-rw-r--r-- | src/firejail/fs_home.c | 10 | ||||
-rw-r--r-- | src/firemon/Makefile.in | 4 | ||||
-rw-r--r-- | src/firemon/cgroup.c | 1 | ||||
-rw-r--r-- | src/firemon/firemon.c | 27 | ||||
-rw-r--r-- | src/firemon/netstats.c | 32 | ||||
-rw-r--r-- | src/firemon/procevent.c | 14 | ||||
-rw-r--r-- | src/firemon/top.c | 14 |
7 files changed, 73 insertions, 29 deletions
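--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -284,9 +284,13 @@ void fs_private(void) {
 // mask /home
 if (arg_debug)
 printf("Mounting a new /home directory\n");
-if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("mounting home directory");
-fs_logger("tmpfs /home");
+if (u == 0 && arg_allusers) // allow --allusers when starting the sandbox as root
+;
+else {
+if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+errExit("mounting home directory");
+fs_logger("tmpfs /home");
+}
 
 // mask /root
 if (arg_debug)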
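Review bot: The bare `;` on new line 288 as the entire then-branch is easy to misread and is exactly what `-Wempty-body` warns about; inverting the test gives the same behaviour without the empty statement: `if (u != 0 || !arg_allusers) { // mask /home unless root asked for --allusers`. When the mask is skipped the sandbox appears to keep the host's real /home, so that path deserves its own `fs_logger`/debug line so the log shows that --allusers took effect rather than silently omitting the "tmpfs /home" entry. `u` and `arg_allusers` are defined outside the hunk, and fs_private continues past it.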
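--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -1,6 +1,6 @@
 all: firemon
 
-PREFIX=@prefix@
+prefix=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
@@ -11,7 +11,7 @@ H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 HAVE_GCOV=@HAVE_GCOV@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@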
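Review bot: Renaming `PREFIX` to lowercase `prefix` on line 3 changes a variable that other rules in this Makefile.in (install/uninstall targets, outside the hunk) may still reference; any remaining `$(PREFIX)` would now expand to an empty string without any warning from make. Worth checking the rest of the file, or keeping both spellings with `PREFIX=$(prefix)` next to the new definition. The new `-DPREFIX='"$(prefix)"'` also assumes the configured prefix contains no double quote or backslash, the same assumption the existing `-DVERSION` flag on that line already makes.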
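--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -48,6 +48,7 @@ void cgroup(pid_t pid, int print_procs) {
 pid_read(pid);
 
 // print processes
+printf(" cgroup: ");
 int i;
 for (i = 0; i < max_pids; i++) {
 if (pids[i].level == 1) {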
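--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -201,18 +201,32 @@ int main(int argc, char **argv) {
 }
 
 if (arg_top) {
-top();
+top(); // print all sandboxes, --name disregarded
 return 0;
 }
 if (arg_list) {
-list();
+list(); // print all sandboxes, --name disregarded
 return 0;
 }
 if (arg_netstats) {
-netstats();
+netstats(); // print all sandboxes, --name disregarded
 return 0;
 }
 
+// if --name requested without other options, print all data
+if (pid && !arg_tree && !arg_cpu && !arg_seccomp && !arg_caps &&
+!arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
+arg_tree = 1;
+arg_cpu = 1;
+arg_seccomp = 1;
+arg_caps = 1;
+arg_cgroup = 1;
+arg_x11 = 1;
+arg_interface = 1;
+arg_route = 1;
+arg_arp = 1;
+}
+
 // cumulative options
 int print_procs = 1;
 if (arg_tree) {
@@ -239,7 +253,7 @@ int main(int argc, char **argv) {
 x11((pid_t) pid, print_procs);
 print_procs = 0;
 }
-if (arg_interface) {
+if (arg_interface && getuid() == 0) {
 interface((pid_t) pid, print_procs);
 print_procs = 0;
 }
@@ -252,8 +266,11 @@ int main(int argc, char **argv) {
 print_procs = 0;
 }
 
-if (print_procs)
+if (getuid() == 0) {
+if (!arg_tree)
+tree((pid_t) pid);
 procevent((pid_t) pid);
+}
 
 return 0;
 }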
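Review bot: The new `getuid() == 0` gates on lines 256 and 269 make firemon silently drop output when run unprivileged: a user who explicitly passes `--interface` gets neither an interface section nor any message, and the tree/procevent branch is skipped without the "need to be root" error that procevent itself prints for non-root callers (see procevent.c in this commit). A short notice in an else branch, e.g. `else if (arg_interface) fprintf(stderr, "Warning: --interface requires root, skipping\n");`, would keep the user informed without changing the root path. Since the default block on lines 216-228 also sets `arg_interface = 1` for non-root users, the silent skip becomes the common path, which looks intended; a comment on line 256 stating that would make it clear to the next reader. main() starts above the first hunk.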
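--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -29,6 +29,20 @@
 // ip -s link: device stats
 // ss -s: socket stats
 
+static uid_t cached_uid = 0;
+static char *cached_user_name = NULL;
+
+static char *get_user_name(uid_t uid) {
+if (cached_user_name == NULL) {
+cached_uid = uid;
+cached_user_name = pid_get_user_name(uid);
+return strdup(cached_user_name);
+}
+else if (uid == cached_uid)
+return strdup(cached_user_name);
+else
+return pid_get_user_name(uid);
+}
 
 static char *get_header(void) {
 char *rv;
@@ -109,7 +123,17 @@ errexit:
 }
 
 
+static char *firejail_exec = NULL;
+static int firejail_exec_len = 0;
+static int firejail_exec_prefix_len = 0;
 static void print_proc(int index, int itv, int col) {
+if (!firejail_exec) {
+if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+errExit("asprintf");
+firejail_exec_len = strlen(firejail_exec);
+firejail_exec_prefix_len = strlen(PREFIX) + 5;
+}
+
 // command
 char *cmd = pid_proc_cmdline(index);
 char *ptrcmd;
@@ -119,6 +143,8 @@ static void print_proc(int index, int itv, int col) {
 else
 ptrcmd = "";
 }
+else if (strncmp(cmd, firejail_exec, firejail_exec_len) == 0)
+ptrcmd = cmd + firejail_exec_prefix_len;
 else
 ptrcmd = cmd;
 
@@ -139,7 +165,7 @@ static void print_proc(int index, int itv, int col) {
 snprintf(pidstr, 10, "%u", index);
 
 // user
-char *user = pid_get_user_name(pids[index].uid);
+char *user = get_user_name(pids[index].uid);
 char *ptruser;
 if (user)
 ptruser = user;
@@ -178,7 +204,7 @@ void netstats(void) {
 while (1) {
 // set pid table
 int i;
-int itv = 5; // 5 second interval
+int itv = 1; // 1 second interval
 pid_read(0);
 
 // start rx/tx measurements
@@ -187,7 +213,7 @@ void netstats(void) {
 get_stats(i);
 }
 
-// wait 5 seconds
+// wait 1 seconds
 firemon_sleep(itv);
 
 // grab screen size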
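Review bot: `get_user_name` on new lines 35-45 calls `strdup(cached_user_name)` immediately after assigning it from `pid_get_user_name`, with no NULL check; the caller on line 170 tests `if (user)`, so a NULL lookup result is evidently possible and would make strdup dereference NULL. Adding `if (cached_user_name == NULL) return NULL;` after the assignment on line 38 closes that hole, and the empty cache then simply retries on the next call. The `firejail_exec` statics and their lazy-init block on lines 126-135 are duplicated verbatim in top.c in this same commit; one shared helper in the common firemon code would keep the two copies in step. The strdup return value is also unchecked, which the caller's existing NULL test happens to tolerate.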
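--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -449,16 +449,6 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 return 0;
 }
 
-static void procevent_print_pids(void) {
-// print files
-int i;
-for (i = 0; i < max_pids; i++) {
-if (pids[i].level == 1)
-pid_print_tree(i, 0, 1);
-}
-printf("\n");
-}
-
 void procevent(pid_t pid) {
 // need to be root for this
 if (getuid() != 0) {
@@ -466,10 +456,6 @@ void procevent(pid_t pid) {
 exit(1);
 }
 
-// read and print sandboxed processes
-pid_read(pid);
-procevent_print_pids();
-
 // monitor using netlink
 int sock = procevent_netlink_setup();
 if (sock < 0) {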
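--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -54,6 +54,9 @@ static char *get_header(void) {
 }
 
 
+static char *firejail_exec = NULL;
+static int firejail_exec_len = 0;
+static int firejail_exec_prefix_len = 0;
 // recursivity!!!
 static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigned *stime, unsigned itv, float *cpu, int *cnt) {
 char *rv = NULL;
@@ -90,6 +93,13 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
 print_top(i, index, utime, stime, itv, cpu, cnt);
 }
 
+if (!firejail_exec) {
+if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+errExit("asprintf");
+firejail_exec_len = strlen(firejail_exec);
+firejail_exec_prefix_len = strlen(PREFIX) + 5;
+}
+
 if (pids[index].level == 1) {
 // pid
 char pidstr[10];
@@ -104,8 +114,8 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
 else
 ptrcmd = "";
 }
-else if (strncmp(cmd, "/usr/bin/firejail", 17) == 0)
-ptrcmd = cmd + 9;
+else if (strncmp(cmd, firejail_exec, firejail_exec_len) == 0)
+ptrcmd = cmd + firejail_exec_prefix_len;
 else
 ptrcmd = cmd;
 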
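Review bot: `firejail_exec_prefix_len = strlen(PREFIX) + 5` on new line 100 hard-codes the length of `"/bin/"` separately from the `"%s/bin/firejail"` format string two lines above, so the two can drift apart if either is edited; deriving it as `firejail_exec_len - strlen("firejail")` or `strlen(PREFIX) + sizeof "/bin/" - 1` ties it to the string it measures (the same expression appears in netstats.c in this commit). Both lengths are stored as `int` from `size_t` results; `size_t` would avoid the narrowing and the `-Wconversion` warning. The lazy-init block sits inside the recursive print_top, so it is re-evaluated on every recursion step; that is harmless but it would read better placed once in the non-recursive caller. print_top's signature is in the first hunk and its body continues past the last one.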