4 files changed, 50 insertions, 38 deletions
diff --git a/Makefile.in b/Makefile.in
index abc86c2c3..d39c2b0ba 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -27,7 +27,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
-SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/profstats/profstats
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
@@ -138,8 +138,6 @@ endif
        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-        # program used track profile statistics during development - no manpage, this is not a user program
-        install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats
 ifeq ($(BUSYBOX_WORKAROUND),yes)
        ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif
diff --git a/README.md b/README.md
index 6cd1f761f..b16b55d6a 100644
--- a/README.md
+++ b/README.md
@@ -298,34 +298,37 @@ INTRUSION DETECTION SYSTEM (IDS)
 ### Profile Statistics
-A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+Run it over the profiles in /etc/profiles:
 ```
-$ sudo cp src/profstats/profstats /etc/firejail/.
+$ /usr/lib/firejail/profstats /etc/firejail/*.profile
-$ cd /etc/firejail
+No include .local found in /etc/firejail/noprofile.profile
-$ ./profstats *.profile
+Warning: multiple caps in /etc/firejail/transmission-daemon.profile
-    profiles                    1167
-    include local profile       1167   (include profile-name.local)
+Stats:
-    include globals             1136   (include globals.local)
+    profiles                    1176
-    blacklist ~/.ssh            1042   (include disable-common.inc)
+    include local profile       1175   (include profile-name.local)
-    seccomp                     1062
+    include globals             1144   (include globals.local)
-    capabilities                1163
+    blacklist ~/.ssh            1050   (include disable-common.inc)
-    noexec                      1049   (include disable-exec.inc)
+    seccomp                     1070
-    noroot                      971
+    capabilities                1171
-    memory-deny-write-execute   256
+    noexec                      1057   (include disable-exec.inc)
-    apparmor                    693
+    noroot                      979
-    private-bin                 677
+    memory-deny-write-execute   258
-    private-dev                 1027
+    apparmor                    700
-    private-etc                 532
+    private-bin                 681
-    private-tmp                 897
+    private-dev                 1033
-    whitelist home directory    557
+    private-etc                 533
-    whitelist var               836   (include whitelist-var-common.inc)
+    private-tmp                 905
-    whitelist run/user          1137   (include whitelist-runuser-common.inc
+    whitelist home directory    562
+    whitelist var               842   (include whitelist-var-common.inc)
+    whitelist run/user          1145   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         609   (include whitelist-usr-share-common.inc
+    whitelist usr/share         614   (include whitelist-usr-share-common.inc
-    net none                    396
+    net none                    399
-    dbus-user none              656
+    dbus-user none              662
-    dbus-user filter            108
+    dbus-user filter            113
-    dbus-system none            808
+    dbus-system none            816
    dbus-system filter          10
 ```
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
index e025f5939..fa1b4f200 100644
--- a/src/profstats/Makefile.in
+++ b/src/profstats/Makefile.in
@@ -3,7 +3,7 @@ all: profstats
 include ../common.mk
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/common.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 profstats: $(OBJS)
diff --git a/src/profstats/main.c b/src/profstats/main.c
index a472ce259..bc5047bfe 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -17,10 +17,8 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include <stdio.h>
-#include <stdlib.h>
+#include "../include/common.h"
-#include <string.h>
-#include <assert.h>
 #define MAXBUF 2048
 // stats
@@ -99,8 +97,9 @@ static void usage(void) {
        printf("\n");
 }
-void process_file(const char *fname) {
+static void process_file(char *fname) {
        assert(fname);
+        char *tmpfname = NULL;
        if (arg_debug)
                printf("processing #%s#\n", fname);
@@ -109,9 +108,19 @@ void process_file(const char *fname) {
        FILE *fp = fopen(fname, "r");
        if (!fp) {
-                fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
+                // the file was not found in the current directory
-                level--;
+                // look for it in /etc/firejail directory
-                return;
+                if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
+                        errExit("asprintf");
+                fp = fopen(tmpfname, "r");
+                if (!fp) {
+                        fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
+                        free(tmpfname);
+                        level--;
+                        return;
+                }
+                fname = tmpfname;
        }
        int have_include_local = 0;
@@ -204,6 +213,8 @@ void process_file(const char *fname) {
        if (!have_include_local)
                printf("No include .local found in %s\n", fname);
        level--;
+        if (tmpfname)
+                free(tmpfname);
 }
 int main(int argc, char **argv) {

diff --git a/Makefile.in b/Makefile.in index abc86c2c3..d39c2b0ba 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -27,7 +27,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
27	all: all_items mydirs $(MAN_TARGET) filters	27	all: all_items mydirs $(MAN_TARGET) filters
28	APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck	28	APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
29	SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids	29	SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
30	SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter	30	SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/profstats/profstats
31	MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)	31	MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
32	MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so	32	MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
33	COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion	33	COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
@@ -138,8 +138,6 @@ endif
138	install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config	138	install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
139	install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/.profile etc/profile-m-z/.profile etc/inc/.inc etc/net/.net etc/firejail.config etc/ids.config	139	install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/.profile etc/profile-m-z/.profile etc/inc/.inc etc/net/.net etc/firejail.config etc/ids.config
140	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"	140	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
141	# program used track profile statistics during development - no manpage, this is not a user program
142	install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats
143	ifeq ($(BUSYBOX_WORKAROUND),yes)	141	ifeq ($(BUSYBOX_WORKAROUND),yes)
144	./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc	142	./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
145	endif	143	endif


