7 files changed, 297 insertions, 4 deletions
diff --git a/.gitignore b/.gitignore
index 9995da44c..661370b02 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@ src/fsec-optimize/fsec-optimize
 src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
+etc/profstats
 uids.h
 seccomp
 seccomp.debug
diff --git a/Makefile.in b/Makefile.in
index 0285d8592..f7c94aa09 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,7 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
+APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee \
+src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp src/profstats
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
diff --git a/README.md b/README.md
index 8fc636194..58db16108 100644
--- a/README.md
+++ b/README.md
@@ -149,6 +149,29 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.63
+### Profile Statistics
+A small tool to print profile statistics. Compile as usual (the executable is placed in etc directory( and run:
+`````
+$ make
+$ cd etc
+$ ./profstats *.profile
+Stats:
+    profiles                    925
+    include local profile       925   (include profile-name.local)
+    include globals             925   (include globals.local)
+    blacklist ~/.ssh            910   (include disable-common.inc)
+    seccomp                     868
+    capabilities                924
+    noexec                      785   (include disable-exec.inc)
+    apparmor                    426
+    private-dev                 788
+    private-tmp                 687
+    whitelist var directory     595   (include whitelist-var-common.inc)
+    net none                    274
+Run ./profstats -h for help.
 ### New profiles:
 gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, gnome-screenshot
diff --git a/configure b/configure
index 53ea8f19d..f587bb25e 100755
--- a/configure
+++ b/configure
@@ -683,6 +683,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -776,6 +777,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1028,6 +1030,15 @@ do
  | -silent | --silent | --silen | --sile | --sil)
    silent=yes ;;
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
    ac_prev=sbindir ;;
  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1165,7 +1176,7 @@ fi
 for ac_var in   exec_prefix prefix bindir sbindir libexecdir datarootdir \
                datadir sysconfdir sharedstatedir localstatedir includedir \
                oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-                libdir localedir mandir
+                libdir localedir mandir runstatedir
 do
  eval ac_val=\$$ac_var
  # Remove trailing slashes.
@@ -1318,6 +1329,7 @@ Fine tuning of the installation directories:
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -4174,7 +4186,7 @@ if test "$prefix" = /usr; then
        test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4902,6 +4914,7 @@ do
    "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
    "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
    "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
+    "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
diff --git a/configure.ac b/configure.ac
index 3c9f901cb..8cf170c80 100644
--- a/configure.ac
+++ b/configure.ac
@@ -206,7 +206,8 @@ fi
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile)
+src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
+src/profstats/Makefile)
 echo
 echo "Configuration options:"
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
new file mode 100644
index 000000000..4ada23c23
--- /dev/null
+++ b/src/profstats/Makefile.in
@@ -0,0 +1,14 @@
+all: ../../etc/profstats
+include ../common.mk
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+../../etc/profstats: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+clean:; rm -fr *.o ../../etc/profstats *.gcov *.gcda *.gcno *.plist
+distclean: clean
+        rm -fr Makefile
diff --git a/src/profstats/main.c b/src/profstats/main.c
new file mode 100644
index 000000000..775142643
--- /dev/null
+++ b/src/profstats/main.c
@@ -0,0 +1,240 @@
+ /*
+ * Copyright (C) 2014-2020 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#define MAXBUF 2048
+// stats
+static int cnt_profiles = 0;
+static int cnt_apparmor = 0;
+static int cnt_seccomp = 0;
+static int cnt_caps = 0;
+static int cnt_dotlocal = 0;
+static int cnt_globalsdotlocal = 0;
+static int cnt_netnone = 0;
+static int cnt_noexec = 0;      // include disable-exec.inc
+static int cnt_privatedev = 0;
+static int cnt_privatetmp = 0;
+static int cnt_whitelistvar = 0;        // include whitelist-var-common.inc
+static int cnt_ssh = 0;
+static int level = 0;
+static int arg_debug = 0;
+static int arg_apparmor = 0;
+static int arg_caps = 0;
+static int arg_seccomp = 0;
+static int arg_noexec = 0;
