5 files changed, 109 insertions, 10 deletions
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
new file mode 100644
index 000000000..364cfcd03
--- /dev/null
+++ b/src/faudit/caps.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <linux/capability.h>
+#define MAXBUF 4098
+static int extract_caps(uint64_t *val) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp)
+                return 1;
+        
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "CapBnd:\t", 8) == 0) {
+                        char *ptr = buf + 8;
+                        unsigned long long tmp;
+                        sscanf(ptr, "%llx", &tmp);
+                        *val = tmp;
+                        fclose(fp);
+                        return 0;
+                }
+        }
+        fclose(fp);
+        return 1;
+}
+// return 1 if the capability is in tbe map
+static int check_capability(uint64_t map, int cap) {
+        int i;
+        uint64_t mask = 1ULL;
+        
+        for (i = 0; i < 64; i++, mask <<= 1) {
+                if ((i == cap) && (mask & map))
+                        return 1;
+        }
+        return 0;
+}
+void caps(void) {
+        uint64_t caps_val;
+        
+        if (extract_caps(&caps_val)) {
+                printf("SKIP: cannot extract capabilities on this platform\n");
+                return;
+        }
+        
+        if (caps_val) {
+                printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val);
+                
+                if (check_capability(caps_val, CAP_SYS_ADMIN))
+                        printf("UGLY: CAP_SYS_ADMIN is enabled\n");
+                if (check_capability(caps_val, CAP_SYS_BOOT))
+                        printf("UGLY: CAP_SYS_BOOT is enabled\n");
+        }
+        else
+                printf("GOOD: all capabilities are disabled\n"); 
+}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 9c001c285..74426ac0a 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -22,6 +22,7 @@
 #define FAUDIT_H
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
@@ -34,4 +35,7 @@
 // pid.c
 void pid(void);
+// caps.c
+void caps(void);
 #endif
 \ No newline at end of file
diff --git a/src/faudit/main.c b/src/faudit/main.c
index d90eb1c0b..a3407caa1 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -20,12 +20,15 @@
 #include "faudit.h"
 int main(int argc, char **argv) {
-        printf("FAUDIT: Firejail audit started\n");
+        printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n");
        // check pid namespace
        pid();
+        
+        // chack capabilities
+        caps();
-        printf("FAUDIT: Firejail audit ended\n");
+        printf("----------------------------------------------------------\n");
        return 0;
        
 }
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 861324255..a6f02c051 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -69,7 +69,7 @@ void pid(void) {
                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
                                fclose(fp);
                                free(fname);
-                                printf("FAUDIT: Process PID %d, not running in a PID namespace\n", getpid());
+                                printf("BAD: Process PID %d, not running in a PID namespace\n", getpid());
                                return;
                        }
                        j++;
@@ -80,10 +80,10 @@ void pid(void) {
        }
-        printf("FAUDIT: Process PID %d, running in a PID namespace\n", getpid());
+        printf("GOOD: Process PID %d, running in a PID namespace\n", getpid());
        
        // try to guess the type of container/sandbox
        char *str = getenv("container");
        if (str)
-                printf("FAUDIT: Container/sandbox: %s\n", str);
+                printf("Container/sandbox: %s\n", str);
 }
diff --git a/todo b/todo
index a5c311562..a30a5319b 100644
--- a/todo
+++ b/todo
@@ -101,10 +101,25 @@ firejail.src: E: no-changelogname-tag
 firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
 1 packages and 0 specfiles checked; 1 errors, 1 warnings.
-15. Testing:
+15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
-find /usr/share/doc/firejail | cpio -ov > t1
-strings /usr/bin/firejail > t1
-gzip -c /usr/bin/firejail > t1
-use diff -s to compare the files
+$ firejail  --caps.keep=chown,net_bind_service src/faudit/faudit
+Reading profile /etc/firejail/default.profile
+Reading profile /etc/firejail/disable-common.inc
+Reading profile /etc/firejail/disable-programs.inc
+Reading profile /etc/firejail/disable-passwdmgr.inc
+** Note: you can use --noprofile to disable default.profile **
+Parent pid 6872, child pid 6873
+Child process initialized
+----- Firejail Audit: the Good, the Bad and the Ugly -----
+GOOD: Process PID 2, running in a PID namespace
+Container/sandbox: firejail
+GOOD: all capabilities are disabled
+Parent is shutting down, bye...

