
49 | uint64_t mask = 1ULL; | ||
50 | |||
51 | for (i = 0; i < 64; i++, mask <<= 1) { | ||
52 | if ((i == cap) && (mask & map)) | ||
53 | return 1; | ||
54 | } | ||
55 | |||
56 | return 0; | ||
57 | } | ||
58 | |||
59 | void caps_test(void) { | ||
60 | uint64_t caps_val; | ||
61 | |||
62 | if (extract_caps(&caps_val)) { | ||
63 | printf("SKIP: cannot extract capabilities on this platform.\n"); | ||
64 | return; | ||
65 | } | ||
66 | |||
67 | if (caps_val) { | ||
68 | printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); | ||
69 | printf("Use \"firejail --caps.drop=all\" to fix it.\n"); | ||
70 | |||
71 | if (check_capability(caps_val, CAP_SYS_ADMIN)) | ||
72 | printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); | ||
73 | if (check_capability(caps_val, CAP_SYS_BOOT)) | ||
74 | printf("UGLY: CAP_SYS_BOOT is enabled.\n"); | ||
75 | } | ||
76 | else | ||
77 | printf("GOOD: all capabilities are disabled.\n"); | ||
78 | } | ||
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c deleted file mode 100644 index 389504fb8..000000000 --- a/src/faudit/dbus.c +++ /dev/null | |||
@@ -1,131 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include "../include/rundefs.h" | ||
22 | #include <stdarg.h> | ||
23 | #include <sys/socket.h> | ||
24 | #include <sys/un.h> | ||
25 | |||
26 | // return 0 if the connection is possible | ||
27 | int check_unix(const char *sockfile) { | ||
28 | assert(sockfile); | ||
29 | int rv = -1; | ||
30 | |||
31 | // open socket | ||
32 | int sock = socket(AF_UNIX, SOCK_STREAM, 0); | ||
33 | if (sock == -1) | ||
34 | return rv; | ||
35 | |||
36 | // connect | ||
37 | struct sockaddr_un remote; | ||
38 | memset(&remote, 0, sizeof(struct sockaddr_un)); | ||
39 | remote.sun_family = AF_UNIX; | ||
40 | strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1); | ||
41 | int len = strlen(remote.sun_path) + sizeof(remote.sun_family); | ||
42 | if (*sockfile == '@') | ||
43 | remote.sun_path[0] = '\0'; | ||
44 | if (connect(sock, (struct sockaddr *)&remote, len) == 0) | ||
45 | rv = 0; | ||
46 | |||
47 | close(sock); | ||
48 | return rv; | ||
49 | } | ||
50 | |||
51 | static char *test_dbus_env(char *env_var_name) { | ||
52 | // check the session bus | ||
53 | char *str = getenv(env_var_name); | ||
54 | char *found = NULL; | ||
55 | if (str) { | ||
56 | int rv = 0; | ||
57 | char *bus = strdup(str); | ||
58 | if (!bus) | ||
59 | errExit("strdup"); | ||
60 | char *sockfile; | ||
61 | if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) { | ||
62 | sockfile += 13; | ||
63 | *sockfile = '@'; | ||
64 | char *ptr = strchr(sockfile, ','); | ||
65 | if (ptr) | ||
66 | *ptr = '\0'; | ||
67 | rv = check_unix(sockfile); | ||
68 | *sockfile = '@'; | ||
69 | if (rv == 0) | ||
70 | printf("MAYBE: D-Bus socket %s is available\n", sockfile); | ||
71 | else if (rv == -1) | ||
72 | printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); | ||
73 | } | ||
74 | else if ((sockfile = strstr(bus, "unix:path=")) != NULL) { | ||
75 | sockfile += 10; | ||
76 | char *ptr = strchr(sockfile, ','); | ||
77 | if (ptr) | ||
78 | *ptr = '\0'; | ||
79 | rv = check_unix(sockfile); | ||
80 | if (rv == 0) { | ||
81 | if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 || | ||
82 | strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) { | ||
83 | printf("GOOD: D-Bus filtering is active on %s\n", sockfile); | ||
84 | } else { | ||
85 | printf("MAYBE: D-Bus socket %s is available\n", sockfile); | ||
86 | } | ||
87 | } | ||
88 | else if (rv == -1) | ||
89 | printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); | ||
90 | found = strdup(sockfile); | ||
91 | if (!found) | ||
92 | errExit("strdup"); | ||
93 | } | ||
94 | else if (strstr(bus, "tcp:host=") != NULL) | ||
95 | printf("UGLY: %s bus configured for TCP communication.\n", env_var_name); | ||
96 | else | ||
97 | printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name); | ||
98 | free(bus); | ||
99 | } | ||
100 | else | ||
101 | printf("MAYBE: %s environment variable not configured.\n", env_var_name); | ||
102 | return found; | ||
