audit: seccomp

author: netblue30 <netblue30@yahoo.com> 2016-07-02 14:10:07 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-07-02 14:10:07 -0400
commit: b14628560a972d9f1709a249207b6595ffe7ed09 (patch)
tree: 868225ffea34f09f8949ef7a13ce03e9dbf65412 /src
parent: audit: seccomp (diff)
download: firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.gz
firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.zst
firejail-b14628560a972d9f1709a249207b6595ffe7ed09.zip
6 files changed, 152 insertions, 7 deletions
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
index 3cf4a076f..f98d45ec8 100644
--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -17,6 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "faudit.h"
 #include <linux/capability.h>
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 50d75c2a4..fdb4556c3 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -44,4 +44,8 @@ void caps_test(void);
 // seccomp.c
 void seccomp_test(void);
+// syscall.c
+void syscall_helper(int argc, char **argv);
+void syscall_run(const char *name);
 #endif
 \ No newline at end of file
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 0724a7ec9..cd358cc1a 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -18,11 +18,22 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "faudit.h"
-#include <limits.h>
 char *prog;
 int main(int argc, char **argv) {
-        printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n");
+        if (argc != 1) {
+                int i;
+                
+                for (i = 1; i < argc; i++) {
+                        if (strcmp(argv[i], "syscall")) {
+                                syscall_helper(argc, argv);
+                                return 0;
+                        }
+                }
+                return 1;
+        }
+        printf("\n---------------- Firejail Audit: the Good, the Bad and the Ugly ----------------\n");
        // extract program name
        prog = realpath(argv[0], NULL);
@@ -30,7 +41,7 @@ int main(int argc, char **argv) {
                fprintf(stderr, "Error: cannot extract the path of the audit program\n");
                return 1;
        }
-        printf("Running %s\n", prog);
+        printf("INFO: starting %s\n", prog);
        
        
        // check pid namespace
@@ -43,6 +54,6 @@ int main(int argc, char **argv) {
        seccomp_test();
        
        free(prog);
-        printf("----------------------------------------------------------------\n");
+        printf("--------------------------------------------------------------------------------\n");
        return 0;
 }
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 5744ab244..53b59a838 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -80,10 +80,10 @@ void pid_test(void) {
        }
-        printf("GOOD: Process PID %d, running in a PID namespace\n", getpid());
+        printf("GOOD: process PID %d, running in a PID namespace\n", getpid());
        
        // try to guess the type of container/sandbox
        char *str = getenv("container");
        if (str)
-                printf("Container/sandbox: %s\n", str);
+                printf("INFO: container/sandbox %s\n", str);
 }
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
index a50ec1e0c..d88d6a958 100644
--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "faudit.h"
-#include <linux/capability.h>
 #define MAXBUF 4098
 static int extract_seccomp(int *val) {
@@ -57,6 +56,45 @@ void seccomp_test(void) {
                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowd\n");
        else if (seccomp_status == 2) {
                printf("GOOD: seccomp BPF enababled\n");
+                printf("checking syscalls: "); fflush(0);
+                printf("mount... "); fflush(0);
+                syscall_run("mount");
+                printf("umount2... "); fflush(0);
+                syscall_run("umount2");
+                printf("ptrace... "); fflush(0);
+                syscall_run("ptrace");
+                
+                printf("swapon... "); fflush(0);
+                syscall_run("swapon");
+                
+                printf("swapoff... "); fflush(0);
+                syscall_run("swapoff");
+                printf("init_module... "); fflush(0);
+                syscall_run("init_module");
+                printf("finit_module... "); fflush(0);
+                syscall_run("finit_module");
+                printf("delete_module... "); fflush(0);
+                syscall_run("delete_module");
+                
+                printf("chroot... "); fflush(0);
+                syscall_run("chroot");
+                
+                printf("pivot_root... "); fflush(0);
+                syscall_run("pivot_root");
+                
+                printf("iopl... "); fflush(0);
+                syscall_run("iopl");
+                
+                printf("ioperm... "); fflush(0);
+                syscall_run("ioperm");
+                
+                printf("\n");
        }
        else
                fprintf(stderr, "Error: unrecognized seccomp mode\n");
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
new file mode 100644
index 000000000..11fb3730b
--- /dev/null
+++ b/src/faudit/syscall.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+void syscall_helper(int argc, char **argv) {
+        if (strcmp(argv[2], "mount") == 0) {
+                mount(NULL, NULL, NULL, 0, NULL);
+                printf("\nUGLY: mount syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "umount2") == 0) {
+                umount2(NULL, 0);
+                printf("\nUGLY: umount2 syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "ptrace") == 0) {
+                ptrace(0, 0, NULL, NULL);
+                printf("\nUGLY: ptrace syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "swapon") == 0) {
+                swapon(NULL, 0);
+                printf("\nUGLY: swapon syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "swapoff") == 0) {
+                swapoff(NULL);
+                printf("\nUGLY: swapoff syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "init_module") == 0) {
+                init_module(NULL, 0, NULL);
+                printf("\nUGLY: init_moule syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "finit_module") == 0) {
+                swapoff(0, NULL, 0);
+                printf("\nUGLY: finit_moule syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "delete_module") == 0) {
+                delete_module(NULL, 0);
+                printf("\nUGLY: delete_moule syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "chroot") == 0) {
+                int rv = chroot(NULL);
+                (void) rv;
+                printf("\nUGLY: chroot syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "pivot_root") == 0) {
+                pivot_root(NULL, NULL);
+                printf("\nUGLY: pivot_root syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "iopl") == 0) {
+                iopl(0L);
+                printf("\nUGLY: iopl syscall permitted\n");
+        }
+        else if (strcmp(argv[2], "ioperm") == 0) {
+                ioperm(0, 0, 0);
+                printf("\nUGLY: ioperm syscall permitted\n");
+        }
+        exit(0);
+}
+void syscall_run(const char *name) {
+        assert(prog);
+        
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                char *cmd;
+                if (asprintf(&cmd, "%s syscall %s", prog, name) == -1)
+                        errExit("asprintf");
+                execl(prog, prog, "syscall", name, NULL);
+                exit(0);
+        }
+                
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
+\ No newline at end of file
author	netblue30 <netblue30@yahoo.com>	2016-07-02 14:10:07 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-07-02 14:10:07 -0400
commit	b14628560a972d9f1709a249207b6595ffe7ed09 (patch)
tree	868225ffea34f09f8949ef7a13ce03e9dbf65412 /src
parent	audit: seccomp (diff)
download	firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.gz firejail-b14628560a972d9f1709a249207b6595ffe7ed09.tar.zst firejail-b14628560a972d9f1709a249207b6595ffe7ed09.zip