diff --git a/src/faudit/caps.c b/src/faudit/caps.c new file mode 100644 index 000000000..364cfcd03 --- /dev/null +++ b/src/faudit/caps.c
@@ -0,0 +1,77 @@
		1	/*
		2	* Copyright (C) 2014-2016 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "faudit.h"
		21	#include <linux/capability.h>
		22
		23	#define MAXBUF 4098
		24	static int extract_caps(uint64_t *val) {
		25	FILE *fp = fopen("/proc/self/status", "r");
		26	if (!fp)
		27	return 1;
		28
		29	char buf[MAXBUF];
		30	while (fgets(buf, MAXBUF, fp)) {
		31	if (strncmp(buf, "CapBnd:\t", 8) == 0) {
		32	char *ptr = buf + 8;
		33	unsigned long long tmp;
		34	sscanf(ptr, "%llx", &tmp);
		35	*val = tmp;
		36	fclose(fp);
		37	return 0;
		38	}
		39	}
		40
		41	fclose(fp);
		42	return 1;
		43	}
		44
		45	// return 1 if the capability is in tbe map
		46	static int check_capability(uint64_t map, int cap) {
		47	int i;
		48	uint64_t mask = 1ULL;
		49
		50	for (i = 0; i < 64; i++, mask <<= 1) {
		51	if ((i == cap) && (mask & map))
		52	return 1;
		53	}
		54
		55	return 0;
		56	}
		57
		58	void caps(void) {
		59	uint64_t caps_val;
		60
		61	if (extract_caps(&caps_val)) {
		62	printf("SKIP: cannot extract capabilities on this platform\n");
		63	return;
		64	}
		65
		66	if (caps_val) {
		67	printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val);
		68
		69	if (check_capability(caps_val, CAP_SYS_ADMIN))
		70	printf("UGLY: CAP_SYS_ADMIN is enabled\n");
		71	if (check_capability(caps_val, CAP_SYS_BOOT))
		72	printf("UGLY: CAP_SYS_BOOT is enabled\n");
		73	}
		74	else
		75	printf("GOOD: all capabilities are disabled\n");
		76	}
		77


diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 9c001c285..74426ac0a 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h
@@ -22,6 +22,7 @@
22	#define FAUDIT_H	22	#define FAUDIT_H
23	#include <stdio.h>	23	#include <stdio.h>
24	#include <stdlib.h>	24	#include <stdlib.h>
		25	#include <stdint.h>
25	#include <string.h>	26	#include <string.h>
26	#include <unistd.h>	27	#include <unistd.h>
27	#include <sys/types.h>	28	#include <sys/types.h>
@@ -34,4 +35,7 @@
34	// pid.c	35	// pid.c
35	void pid(void);	36	void pid(void);
36		37
		38	// caps.c
		39	void caps(void);
		40
37	#endif \ No newline at end of file	41	#endif \ No newline at end of file


diff --git a/src/faudit/main.c b/src/faudit/main.c index d90eb1c0b..a3407caa1 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c
@@ -20,12 +20,15 @@
20	#include "faudit.h"	20	#include "faudit.h"
21		21
22	int main(int argc, char **argv) {	22	int main(int argc, char **argv) {
23	printf("FAUDIT: Firejail audit started\n");	23	printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n");
24		24
25	// check pid namespace	25	// check pid namespace
26	pid();	26	pid();
		27
		28	// chack capabilities
		29	caps();
27		30
28	printf("FAUDIT: Firejail audit ended\n");	31	printf("----------------------------------------------------------\n");
29	return 0;	32	return 0;
30		33
31	}	34	}


diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 861324255..a6f02c051 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c
@@ -69,7 +69,7 @@ void pid(void) {
69	if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {	69	if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
70	fclose(fp);	70	fclose(fp);
71	free(fname);	71	free(fname);
72	printf("FAUDIT: Process PID %d, not running in a PID namespace\n", getpid());	72	printf("BAD: Process PID %d, not running in a PID namespace\n", getpid());
73	return;	73	return;
74	}	74	}
75	j++;	75	j++;
@@ -80,10 +80,10 @@ void pid(void) {
80	}	80	}
81		81
82		82
83	printf("FAUDIT: Process PID %d, running in a PID namespace\n", getpid());	83	printf("GOOD: Process PID %d, running in a PID namespace\n", getpid());
84		84
85	// try to guess the type of container/sandbox	85	// try to guess the type of container/sandbox
86	char *str = getenv("container");	86	char *str = getenv("container");
87	if (str)	87	if (str)
88	printf("FAUDIT: Container/sandbox: %s\n", str);	88	printf("Container/sandbox: %s\n", str);
89	}	89	}


diff --git a/todo b/todo index a5c311562..a30a5319b 100644 --- a/todo +++ b/todo
@@ -101,10 +101,25 @@ firejail.src: E: no-changelogname-tag
101	firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found	101	firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
102	1 packages and 0 specfiles checked; 1 errors, 1 warnings.	102	1 packages and 0 specfiles checked; 1 errors, 1 warnings.
103		103
104	15. Testing:	104	15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
105	find /usr/share/doc/firejail \| cpio -ov > t1
106	strings /usr/bin/firejail > t1
107	gzip -c /usr/bin/firejail > t1
108		105
109	use diff -s to compare the files	106	$ firejail --caps.keep=chown,net_bind_service src/faudit/faudit
		107	Reading profile /etc/firejail/default.profile
		108	Reading profile /etc/firejail/disable-common.inc
		109	Reading profile /etc/firejail/disable-programs.inc
		110	Reading profile /etc/firejail/disable-passwdmgr.inc
110		111
		112	Note: you can use --noprofile to disable default.profile
		113
		114	Parent pid 6872, child pid 6873
		115
		116	Child process initialized
		117
		118	----- Firejail Audit: the Good, the Bad and the Ugly -----
		119
		120	GOOD: Process PID 2, running in a PID namespace
		121	Container/sandbox: firejail
		122	GOOD: all capabilities are disabled
		123
		124
		125	Parent is shutting down, bye...