diff options
| author |  netblue30 <netblue30@protonmail.com> | 2024-04-30 21:26:55 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2024-04-30 21:26:55 -0400 |
| commit | e11949a712c88f91d9dffc0f9797272e515b7df3 (patch) | |
| tree | cfccb2c353af6a3488b386a9c217972ad8960d00 /src | |
| parent | landlock: fix building without landlock.h (diff) | |
| download | firejail-e11949a712c88f91d9dffc0f9797272e515b7df3.tar.gz firejail-e11949a712c88f91d9dffc0f9797272e515b7df3.tar.zst firejail-e11949a712c88f91d9dffc0f9797272e515b7df3.zip | |
add support for comm, coredump, and prctl procevents in firemon
Diffstat (limited to 'src')
| -rw-r--r-- | src/firemon/procevent.c | 57 |
1 files changed, 47 insertions, 10 deletions
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index e17ed659b..430730374 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
| @@ -301,7 +301,9 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
| 301 | proc_ev = (struct proc_event *)cn_msg->data; | 301 | proc_ev = (struct proc_event *)cn_msg->data; |
| 302 | pid_t pid = 0; | 302 | pid_t pid = 0; |
| 303 | pid_t child = 0; | 303 | pid_t child = 0; |
| 304 | char *new_comm = NULL; | ||
| 304 | int remove_pid = 0; | 305 | int remove_pid = 0; |
| 306 | int nodisplay = 0; | ||
| 305 | switch (proc_ev->what) { | 307 | switch (proc_ev->what) { |
| 306 | case PROC_EVENT_FORK: | 308 | case PROC_EVENT_FORK: |
| 307 | #ifdef DEBUG_PRCTL | 309 | #ifdef DEBUG_PRCTL |
| @@ -322,6 +324,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
| 322 | pids[child].parent = pid; | 324 | pids[child].parent = pid; |
| 323 | } | 325 | } |
| 324 | sprintf(lineptr, " fork"); | 326 | sprintf(lineptr, " fork"); |
| 327 | nodisplay = 1; | ||
| 325 | break; | 328 | break; |
| 326 | case PROC_EVENT_EXEC: | 329 | case PROC_EVENT_EXEC: |
| 327 | pid = proc_ev->event_data.exec.process_tgid; | 330 | pid = proc_ev->event_data.exec.process_tgid; |
| @@ -363,6 +366,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
| 363 | sprintf(lineptr, " uid (%d:%d)", | 366 | sprintf(lineptr, " uid (%d:%d)", |
| 364 | proc_ev->event_data.id.r.ruid, | 367 | proc_ev->event_data.id.r.ruid, |
| 365 | proc_ev->event_data.id.e.euid); | 368 | proc_ev->event_data.id.e.euid); |
| 369 | nodisplay = 1; | ||
| 366 | break; | 370 | break; |
| 367 | 371 | ||
| 368 | case PROC_EVENT_GID: | 372 | case PROC_EVENT_GID: |
| @@ -379,6 +383,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
| 379 | sprintf(lineptr, " gid (%d:%d)", | 383 | sprintf(lineptr, " gid (%d:%d)", |
| 380 | proc_ev->event_data.id.r.rgid, | 384 | proc_ev->event_data.id.r.rgid, |
| 381 | proc_ev->event_data.id.e.egid); | 385 | proc_ev->event_data.id.e.egid); |
| 386 | nodisplay = 1; | ||
| 382 | break; | 387 | break; |
| 383 | 388 | ||
| 384 | 389 | ||
| @@ -391,6 +396,41 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
| 391 | sprintf(lineptr, " sid "); | 396 | sprintf(lineptr, " sid "); |
| 392 | break; | 397 | break; |
| 393 | 398 | ||
| 399 | case PROC_EVENT_COREDUMP: | ||
| 400 | pid = proc_ev->event_data.coredump.process_tgid; | ||
| 401 | #ifdef DEBUG_PRCTL | ||
| 402 | printf("%s: %d, event coredump, pid %d\n", __FUNCTION__, __LINE__, pid); | ||
| 403 | #endif | ||
| 404 | sprintf(lineptr, " coredump "); | ||
| 405 | break; | ||
| 406 | |||
| 407 | case PROC_EVENT_COMM: | ||
| 408 | pid = proc_ev->event_data.comm.process_tgid; | ||
| 409 | #ifdef DEBUG_PRCTL | ||
| 410 | printf("%s: %d, event comm, pid %d\n", __FUNCTION__, __LINE__, pid); | ||
| 411 | #endif | ||
| 412 | if (proc_ev->event_data.comm.process_pid != | ||
| 413 | proc_ev->event_data.comm.process_tgid) | ||
| 414 | continue; // this is a thread, not a process | ||
| 415 | |||
| 416 | if (pids[pid].level == 1 || | ||
| 417 | pids[pids[pid].parent].level == 1) { | ||
| 418 | sprintf(lineptr, "\n"); | ||
| 419 | continue; | ||
| 420 | } | ||
| 421 | else | ||
| 422 | sprintf(lineptr, " comm %s", proc_ev->event_data.comm.comm); | ||
| 423 | nodisplay = 1; | ||
| 424 | break; | ||
| 425 | |||
| 426 | case PROC_EVENT_PTRACE: | ||
| 427 | pid = proc_ev->event_data.ptrace.process_tgid; | ||
| 428 | #ifdef DEBUG_PRCTL | ||
| 429 | printf("%s: %d, event ptrace, pid %d\n", __FUNCTION__, __LINE__, pid); | ||
| 430 | #endif | ||
| 431 | sprintf(lineptr, " ptrace "); | ||
| 432 | break; | ||
| 433 | |||
| 394 | default: | 434 | default: |
| 395 | #ifdef DEBUG_PRCTL | 435 | #ifdef DEBUG_PRCTL |
| 396 | printf("%s: %d, event unknown\n", __FUNCTION__, __LINE__); | 436 | printf("%s: %d, event unknown\n", __FUNCTION__, __LINE__); |
| @@ -449,7 +489,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
| 449 | if (!cmd) { | 489 | if (!cmd) { |
| 450 | cmd = pid_proc_cmdline(pid); | 490 | cmd = pid_proc_cmdline(pid); |
| 451 | } | 491 | } |
| 452 | if (cmd == NULL) | 492 | if (cmd == NULL || nodisplay) |
| 453 | sprintf(lineptr, "\n"); | 493 | sprintf(lineptr, "\n"); |
| 454 | else { | 494 | else { |
| 455 | sprintf(lineptr, " %s\n", cmd); | 495 | sprintf(lineptr, " %s\n", cmd); |
| @@ -473,15 +513,12 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
| 473 | } | 513 | } |
| 474 | 514 | ||
| 475 | // print forked child | 515 | // print forked child |
| 476 | if (child) { | 516 | if (child) |
| 477 | cmd = pid_proc_cmdline(child); | 517 | printf("\tchild %u\n", child); |
| 478 | if (cmd) { | 518 | |
| 479 | printf("\tchild %u %s\n", child, cmd); | 519 | // print new comm |
| 480 | free(cmd); | 520 | if (new_comm) |
| 481 | } | 521 | printf("\tnew comm %s\n", new_comm); |
| 482 | else | ||
| 483 | printf("\tchild %u\n", child); | ||
| 484 | } | ||
| 485 | 522 | ||
| 486 | // on uid events the uid is changing | 523 | // on uid events the uid is changing |
| 487 | if (proc_ev->what == PROC_EVENT_UID) { | 524 | if (proc_ev->what == PROC_EVENT_UID) { |