+static int arg_privatedev = 0;
+static int arg_privatetmp = 0;
+static int arg_whitelistvar = 0;
+static int arg_ssh = 0;
+static void usage(void) {
+        printf("proftool - print profile statistics\n");
+        printf("Usage: proftool [options] file[s]\n");
+        printf("Options:\n");
+        printf("   --apparmor - print profiles without apparmor\n");
+        printf("   --caps - print profiles without caps\n");
+        printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
+        printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
+        printf("   --private-dev - print profiles without private-dev\n");
+        printf("   --private-tmp - print profiles without private-tmp\n");
+        printf("   --seccomp - print profiles without seccomp\n");
+        printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+        printf("   --debug\n");
+        printf("\n");
+}
+void process_file(const char *fname) {
+        assert(fname);
+        if (arg_debug)
+                printf("processing #%s#\n", fname);
+        level++;
+        assert(level < 32); // to do - check in firejail code
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                ptr = buf;
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                if (*ptr == '\n' || *ptr == '#')
+                        continue;
+                if (strncmp(ptr, "seccomp", 7) == 0)
+                        cnt_seccomp++;
+                else if (strncmp(ptr, "caps", 4) == 0)
+                        cnt_caps++;
+                else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
+                        cnt_noexec++;
+                else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
+                        cnt_whitelistvar++;
+                else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
+                        cnt_ssh++;
+                else if (strncmp(ptr, "net none", 8) == 0)
+                        cnt_netnone++;
+                else if (strncmp(ptr, "apparmor", 8) == 0)
+                        cnt_apparmor++;
+                else if (strncmp(ptr, "private-dev", 11) == 0)
+                        cnt_privatedev++;
+                else if (strncmp(ptr, "private-tmp", 11) == 0)
+                        cnt_privatetmp++;
+                else if (strncmp(ptr, "include ", 8) == 0) {
+                        // not processing .local files
+                        if (strstr(ptr, ".local")) {
+//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
+                                if (strstr(ptr, "globals.local"))
+                                        cnt_globalsdotlocal++;
+                                else
+                                        cnt_dotlocal++;
+                                continue;
+                        }
+                        process_file(buf + 8);
+                }
+        }
+        fclose(fp);
+        level--;
+}
+int main(int argc, char **argv) {
+        if (argc <= 1) {
+                usage();
+                return 1;
+        }
+        int start = 1;
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
+                else if (strcmp(argv[i], "--caps") == 0)
+                        arg_caps = 1;
+                else if (strcmp(argv[i], "--seccomp") == 0)
+                        arg_seccomp = 1;
+                else if (strcmp(argv[i], "--noexec") == 0)
+                        arg_noexec = 1;
+                else if (strcmp(argv[i], "--private-dev") == 0)
+                        arg_privatedev = 1;
+                else if (strcmp(argv[i], "--private-tmp") == 0)
+                        arg_privatetmp = 1;
+                else if (strcmp(argv[i], "--whitelist-var") == 0)
+                        arg_whitelistvar = 1;
+                else if (strcmp(argv[i], "--ssh") == 0)
+                        arg_ssh = 1;
+                else if (*argv[i] == '-') {
+                        fprintf(stderr, "Error: invalid option %s\n", argv[i]);
+                        return 1;
+                 }
+                 else
+                        break;
+        }
+        start = i;
+        if (i == argc) {
+                fprintf(stderr, "Error: no porfile file specified\n");
+                return 1;
+        }
+        for (i = start; i < argc; i++) {
+                cnt_profiles++;
+                // watch seccomp
+                int seccomp = cnt_seccomp;
+                int caps = cnt_caps;
+                int apparmor = cnt_apparmor;
+                int noexec = cnt_noexec;
+                int privatetmp = cnt_privatetmp;
+                int privatedev = cnt_privatedev;
+                int dotlocal = cnt_dotlocal;
+                int globalsdotlocal = cnt_globalsdotlocal;