103 | } | ||
104 | |||
105 | static void test_default_socket(const char *found, const char *format, ...) { | ||
106 | va_list ap; | ||
107 | va_start(ap, format); | ||
108 | char *sockfile; | ||
109 | if (vasprintf(&sockfile, format, ap) == -1) | ||
110 | errExit("vasprintf"); | ||
111 | va_end(ap); | ||
112 | if (found != NULL && strcmp(found, sockfile) == 0) | ||
113 | goto end; | ||
114 | int rv = check_unix(sockfile); | ||
115 | if (rv == 0) | ||
116 | printf("MAYBE: D-Bus socket %s is available\n", sockfile); | ||
117 | end: | ||
118 | free(sockfile); | ||
119 | } | ||
120 | |||
121 | void dbus_test(void) { | ||
122 | char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS"); | ||
123 | test_default_socket(found_user, "/run/user/%d/bus", (int) getuid()); | ||
124 | test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid()); | ||
125 | if (found_user != NULL) | ||
126 | free(found_user); | ||
127 | char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS"); | ||
128 | test_default_socket(found_system, "/run/dbus/system_bus_socket"); | ||
129 | if (found_system != NULL) | ||
130 | free(found_system); | ||
131 | } | ||
diff --git a/src/faudit/dev.c b/src/faudit/dev.c deleted file mode 100644 index 61cb1cabe..000000000 --- a/src/faudit/dev.c +++ /dev/null | |||
@@ -1,47 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <dirent.h> | ||
22 | |||
23 | void dev_test(void) { | ||
24 | DIR *dir; | ||
25 | if (!(dir = opendir("/dev"))) { | ||
26 | fprintf(stderr, "Error: cannot open /dev directory\n"); | ||
27 | return; | ||
28 | } | ||
29 | |||
30 | struct dirent *entry; | ||
31 | printf("INFO: files visible in /dev directory: "); | ||
32 | int cnt = 0; | ||
33 | while ((entry = readdir(dir)) != NULL) { | ||
34 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
35 | continue; | ||
36 | |||
37 | printf("%s, ", entry->d_name); | ||
38 | cnt++; | ||
39 | } | ||
40 | printf("\n"); | ||
41 | |||
42 | if (cnt > 20) | ||
43 | printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); | ||
44 | else | ||
45 | printf("GOOD: Access to /dev directory is restricted.\n"); | ||
46 | closedir(dir); | ||
47 | } | ||
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h deleted file mode 100644 index cfed1504b..000000000 --- a/src/faudit/faudit.h +++ /dev/null | |||
@@ -1,68 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #ifndef FAUDIT_H | ||
22 | #define FAUDIT_H | ||
23 | #define _GNU_SOURCE | ||
24 | #include <stdio.h> | ||
25 | #include <stdlib.h> | ||
26 | #include <stdint.h> | ||
27 | #include <string.h> | ||
28 | #include <unistd.h> | ||
29 | #include <sys/types.h> | ||
30 | #include <sys/stat.h> | ||
31 | #include <sys/mount.h> | ||
32 | #include <assert.h> | ||
33 | |||
34 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) | ||
35 | |||
36 | // main.c | ||
37 | extern char *prog; | ||
38 | |||
39 | // pid.c | ||
40 | void pid_test(void); | ||
41 | |||
42 | // caps.c | ||
43 | void caps_test(void); | ||
44 | |||
45 | // seccomp.c | ||
46 | void seccomp_test(void); | ||
47 | |||
48 | // syscall.c | ||
49 | void syscall_helper(int argc, char **argv); | ||
50 | void syscall_run(const char *name); | ||
51 | |||
52 | // files.c | ||
53 | void files_test(void); | ||
54 | |||
55 | // network.c | ||
56 | void network_test(void); | ||
57 | |||
58 | // dbus.c | ||
59 | int check_unix(const char *sockfile); | ||
60 | void dbus_test(void); | ||
61 | |||
62 | // dev.c | ||
63 | void dev_test(void); | ||
64 | |||
65 | // x11.c | ||
66 | void x11_test(void); | ||
67 | |||
68 | #endif | ||
diff --git a/src/faudit/files.c b/src/faudit/files.c deleted file mode 100644 index 73e0a387d..000000000 --- a/src/faudit/files.c +++ /dev/null | |||
@@ -1,75 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <fcntl.h> | ||
22 | #include <pwd.h> | ||
23 | |||
24 | static char *username = NULL; | ||
25 | static char *homedir = NULL; | ||
26 | |||
27 | static void check_home_file(const char *name) { | ||
28 | assert(homedir); | ||
29 | |||
30 | char *fname; | ||
31 | if (asprintf(&fname, "%s/%s", homedir, name) == -1) | ||