diff --git a/README.md b/README.md index 6cd1f761f..b16b55d6a 100644 --- a/README.md +++ b/README.md
@@ -298,34 +298,37 @@ INTRUSION DETECTION SYSTEM (IDS)
298		298
299	### Profile Statistics	299	### Profile Statistics
300		300
301	A small tool to print profile statistics. Compile as usual and run in /etc/profiles:	301	A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
		302	Run it over the profiles in /etc/profiles:
302	```	303	```
303	$ sudo cp src/profstats/profstats /etc/firejail/.	304	$ /usr/lib/firejail/profstats /etc/firejail/*.profile
304	$ cd /etc/firejail	305	No include .local found in /etc/firejail/noprofile.profile
305	$ ./profstats *.profile	306	Warning: multiple caps in /etc/firejail/transmission-daemon.profile
306	profiles 1167	307
307	include local profile 1167 (include profile-name.local)	308	Stats:
308	include globals 1136 (include globals.local)	309	profiles 1176
309	blacklist ~/.ssh 1042 (include disable-common.inc)	310	include local profile 1175 (include profile-name.local)
310	seccomp 1062	311	include globals 1144 (include globals.local)
311	capabilities 1163	312	blacklist ~/.ssh 1050 (include disable-common.inc)
312	noexec 1049 (include disable-exec.inc)	313	seccomp 1070
313	noroot 971	314	capabilities 1171
314	memory-deny-write-execute 256	315	noexec 1057 (include disable-exec.inc)
315	apparmor 693	316	noroot 979
316	private-bin 677	317	memory-deny-write-execute 258
317	private-dev 1027	318	apparmor 700
318	private-etc 532	319	private-bin 681
319	private-tmp 897	320	private-dev 1033
320	whitelist home directory 557	321	private-etc 533
321	whitelist var 836 (include whitelist-var-common.inc)	322	private-tmp 905
322	whitelist run/user 1137 (include whitelist-runuser-common.inc	323	whitelist home directory 562
		324	whitelist var 842 (include whitelist-var-common.inc)
		325	whitelist run/user 1145 (include whitelist-runuser-common.inc
323	or blacklist ${RUNUSER})	326	or blacklist ${RUNUSER})
324	whitelist usr/share 609 (include whitelist-usr-share-common.inc	327	whitelist usr/share 614 (include whitelist-usr-share-common.inc
325	net none 396	328	net none 399
326	dbus-user none 656	329	dbus-user none 662
327	dbus-user filter 108	330	dbus-user filter 113
328	dbus-system none 808	331	dbus-system none 816
329	dbus-system filter 10	332	dbus-system filter 10
330	```	333	```
331		334


diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in index e025f5939..fa1b4f200 100644 --- a/src/profstats/Makefile.in +++ b/src/profstats/Makefile.in
@@ -3,7 +3,7 @@ all: profstats
3		3
4	include ../common.mk	4	include ../common.mk
5		5
6	%.o : %.c $(H_FILE_LIST)	6	%.o : %.c $(H_FILE_LIST) ../include/common.h
7	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@	7	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
8		8
9	profstats: $(OBJS)	9	profstats: $(OBJS)


diff --git a/src/profstats/main.c b/src/profstats/main.c index a472ce259..bc5047bfe 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c
@@ -17,10 +17,8 @@
17	* with this program; if not, write to the Free Software Foundation, Inc.,	17	* with this program; if not, write to the Free Software Foundation, Inc.,
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include <stdio.h>	20
21	#include <stdlib.h>	21	#include "../include/common.h"
22	#include <string.h>
23	#include <assert.h>
24		22
25	#define MAXBUF 2048	23	#define MAXBUF 2048
26	// stats	24	// stats
@@ -99,8 +97,9 @@ static void usage(void) {
99	printf("\n");	97	printf("\n");
100	}	98	}
101		99
102	void process_file(const char *fname) {	100	static void process_file(char *fname) {
103	assert(fname);	101	assert(fname);
		102	char *tmpfname = NULL;
104		103
105	if (arg_debug)	104	if (arg_debug)
106	printf("processing #%s#\n", fname);	105	printf("processing #%s#\n", fname);
@@ -109,9 +108,19 @@ void process_file(const char *fname) {
109		108
110	FILE *fp = fopen(fname, "r");	109	FILE *fp = fopen(fname, "r");
111	if (!fp) {	110	if (!fp) {
112	fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);	111	// the file was not found in the current directory
113	level--;	112	// look for it in /etc/firejail directory
114	return;	113	if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
		114	errExit("asprintf");
		115
		116	fp = fopen(tmpfname, "r");
		117	if (!fp) {
		118	fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
		119	free(tmpfname);
		120	level--;
		121	return;
		122	}
		123	fname = tmpfname;
115	}	124	}
116		125
117	int have_include_local = 0;	126	int have_include_local = 0;
@@ -204,6 +213,8 @@ void process_file(const char *fname) {
204	if (!have_include_local)	213	if (!have_include_local)
205	printf("No include .local found in %s\n", fname);	214	printf("No include .local found in %s\n", fname);
206	level--;	215	level--;
		216	if (tmpfname)
		217	free(tmpfname);
207	}	218	}
208		219
209	int main(int argc, char **argv) {	220	int main(int argc, char **argv) {