diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-07-03 19:55:47 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-07-03 19:55:47 -0400 |
| commit | 8cc23dbc8f6b48a3d7eb3cfe8d589d78ce34a62a (patch) | |
| tree | adcca80ae21af46bb03ca23cf90db3cdc7371ba3 /src | |
| parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
| download | firejail-8cc23dbc8f6b48a3d7eb3cfe8d589d78ce34a62a.tar.gz firejail-8cc23dbc8f6b48a3d7eb3cfe8d589d78ce34a62a.tar.zst firejail-8cc23dbc8f6b48a3d7eb3cfe8d589d78ce34a62a.zip | |
faudit network
Diffstat (limited to 'src')
| -rw-r--r-- | src/faudit/caps.c | 1 | ||||
| -rw-r--r-- | src/faudit/faudit.h | 6 | ||||
| -rw-r--r-- | src/faudit/files.c | 4 | ||||
| -rw-r--r-- | src/faudit/main.c | 7 | ||||
| -rw-r--r-- | src/faudit/pid.c | 1 | ||||
| -rw-r--r-- | src/faudit/seccomp.c | 4 |
6 files changed, 19 insertions, 4 deletions
diff --git a/src/faudit/caps.c b/src/faudit/caps.c index f98d45ec8..db1d3266f 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c | |||
| @@ -66,6 +66,7 @@ void caps_test(void) { | |||
| 66 | 66 | ||
| 67 | if (caps_val) { | 67 | if (caps_val) { |
| 68 | printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val); | 68 | printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val); |
| 69 | printf("Use \"firejail --caps.drop=all\" to fix it.\n"); | ||
| 69 | 70 | ||
| 70 | if (check_capability(caps_val, CAP_SYS_ADMIN)) | 71 | if (check_capability(caps_val, CAP_SYS_ADMIN)) |
| 71 | printf("UGLY: CAP_SYS_ADMIN is enabled\n"); | 72 | printf("UGLY: CAP_SYS_ADMIN is enabled\n"); |
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index fdb4556c3..f8d9b709d 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h | |||
| @@ -48,4 +48,10 @@ void seccomp_test(void); | |||
| 48 | void syscall_helper(int argc, char **argv); | 48 | void syscall_helper(int argc, char **argv); |
| 49 | void syscall_run(const char *name); | 49 | void syscall_run(const char *name); |
| 50 | 50 | ||
| 51 | // files.c | ||
| 52 | void files_test(void); | ||
| 53 | |||
| 54 | // network.c | ||
| 55 | void network_test(void); | ||
| 56 | |||
| 51 | #endif \ No newline at end of file | 57 | #endif \ No newline at end of file |
diff --git a/src/faudit/files.c b/src/faudit/files.c index 0463af66d..9a230d7e5 100644 --- a/src/faudit/files.c +++ b/src/faudit/files.c | |||
| @@ -31,8 +31,10 @@ static void check_home_file(const char *name) { | |||
| 31 | if (asprintf(&fname, "%s/%s", homedir, name) == -1) | 31 | if (asprintf(&fname, "%s/%s", homedir, name) == -1) |
| 32 | errExit("asprintf"); | 32 | errExit("asprintf"); |
| 33 | 33 | ||
| 34 | if (access(fname, R_OK) == 0) | 34 | if (access(fname, R_OK) == 0) { |
| 35 | printf("UGLY: I can access files in %s directory\n", fname); | 35 | printf("UGLY: I can access files in %s directory\n", fname); |
| 36 | printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname); | ||
| 37 | } | ||
| 36 | else | 38 | else |
| 37 | printf("GOOD: I cannot access files in %s directory\n", fname); | 39 | printf("GOOD: I cannot access files in %s directory\n", fname); |
| 38 | 40 | ||
diff --git a/src/faudit/main.c b/src/faudit/main.c index 2ed3aa2e1..6758f5671 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c | |||
| @@ -33,7 +33,7 @@ int main(int argc, char **argv) { | |||
| 33 | return 1; | 33 | return 1; |
| 34 | } | 34 | } |
| 35 | 35 | ||
| 36 | printf("\n---------------- Firejail Audit: the Good, the Bad and the Ugly ----------------\n"); | 36 | printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n"); |
| 37 | 37 | ||
| 38 | // extract program name | 38 | // extract program name |
| 39 | prog = realpath(argv[0], NULL); | 39 | prog = realpath(argv[0], NULL); |
| @@ -53,9 +53,12 @@ int main(int argc, char **argv) { | |||
| 53 | // check seccomp | 53 | // check seccomp |
| 54 | seccomp_test(); | 54 | seccomp_test(); |
| 55 | 55 | ||
| 56 | // check some well-known problematic files | 56 | // check some well-known problematic files and directories |
| 57 | files_test(); | 57 | files_test(); |
| 58 | 58 | ||
| 59 | // network | ||
| 60 | network_test(); | ||
| 61 | |||
| 59 | free(prog); | 62 | free(prog); |
| 60 | printf("--------------------------------------------------------------------------------\n"); | 63 | printf("--------------------------------------------------------------------------------\n"); |
| 61 | return 0; | 64 | return 0; |
diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 53b59a838..57947418e 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c | |||
| @@ -70,6 +70,7 @@ void pid_test(void) { | |||
| 70 | fclose(fp); | 70 | fclose(fp); |
| 71 | free(fname); | 71 | free(fname); |
| 72 | printf("BAD: Process PID %d, not running in a PID namespace\n", getpid()); | 72 | printf("BAD: Process PID %d, not running in a PID namespace\n", getpid()); |
| 73 | printf("Are you sure you're running in a sandbox?\n"); | ||
| 73 | return; | 74 | return; |
| 74 | } | 75 | } |
| 75 | j++; | 76 | j++; |
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index d88d6a958..9cc1a20f6 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c | |||
| @@ -50,8 +50,10 @@ void seccomp_test(void) { | |||
| 50 | return; | 50 | return; |
| 51 | } | 51 | } |
| 52 | 52 | ||
| 53 | if (seccomp_status == 0) | 53 | if (seccomp_status == 0) { |
| 54 | printf("BAD: seccomp disabled\n"); | 54 | printf("BAD: seccomp disabled\n"); |
| 55 | printf("Use \"firejail --seccomp\" to fix it.\n"); | ||
| 56 | } | ||
| 55 | else if (seccomp_status == 1) | 57 | else if (seccomp_status == 1) |
| 56 | printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n"); | 58 | printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n"); |
| 57 | else if (seccomp_status == 2) { | 59 | else if (seccomp_status == 2) { |