32 | errExit("asprintf"); | ||
33 | |||
34 | if (access(fname, R_OK) == 0) { | ||
35 | printf("UGLY: I can access files in %s directory. ", fname); | ||
36 | printf("Use \"firejail --blacklist=%s\" to block it.\n", fname); | ||
37 | } | ||
38 | else | ||
39 | printf("GOOD: I cannot access files in %s directory.\n", fname); | ||
40 | |||
41 | free(fname); | ||
42 | } | ||
43 | |||
44 | void files_test(void) { | ||
45 | struct passwd *pw = getpwuid(getuid()); | ||
46 | if (!pw) { | ||
47 | fprintf(stderr, "Error: cannot retrieve user account information\n"); | ||
48 | return; | ||
49 | } | ||
50 | |||
51 | username = strdup(pw->pw_name); | ||
52 | if (!username) | ||
53 | errExit("strdup"); | ||
54 | homedir = strdup(pw->pw_dir); | ||
55 | if (!homedir) | ||
56 | errExit("strdup"); | ||
57 | |||
58 | // check access to .ssh directory | ||
59 | check_home_file(".ssh"); | ||
60 | |||
61 | // check access to .gnupg directory | ||
62 | check_home_file(".gnupg"); | ||
63 | |||
64 | // check access to Firefox browser directory | ||
65 | check_home_file(".mozilla"); | ||
66 | |||
67 | // check access to Chromium browser directory | ||
68 | check_home_file(".config/chromium"); | ||
69 | |||
70 | // check access to Debian Icedove directory | ||
71 | check_home_file(".icedove"); | ||
72 | |||
73 | // check access to Thunderbird directory | ||
74 | check_home_file(".thunderbird"); | ||
75 | } | ||
diff --git a/src/faudit/main.c b/src/faudit/main.c deleted file mode 100644 index 605d5ff7b..000000000 --- a/src/faudit/main.c +++ /dev/null | |||
@@ -1,98 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | char *prog; | ||
22 | |||
23 | int main(int argc, char **argv) { | ||
24 | // make test-arguments helper | ||
25 | if (getenv("FIREJAIL_TEST_ARGUMENTS")) { | ||
26 | printf("Arguments:\n"); | ||
27 | |||
28 | int i; | ||
29 | for (i = 0; i < argc; i++) { | ||
30 | printf("#%s#\n", argv[i]); | ||
31 | } | ||
32 | |||
33 | return 0; | ||
34 | } | ||
35 | |||
36 | |||
37 | if (argc != 1) { | ||
38 | int i; | ||
39 | |||
40 | for (i = 1; i < argc; i++) { | ||
41 | if (strcmp(argv[i], "syscall") == 0) { | ||
42 | syscall_helper(argc, argv); | ||
43 | return 0; | ||
44 | } | ||
45 | } | ||
46 | return 1; | ||
47 | } | ||
48 | |||
49 | printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n"); | ||
50 | |||
51 | // extract program name | ||
52 | prog = realpath(argv[0], NULL); | ||
53 | if (prog == NULL) { | ||
54 | prog = strdup("faudit"); | ||
55 | if (!prog) | ||
56 | errExit("strdup"); | ||
57 | } | ||
58 | printf("INFO: starting %s.\n", prog); | ||
59 | |||
60 | |||
61 | // check pid namespace | ||
62 | pid_test(); | ||
63 | printf("\n"); | ||
64 | |||
65 | // check seccomp | ||
66 | seccomp_test(); | ||
67 | printf("\n"); | ||
68 | |||
69 | // check capabilities | ||
70 | caps_test(); | ||
71 | printf("\n"); | ||
72 | |||
73 | // check some well-known problematic files and directories | ||
74 | files_test(); | ||
75 | printf("\n"); | ||
76 | |||
77 | // network | ||
78 | network_test(); | ||
79 | printf("\n"); | ||
80 | |||
81 | // dbus | ||
82 | dbus_test(); | ||
83 | printf("\n"); | ||
84 | |||
85 | // x11 test | ||
86 | x11_test(); | ||
87 | printf("\n"); | ||
88 | |||
89 | // /dev test | ||
90 | dev_test(); | ||
91 | printf("\n"); | ||
92 | |||
93 | |||
94 | free(prog); | ||
95 | printf("--------------------------------------------------------------------------------\n"); | ||
96 | |||
97 | return 0; | ||
98 | } | ||
diff --git a/src/faudit/network.c b/src/faudit/network.c deleted file mode 100644 index 8e799dc19..000000000 --- a/src/faudit/network.c +++ /dev/null | |||
@@ -1,101 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <sys/socket.h> | ||
22 | #include <arpa/inet.h> | ||
23 | #include <linux/netlink.h> | ||
24 | #include <linux/rtnetlink.h> | ||
25 | |||
26 | static void check_ssh(void) { | ||
27 | // open socket | ||
28 | int sock = socket(AF_INET, SOCK_STREAM, 0); | ||
29 | if (sock == -1) { | ||
30 | printf("GOOD: SSH server not available on localhost.\n"); | ||