+                int whitelistvar = cnt_whitelistvar;
+                int ssh = cnt_ssh;
+                // process file
+                process_file(argv[i]);
+                // warnings
+                if ((caps + 2) <= cnt_caps) {
+                        printf("Warning: multiple caps in %s\n", argv[i]);
+                        cnt_caps = caps + 1;
+                }
+                // fix redirections
+                if (cnt_dotlocal > (dotlocal + 1))
+                        cnt_dotlocal = dotlocal + 1;
+                if (cnt_globalsdotlocal > (globalsdotlocal + 1))
+                        cnt_globalsdotlocal = globalsdotlocal + 1;
+                if (arg_apparmor && apparmor == cnt_apparmor)
+                        printf("No apparmor found in %s\n", argv[i]);
+                if (arg_caps && caps == cnt_caps)
+                        printf("No caps found in %s\n", argv[i]);
+                if (arg_seccomp && seccomp == cnt_seccomp)
+                        printf("No seccomp found in %s\n", argv[i]);
+                if (arg_noexec && noexec == cnt_noexec)
+                        printf("No include disable-exec.inc found in %s\n", argv[i]);
+                if (arg_privatedev && privatedev == cnt_privatedev)
+                        printf("No private-dev found in %s\n", argv[i]);
+                if (arg_privatetmp && privatetmp == cnt_privatetmp)
+                        printf("No private-tmp found in %s\n", argv[i]);
+                if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
+                        printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+                if (arg_ssh && ssh == cnt_ssh)
+                        printf("No include disable-common.inc found in %s\n", argv[i]);
+                assert(level == 0);
+        }
+        printf("\n");
+        printf("Stats:\n");
+        printf("    profiles\t\t\t%d\n", cnt_profiles);
+        printf("    include local profile\t%d   (include profile-name.local)\n", cnt_dotlocal);
+        printf("    include globals\t\t%d   (include globals.local)\n", cnt_dotlocal);
+        printf("    blacklist ~/.ssh\t\t%d   (include disable-common.inc)\n", cnt_ssh);
+        printf("    seccomp\t\t\t%d\n", cnt_seccomp);
+        printf("    capabilities\t\t%d\n", cnt_caps);
+        printf("    noexec\t\t\t%d   (include disable-exec.inc)\n", cnt_noexec);
+        printf("    apparmor\t\t\t%d\n", cnt_apparmor);
+        printf("    private-dev\t\t\t%d\n", cnt_privatedev);
+        printf("    private-tmp\t\t\t%d\n", cnt_privatetmp);
+        printf("    whitelist var directory\t%d   (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+        printf("    net none\t\t\t%d\n", cnt_netnone);
+        printf("\n");
+        return 0;
+}
+\ No newline at end of file

diff --git a/.gitignore b/.gitignore index 9995da44c..661370b02 100644 --- a/.gitignore +++ b/.gitignore
@@ -33,6 +33,7 @@ src/fsec-optimize/fsec-optimize
33	src/fcopy/fcopy	33	src/fcopy/fcopy
34	src/fldd/fldd	34	src/fldd/fldd
35	src/fbuilder/fbuilder	35	src/fbuilder/fbuilder
		36	etc/profstats
36	uids.h	37	uids.h
37	seccomp	38	seccomp
38	seccomp.debug	39	seccomp.debug


diff --git a/Makefile.in b/Makefile.in index 0285d8592..f7c94aa09 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -1,6 +1,7 @@
1	all: apps man filters	1	all: apps man filters
2	MYLIBS = src/lib	2	MYLIBS = src/lib
3	APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp	3	APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee \
		4	src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp src/profstats
4	MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5	5	MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
5	SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx	6	SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
6		7


diff --git a/README.md b/README.md index 8fc636194..58db16108 100644 --- a/README.md +++ b/README.md
@@ -149,6 +149,29 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
149		149
150	## Current development version: 0.9.63	150	## Current development version: 0.9.63
151		151
		152	### Profile Statistics
		153
		154	A small tool to print profile statistics. Compile as usual (the executable is placed in etc directory( and run:
		155	`````
		156	$ make
		157	$ cd etc
		158	$ ./profstats *.profile
		159	Stats:
		160	profiles 925
		161	include local profile 925 (include profile-name.local)
		162	include globals 925 (include globals.local)
		163	blacklist ~/.ssh 910 (include disable-common.inc)
		164	seccomp 868
		165	capabilities 924
		166	noexec 785 (include disable-exec.inc)
		167	apparmor 426
		168	private-dev 788
		169	private-tmp 687
		170	whitelist var directory 595 (include whitelist-var-common.inc)
