-rw-r--r-- | README.md | 44 | ||||
-rw-r--r-- | etc/profile-m-z/openarena.profile | 2 | ||||
-rw-r--r-- | src/profstats/main.c | 17 |
3 files changed, 40 insertions, 23 deletions
@@ -160,33 +160,33 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
160 | 160 | ||
161 | ### Profile Statistics | 161 | ### Profile Statistics |
162 | 162 | ||
163 | A small tool to print profile statistics. Compile as usual and run: | 163 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: |
164 | ````` | 164 | ````` |
165 | $ make | ||
166 | $ cd etc | ||
167 | $ ./profstats *.profile | 165 | $ ./profstats *.profile |
168 | profiles 966 | 166 | Warning: multiple caps in transmission-daemon.profile |
169 | include local profile 966 (include profile-name.local) | 167 | |
170 | include globals 966 (include globals.local) | 168 | Stats: |
171 | blacklist ~/.ssh 951 (include disable-common.inc) | 169 | profiles 1025 |
172 | seccomp 908 | 170 | include local profile 1025 (include profile-name.local) |
173 | capabilities 965 | 171 | include globals 1025 (include globals.local) |
174 | noexec 830 (include disable-exec.inc) | 172 | blacklist ~/.ssh 1001 (include disable-common.inc) |
175 | memory-deny-write-execute 214 | 173 | seccomp 971 |
176 | apparmor 488 | 174 | capabilities 1024 |
177 | private-bin 483 | 175 | noexec 895 (include disable-exec.inc) |
178 | private-dev 829 | 176 | memory-deny-write-execute 217 |
179 | private-etc 366 | 177 | apparmor 546 |
180 | private-tmp 726 | 178 | private-bin 537 |
181 | whitelist var 638 (include whitelist-var-common.inc) | 179 | private-dev 893 |
182 | whitelist run/user 282 (include whitelist-runuser-common.inc | 180 | private-etc 426 |
181 | private-tmp 780 | ||
182 | whitelist var 691 (include whitelist-var-common.inc) | ||
183 | whitelist run/user 329 (include whitelist-runuser-common.inc | ||
183 | or blacklist ${RUNUSER}) | 184 | or blacklist ${RUNUSER}) |
184 | whitelist usr/share 275 (include whitelist-usr-share-common.inc | 185 | whitelist usr/share 349 (include whitelist-usr-share-common.inc |
185 | net none 313 | 186 | net none 329 |
187 | dbus-system none 624 | ||
186 | ````` | 188 | ````` |
187 | 189 | ||
188 | Run ./profstats -h for help. | ||
189 | |||
190 | ### New profiles: | 190 | ### New profiles: |
191 | 191 | ||
192 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, | 192 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, |
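--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.openarena
 whitelist /usr/share/openarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-include whitelist-usr-share-common.in
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor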
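Review bot: The corrected line `include whitelist-usr-share-common.inc` shows the profile shipped with an include name that could not resolve, and nothing in this section says how the loader reacted to that: if a missing include is a hard error the sandbox would not start, if it is ignored the sandbox ran without the /usr/share whitelist and nobody noticed. Either way the silent gap is the security-relevant part, so it is worth confirming which behaviour the loader has and, if includes are skipped quietly, treating an unresolvable include as at least a loud warning. The new profstats check in this commit (`--whitelist-usr-share`) is presumably what surfaced this; running it over the whole profile tree before release would catch the same class of typo elsewhere.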
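--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -28,6 +28,7 @@ static int cnt_profiles = 0;
 static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
 static int cnt_caps = 0;
+static int cnt_dbus_system_none = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -57,6 +58,8 @@ static int arg_whitelistrunuser = 0;
 static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 static int arg_mdwx = 0;
+static int arg_dbus_system_none = 0;
+
 
 static char *profile = NULL;
 
@@ -67,6 +70,7 @@ static void usage(void) {
 	printf("Options:\n");
 	printf(" --apparmor - print profiles without apparmor\n");
 	printf(" --caps - print profiles without caps\n");
+	printf(" --dbus-system-none - profiles without \"dbus-system none\"\n");
 	printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
 	printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
 	printf(" --private-bin - print profiles without private-bin\n");
@@ -138,6 +142,8 @@ void process_file(const char *fname) {
 			cnt_privatetmp++;
 		else if (strncmp(ptr, "private-etc", 11) == 0)
 			cnt_privateetc++;
+		else if (strncmp(ptr, "dbus-system none", 16) == 0)
+			cnt_dbus_system_none++;
 		else if (strncmp(ptr, "include ", 8) == 0) {
 			// not processing .local files
 			if (strstr(ptr, ".local")) {
@@ -148,6 +154,11 @@ void process_file(const char *fname) {
 				cnt_dotlocal++;
 				continue;
 			}
+			// clean blanks
+			char *ptr = buf + 8;
+			while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t')
+				ptr++;
+			*ptr = '\0';
 			process_file(buf + 8);
 		}
 	}
@@ -197,6 +208,8 @@ int main(int argc, char **argv) {
 			arg_whitelistusrshare = 1;
 		else if (strcmp(argv[i], "--ssh") == 0)
 			arg_ssh = 1;
+		else if (strcmp(argv[i], "--dbus-system-none") == 0)
+			arg_dbus_system_none = 1;
 		else if (*argv[i] == '-') {
 			fprintf(stderr, "Error: invalid option %s\n", argv[i]);
 			return 1;
@@ -228,6 +241,7 @@ int main(int argc, char **argv) {
 		int whitelistvar = cnt_whitelistvar;
 		int whitelistrunuser = cnt_whitelistrunuser;
 		int whitelistusrshare = cnt_whitelistusrshare;
+		int dbussystemnone = cnt_dbus_system_none;
 		int ssh = cnt_ssh;
 		int mdwx = cnt_mdwx;
 
@@ -249,6 +263,8 @@ int main(int argc, char **argv) {
 		if (cnt_whitelistrunuser > (whitelistrunuser + 1))
 			cnt_whitelistrunuser = whitelistrunuser + 1;
 
+		if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
+			printf("No dbus-system none found in %s\n", argv[i]);
 		if (arg_apparmor && apparmor == cnt_apparmor)
 			printf("No apparmor found in %s\n", argv[i]);
 		if (arg_caps && caps == cnt_caps)
@@ -299,6 +315,7 @@ int main(int argc, char **argv) {
 	printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
 	printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
 	printf(" net none\t\t\t%d\n", cnt_netnone);
+	printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
 	printf("\n");
 	return 0;
 }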
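Review bot: In the new "clean blanks" block of process_file, `char *ptr = buf + 8;` declares a second `ptr` that shadows the function-level `ptr` the surrounding `strncmp` chain just tested, so `*ptr = '\0'` reads as though it truncates the outer pointer and `-Wshadow` will flag it; a distinct name keeps the intent obvious: `char *end = buf + 8;` / `while (*end != '\0' && *end != ' ' && *end != '\t') end++;` / `*end = '\0';`. The scan also stops only on space and tab, so if `buf` still carries the newline from the read (the reader is above the hunk and not visible here) the include name handed to the recursive `process_file()` keeps it and the fopen of the included file would fail silently as far as this hunk shows; worth checking against how the line is read. The match is done on `ptr` while the recursion uses `buf + 8`; that mismatch predates this commit, but the new code bakes it in, and if `ptr` ever differs from `buf` (leading blanks skipped, say) the truncation and the recursion operate on different offsets. process_file's body begins and ends outside these hunks.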