31 | return; | ||
32 | } | ||
33 | |||
34 | // connect to localhost | ||
35 | struct sockaddr_in server; | ||
36 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); | ||
37 | server.sin_family = AF_INET; | ||
38 | server.sin_port = htons(22); | ||
39 | |||
40 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) | ||
41 | printf("GOOD: SSH server not available on localhost.\n"); | ||
42 | else { | ||
43 | printf("MAYBE: an SSH server is accessible on localhost. "); | ||
44 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | ||
45 | } | ||
46 | |||
47 | close(sock); | ||
48 | } | ||
49 | |||
50 | static void check_http(void) { | ||
51 | // open socket | ||
52 | int sock = socket(AF_INET, SOCK_STREAM, 0); | ||
53 | if (sock == -1) { | ||
54 | printf("GOOD: HTTP server not available on localhost.\n"); | ||
55 | return; | ||
56 | } | ||
57 | |||
58 | // connect to localhost | ||
59 | struct sockaddr_in server; | ||
60 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); | ||
61 | server.sin_family = AF_INET; | ||
62 | server.sin_port = htons(80); | ||
63 | |||
64 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) | ||
65 | printf("GOOD: HTTP server not available on localhost.\n"); | ||
66 | else { | ||
67 | printf("MAYBE: an HTTP server is accessible on localhost. "); | ||
68 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | ||
69 | } | ||
70 | |||
71 | close(sock); | ||
72 | } | ||
73 | |||
74 | void check_netlink(void) { | ||
75 | int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); | ||
76 | if (sock == -1) { | ||
77 | printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); | ||
78 | return; | ||
79 | } | ||
80 | |||
81 | struct sockaddr_nl local; | ||
82 | memset(&local, 0, sizeof(local)); | ||
83 | local.nl_family = AF_NETLINK; | ||
84 | local.nl_groups = 0; //subscriptions; | ||
85 | |||
86 | if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) { | ||
87 | printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); | ||
88 | close(sock); | ||
89 | return; | ||
90 | } | ||
91 | |||
92 | close(sock); | ||
93 | printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); | ||
94 | printf("You can use \"--protocol\" to disable the socket.\n"); | ||
95 | } | ||
96 | |||
97 | void network_test(void) { | ||
98 | check_ssh(); | ||
99 | check_http(); | ||
100 | check_netlink(); | ||
101 | } | ||
diff --git a/src/faudit/pid.c b/src/faudit/pid.c deleted file mode 100644 index ec8c37dc7..000000000 --- a/src/faudit/pid.c +++ /dev/null | |||
@@ -1,99 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | |||
22 | void pid_test(void) { | ||
23 | static char *kern_proc[] = { | ||
24 | "kthreadd", | ||
25 | "ksoftirqd", | ||
26 | "kworker", | ||
27 | "rcu_sched", | ||
28 | "rcu_bh", | ||
29 | NULL // NULL terminated list | ||
30 | }; | ||
31 | int i; | ||
32 | |||
33 | // look at the first 10 processes | ||
34 | int not_visible = 1; | ||
35 | for (i = 1; i <= 10; i++) { | ||
36 | struct stat s; | ||
37 | char *fname; | ||
38 | if (asprintf(&fname, "/proc/%d/comm", i) == -1) | ||
39 | errExit("asprintf"); | ||
40 | if (stat(fname, &s) == -1) { | ||
41 | free(fname); | ||
42 | continue; | ||
43 | } | ||
44 | |||
45 | // open file | ||
46 | /* coverity[toctou] */ | ||
47 | FILE *fp = fopen(fname, "r"); | ||
48 | if (!fp) { | ||
49 | free(fname); | ||
50 | continue; | ||
51 | } | ||
52 | |||
53 | // read file | ||
54 | char buf[100]; | ||
55 | if (fgets(buf, 10, fp) == NULL) { | ||
56 | fclose(fp); | ||
57 | free(fname); | ||
58 | continue; | ||
59 | } | ||
60 | not_visible = 0; | ||
61 | |||
62 | // clean /n | ||
63 | char *ptr; | ||
64 | if ((ptr = strchr(buf, '\n')) != NULL) | ||
65 | *ptr = '\0'; | ||
66 | |||
67 | // check process name against the kernel list | ||
68 | int j = 0; | ||
69 | while (kern_proc[j] != NULL) { | ||
70 | if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { | ||
71 | fclose(fp); | ||
72 | free(fname); | ||
73 | printf("BAD: Process %d is not running in a PID namespace. ", getpid()); | ||
74 | printf("Are you sure you're running in a sandbox?\n"); | ||
