Diffstat (limited to 'src/faudit/caps.c')
-rw-r--r-- | src/faudit/caps.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/src/faudit/caps.c b/src/faudit/caps.c index b200c6792..d4a98676c 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c | |||
@@ -26,7 +26,7 @@ static int extract_caps(uint64_t *val) { | |||
26 | FILE *fp = fopen("/proc/self/status", "r"); | 26 | FILE *fp = fopen("/proc/self/status", "r"); |
27 | if (!fp) | 27 | if (!fp) |
28 | return 1; | 28 | return 1; |
29 | 29 | ||
30 | char buf[MAXBUF]; | 30 | char buf[MAXBUF]; |
31 | while (fgets(buf, MAXBUF, fp)) { | 31 | while (fgets(buf, MAXBUF, fp)) { |
32 | if (strncmp(buf, "CapBnd:\t", 8) == 0) { | 32 | if (strncmp(buf, "CapBnd:\t", 8) == 0) { |
@@ -47,7 +47,7 @@ static int extract_caps(uint64_t *val) { | |||
47 | static int check_capability(uint64_t map, int cap) { | 47 | static int check_capability(uint64_t map, int cap) { |
48 | int i; | 48 | int i; |
49 | uint64_t mask = 1ULL; | 49 | uint64_t mask = 1ULL; |
50 | 50 | ||
51 | for (i = 0; i < 64; i++, mask <<= 1) { | 51 | for (i = 0; i < 64; i++, mask <<= 1) { |
52 | if ((i == cap) && (mask & map)) | 52 | if ((i == cap) && (mask & map)) |
53 | return 1; | 53 | return 1; |
@@ -58,22 +58,21 @@ static int check_capability(uint64_t map, int cap) { | |||
58 | 58 | ||
59 | void caps_test(void) { | 59 | void caps_test(void) { |
60 | uint64_t caps_val; | 60 | uint64_t caps_val; |
61 | 61 | ||
62 | if (extract_caps(&caps_val)) { | 62 | if (extract_caps(&caps_val)) { |
63 | printf("SKIP: cannot extract capabilities on this platform.\n"); | 63 | printf("SKIP: cannot extract capabilities on this platform.\n"); |
64 | return; | 64 | return; |
65 | } | 65 | } |
66 | 66 | ||
67 | if (caps_val) { | 67 | if (caps_val) { |
68 | printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); | 68 | printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); |
69 | printf("Use \"firejail --caps.drop=all\" to fix it.\n"); | 69 | printf("Use \"firejail --caps.drop=all\" to fix it.\n"); |
70 | 70 | ||
71 | if (check_capability(caps_val, CAP_SYS_ADMIN)) | 71 | if (check_capability(caps_val, CAP_SYS_ADMIN)) |
72 | printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); | 72 | printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); |
73 | if (check_capability(caps_val, CAP_SYS_BOOT)) | 73 | if (check_capability(caps_val, CAP_SYS_BOOT)) |
74 | printf("UGLY: CAP_SYS_BOOT is enabled.\n"); | 74 | printf("UGLY: CAP_SYS_BOOT is enabled.\n"); |
75 | } | 75 | } |
76 | else | 76 | else |
77 | printf("GOOD: all capabilities are disabled.\n"); | 77 | printf("GOOD: all capabilities are disabled.\n"); |
78 | } | 78 | } |
79 | |||