		171	net none 274
		172
		173	Run ./profstats -h for help.
		174
152	### New profiles:	175	### New profiles:
153		176
154	gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, gnome-screenshot	177	gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, gnome-screenshot


diff --git a/configure b/configure index 53ea8f19d..f587bb25e 100755 --- a/configure +++ b/configure
@@ -683,6 +683,7 @@ infodir
683	docdir	683	docdir
684	oldincludedir	684	oldincludedir
685	includedir	685	includedir
		686	runstatedir
686	localstatedir	687	localstatedir
687	sharedstatedir	688	sharedstatedir
688	sysconfdir	689	sysconfdir
@@ -776,6 +777,7 @@ datadir='${datarootdir}'
776	sysconfdir='${prefix}/etc'	777	sysconfdir='${prefix}/etc'
777	sharedstatedir='${prefix}/com'	778	sharedstatedir='${prefix}/com'
778	localstatedir='${prefix}/var'	779	localstatedir='${prefix}/var'
		780	runstatedir='${localstatedir}/run'
779	includedir='${prefix}/include'	781	includedir='${prefix}/include'
780	oldincludedir='/usr/include'	782	oldincludedir='/usr/include'
781	docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'	783	docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1028,6 +1030,15 @@ do
1028	\| -silent \| --silent \| --silen \| --sile \| --sil)	1030	\| -silent \| --silent \| --silen \| --sile \| --sil)
1029	silent=yes ;;	1031	silent=yes ;;
1030		1032
		1033	-runstatedir \| --runstatedir \| --runstatedi \| --runstated \
		1034	\| --runstate \| --runstat \| --runsta \| --runst \| --runs \
		1035	\| --run \| --ru \| --r)
		1036	ac_prev=runstatedir ;;
		1037	-runstatedir=* \| --runstatedir=* \| --runstatedi=* \| --runstated=* \
		1038	\| --runstate=* \| --runstat=* \| --runsta=* \| --runst=* \| --runs=* \
		1039	\| --run=* \| --ru=* \| --r=*)
		1040	runstatedir=$ac_optarg ;;
		1041
1031	-sbindir \| --sbindir \| --sbindi \| --sbind \| --sbin \| --sbi \| --sb)	1042	-sbindir \| --sbindir \| --sbindi \| --sbind \| --sbin \| --sbi \| --sb)
1032	ac_prev=sbindir ;;	1043	ac_prev=sbindir ;;
1033	-sbindir=* \| --sbindir=* \| --sbindi=* \| --sbind=* \| --sbin=* \	1044	-sbindir=* \| --sbindir=* \| --sbindi=* \| --sbind=* \| --sbin=* \
@@ -1165,7 +1176,7 @@ fi
1165	for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \	1176	for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
1166	datadir sysconfdir sharedstatedir localstatedir includedir \	1177	datadir sysconfdir sharedstatedir localstatedir includedir \
1167	oldincludedir docdir infodir htmldir dvidir pdfdir psdir \	1178	oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
1168	libdir localedir mandir	1179	libdir localedir mandir runstatedir
1169	do	1180	do
1170	eval ac_val=\$$ac_var	1181	eval ac_val=\$$ac_var
1171	# Remove trailing slashes.	1182	# Remove trailing slashes.
