-rw-r--r-- | src/faudit/caps.c | 2 | ||||
-rw-r--r-- | src/faudit/faudit.h | 10 | ||||
-rw-r--r-- | src/faudit/main.c | 26 | ||||
-rw-r--r-- | src/faudit/pid.c | 2 | ||||
-rw-r--r-- | src/faudit/seccomp.c | 64 |
5 files changed, 94 insertions, 10 deletions
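--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -55,7 +55,7 @@ static int check_capability(uint64_t map, int cap) {
 return 0;
 }
 
-void caps(void) {
+void caps_test(void) {
 uint64_t caps_val;
 
 if (extract_caps(&caps_val)) {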
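--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -32,10 +32,16 @@
 
 #define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
 
+// main.c
+extern char *prog;
+
 // pid.c
-void pid(void);
+void pid_test(void);
 
 // caps.c
-void caps(void);
+void caps_test(void);
+
+// seccomp.c
+void seccomp_test(void);
 
 #endif
\ No newline at end of file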
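--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -18,17 +18,31 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "faudit.h"
+#include <limits.h>
+char *prog;
 
 int main(int argc, char **argv) {
-printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n");
+printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n");
 
+// extract program name
+prog = realpath(argv[0], NULL);
+if (prog == NULL) {
+fprintf(stderr, "Error: cannot extract the path of the audit program\n");
+return 1;
+}
+printf("Running %s\n", prog);
+
+
 // check pid namespace
-pid();
+pid_test();
 
-// chack capabilities
-caps();
+// check capabilities
+caps_test();
 
-printf("----------------------------------------------------------\n");
-return 0;
+// check seccomp
+seccomp_test();
 
+free(prog);
+printf("----------------------------------------------------------------\n");
+return 0;
 }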
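Review bot: `realpath(argv[0], NULL)` in the added block resolves whatever the parent process put in argv[0], which is caller-controlled and may be a bare or relative name, so `prog` is not guaranteed to be the audit binary's own path; `prog = realpath("/proc/self/exe", NULL);` gives the executable's real path with the same NULL-on-failure handling. The failure branch discards errno, so the user cannot tell why resolution failed; `fprintf(stderr, "Error: cannot extract the path of the audit program: %s\n", strerror(errno));` would say. `argc` is now unused since argv[0] is read unconditionally, and the added `<limits.h>` does not appear to be needed by anything in this hunk, whereas `realpath` and `free` need `<stdlib.h>`, which presumably arrives via faudit.h outside this hunk.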
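--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -19,7 +19,7 @@
 */
 #include "faudit.h"
 
-void pid(void) {
+void pid_test(void) {
 char *kern_proc[] = {
 "kthreadd",
 "ksoftirqd",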
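--- /dev/null
+++ b/src/faudit/seccomp.c
@@ -0,0 +1,64 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <linux/capability.h>
+
+#define MAXBUF 4098
+static int extract_seccomp(int *val) {
+FILE *fp = fopen("/proc/self/status", "r");
+if (!fp)
+return 1;
+
+char buf[MAXBUF];
+while (fgets(buf, MAXBUF, fp)) {
+if (strncmp(buf, "Seccomp:\t", 8) == 0) {
+char *ptr = buf + 8;
+int tmp;
+sscanf(ptr, "%d", &tmp);
+*val = tmp;
+fclose(fp);
+return 0;
+}
+}
+
+fclose(fp);
+return 1;
+}
+
+void seccomp_test(void) {
+int seccomp_status;
+int rv = extract_seccomp(&seccomp_status);
+
+if (rv) {
+printf("SKIP: cannot extract seccomp configuration on this platform\n");
+return;
+}
+
+if (seccomp_status == 0)
+printf("BAD: seccomp disabled\n");
+else if (seccomp_status == 1)
+printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
+else if (seccomp_status == 2) {
+printf("GOOD: seccomp BPF enababled\n");
+}
+else
+fprintf(stderr, "Error: unrecognized seccomp mode\n");
+
+}
\ No newline at end of file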
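Review bot: `sscanf(ptr, "%d", &tmp)` at new line 34 is unchecked, so a Seccomp line whose value does not parse leaves `tmp` uninitialized and `*val = tmp` copies indeterminate memory into the caller's status; change it to `if (sscanf(ptr, "%d", &tmp) != 1) { fclose(fp); return 1; }` so the caller takes the SKIP path instead of classifying garbage. The `strncmp(buf, "Seccomp:\t", 8)` on line 31 compares only 8 characters of a 9-character literal, so the tab is never checked; use `sizeof("Seccomp:\t") - 1` as the length (and the same constant for the `buf + 8` offset) so the literal and the length agree. `#include <linux/capability.h>` is unused in this file, and the user-visible strings on lines 57 and 59 misspell "allowed" and "enabled". A process in strict mode (status 1) would be killed by the `fopen` above before that branch runs, so the mode-1 message is likely unreachable in practice.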