75 | return; | ||
76 | } | ||
77 | j++; | ||
78 | } | ||
79 | |||
80 | fclose(fp); | ||
81 | free(fname); | ||
82 | } | ||
83 | |||
84 | pid_t pid = getpid(); | ||
85 | if (not_visible && pid > 100) | ||
86 | printf("BAD: Process %d is not running in a PID namespace.\n", pid); | ||
87 | else | ||
88 | printf("GOOD: process %d is running in a PID namespace.\n", pid); | ||
89 | |||
90 | // try to guess the type of container/sandbox | ||
91 | char *str = getenv("container"); | ||
92 | if (str) | ||
93 | printf("INFO: container/sandbox %s.\n", str); | ||
94 | else { | ||
95 | str = getenv("SNAP"); | ||
96 | if (str) | ||
97 | printf("INFO: this is a snap package\n"); | ||
98 | } | ||
99 | } | ||
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c deleted file mode 100644 index d8acee160..000000000 --- a/src/faudit/seccomp.c +++ /dev/null | |||
@@ -1,101 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | |||
22 | #define MAXBUF 4098 | ||
23 | static int extract_seccomp(int *val) { | ||
24 | FILE *fp = fopen("/proc/self/status", "r"); | ||
25 | if (!fp) | ||
26 | return 1; | ||
27 | |||
28 | char buf[MAXBUF]; | ||
29 | while (fgets(buf, MAXBUF, fp)) { | ||
30 | if (strncmp(buf, "Seccomp:\t", 9) == 0) { | ||
31 | char *ptr = buf + 9; | ||
32 | int tmp; | ||
33 | sscanf(ptr, "%d", &tmp); | ||
34 | *val = tmp; | ||
35 | fclose(fp); | ||
36 | return 0; | ||
37 | } | ||
38 | } | ||
39 | |||
40 | fclose(fp); | ||
41 | return 1; | ||
42 | } | ||
43 | |||
44 | void seccomp_test(void) { | ||
45 | int seccomp_status; | ||
46 | int rv = extract_seccomp(&seccomp_status); | ||
47 | |||
48 | if (rv) { | ||
49 | printf("INFO: cannot extract seccomp configuration on this platform.\n"); | ||
50 | return; | ||
51 | } | ||
52 | |||
53 | if (seccomp_status == 0) { | ||
54 | printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); | ||
55 | } | ||
56 | else if (seccomp_status == 1) | ||
57 | printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed.\n"); | ||
58 | else if (seccomp_status == 2) { | ||
59 | printf("GOOD: seccomp BPF enabled.\n"); | ||
60 | |||
61 | printf("checking syscalls: "); fflush(0); | ||
62 | printf("mount... "); fflush(0); | ||
63 | syscall_run("mount"); | ||
64 | |||
65 | printf("umount2... "); fflush(0); | ||
66 | syscall_run("umount2"); | ||
67 | |||
68 | printf("ptrace... "); fflush(0); | ||
69 | syscall_run("ptrace"); | ||
70 | |||
71 | printf("swapon... "); fflush(0); | ||
72 | syscall_run("swapon"); | ||
73 | |||
74 | printf("swapoff... "); fflush(0); | ||
75 | syscall_run("swapoff"); | ||
76 | |||
77 | printf("init_module... "); fflush(0); | ||
78 | syscall_run("init_module"); | ||
79 | |||
80 | printf("delete_module... "); fflush(0); | ||
81 | syscall_run("delete_module"); | ||
82 | |||
83 | printf("chroot... "); fflush(0); | ||
84 | syscall_run("chroot"); | ||
85 | |||
86 | printf("pivot_root... "); fflush(0); | ||
87 | syscall_run("pivot_root"); | ||
88 | |||
89 | #if defined(__i386__) || defined(__x86_64__) | ||
90 | printf("iopl... "); fflush(0); | ||
91 | syscall_run("iopl"); | ||
92 | |||
93 | printf("ioperm... "); fflush(0); | ||
94 | syscall_run("ioperm"); | ||
95 | #endif | ||
96 | printf("\n"); | ||
97 | } | ||
98 | else | ||
99 | fprintf(stderr, "Error: unrecognized seccomp mode\n"); | ||
100 | |||
101 | } | ||
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c deleted file mode 100644 index 11e83a0f5..000000000 --- a/src/faudit/syscall.c +++ /dev/null | |||
@@ -1,105 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <sys/ptrace.h> | ||
22 | #include <sys/swap.h> | ||
23 | #if defined(__i386__) || defined(__x86_64__) | ||
24 | #include <sys/io.h> | ||
25 | #endif | ||
26 | #include <sys/wait.h> | ||
27 | extern int init_module(void *module_image, unsigned long len, | ||
28 | const char *param_values); | ||
29 | extern int finit_module(int fd, const char *param_values, | ||
30 | int flags); | ||
31 | extern int delete_module(const char *name, int flags); | ||
32 | extern int pivot_root(const char *new_root, const char *put_old); | ||
33 | |||