@@ -1318,6 +1329,7 @@ Fine tuning of the installation directories:
1318	--sysconfdir=DIR read-only single-machine data [PREFIX/etc]	1329	--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
1319	--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]	1330	--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
1320	--localstatedir=DIR modifiable single-machine data [PREFIX/var]	1331	--localstatedir=DIR modifiable single-machine data [PREFIX/var]
		1332	--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
1321	--libdir=DIR object code libraries [EPREFIX/lib]	1333	--libdir=DIR object code libraries [EPREFIX/lib]
1322	--includedir=DIR C header files [PREFIX/include]	1334	--includedir=DIR C header files [PREFIX/include]
1323	--oldincludedir=DIR C header files for non-gcc [/usr/include]	1335	--oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -4174,7 +4186,7 @@ if test "$prefix" = /usr; then
4174	test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"	4186	test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
4175	fi	4187	fi
4176		4188
4177	ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"	4189	ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile"
4178		4190
4179	cat >confcache <<\_ACEOF	4191	cat >confcache <<\_ACEOF
4180	# This file is a shell script that caches the results of configure	4192	# This file is a shell script that caches the results of configure
@@ -4902,6 +4914,7 @@ do
4902	"src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;	4914	"src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
4903	"src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;	4915	"src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
4904	"src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;	4916	"src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
		4917	"src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
4905		4918
4906	*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;	4919	*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
4907	esac	4920	esac


diff --git a/configure.ac b/configure.ac index 3c9f901cb..8cf170c80 100644 --- a/configure.ac +++ b/configure.ac
@@ -206,7 +206,8 @@ fi
206		206
207	AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \	207	AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
208	src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \	208	src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
209	src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile)	209	src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
		210	src/profstats/Makefile)
210		211
211	echo	212	echo
212	echo "Configuration options:"	213	echo "Configuration options:"


diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in new file mode 100644 index 000000000..4ada23c23 --- /dev/null +++ b/src/profstats/Makefile.in
@@ -0,0 +1,14 @@
		1	all: ../../etc/profstats
		2
		3	include ../common.mk
		4
		5	%.o : %.c $(H_FILE_LIST)
		6	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
		7
		8	../../etc/profstats: $(OBJS)
		9	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
		10
		11	clean:; rm -fr .o ../../etc/profstats .gcov .gcda .gcno *.plist
		12
		13	distclean: clean
		14	rm -fr Makefile


diff --git a/src/profstats/main.c b/src/profstats/main.c new file mode 100644 index 000000000..775142643 --- /dev/null +++ b/src/profstats/main.c
@@ -0,0 +1,240 @@
		1	/*
		2	* Copyright (C) 2014-2020 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include <stdio.h>
		21	#include <stdlib.h>
		22	#include <string.h>
		23	#include <assert.h>
		24
		25	#define MAXBUF 2048
