-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | README.md | 55 | ||||
-rw-r--r-- | src/profstats/Makefile.in | 2 | ||||
-rw-r--r-- | src/profstats/main.c | 27 |
4 files changed, 50 insertions, 38 deletions
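diff --git a/Makefile.in b/Makefile.in
index abc86c2c3..d39c2b0ba 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -27,7 +27,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
-SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/profstats/profstats
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
@@ -138,8 +138,6 @@ endif
 install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
 install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-# program used track profile statistics during development - no manpage, this is not a user program
-install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats
 ifeq ($(BUSYBOX_WORKAROUND),yes)
 ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif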
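Review bot: profstats is added to SBOX_APPS_NON_DUMPABLE on line 30 while it is still listed in APPS on line 28, which this commit leaves unchanged, so the binary now belongs to two build/install lists. If the install rules for both lists (outside this hunk) copy their members, the explicit copy into $(sysconfdir)/firejail removed at old lines 141–142 is replaced by two installs rather than one; confirm whether the APPS entry should be dropped. The removed comment `# program used track profile statistics during development - no manpage, this is not a user program` was the only place recording why profstats ships without a manpage; carry it over as a comment next to the SBOX_APPS_NON_DUMPABLE entry so the reason survives the move.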
@@ -298,34 +298,37 @@ INTRUSION DETECTION SYSTEM (IDS) | |||
298 | 298 | ||
299 | ### Profile Statistics | 299 | ### Profile Statistics |
300 | 300 | ||
301 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: | 301 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
302 | Run it over the profiles in /etc/profiles: | ||
302 | ``` | 303 | ``` |
303 | $ sudo cp src/profstats/profstats /etc/firejail/. | 304 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile |
304 | $ cd /etc/firejail | 305 | No include .local found in /etc/firejail/noprofile.profile |
305 | $ ./profstats *.profile | 306 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
306 | profiles 1167 | 307 | |
307 | include local profile 1167 (include profile-name.local) | 308 | Stats: |
308 | include globals 1136 (include globals.local) | 309 | profiles 1176 |
309 | blacklist ~/.ssh 1042 (include disable-common.inc) | 310 | include local profile 1175 (include profile-name.local) |
310 | seccomp 1062 | 311 | include globals 1144 (include globals.local) |
311 | capabilities 1163 | 312 | blacklist ~/.ssh 1050 (include disable-common.inc) |
312 | noexec 1049 (include disable-exec.inc) | 313 | seccomp 1070 |
313 | noroot 971 | 314 | capabilities 1171 |
314 | memory-deny-write-execute 256 | 315 | noexec 1057 (include disable-exec.inc) |
315 | apparmor 693 | 316 | noroot 979 |
316 | private-bin 677 | 317 | memory-deny-write-execute 258 |
317 | private-dev 1027 | 318 | apparmor 700 |
318 | private-etc 532 | 319 | private-bin 681 |
319 | private-tmp 897 | 320 | private-dev 1033 |
320 | whitelist home directory 557 | 321 | private-etc 533 |
321 | whitelist var 836 (include whitelist-var-common.inc) | 322 | private-tmp 905 |
322 | whitelist run/user 1137 (include whitelist-runuser-common.inc | 323 | whitelist home directory 562 |
324 | whitelist var 842 (include whitelist-var-common.inc) | ||
325 | whitelist run/user 1145 (include whitelist-runuser-common.inc | ||
323 | or blacklist ${RUNUSER}) | 326 | or blacklist ${RUNUSER}) |
324 | whitelist usr/share 609 (include whitelist-usr-share-common.inc | 327 | whitelist usr/share 614 (include whitelist-usr-share-common.inc |
325 | net none 396 | 328 | net none 399 |
326 | dbus-user none 656 | 329 | dbus-user none 662 |
327 | dbus-user filter 108 | 330 | dbus-user filter 113 |
328 | dbus-system none 808 | 331 | dbus-system none 816 |
329 | dbus-system filter 10 | 332 | dbus-system filter 10 |
330 | ``` | 333 | ``` |
331 | 334 | ||
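diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
index e025f5939..fa1b4f200 100644
--- a/src/profstats/Makefile.in
+++ b/src/profstats/Makefile.in
@@ -3,7 +3,7 @@ all: profstats
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/common.h
 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 profstats: $(OBJS)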
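diff --git a/src/profstats/main.c b/src/profstats/main.c
index a472ce259..bc5047bfe 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -17,10 +17,8 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
+
+#include "../include/common.h"
 
 #define MAXBUF 2048
 // stats
@@ -99,8 +97,9 @@ static void usage(void) {
 printf("\n");
 }
 
-void process_file(const char *fname) {
+static void process_file(char *fname) {
 assert(fname);
+char *tmpfname = NULL;
 
 if (arg_debug)
 printf("processing #%s#\n", fname);
@@ -109,9 +108,19 @@ void process_file(const char *fname) {
 
 FILE *fp = fopen(fname, "r");
 if (!fp) {
-fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
-level--;
-return;
+// the file was not found in the current directory
+// look for it in /etc/firejail directory
+if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
+errExit("asprintf");
+
+fp = fopen(tmpfname, "r");
+if (!fp) {
+fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
+free(tmpfname);
+level--;
+return;
+}
+fname = tmpfname;
 }
 
 int have_include_local = 0;
@@ -204,6 +213,8 @@ void process_file(const char *fname) {
 if (!have_include_local)
 printf("No include .local found in %s\n", fname);
 level--;
+if (tmpfname)
+free(tmpfname);
 }
 
 int main(int argc, char **argv) {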
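Review bot: The new signature `static void process_file(char *fname)` drops the `const` qualifier for no reason the change needs — the assignment `fname = tmpfname;` on new line 123 stores a `char *` into the parameter, which is legal when the parameter is `const char *`, so `static void process_file(const char *fname)` keeps the read-only promise to callers (which are outside these hunks). The guard on new line 216 is redundant because `free(NULL)` is a no-op; `free(tmpfname);` alone suffices. The retry on new lines 113–116 is also attempted when `fname` is already absolute (the README's `profstats /etc/firejail/*.profile` usage), so a failed open of `/a/b` then reports a second, meaningless path `SYSCONFDIR//a/b` in the warning; skipping the retry when `fname[0] == '/'` would keep the message accurate. process_file's body between new lines 126 and 212 lies outside the hunks; any early `return` there now leaks `tmpfname`, so those paths should be checked against the single free at the end.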