34 | void syscall_helper(int argc, char **argv) { | ||
35 | (void) argc; | ||
36 | |||
37 | if (argc < 3) | ||
38 | return; | ||
39 | |||
40 | if (strcmp(argv[2], "mount") == 0) { | ||
41 | int rv = mount(NULL, NULL, NULL, 0, NULL); | ||
42 | (void) rv; | ||
43 | printf("\nUGLY: mount syscall permitted.\n"); | ||
44 | } | ||
45 | else if (strcmp(argv[2], "umount2") == 0) { | ||
46 | umount2(NULL, 0); | ||
47 | printf("\nUGLY: umount2 syscall permitted.\n"); | ||
48 | } | ||
49 | else if (strcmp(argv[2], "ptrace") == 0) { | ||
50 | ptrace(0, 0, NULL, NULL); | ||
51 | printf("\nUGLY: ptrace syscall permitted.\n"); | ||
52 | } | ||
53 | else if (strcmp(argv[2], "swapon") == 0) { | ||
54 | swapon(NULL, 0); | ||
55 | printf("\nUGLY: swapon syscall permitted.\n"); | ||
56 | } | ||
57 | else if (strcmp(argv[2], "swapoff") == 0) { | ||
58 | swapoff(NULL); | ||
59 | printf("\nUGLY: swapoff syscall permitted.\n"); | ||
60 | } | ||
61 | else if (strcmp(argv[2], "init_module") == 0) { | ||
62 | init_module(NULL, 0, NULL); | ||
63 | printf("\nUGLY: init_module syscall permitted.\n"); | ||
64 | } | ||
65 | else if (strcmp(argv[2], "delete_module") == 0) { | ||
66 | delete_module(NULL, 0); | ||
67 | printf("\nUGLY: delete_module syscall permitted.\n"); | ||
68 | } | ||
69 | else if (strcmp(argv[2], "chroot") == 0) { | ||
70 | int rv = chroot("/blablabla-57281292"); | ||
71 | (void) rv; | ||
72 | printf("\nUGLY: chroot syscall permitted.\n"); | ||
73 | } | ||
74 | else if (strcmp(argv[2], "pivot_root") == 0) { | ||
75 | pivot_root(NULL, NULL); | ||
76 | printf("\nUGLY: pivot_root syscall permitted.\n"); | ||
77 | } | ||
78 | #if defined(__i386__) || defined(__x86_64__) | ||
79 | else if (strcmp(argv[2], "iopl") == 0) { | ||
80 | iopl(0L); | ||
81 | printf("\nUGLY: iopl syscall permitted.\n"); | ||
82 | } | ||
83 | else if (strcmp(argv[2], "ioperm") == 0) { | ||
84 | ioperm(0, 0, 0); | ||
85 | printf("\nUGLY: ioperm syscall permitted.\n"); | ||
86 | } | ||
87 | #endif | ||
88 | exit(0); | ||
89 | } | ||
90 | |||
91 | void syscall_run(const char *name) { | ||
92 | assert(prog); | ||
93 | |||
94 | pid_t child = fork(); | ||
95 | if (child < 0) | ||
96 | errExit("fork"); | ||
97 | if (child == 0) { | ||
98 | execl(prog, prog, "syscall", name, NULL); | ||
99 | perror("execl"); | ||
100 | _exit(1); | ||
101 | } | ||
102 | |||
103 | // wait for the child to finish | ||
104 | waitpid(child, NULL, 0); | ||
105 | } | ||
diff --git a/src/faudit/x11.c b/src/faudit/x11.c deleted file mode 100644 index 2ffd7bac7..000000000 --- a/src/faudit/x11.c +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <sys/socket.h> | ||
22 | #include <dirent.h> | ||
23 | |||
24 | |||
25 | void x11_test(void) { | ||
26 | // check regular display 0 sockets | ||
27 | if (check_unix("/tmp/.X11-unix/X0") == 0) | ||
28 | printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n"); | ||
29 | |||
30 | if (check_unix("@/tmp/.X11-unix/X0") == 0) | ||
31 | printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); | ||
32 | |||
33 | // check all unix sockets in /tmp/.X11-unix directory | ||
34 | DIR *dir; | ||
35 | if (!(dir = opendir("/tmp/.X11-unix"))) { | ||
36 | // sleep 2 seconds and try again | ||
37 | sleep(2); | ||
38 | if (!(dir = opendir("/tmp/.X11-unix"))) { | ||
39 | ; | ||
40 | } | ||
41 | } | ||
42 | |||
43 | if (dir == NULL) | ||
44 | printf("GOOD: cannot open /tmp/.X11-unix directory\n"); | ||
45 | else { | ||
46 | struct dirent *entry; | ||
47 | while ((entry = readdir(dir)) != NULL) { | ||
48 | if (strcmp(entry->d_name, "X0") == 0) | ||
49 | continue; | ||
50 | if (strcmp(entry->d_name, ".") == 0) | ||
51 | continue; | ||
52 | if (strcmp(entry->d_name, "..") == 0) | ||
53 | continue; | ||
54 | char *name; | ||
55 | if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1) | ||
56 | errExit("asprintf"); | ||
57 | if (check_unix(name) == 0) | ||
58 | printf("MAYBE: X11 socket %s is available\n", name); | ||
59 | free(name); | ||
60 | } | ||
61 | closedir(dir); | ||
62 | } | ||
