-rw-r--r-- | README.md | 26 | ||||
-rw-r--r-- | src/profstats/main.c | 24 |
2 files changed, 37 insertions, 13 deletions
@@ -157,18 +157,20 @@ $ make | |||
157 | $ cd etc | 157 | $ cd etc |
158 | $ ./profstats *.profile | 158 | $ ./profstats *.profile |
159 | Stats: | 159 | Stats: |
160 | profiles 925 | 160 | profiles 949 |
161 | include local profile 925 (include profile-name.local) | 161 | include local profile 949 (include profile-name.local) |
162 | include globals 925 (include globals.local) | 162 | include globals 949 (include globals.local) |
163 | blacklist ~/.ssh 910 (include disable-common.inc) | 163 | blacklist ~/.ssh 934 (include disable-common.inc) |
164 | seccomp 868 | 164 | seccomp 892 |
165 | capabilities 924 | 165 | capabilities 948 |
166 | noexec 785 (include disable-exec.inc) | 166 | noexec 813 (include disable-exec.inc) |
167 | apparmor 426 | 167 | apparmor 471 |
168 | private-dev 788 | 168 | private-dev 812 |
169 | private-tmp 687 | 169 | private-tmp 711 |
170 | whitelist var directory 595 (include whitelist-var-common.inc) | 170 | whitelist var 621 (include whitelist-var-common.inc) |
171 | net none 274 | 171 | whitelist run/user 105 (include whitelist-runuser-common.inc) |
172 | whitelist usr/share 257 (include whitelist-usr-share-common.inc) | ||
173 | net none 297 | ||
172 | ````` | 174 | ````` |
173 | 175 | ||
174 | Run ./profstats -h for help. | 176 | Run ./profstats -h for help. |
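diff --git a/src/profstats/main.c b/src/profstats/main.c
index 76b90f01b..f8818982f 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -35,6 +35,8 @@ static int cnt_noexec = 0; // include disable-exec.inc
 static int cnt_privatedev = 0;
 static int cnt_privatetmp = 0;
 static int cnt_whitelistvar = 0; // include whitelist-var-common.inc
+static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc
+static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 
 static int level = 0;
@@ -46,6 +48,8 @@ static int arg_noexec = 0;
 static int arg_privatedev = 0;
 static int arg_privatetmp = 0;
 static int arg_whitelistvar = 0;
+static int arg_whitelistrunuser = 0;
+static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 
 static char *profile = NULL;
@@ -63,6 +67,8 @@ static void usage(void) {
 printf(" --private-tmp - print profiles without private-tmp\n");
 printf(" --seccomp - print profiles without seccomp\n");
 printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\"\n");
+printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
 printf(" --debug\n");
 printf("\n");
 }
@@ -102,6 +108,10 @@ void process_file(const char *fname) {
 cnt_noexec++;
 else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
 cnt_whitelistvar++;
+else if (strncmp(ptr, "include whitelist-runuser-common.inc", 32) == 0)
+cnt_whitelistrunuser++;
+else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 32) == 0)
+cnt_whitelistusrshare++;
 else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
 cnt_ssh++;
 else if (strncmp(ptr, "net none", 8) == 0)
@@ -159,6 +169,10 @@ int main(int argc, char **argv) {
 arg_privatetmp = 1;
 else if (strcmp(argv[i], "--whitelist-var") == 0)
 arg_whitelistvar = 1;
+else if (strcmp(argv[i], "--whitelist-runuser") == 0)
+arg_whitelistrunuser = 1;
+else if (strcmp(argv[i], "--whitelist-usrshare") == 0)
+arg_whitelistusrshare = 1;
 else if (strcmp(argv[i], "--ssh") == 0)
 arg_ssh = 1;
 else if (*argv[i] == '-') {
@@ -188,6 +202,8 @@ int main(int argc, char **argv) {
 int dotlocal = cnt_dotlocal;
 int globalsdotlocal = cnt_globalsdotlocal;
 int whitelistvar = cnt_whitelistvar;
+int whitelistrunuser = cnt_whitelistrunuser;
+int whitelistusrshare = cnt_whitelistusrshare;
 int ssh = cnt_ssh;
 
 // process file
@@ -220,6 +236,10 @@ int main(int argc, char **argv) {
 printf("No private-tmp found in %s\n", argv[i]);
 if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
 printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
+printf("No include whitelist-runuser-common.inc found in %s\n", argv[i]);
+if (arg_whitelistusrshare && whitelistusrshare == cnt_whitelistusrshare)
+printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]);
 if (arg_ssh && ssh == cnt_ssh)
 printf("No include disable-common.inc found in %s\n", argv[i]);
 
@@ -238,7 +258,9 @@ int main(int argc, char **argv) {
 printf(" apparmor\t\t\t%d\n", cnt_apparmor);
 printf(" private-dev\t\t\t%d\n", cnt_privatedev);
 printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
-printf(" whitelist var directory\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc)\n", cnt_whitelistrunuser);
+printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc)\n", cnt_whitelistusrshare);
 printf(" net none\t\t\t%d\n", cnt_netnone);
 printf("\n");
 return 0;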
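Review bot: The two new strncmp calls in process_file (new lines 111 and 113) keep the length 32 copied from the whitelist-var line, but "include whitelist-runuser-common.inc" is 36 characters and "include whitelist-usr-share-common.inc" is 38, so only a prefix of each literal is compared ("include whitelist-runuser-common" and "include whitelist-usr-share-comm"). That still counts the intended lines, but the stale lengths are a latent bug the moment a similarly prefixed include name appears, and they are easy to miss in review. Tie the length to the literal: `else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0)` and `else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0)`, or better a `sizeof("...") - 1` form so the count cannot drift from the string. process_file's body begins and ends outside this hunk.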