diff --git a/src/faudit/caps.c b/src/faudit/caps.c index 3cf4a076f..f98d45ec8 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c
@@ -17,6 +17,7 @@
17	* with this program; if not, write to the Free Software Foundation, Inc.,	17	* with this program; if not, write to the Free Software Foundation, Inc.,
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
		20
20	#include "faudit.h"	21	#include "faudit.h"
21	#include <linux/capability.h>	22	#include <linux/capability.h>
22		23


diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 50d75c2a4..fdb4556c3 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h
@@ -44,4 +44,8 @@ void caps_test(void);
44	// seccomp.c	44	// seccomp.c
45	void seccomp_test(void);	45	void seccomp_test(void);
46		46
		47	// syscall.c
		48	void syscall_helper(int argc, char **argv);
		49	void syscall_run(const char *name);
		50
47	#endif \ No newline at end of file	51	#endif \ No newline at end of file


diff --git a/src/faudit/main.c b/src/faudit/main.c index 0724a7ec9..cd358cc1a 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c
@@ -18,11 +18,22 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "faudit.h"	20	#include "faudit.h"
21	#include <limits.h>
22	char *prog;	21	char *prog;
23		22
24	int main(int argc, char **argv) {	23	int main(int argc, char **argv) {
25	printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n");	24	if (argc != 1) {
		25	int i;
		26
		27	for (i = 1; i < argc; i++) {
		28	if (strcmp(argv[i], "syscall")) {
		29	syscall_helper(argc, argv);
		30	return 0;
		31	}
		32	}
		33	return 1;
		34	}
		35
		36	printf("\n---------------- Firejail Audit: the Good, the Bad and the Ugly ----------------\n");
26		37
27	// extract program name	38	// extract program name
28	prog = realpath(argv[0], NULL);	39	prog = realpath(argv[0], NULL);
@@ -30,7 +41,7 @@ int main(int argc, char **argv) {
30	fprintf(stderr, "Error: cannot extract the path of the audit program\n");	41	fprintf(stderr, "Error: cannot extract the path of the audit program\n");
31	return 1;	42	return 1;
32	}	43	}
33	printf("Running %s\n", prog);	44	printf("INFO: starting %s\n", prog);
34		45
35		46
36	// check pid namespace	47	// check pid namespace
@@ -43,6 +54,6 @@ int main(int argc, char **argv) {
43	seccomp_test();	54	seccomp_test();
44		55
45	free(prog);	56	free(prog);
46	printf("----------------------------------------------------------------\n");	57	printf("--------------------------------------------------------------------------------\n");
47	return 0;	58	return 0;
48	}	59	}


diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 5744ab244..53b59a838 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c
@@ -80,10 +80,10 @@ void pid_test(void) {
80	}	80	}
81		81
82		82
83	printf("GOOD: Process PID %d, running in a PID namespace\n", getpid());	83	printf("GOOD: process PID %d, running in a PID namespace\n", getpid());
84		84
85	// try to guess the type of container/sandbox	85	// try to guess the type of container/sandbox
86	char *str = getenv("container");	86	char *str = getenv("container");
87	if (str)	87	if (str)
88	printf("Container/sandbox: %s\n", str);	88	printf("INFO: container/sandbox %s\n", str);
89	}	89	}


diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index a50ec1e0c..d88d6a958 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c
@@ -18,7 +18,6 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "faudit.h"	20	#include "faudit.h"
21	#include <linux/capability.h>
22		21
23	#define MAXBUF 4098	22	#define MAXBUF 4098
24	static int extract_seccomp(int *val) {	23	static int extract_seccomp(int *val) {
@@ -57,6 +56,45 @@ void seccomp_test(void) {
57	printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");	56	printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
58	else if (seccomp_status == 2) {	57	else if (seccomp_status == 2) {
59	printf("GOOD: seccomp BPF enababled\n");	58	printf("GOOD: seccomp BPF enababled\n");
		59
		60	printf("checking syscalls: "); fflush(0);
		61	printf("mount... "); fflush(0);
		62	syscall_run("mount");
		63
		64	printf("umount2... "); fflush(0);
		65	syscall_run("umount2");
		66
		67	printf("ptrace... "); fflush(0);
		68	syscall_run("ptrace");
		69
		70	printf("swapon... "); fflush(0);
		71	syscall_run("swapon");
		72
		73	printf("swapoff... "); fflush(0);
		74	syscall_run("swapoff");
		75
		76	printf("init_module... "); fflush(0);
		77	syscall_run("init_module");
		78
		79	printf("finit_module... "); fflush(0);
		80	syscall_run("finit_module");
		81
		82	printf("delete_module... "); fflush(0);
		83	syscall_run("delete_module");
		84
		85	printf("chroot... "); fflush(0);
		86	syscall_run("chroot");
		87
		88	printf("pivot_root... "); fflush(0);
		89	syscall_run("pivot_root");
		90
		91	printf("iopl... "); fflush(0);
		92	syscall_run("iopl");
		93
		94	printf("ioperm... "); fflush(0);
		95	syscall_run("ioperm");
		96
		97	printf("\n");
60	}	98	}
61	else	99	else
62	fprintf(stderr, "Error: unrecognized seccomp mode\n");	100	fprintf(stderr, "Error: unrecognized seccomp mode\n");


diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c new file mode 100644 index 000000000..11fb3730b --- /dev/null +++ b/src/faudit/syscall.c
@@ -0,0 +1,91 @@
		1	/*
		2	* Copyright (C) 2014-2016 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "faudit.h"
		21
		22	void syscall_helper(int argc, char **argv) {
		23	if (strcmp(argv[2], "mount") == 0) {
		24	mount(NULL, NULL, NULL, 0, NULL);
		25	printf("\nUGLY: mount syscall permitted\n");
		26	}
		27	else if (strcmp(argv[2], "umount2") == 0) {
		28	umount2(NULL, 0);
		29	printf("\nUGLY: umount2 syscall permitted\n");
		30	}
		31	else if (strcmp(argv[2], "ptrace") == 0) {
		32	ptrace(0, 0, NULL, NULL);
		33	printf("\nUGLY: ptrace syscall permitted\n");
		34	}
		35	else if (strcmp(argv[2], "swapon") == 0) {
		36	swapon(NULL, 0);
		37	printf("\nUGLY: swapon syscall permitted\n");
		38	}
		39	else if (strcmp(argv[2], "swapoff") == 0) {
		40	swapoff(NULL);
		41	printf("\nUGLY: swapoff syscall permitted\n");
		42	}
		43	else if (strcmp(argv[2], "init_module") == 0) {
		44	init_module(NULL, 0, NULL);
		45	printf("\nUGLY: init_moule syscall permitted\n");
		46	}
		47	else if (strcmp(argv[2], "finit_module") == 0) {
		48	swapoff(0, NULL, 0);
		49	printf("\nUGLY: finit_moule syscall permitted\n");
		50	}
		51	else if (strcmp(argv[2], "delete_module") == 0) {
		52	delete_module(NULL, 0);
		53	printf("\nUGLY: delete_moule syscall permitted\n");
		54	}
		55	else if (strcmp(argv[2], "chroot") == 0) {
		56	int rv = chroot(NULL);
		57	(void) rv;
		58	printf("\nUGLY: chroot syscall permitted\n");
		59	}
		60	else if (strcmp(argv[2], "pivot_root") == 0) {
		61	pivot_root(NULL, NULL);
		62	printf("\nUGLY: pivot_root syscall permitted\n");
		63	}
		64	else if (strcmp(argv[2], "iopl") == 0) {
		65	iopl(0L);
		66	printf("\nUGLY: iopl syscall permitted\n");
		67	}
		68	else if (strcmp(argv[2], "ioperm") == 0) {
		69	ioperm(0, 0, 0);
		70	printf("\nUGLY: ioperm syscall permitted\n");
		71	}
		72	exit(0);
		73	}
		74
		75	void syscall_run(const char *name) {
		76	assert(prog);
		77
		78	pid_t child = fork();
		79	if (child < 0)
		80	errExit("fork");
		81	if (child == 0) {
		82	char *cmd;
		83	if (asprintf(&cmd, "%s syscall %s", prog, name) == -1)
		84	errExit("asprintf");
		85	execl(prog, prog, "syscall", name, NULL);
		86	exit(0);
		87	}
		88
		89	// wait for the child to finish
		90	waitpid(child, NULL, 0);
		91	} \ No newline at end of file