63 | } | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c8080f778..b21b5bef6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -328,8 +328,6 @@ extern int arg_keep_var_tmp; // don't overwrite /var/tmp | |||
328 | extern int arg_writable_run_user; // writable /run/user | 328 | extern int arg_writable_run_user; // writable /run/user |
329 | extern int arg_writable_var_log; // writable /var/log | 329 | extern int arg_writable_var_log; // writable /var/log |
330 | extern int arg_appimage; // appimage | 330 | extern int arg_appimage; // appimage |
331 | extern int arg_audit; // audit | ||
332 | extern char *arg_audit_prog; // audit | ||
333 | extern int arg_apparmor; // apparmor | 331 | extern int arg_apparmor; // apparmor |
334 | extern int arg_allow_debuggers; // allow debuggers | 332 | extern int arg_allow_debuggers; // allow debuggers |
335 | extern int arg_x11_block; // block X11 | 333 | extern int arg_x11_block; // block X11 |
diff --git a/src/firejail/join.c b/src/firejail/join.c index a8011aa14..1575a7469 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
411 | extract_x11_display(parent); | 411 | extract_x11_display(parent); |
412 | 412 | ||
413 | int shfd = -1; | 413 | int shfd = -1; |
414 | if (!arg_shell_none && !arg_audit) | 414 | if (!arg_shell_none) |
415 | shfd = open_shell(); | 415 | shfd = open_shell(); |
416 | 416 | ||
417 | EUID_ROOT(); | 417 | EUID_ROOT(); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index fe806dcdb..9705c2436 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -130,8 +130,6 @@ int arg_keep_var_tmp = 0; // don't overwrite /var/tmp | |||
130 | int arg_writable_run_user = 0; // writable /run/user | 130 | int arg_writable_run_user = 0; // writable /run/user |
131 | int arg_writable_var_log = 0; // writable /var/log | 131 | int arg_writable_var_log = 0; // writable /var/log |
132 | int arg_appimage = 0; // appimage | 132 | int arg_appimage = 0; // appimage |
133 | int arg_audit = 0; // audit | ||
134 | char *arg_audit_prog = NULL; // audit | ||
135 | int arg_apparmor = 0; // apparmor | 133 | int arg_apparmor = 0; // apparmor |
136 | int arg_allow_debuggers = 0; // allow debuggers | 134 | int arg_allow_debuggers = 0; // allow debuggers |
137 | int arg_x11_block = 0; // block X11 | 135 | int arg_x11_block = 0; // block X11 |
@@ -2608,28 +2606,6 @@ int main(int argc, char **argv, char **envp) { | |||
2608 | //************************************* | 2606 | //************************************* |
2609 | else if (strncmp(argv[i], "--timeout=", 10) == 0) | 2607 | else if (strncmp(argv[i], "--timeout=", 10) == 0) |
2610 | cfg.timeout = extract_timeout(argv[i] + 10); | 2608 | cfg.timeout = extract_timeout(argv[i] + 10); |
2611 | else if (strcmp(argv[i], "--audit") == 0) { | ||
2612 | arg_audit_prog = LIBDIR "/firejail/faudit"; | ||
2613 | profile_add_ignore("shell none"); | ||
2614 | arg_audit = 1; | ||
2615 | } | ||
2616 | else if (strncmp(argv[i], "--audit=", 8) == 0) { | ||
2617 | if (strlen(argv[i] + 8) == 0) { | ||
2618 | fprintf(stderr, "Error: invalid audit program\n"); | ||
2619 | exit(1); | ||
2620 | } | ||
2621 | arg_audit_prog = strdup(argv[i] + 8); | ||
2622 | if (!arg_audit_prog) | ||
2623 | errExit("strdup"); | ||
2624 | |||
2625 | struct stat s; | ||
2626 | if (stat(arg_audit_prog, &s) != 0) { | ||
2627 | fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog); | ||
2628 | exit(1); | ||
2629 | } | ||
2630 | profile_add_ignore("shell none"); | ||
2631 | arg_audit = 1; | ||
2632 | } | ||
2633 | else if (strcmp(argv[i], "--appimage") == 0) | 2609 | else if (strcmp(argv[i], "--appimage") == 0) |
2634 | arg_appimage = 1; | 2610 | arg_appimage = 1; |
2635 | else if (strcmp(argv[i], "--shell=none") == 0) { | 2611 | else if (strcmp(argv[i], "--shell=none") == 0) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f1ab895db..a04551ed4 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -475,23 +475,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
475 | } | 475 | } |
476 | 476 | ||
477 | //**************************************** | 477 | //**************************************** |
478 | // audit | ||
