-rw-r--r-- | src/faudit/caps.c | 1 | ||||
-rw-r--r-- | src/faudit/faudit.h | 6 | ||||
-rw-r--r-- | src/faudit/files.c | 4 | ||||
-rw-r--r-- | src/faudit/main.c | 7 | ||||
-rw-r--r-- | src/faudit/pid.c | 1 | ||||
-rw-r--r-- | src/faudit/seccomp.c | 4 |
6 files changed, 19 insertions, 4 deletions
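--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -66,6 +66,7 @@ void caps_test(void) {
 
 if (caps_val) {
 printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val);
+printf("Use \"firejail --caps.drop=all\" to fix it.\n");
 
 if (check_capability(caps_val, CAP_SYS_ADMIN))
 printf("UGLY: CAP_SYS_ADMIN is enabled\n");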
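--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -48,4 +48,10 @@ void seccomp_test(void);
 void syscall_helper(int argc, char **argv);
 void syscall_run(const char *name);
 
+// files.c
+void files_test(void);
+
+// network.c
+void network_test(void);
+
 #endif
\ No newline at end of file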
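Review bot: `network_test()` is declared here under `// network.c` and called from the second hunk of main.c, but no network.c is among the six files in this commit's diffstat, so the program will fail to link unless that file already exists in the tree or arrives in a companion change; if it is new, it belongs in this commit together with whatever the build needs to compile it. The `// files.c` group is a sound addition, since main.c already called `files_test()` on the old side without a prototype visible in this header. The same point applies to the main.c section below.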
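--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -31,8 +31,10 @@ static void check_home_file(const char *name) {
 if (asprintf(&fname, "%s/%s", homedir, name) == -1)
 errExit("asprintf");
 
-if (access(fname, R_OK) == 0)
+if (access(fname, R_OK) == 0) {
 printf("UGLY: I can access files in %s directory\n", fname);
+printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname);
+}
 else
 printf("GOOD: I cannot access files in %s directory\n", fname);
 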
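Review bot: The new hint line passes `fname` to `--blacklist=~/%s`, but `fname` is the absolute path just built by `asprintf(&fname, "%s/%s", homedir, name)`, so the suggested command comes out as `~//<home>/<name>` and is not what the user should type; the argument should be the relative `name`: `printf("Use \"firejail --blacklist=~/%s\" to block it.\n", name);`. Now that the `if` arm is braced, the `else` arm on the next two lines is the only unbraced one in the statement; bracing it too keeps the shape uniform when another hint line is added there. check_home_file begins before the hunk and continues after it.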
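--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -33,7 +33,7 @@ int main(int argc, char **argv) {
 return 1;
 }
 
-printf("\n---------------- Firejail Audit: the Good, the Bad and the Ugly ----------------\n");
+printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
 
 // extract program name
 prog = realpath(argv[0], NULL);
@@ -53,9 +53,12 @@ int main(int argc, char **argv) {
 // check seccomp
 seccomp_test();
 
-// check some well-known problematic files
+// check some well-known problematic files and directories
 files_test();
 
+// network
+network_test();
+
 free(prog);
 printf("--------------------------------------------------------------------------------\n");
 return 0;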
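--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -70,6 +70,7 @@ void pid_test(void) {
 fclose(fp);
 free(fname);
 printf("BAD: Process PID %d, not running in a PID namespace\n", getpid());
+printf("Are you sure you're running in a sandbox?\n");
 return;
 }
 j++;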
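--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -50,8 +50,10 @@ void seccomp_test(void) {
 return;
 }
 
-if (seccomp_status == 0)
+if (seccomp_status == 0) {
 printf("BAD: seccomp disabled\n");
+printf("Use \"firejail --seccomp\" to fix it.\n");
+}
 else if (seccomp_status == 1)
 printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
 else if (seccomp_status == 2) {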
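Review bot: With the `seccomp_status == 0` arm now braced and the `== 2` arm already braced, the `else if (seccomp_status == 1)` arm is the only unbraced branch left in the chain; bracing it as well keeps the chain uniform and avoids a silently dropped second statement if a hint line is later added there, as was done for the other arms. The message on that same line also carries a pre-existing typo, `allowd` for `allowed`, which is worth fixing while the block is being touched. seccomp_test continues past the end of the hunk.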