		26	// stats
		27	static int cnt_profiles = 0;
		28	static int cnt_apparmor = 0;
		29	static int cnt_seccomp = 0;
		30	static int cnt_caps = 0;
		31	static int cnt_dotlocal = 0;
		32	static int cnt_globalsdotlocal = 0;
		33	static int cnt_netnone = 0;
		34	static int cnt_noexec = 0; // include disable-exec.inc
		35	static int cnt_privatedev = 0;
		36	static int cnt_privatetmp = 0;
		37	static int cnt_whitelistvar = 0; // include whitelist-var-common.inc
		38	static int cnt_ssh = 0;
		39
		40	static int level = 0;
		41	static int arg_debug = 0;
		42	static int arg_apparmor = 0;
		43	static int arg_caps = 0;
		44	static int arg_seccomp = 0;
		45	static int arg_noexec = 0;
		46	static int arg_privatedev = 0;
		47	static int arg_privatetmp = 0;
		48	static int arg_whitelistvar = 0;
		49	static int arg_ssh = 0;
		50
		51	static void usage(void) {
		52	printf("proftool - print profile statistics\n");
		53	printf("Usage: proftool [options] file[s]\n");
		54	printf("Options:\n");
		55	printf(" --apparmor - print profiles without apparmor\n");
		56	printf(" --caps - print profiles without caps\n");
		57	printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
		58	printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
		59	printf(" --private-dev - print profiles without private-dev\n");
		60	printf(" --private-tmp - print profiles without private-tmp\n");
		61	printf(" --seccomp - print profiles without seccomp\n");
		62	printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
		63	printf(" --debug\n");
		64	printf("\n");
		65	}
		66
		67	void process_file(const char *fname) {
		68	assert(fname);
		69
		70	if (arg_debug)
		71	printf("processing #%s#\n", fname);
		72	level++;
		73	assert(level < 32); // to do - check in firejail code
		74
		75	FILE *fp = fopen(fname, "r");
		76	if (!fp) {
		77	fprintf(stderr, "Error: cannot open %s\n", fname);
		78	exit(1);
		79	}
		80
		81	char buf[MAXBUF];
		82	while (fgets(buf, MAXBUF, fp)) {
		83	char *ptr = strchr(buf, '\n');
		84	if (ptr)
		85	*ptr = '\0';
		86	ptr = buf;
		87
		88	while (ptr == ' ' \|\| ptr == '\t')
		89	ptr++;
		90	if (ptr == '\n' \|\| ptr == '#')
		91	continue;
		92
		93	if (strncmp(ptr, "seccomp", 7) == 0)
		94	cnt_seccomp++;
		95	else if (strncmp(ptr, "caps", 4) == 0)
		96	cnt_caps++;
		97	else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
		98	cnt_noexec++;
		99	else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
		100	cnt_whitelistvar++;
		101	else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
		102	cnt_ssh++;
		103	else if (strncmp(ptr, "net none", 8) == 0)
		104	cnt_netnone++;
		105	else if (strncmp(ptr, "apparmor", 8) == 0)
		106	cnt_apparmor++;
		107	else if (strncmp(ptr, "private-dev", 11) == 0)
		108	cnt_privatedev++;
		109	else if (strncmp(ptr, "private-tmp", 11) == 0)
		110	cnt_privatetmp++;
		111	else if (strncmp(ptr, "include ", 8) == 0) {
		112	// not processing .local files
		113	if (strstr(ptr, ".local")) {
		114	//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
		115	if (strstr(ptr, "globals.local"))
		116	cnt_globalsdotlocal++;
		117	else
		118	cnt_dotlocal++;
		119	continue;
		120	}
		121	process_file(buf + 8);
		122	}
		123	}
		124
		125	fclose(fp);
		126	level--;
		127	}
		128
		129	int main(int argc, char **argv) {
		130	if (argc <= 1) {
		131	usage();
		132	return 1;
		133	}
		134
		135	int start = 1;
		136	int i;
		137	for (i = 1; i < argc; i++) {
		138	if (strcmp(argv[i], "--help") == 0) {
		139	usage();
		140	return 0;
		141	}
		142	else if (strcmp(argv[i], "--debug") == 0)
		143	arg_debug = 1;
