5 files changed, 94 insertions, 10 deletions
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
index 364cfcd03..3cf4a076f 100644
--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -55,7 +55,7 @@ static int check_capability(uint64_t map, int cap) {
        return 0;
 }
-void caps(void) {
+void caps_test(void) {
        uint64_t caps_val;
        
        if (extract_caps(&caps_val)) {
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 74426ac0a..50d75c2a4 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -32,10 +32,16 @@
 #define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
+// main.c
+extern char *prog;
 // pid.c
-void pid(void);
+void pid_test(void);
 // caps.c
-void caps(void);
+void caps_test(void);
+// seccomp.c
+void seccomp_test(void);
 #endif
 \ No newline at end of file
diff --git a/src/faudit/main.c b/src/faudit/main.c
index a3407caa1..0724a7ec9 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -18,17 +18,31 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "faudit.h"
+#include <limits.h>
+char *prog;
 int main(int argc, char **argv) {
-        printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n");
+        printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n");
+        // extract program name
+        prog = realpath(argv[0], NULL);
+        if (prog == NULL) {
+                fprintf(stderr, "Error: cannot extract the path of the audit program\n");
+                return 1;
+        }
+        printf("Running %s\n", prog);
+        
+        
        // check pid namespace
-        pid();
+        pid_test();
        
-        // chack capabilities
+        // check capabilities
-        caps();
+        caps_test();
-        printf("----------------------------------------------------------\n");
+        // check seccomp
-        return 0;
+        seccomp_test();
        
+        free(prog);
+        printf("----------------------------------------------------------------\n");
+        return 0;
 }
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index a6f02c051..5744ab244 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -19,7 +19,7 @@
 */
 #include "faudit.h"
-void pid(void) {
+void pid_test(void) {
        char *kern_proc[] = {
                "kthreadd",
                "ksoftirqd",
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
new file mode 100644
index 000000000..a50ec1e0c
--- /dev/null
+++ b/src/faudit/seccomp.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <linux/capability.h>
+#define MAXBUF 4098
+static int extract_seccomp(int *val) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp)
+                return 1;
+        
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:\t", 8) == 0) {
+                        char *ptr = buf + 8;
+                        int tmp;
+                        sscanf(ptr, "%d", &tmp);
+                        *val = tmp;
+                        fclose(fp);
+                        return 0;
+                }
+        }
+        fclose(fp);
+        return 1;
+}
+void seccomp_test(void) {
+        int seccomp_status;
+        int rv = extract_seccomp(&seccomp_status);
+        
+        if (rv) {
+                printf("SKIP: cannot extract seccomp configuration on this platform\n");
+                return;
+        }
+        
+        if (seccomp_status == 0)
+                printf("BAD: seccomp disabled\n");
+        else if (seccomp_status == 1)
+                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowd\n");
+        else if (seccomp_status == 2) {
+                printf("GOOD: seccomp BPF enababled\n");
+        }
+        else
+                fprintf(stderr, "Error: unrecognized seccomp mode\n");
+}
+\ No newline at end of file

diff --git a/src/faudit/caps.c b/src/faudit/caps.c index 364cfcd03..3cf4a076f 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c
@@ -55,7 +55,7 @@ static int check_capability(uint64_t map, int cap) {
55	return 0;	55	return 0;
56	}	56	}
57		57
58	void caps(void) {	58	void caps_test(void) {
59	uint64_t caps_val;	59	uint64_t caps_val;
60		60
61	if (extract_caps(&caps_val)) {	61	if (extract_caps(&caps_val)) {


diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 74426ac0a..50d75c2a4 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h
@@ -32,10 +32,16 @@
32		32
33	#define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)	33	#define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
34		34
		35	// main.c
		36	extern char *prog;
		37
35	// pid.c	38	// pid.c
36	void pid(void);	39	void pid_test(void);
37		40
38	// caps.c	41	// caps.c
39	void caps(void);	42	void caps_test(void);
		43
		44	// seccomp.c
		45	void seccomp_test(void);
40		46
41	#endif \ No newline at end of file	47	#endif \ No newline at end of file


diff --git a/src/faudit/main.c b/src/faudit/main.c index a3407caa1..0724a7ec9 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c
@@ -18,17 +18,31 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "faudit.h"	20	#include "faudit.h"
		21	#include <limits.h>
		22	char *prog;
21		23
22	int main(int argc, char **argv) {	24	int main(int argc, char **argv) {
23	printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n");	25	printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n");
24		26
		27	// extract program name
		28	prog = realpath(argv[0], NULL);
		29	if (prog == NULL) {
		30	fprintf(stderr, "Error: cannot extract the path of the audit program\n");
		31	return 1;
		32	}
		33	printf("Running %s\n", prog);
		34
		35
25	// check pid namespace	36	// check pid namespace
26	pid();	37	pid_test();
27		38
28	// chack capabilities	39	// check capabilities
29	caps();	40	caps_test();
30		41
31	printf("----------------------------------------------------------\n");	42	// check seccomp
32	return 0;	43	seccomp_test();
33		44
		45	free(prog);
		46	printf("----------------------------------------------------------------\n");
		47	return 0;
34	}	48	}


diff --git a/src/faudit/pid.c b/src/faudit/pid.c index a6f02c051..5744ab244 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c
@@ -19,7 +19,7 @@
19	*/	19	*/
20	#include "faudit.h"	20	#include "faudit.h"
21		21
22	void pid(void) {	22	void pid_test(void) {
23	char *kern_proc[] = {	23	char *kern_proc[] = {
24	"kthreadd",	24	"kthreadd",
25	"ksoftirqd",	25	"ksoftirqd",


diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c new file mode 100644 index 000000000..a50ec1e0c --- /dev/null +++ b/src/faudit/seccomp.c
@@ -0,0 +1,64 @@
		1	/*
		2	* Copyright (C) 2014-2016 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "faudit.h"
		21	#include <linux/capability.h>
		22
		23	#define MAXBUF 4098
		24	static int extract_seccomp(int *val) {
		25	FILE *fp = fopen("/proc/self/status", "r");
		26	if (!fp)
		27	return 1;
		28
		29	char buf[MAXBUF];
		30	while (fgets(buf, MAXBUF, fp)) {
		31	if (strncmp(buf, "Seccomp:\t", 8) == 0) {
		32	char *ptr = buf + 8;
		33	int tmp;
		34	sscanf(ptr, "%d", &tmp);
		35	*val = tmp;
		36	fclose(fp);
		37	return 0;
		38	}
		39	}
		40
		41	fclose(fp);
		42	return 1;
		43	}
		44
		45	void seccomp_test(void) {
		46	int seccomp_status;
		47	int rv = extract_seccomp(&seccomp_status);
		48
		49	if (rv) {
		50	printf("SKIP: cannot extract seccomp configuration on this platform\n");
		51	return;
		52	}
		53
		54	if (seccomp_status == 0)
		55	printf("BAD: seccomp disabled\n");
		56	else if (seccomp_status == 1)
		57	printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
		58	else if (seccomp_status == 2) {
		59	printf("GOOD: seccomp BPF enababled\n");
		60	}
		61	else
		62	fprintf(stderr, "Error: unrecognized seccomp mode\n");
		63
		64	} \ No newline at end of file