-rw-r--r--Makefile.in3
-rw-r--r--src/faudit/dbus.c6
-rw-r--r--src/faudit/main.c13
-rw-r--r--src/faudit/network.c27
-rw-r--r--src/faudit/pid.c21
5 files changed, 58 insertions, 12 deletions
diff --git a/Makefile.in b/Makefile.in
index 9ef542958..db326d2db 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -310,6 +310,9 @@ deb: dist
310snap: all 310snap: all
311 cd platform/snap; ./snap.sh 311 cd platform/snap; ./snap.sh
312 312
313install-snap: snap
314 sudo snap remove faudit; sudo snap install faudit*.snap
315
313github-compile: 316github-compile:
314 cd test/compile; ./compile.sh 317 cd test/compile; ./compile.sh
315 318
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index f7b5a221d..1ead2aa38 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -60,10 +60,10 @@ void dbus_test(void) {
60 sockfile += 13; 60 sockfile += 13;
61 *sockfile = '@'; 61 *sockfile = '@';
62 char *ptr = strchr(sockfile, ','); 62 char *ptr = strchr(sockfile, ',');
63 if (ptr) { 63 if (ptr)
64 *ptr = '\0'; 64 *ptr = '\0';
65 check_session_bus(sockfile); 65 check_session_bus(sockfile);
66 } 66
67 sockfile -= 13; 67 sockfile -= 13;
68 free(sockfile); 68 free(sockfile);
69 } 69 }
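Review bot: Dropping the braces on line 63 changes control flow, not just style: `check_session_bus(sockfile)` now runs even when `strchr(sockfile, ',')` finds nothing, whereas the old code skipped the check in that case. If checking the un-truncated address is the intent, a one-line comment would stop the next reader from "fixing" it back, e.g. `// no ',' separator: the whole string is the socket address, check it as-is`. The `sockfile += 13` / `sockfile -= 13` pair on lines 60 and 67 that brackets the call still relies on an unnamed prefix length; a named constant would make the skip self-explanatory. The body of dbus_test() starts outside the hunk.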
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 86d3fe4a9..14794719d 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -46,23 +46,30 @@ int main(int argc, char **argv) {
46 46
47 // check pid namespace 47 // check pid namespace
48 pid_test(); 48 pid_test();
49 printf("\n");
49 50
50 // check capabilities
51 caps_test();
52
53 // check seccomp 51 // check seccomp
54 seccomp_test(); 52 seccomp_test();
53 printf("\n");
55 54
55 // check capabilities
56 caps_test();
57 printf("\n");
58
56 // check some well-known problematic files and directories 59 // check some well-known problematic files and directories
57 files_test(); 60 files_test();
61 printf("\n");
58 62
59 // network 63 // network
60 network_test(); 64 network_test();
65 printf("\n");
61 66
62 // dbus 67 // dbus
63 dbus_test(); 68 dbus_test();
69 printf("\n");
64 70
65 free(prog); 71 free(prog);
66 printf("--------------------------------------------------------------------------------\n"); 72 printf("--------------------------------------------------------------------------------\n");
73
67 return 0; 74 return 0;
68} 75}
diff --git a/src/faudit/network.c b/src/faudit/network.c
index 0e0ad1844..cf1eede69 100644
--- a/src/faudit/network.c
+++ b/src/faudit/network.c
@@ -23,7 +23,7 @@
23#include <linux/netlink.h> 23#include <linux/netlink.h>
24#include <linux/rtnetlink.h> 24#include <linux/rtnetlink.h>
25 25
26void check_ssh(void) { 26static void check_ssh(void) {
27 // open socket 27 // open socket
28 int sock = socket(AF_INET, SOCK_STREAM, 0); 28 int sock = socket(AF_INET, SOCK_STREAM, 0);
29 if (sock == -1) { 29 if (sock == -1) {
@@ -47,6 +47,30 @@ void check_ssh(void) {
47 close(sock); 47 close(sock);
48} 48}
49 49
50static void check_http(void) {
51 // open socket
52 int sock = socket(AF_INET, SOCK_STREAM, 0);
53 if (sock == -1) {
54 printf("GOOD: HTTP server not available on localhost.\n");
55 return;
56 }
57
58 // connect to localhost
59 struct sockaddr_in server;
60 server.sin_addr.s_addr = inet_addr("127.0.0.1");
61 server.sin_family = AF_INET;
62 server.sin_port = htons(80);
63
64 if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
65 printf("GOOD: HTTP server not available on localhost.\n");
66 else {
67 printf("MAYBE: an HTTP server is accessible on localhost. ");
68 printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
69 }
70
71 close(sock);
72}
73
50void check_netlink(void) { 74void check_netlink(void) {
51 int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); 75 int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
52 if (sock == -1) { 76 if (sock == -1) {
@@ -72,5 +96,6 @@ void check_netlink(void) {
72 96
73void network_test(void) { 97void network_test(void) {
74 check_ssh(); 98 check_ssh();
99 check_http();
75 check_netlink(); 100 check_netlink();
76} 101}
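Review bot: In the new check_http() (second hunk, line 54) a failed `socket()` is reported as `GOOD: HTTP server not available on localhost.`, which conflates "no listener" with "this process cannot create an AF_INET socket at all" (e.g. a blocked syscall); the two deserve different messages since only the second says anything about the sandbox. The function also duplicates check_ssh() line for line apart from the port and the label, and `struct sockaddr_in server` is left partly uninitialised before `connect()`. A small static helper taking the port and service name removes the duplication and fixes both points; check_ssh() could call it too, but most of its body lies outside the hunk.
```c
// Probe a TCP port on 127.0.0.1. A failed socket() is reported on its own so
// that an unavailable syscall is not mistaken for the absence of a listener.
static void check_localhost_tcp(unsigned short port, const char *service) {
	int sock = socket(AF_INET, SOCK_STREAM, 0);
	if (sock == -1) {
		printf("INFO: cannot create a socket to probe the %s port (%d).\n", service, port);
		return;
	}

	// designated initializer zeroes sin_zero and any padding
	struct sockaddr_in server = { .sin_family = AF_INET, .sin_port = htons(port) };
	server.sin_addr.s_addr = inet_addr("127.0.0.1");

	if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0)
		printf("GOOD: %s server not available on localhost.\n", service);
	else {
		printf("MAYBE: an %s server is accessible on localhost. ", service);
		printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
	}

	close(sock);
}

static void check_http(void) {
	check_localhost_tcp(80, "HTTP");
}

// … unchanged: check_netlink, network_test …
```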
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 2770daece..a0fb1d921 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -31,6 +31,7 @@ void pid_test(void) {
31 int i; 31 int i;
32 32
33 // look at the first 10 processes 33 // look at the first 10 processes
34 int not_visible = 1;
34 for (i = 1; i <= 10; i++) { 35 for (i = 1; i <= 10; i++) {
35 struct stat s; 36 struct stat s;
36 char *fname; 37 char *fname;
@@ -45,7 +46,7 @@ void pid_test(void) {
45 /* coverity[toctou] */ 46 /* coverity[toctou] */
46 FILE *fp = fopen(fname, "r"); 47 FILE *fp = fopen(fname, "r");
47 if (!fp) { 48 if (!fp) {
48 fprintf(stderr, "Warning: cannot open %s\n", fname); 49// fprintf(stderr, "Warning: cannot open %s\n", fname);
49 free(fname); 50 free(fname);
50 continue; 51 continue;
51 } 52 }
@@ -53,11 +54,13 @@ void pid_test(void) {
53 // read file 54 // read file
54 char buf[100]; 55 char buf[100];
55 if (fgets(buf, 10, fp) == NULL) { 56 if (fgets(buf, 10, fp) == NULL) {
56 fprintf(stderr, "Warning: cannot read %s\n", fname); 57// fprintf(stderr, "Warning: cannot read %s\n", fname);
57 fclose(fp); 58 fclose(fp);
58 free(fname); 59 free(fname);
59 continue; 60 continue;
60 } 61 }
62 not_visible = 0;
63
61 // clean /n 64 // clean /n
62 char *ptr; 65 char *ptr;
63 if ((ptr = strchr(buf, '\n')) != NULL) 66 if ((ptr = strchr(buf, '\n')) != NULL)
@@ -69,7 +72,7 @@ void pid_test(void) {
69 if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { 72 if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
70 fclose(fp); 73 fclose(fp);
71 free(fname); 74 free(fname);
72 printf("BAD: Process %d, not running in a PID namespace. ", getpid()); 75 printf("BAD: Process %d is not running in a PID namespace. ", getpid());
73 printf("Are you sure you're running in a sandbox?\n"); 76 printf("Are you sure you're running in a sandbox?\n");
74 return; 77 return;
75 } 78 }
@@ -80,11 +83,19 @@ void pid_test(void) {
80 free(fname); 83 free(fname);
81 } 84 }
82 85
83 86 pid_t pid = getpid();
84 printf("GOOD: process %d running in a PID namespace.\n", getpid()); 87 if (not_visible && pid > 100)
88 printf("BAD: Process %d is not running in a PID namespace.\n", pid);
89 else
90 printf("GOOD: process %d is running in a PID namespace.\n", pid);
85 91
86 // try to guess the type of container/sandbox 92 // try to guess the type of container/sandbox
87 char *str = getenv("container"); 93 char *str = getenv("container");
88 if (str) 94 if (str)
89 printf("INFO: container/sandbox %s.\n", str); 95 printf("INFO: container/sandbox %s.\n", str);
96 else {
97 str = getenv("SNAP");
98 if (str)
99 printf("INFO: this is a snap package\n");
100 }
90} 101}
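Review bot: The new verdict on lines 86-90 hinges on the bare literal `pid > 100`, and nothing on the page says why a PID above 100 combined with none of /proc/1..10 being readable means "not in a PID namespace"; a named constant with a comment would make the heuristic reviewable, e.g. `// a fresh PID namespace hands out low PIDs; a high one with /proc/1..10 unreadable suggests the host namespace with /proc hidden` above an `enum { PID_NS_LOW_PID_LIMIT = 100 };`. The warnings on lines 49 and 57 (second and third hunks) are commented out with `//` rather than removed; dead code like this tends to drift, so either delete the lines or keep them behind an explicit verbose flag. The `getenv("SNAP")` hint on line 97 is only informational, which is appropriate since the environment is set by whoever launched the process. pid_test() starts outside the hunks.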