479 | //**************************************** | ||
480 | if (arg_audit) { | ||
481 | assert(arg_audit_prog); | ||
482 | |||
483 | #ifdef HAVE_GCOV | ||
484 | __gcov_dump(); | ||
485 | #endif | ||
486 | seccomp_install_filters(); | ||
487 | if (set_sandbox_status) | ||
488 | *set_sandbox_status = SANDBOX_DONE; | ||
489 | execl(arg_audit_prog, arg_audit_prog, NULL); | ||
490 | } | ||
491 | //**************************************** | ||
492 | // start the program without using a shell | 478 | // start the program without using a shell |
493 | //**************************************** | 479 | //**************************************** |
494 | else if (arg_shell_none) { | 480 | if (arg_shell_none) { |
495 | if (arg_debug) { | 481 | if (arg_debug) { |
496 | int i; | 482 | int i; |
497 | for (i = cfg.original_program_index; i < cfg.original_argc; i++) { | 483 | for (i = cfg.original_program_index; i < cfg.original_argc; i++) { |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index adba5da40..8f9cc065f 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -33,7 +33,6 @@ static char *usage_str = | |||
33 | " --apparmor - enable AppArmor confinement.\n" | 33 | " --apparmor - enable AppArmor confinement.\n" |
34 | " --apparmor.print=name|pid - print apparmor status.\n" | 34 | " --apparmor.print=name|pid - print apparmor status.\n" |
35 | " --appimage - sandbox an AppImage application.\n" | 35 | " --appimage - sandbox an AppImage application.\n" |
36 | " --audit[=test-program] - audit the sandbox.\n" | ||
37 | #ifdef HAVE_NETWORK | 36 | #ifdef HAVE_NETWORK |
38 | " --bandwidth=name|pid - set bandwidth limits.\n" | 37 | " --bandwidth=name|pid - set bandwidth limits.\n" |
39 | #endif | 38 | #endif |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 639b171cd..f9111ae7b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -155,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage | |||
155 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage | 155 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage |
156 | #endif | 156 | #endif |
157 | .TP | 157 | .TP |
158 | \fB\-\-audit | ||
159 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
160 | .TP | ||
161 | \fB\-\-audit=test-program | ||
162 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
163 | .TP | ||
164 | \fB\-\-bandwidth=name|pid | 158 | \fB\-\-bandwidth=name|pid |
165 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. | 159 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. |
166 | .TP | 160 | .TP |
@@ -2972,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
2972 | $ firejail --apparmor firefox | 2966 | $ firejail --apparmor firefox |
2973 | #endif | 2967 | #endif |
2974 | 2968 | ||
2975 | .SH AUDIT | ||
2976 | Audit feature allows the user to point out gaps in security profiles. The | ||
2977 | implementation replaces the program to be sandboxed with a test program. By | ||
2978 | default, we use faudit program distributed with Firejail. A custom test program | ||
2979 | can also be supplied by the user. Examples: | ||
2980 | |||
2981 | Running the default audit program: | ||
2982 | .br | ||
2983 | $ firejail --audit transmission-gtk | ||
2984 | |||
2985 | Running a custom audit program: | ||
2986 | .br | ||
2987 | $ firejail --audit=~/sandbox-test transmission-gtk | ||
2988 | |||
2989 | In the examples above, the sandbox configures transmission-gtk profile and | ||
2990 | starts the test program. The real program, transmission-gtk, will not be | ||
2991 | started. | ||
2992 | |||
2993 | You can also audit a specific profile without specifying a program. | ||
2994 | .br | ||
2995 | $ firejail --audit --profile=/etc/firejail/zoom.profile | ||
2996 | |||
2997 | Limitations: audit feature is not implemented for --x11 commands. | ||
2998 | |||
2999 | .SH DESKTOP INTEGRATION | 2969 | .SH DESKTOP INTEGRATION |
3000 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 2970 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
3001 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 2971 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |