-rw-r--r-- | src/faudit/dbus.c | 2 | ||||
-rw-r--r-- | src/faudit/files.c | 2 | ||||
-rw-r--r-- | src/faudit/main.c | 2 | ||||
-rw-r--r-- | src/faudit/network.c | 2 | ||||
-rw-r--r-- | src/faudit/syscall.c | 5 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 11 | ||||
-rw-r--r-- | src/firejail/usage.c | 16 | ||||
-rw-r--r-- | src/man/firejail.txt | 31 |
10 files changed, 62 insertions, 13 deletions
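diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 5f25e7312..f7b5a221d 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) {
 printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
 }
 else {
-printf("MAYBE: I can connect to session bus. If this is undesirable, use \"--private-tmp\" or blacklist the socket file.\n");
+printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
 }
 
 close(sock);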
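Review bot: The new MAYBE text in `check_session_bus` recommends only a network namespace, and that isolates abstract Unix sockets but not sockets that live on the filesystem. If `sockfile` can be a filesystem path (how it is derived is above the hunk and not visible here), `--net=none` leaves the session bus reachable and the removed advice about blacklisting the socket file was the remedy that applied. Consider naming both remedies in the message, for example ending it with `use \"--net=none\" for an abstract socket, or blacklist the socket file.`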
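diff --git a/src/faudit/files.c b/src/faudit/files.c
index c27973358..e27d3436a 100644
--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -33,7 +33,7 @@ static void check_home_file(const char *name) {
 
 if (access(fname, R_OK) == 0) {
 printf("UGLY: I can access files in %s directory. ", fname);
-printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname);
+printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
 }
 else
 printf("GOOD: I cannot access files in %s directory.\n", fname);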
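diff --git a/src/faudit/main.c b/src/faudit/main.c
index df549ac3e..86d3fe4a9 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -41,7 +41,7 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: cannot extract the path of the audit program\n");
 return 1;
 }
-printf("INFO: Starting %s.\n", prog);
+printf("INFO: starting %s.\n", prog);
 
 
 // check pid namespace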
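diff --git a/src/faudit/network.c b/src/faudit/network.c
index bb3116c3b..39821cd25 100644
--- a/src/faudit/network.c
+++ b/src/faudit/network.c
@@ -40,7 +40,7 @@ void check_ssh(void) {
 if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
 printf("GOOD: SSH server not available on localhost.\n");
 else {
-printf("MAYBE: An SSH server is accessible on localhost. ");
+printf("MAYBE: an SSH server is accessible on localhost. ");
 printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
 }
 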
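diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 84d73a03f..7088ad340 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -79,11 +79,8 @@ void syscall_run(const char *name) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
-char *cmd;
-if (asprintf(&cmd, "%s syscall %s", prog, name) == -1)
-errExit("asprintf");
 execl(prog, prog, "syscall", name, NULL);
-exit(0);
+exit(1);
 }
 
 // wait for the child to finish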
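Review bot: The child branch of `syscall_run` calls `exit(1)` when `execl` returns, which runs atexit handlers and flushes the stdio buffers copied from the parent at fork, so audit output that was still buffered can be printed twice. After a failed exec in a forked child the usual form is `_exit(1);`. The failure is also silent; adding `perror("execl");` before it would let the report distinguish a test helper that could not be started from a result produced by the syscall filter. How the parent interprets the child's exit status is outside this hunk.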
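diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 0b6e2e181..39013de56 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -260,6 +260,7 @@ extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_writable_var; // writable var
 extern int arg_appimage; // appimage
+extern int arg_audit; // audit
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];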
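diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7b956bf64..34cc38cd5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -100,6 +100,7 @@ int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
 int arg_writable_var = 0; // writable var
 int arg_appimage = 0; // appimage
+int arg_audit = 0; // audit
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1830,6 +1831,8 @@ int main(int argc, char **argv) {
 //*************************************
 // command
 //*************************************
+else if (strcmp(argv[i], "--audit") == 0)
+arg_audit = 1;
 else if (strcmp(argv[i], "--appimage") == 0)
 arg_appimage = 1;
 else if (strcmp(argv[i], "--csh") == 0) {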
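Review bot: The `--audit` branch added to the option parser matches only the exact string, while src/firejail/usage.c and src/man/firejail.txt in this same commit document `--audit=test-program`. As written, `--audit=~/sandbox-test` never sets `arg_audit` and is handled by whatever the rest of the chain, outside this hunk, does with an unrecognised option. Either drop the `=test-program` form from the help text and man page until it exists, or add an `else if (strncmp(argv[i], "--audit=", 8) == 0)` branch that stores the path. If that branch is added, the path is user-supplied and ends up in an exec inside the sandbox, so it should be validated before it is used.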
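diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0e3d722b7..8cf2486b3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -275,9 +275,18 @@ static int monitor_application(pid_t app_pid) {
 
 static void start_application(void) {
 //****************************************
+// audit
+//****************************************
+if (arg_audit) {
+char *audit_prog;
+if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
+errExit("asprintf");
+execl(audit_prog, audit_prog, NULL);
+}
+//****************************************
 // start the program without using a shell
 //****************************************
-if (arg_shell_none) {
+else if (arg_shell_none) {
 if (arg_debug) {
 int i;
 for (i = cfg.original_program_index; i < cfg.original_argc; i++) {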
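Review bot: In `start_application`, nothing handles `execl(audit_prog, audit_prog, NULL)` returning. On failure (for example faudit is not installed under LIBDIR) control leaves the `if (arg_audit)` block, skips the whole `else if` chain and continues with whatever follows it outside this hunk, and no error is reported. Add `errExit("execl");` directly after the call so a failed audit run cannot pass silently. The sentinel is also better written `(char *) NULL`, since a bare `NULL` in a variadic call is not guaranteed to be passed as a pointer.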
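diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 82b1affcc..e31867351 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -35,6 +35,8 @@ void usage(void) {
 printf("Options:\n\n");
 printf(" -- - signal the end of options and disables further option processing.\n\n");
 printf(" --appimage - sandbox an AppImage application\n\n");
+printf(" --audit - audit the sandbox, see Audit section for more details\n\n");
+printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n");
 #ifdef HAVE_NETWORK
 printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n");
 printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
@@ -298,7 +300,19 @@ void usage(void) {
 printf("\n");
 #endif
 
-
+printf("Audit\n\n");
+printf("Audit feature allows the user to point out gaps in security profiles. The\n");
+printf("implementation replaces the program to be sandboxed with a test program. By\n");
+printf("default, we use faudit program distributed with Firejail. A custom test program\n");
+printf("can also be supplied by the user. Examples:\n\n");
+printf("Running the default audit program:\n");
+printf(" $ firejail --audit transmission-gtk\n\n");
+printf("Running a custom audit program:\n");
+printf(" $ firejail --audit=~/sandbox-test transmission-gtk\n\n");
+printf("In the examples above, the sandbox configures transmission-gtk profile and\n");
+printf("starts the test program. The real program, transmission-gtk, will not be\n");
+printf("started.\n\n\n");
+
 printf("Monitoring\n\n");
 
 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");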
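diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bb8c64dc9..a523e51cb 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -88,6 +88,12 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
 .br
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
 .TP
+\fB\-\-audit
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
+\fB\-\-audit=test-program
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -1691,15 +1697,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 
 Set rate-limits:
 
-firejail --bandwidth=name|pid set network download upload
+$ firejail --bandwidth=name|pid set network download upload
 
 Clear rate-limits:
 
-firejail --bandwidth=name|pid clear network
+$ firejail --bandwidth=name|pid clear network
 
 Status:
 
-firejail --bandwidth=name|pid status
+$ firejail --bandwidth=name|pid status
 
 where:
 .br
@@ -1723,6 +1729,25 @@ Example:
 .br
 $ firejail \-\-bandwidth=mybrowser clear eth0
 
+.SH AUDIT
+Audit feature allows the user to point out gaps in security profiles. The
+implementation replaces the program to be sandboxed with a test program. By
+default, we use faudit program distributed with Firejail. A custom test program
+can also be supplied by the user. Examples:
+
+Running the default audit program:
+.br
+$ firejail --audit transmission-gtk
+
+Running a custom audit program:
+.br
+$ firejail --audit=~/sandbox-test transmission-gtk\n\n");
+
+In the examples above, the sandbox configures transmission-gtk profile and
+starts the test program. The real program, transmission-gtk, will not be
+started.
+
+
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows: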