		144	else if (strcmp(argv[i], "--apparmor") == 0)
		145	arg_apparmor = 1;
		146	else if (strcmp(argv[i], "--caps") == 0)
		147	arg_caps = 1;
		148	else if (strcmp(argv[i], "--seccomp") == 0)
		149	arg_seccomp = 1;
		150	else if (strcmp(argv[i], "--noexec") == 0)
		151	arg_noexec = 1;
		152	else if (strcmp(argv[i], "--private-dev") == 0)
		153	arg_privatedev = 1;
		154	else if (strcmp(argv[i], "--private-tmp") == 0)
		155	arg_privatetmp = 1;
		156	else if (strcmp(argv[i], "--whitelist-var") == 0)
		157	arg_whitelistvar = 1;
		158	else if (strcmp(argv[i], "--ssh") == 0)
		159	arg_ssh = 1;
		160	else if (*argv[i] == '-') {
		161	fprintf(stderr, "Error: invalid option %s\n", argv[i]);
		162	return 1;
		163	}
		164	else
		165	break;
		166	}
		167
		168	start = i;
		169	if (i == argc) {
		170	fprintf(stderr, "Error: no porfile file specified\n");
		171	return 1;
		172	}
		173
		174	for (i = start; i < argc; i++) {
		175	cnt_profiles++;
		176
		177	// watch seccomp
		178	int seccomp = cnt_seccomp;
		179	int caps = cnt_caps;
		180	int apparmor = cnt_apparmor;
		181	int noexec = cnt_noexec;
		182	int privatetmp = cnt_privatetmp;
		183	int privatedev = cnt_privatedev;
		184	int dotlocal = cnt_dotlocal;
		185	int globalsdotlocal = cnt_globalsdotlocal;
		186	int whitelistvar = cnt_whitelistvar;
		187	int ssh = cnt_ssh;
		188
		189	// process file
		190	process_file(argv[i]);
		191
		192	// warnings
		193	if ((caps + 2) <= cnt_caps) {
		194	printf("Warning: multiple caps in %s\n", argv[i]);
		195	cnt_caps = caps + 1;
		196	}
		197
		198	// fix redirections
		199	if (cnt_dotlocal > (dotlocal + 1))
		200	cnt_dotlocal = dotlocal + 1;
		201	if (cnt_globalsdotlocal > (globalsdotlocal + 1))
		202	cnt_globalsdotlocal = globalsdotlocal + 1;
		203
		204	if (arg_apparmor && apparmor == cnt_apparmor)
		205	printf("No apparmor found in %s\n", argv[i]);
		206	if (arg_caps && caps == cnt_caps)
		207	printf("No caps found in %s\n", argv[i]);
		208	if (arg_seccomp && seccomp == cnt_seccomp)
		209	printf("No seccomp found in %s\n", argv[i]);
		210	if (arg_noexec && noexec == cnt_noexec)
		211	printf("No include disable-exec.inc found in %s\n", argv[i]);
		212	if (arg_privatedev && privatedev == cnt_privatedev)
		213	printf("No private-dev found in %s\n", argv[i]);
		214	if (arg_privatetmp && privatetmp == cnt_privatetmp)
		215	printf("No private-tmp found in %s\n", argv[i]);
		216	if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
		217	printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
		218	if (arg_ssh && ssh == cnt_ssh)
		219	printf("No include disable-common.inc found in %s\n", argv[i]);
		220
		221	assert(level == 0);
		222	}
		223
		224	printf("\n");
		225	printf("Stats:\n");
		226	printf(" profiles\t\t\t%d\n", cnt_profiles);
		227	printf(" include local profile\t%d (include profile-name.local)\n", cnt_dotlocal);
		228	printf(" include globals\t\t%d (include globals.local)\n", cnt_dotlocal);
		229	printf(" blacklist ~/.ssh\t\t%d (include disable-common.inc)\n", cnt_ssh);
		230	printf(" seccomp\t\t\t%d\n", cnt_seccomp);
		231	printf(" capabilities\t\t%d\n", cnt_caps);
		232	printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
		233	printf(" apparmor\t\t\t%d\n", cnt_apparmor);
		234	printf(" private-dev\t\t\t%d\n", cnt_privatedev);
		235	printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
		236	printf(" whitelist var directory\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
		237	printf(" net none\t\t\t%d\n", cnt_netnone);
		238	printf("\n");
		239	return 0;
		240	} \ No newline at end of file