-rw-r--r-- | README.md | 46 | ||||
-rw-r--r-- | src/profstats/main.c | 14 |
2 files changed, 37 insertions, 23 deletions
@@ -306,31 +306,33 @@ No include .local found in /etc/firejail/noprofile.profile | |||
306 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 306 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
307 | 307 | ||
308 | Stats: | 308 | Stats: |
309 | profiles 1196 | 309 | profiles 1205 |
310 | include local profile 1195 (include profile-name.local) | 310 | include local profile 1204 (include profile-name.local) |
311 | include globals 1169 (include globals.local) | 311 | include globals 1178 (include globals.local) |
312 | blacklist ~/.ssh 1067 (include disable-common.inc) | 312 | blacklist ~/.ssh 1076 (include disable-common.inc) |
313 | seccomp 1087 | 313 | seccomp 1095 |
314 | capabilities 1190 | 314 | capabilities 1199 |
315 | noexec 1075 (include disable-exec.inc) | 315 | noexec 1084 (include disable-exec.inc) |
316 | noroot 995 | 316 | noroot 1002 |
317 | memory-deny-write-execute 269 | 317 | memory-deny-write-execute 272 |
318 | apparmor 713 | 318 | restrict-namespaces 962 |
319 | private-bin 695 | 319 | apparmor 720 |
320 | private-dev 1045 | 320 | private-bin 704 |
321 | private-etc 542 | 321 | private-dev 1055 |
322 | private-lib 70 | 322 | private-etc 546 |
323 | private-tmp 918 | 323 | private-lib 71 |
324 | whitelist home directory 575 | 324 | private-tmp 929 |
325 | whitelist var 858 (include whitelist-var-common.inc) | 325 | whitelist home directory 581 |
326 | whitelist run/user 1164 (include whitelist-runuser-common.inc | 326 | whitelist var 867 (include whitelist-var-common.inc) |
327 | whitelist run/user 1173 (include whitelist-runuser-common.inc | ||
327 | or blacklist ${RUNUSER}) | 328 | or blacklist ${RUNUSER}) |
328 | whitelist usr/share 630 (include whitelist-usr-share-common.inc | 329 | whitelist usr/share 637 (include whitelist-usr-share-common.inc |
329 | net none 404 | 330 | net none 410 |
330 | dbus-user none 677 | 331 | dbus-user none 677 |
331 | dbus-user filter 123 | 332 | dbus-user filter 137 |
332 | dbus-system none 837 | 333 | dbus-system none 848 |
333 | dbus-system filter 12 | 334 | dbus-system filter 12 |
335 | |||
334 | ``` | 336 | ``` |
335 | 337 | ||
336 | ### New profiles: | 338 | ### New profiles: |
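--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -25,6 +25,7 @@
 static int cnt_profiles = 0;
 static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
+static int cnt_restrict_namespaces = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
 static int cnt_dbus_user_none = 0;
@@ -69,6 +70,7 @@ static int arg_whitelisthome = 0;
 static int arg_noroot = 0;
 static int arg_print_blacklist = 0;
 static int arg_print_whitelist = 0;
+static int arg_restrict_namespaces = 0;
 
 static char *profile = NULL;
 
@@ -91,6 +93,7 @@ static void usage(void) {
 printf(" --print-whitelist - print all --private and --whitelist for a profile\n");
 printf(" --seccomp - print profiles without seccomp\n");
 printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n");
+printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n");
 printf(" --whitelist-home - print profiles whitelisting home directory\n");
 printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
 printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
@@ -152,6 +155,8 @@ static void process_file(char *fname) {
 
 if (strncmp(ptr, "seccomp", 7) == 0)
 cnt_seccomp++;
+if (strncmp(ptr, "restrict-namespaces", 19) == 0)
+cnt_restrict_namespaces++;
 else if (strncmp(ptr, "caps", 4) == 0)
 cnt_caps++;
 else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
@@ -242,6 +247,8 @@ int main(int argc, char **argv) {
 arg_caps = 1;
 else if (strcmp(argv[i], "--seccomp") == 0)
 arg_seccomp = 1;
+else if (strcmp(argv[i], "--restrict-namespaces") == 0)
+arg_restrict_namespaces = 1;
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0)
 arg_mdwx = 1;
 else if (strcmp(argv[i], "--noexec") == 0)
@@ -291,7 +298,7 @@ int main(int argc, char **argv) {
 for (i = start; i < argc; i++) {
 cnt_profiles++;
 
-// watch seccomp
+int restrict_namespaces = cnt_restrict_namespaces;
 int seccomp = cnt_seccomp;
 int caps = cnt_caps;
 int apparmor = cnt_apparmor;
@@ -334,6 +341,8 @@ int main(int argc, char **argv) {
 cnt_whitelistrunuser = whitelistrunuser + 1;
 if (cnt_seccomp > (seccomp + 1))
 cnt_seccomp = seccomp + 1;
+if (cnt_restrict_namespaces > (restrict_namespaces + 1))
+cnt_seccomp = restrict_namespaces + 1;
 if (cnt_dbus_user_none > (dbususernone + 1))
 cnt_dbus_user_none = dbususernone + 1;
 if (cnt_dbus_user_filter > (dbususerfilter + 1))
@@ -353,6 +362,8 @@ int main(int argc, char **argv) {
 printf("No caps found in %s\n", argv[i]);
 if (arg_seccomp && seccomp == cnt_seccomp)
 printf("No seccomp found in %s\n", argv[i]);
+if (arg_restrict_namespaces && restrict_namespaces == cnt_restrict_namespaces)
+printf("No restrict-namespaces found in %s\n", argv[i]);
 if (arg_noexec && noexec == cnt_noexec)
 printf("No include disable-exec.inc found in %s\n", argv[i]);
 if (arg_noroot && noroot == cnt_noroot)
@@ -397,6 +408,7 @@ int main(int argc, char **argv) {
 printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
 printf(" noroot\t\t\t%d\n", cnt_noroot);
 printf(" memory-deny-write-execute\t%d\n", cnt_mdwx);
+printf(" restrict-namespaces\t\t%d\n", cnt_restrict_namespaces);
 printf(" apparmor\t\t\t%d\n", cnt_apparmor);
 printf(" private-bin\t\t\t%d\n", cnt_privatebin);
 printf(" private-dev\t\t\t%d\n", cnt_privatedev);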
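Review bot: The clamp added at new lines 344–345 assigns to the wrong counter: `cnt_seccomp = restrict_namespaces + 1;` leaves cnt_restrict_namespaces unclamped when a profile matches the keyword more than once and overwrites the seccomp total with an unrelated value, which in turn defeats the `seccomp == cnt_seccomp` check at new line 363; it should read `cnt_restrict_namespaces = restrict_namespaces + 1;`. Separately, in process_file the new `if (strncmp(ptr, "restrict-namespaces", 19) == 0)` is a bare `if` wedged between the `seccomp` branch and the `else if (... "caps" ...)` chain, so a line that already matched `seccomp` is re-tested against the rest of the chain (presumably harmless, but inconsistent with the one-keyword-per-line dispatch around it); making it `else if` restores the chain. Both hunks sit inside functions (main and process_file) whose bodies start and end outside the diff.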