diff options
Diffstat (limited to 'src/fids/main.c')
-rw-r--r-- | src/fids/main.c | 378 |
1 files changed, 378 insertions, 0 deletions
diff --git a/src/fids/main.c b/src/fids/main.c new file mode 100644 index 000000000..e6be365d1 --- /dev/null +++ b/src/fids/main.c | |||
@@ -0,0 +1,378 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2022 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "fids.h" | ||
21 | #include <sys/types.h> | ||
22 | #include <sys/stat.h> | ||
23 | #include <unistd.h> | ||
24 | #include <fcntl.h> | ||
25 | #include <sys/mman.h> | ||
26 | #include <dirent.h> | ||
27 | #include <glob.h> | ||
28 | |||
29 | #define MAXBUF 4096 | ||
30 | |||
31 | static int dir_level = 1; | ||
32 | static int include_level = 0; | ||
33 | int arg_init = 0; | ||
34 | int arg_check = 0; | ||
35 | char *arg_homedir = NULL; | ||
36 | char *arg_dbfile = NULL; | ||
37 | |||
38 | int f_scanned = 0; | ||
39 | int f_modified = 0; | ||
40 | int f_new = 0; | ||
41 | int f_removed = 0; | ||
42 | int f_permissions = 0; | ||
43 | |||
44 | |||
45 | |||
46 | static inline int is_dir(const char *fname) { | ||
47 | assert(fname); | ||
48 | |||
49 | struct stat s; | ||
50 | if (stat(fname, &s) == 0) { | ||
51 | if (S_ISDIR(s.st_mode)) | ||
52 | return 1; | ||
53 | } | ||
54 | return 0; | ||
55 | } | ||
56 | |||
57 | static inline int is_link(const char *fname) { | ||
58 | assert(fname); | ||
59 | |||
60 | char c; | ||
61 | ssize_t rv = readlink(fname, &c, 1); | ||
62 | return (rv != -1); | ||
63 | } | ||
64 | |||
65 | // mode is an array of 10 chars or more | ||
66 | static inline void file_mode(const char *fname, char *mode) { | ||
67 | assert(fname); | ||
68 | assert(mode); | ||
69 | |||
70 | struct stat s; | ||
71 | if (stat(fname, &s)) { | ||
72 | *mode = '\0'; | ||
73 | return; | ||
74 | } | ||
75 | |||
76 | sprintf(mode, (s.st_mode & S_IRUSR) ? "r" : "-"); | ||
77 | sprintf(mode + 1, (s.st_mode & S_IWUSR) ? "w" : "-"); | ||
78 | sprintf(mode + 2, (s.st_mode & S_IXUSR) ? "x" : "-"); | ||
79 | sprintf(mode + 3, (s.st_mode & S_IRGRP) ? "r" : "-"); | ||
80 | sprintf(mode + 4, (s.st_mode & S_IWGRP) ? "w" : "-"); | ||
81 | sprintf(mode + 5, (s.st_mode & S_IXGRP) ? "x" : "-"); | ||
82 | sprintf(mode + 6, (s.st_mode & S_IROTH) ? "r" : "-"); | ||
83 | sprintf(mode + 7, (s.st_mode & S_IWOTH) ? "w" : "-"); | ||
84 | sprintf(mode + 8, (s.st_mode & S_IXOTH) ? "x" : "-"); | ||
85 | } | ||
86 | |||
87 | |||
88 | static void file_checksum(const char *fname) { | ||
89 | assert(fname); | ||
90 | |||
91 | int fd = open(fname, O_RDONLY); | ||
92 | if (fd == -1) | ||
93 | return; | ||
94 | |||
95 | off_t size = lseek(fd, 0, SEEK_END); | ||
96 | if (size < 0) { | ||
97 | close(fd); | ||
98 | return; | ||
99 | } | ||
100 | |||
101 | char *content = "empty"; | ||
102 | int mmapped = 0; | ||
103 | if (size == 0) { | ||
104 | // empty files don't mmap - use "empty" string as the file content | ||
105 | size = 6; // strlen("empty") + 1 | ||
106 | } | ||
107 | else { | ||
108 | content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); | ||
109 | close(fd); | ||
110 | mmapped = 1; | ||
111 | } | ||
112 | |||
113 | unsigned char checksum[KEY_SIZE / 8]; | ||
114 | blake2b(checksum, sizeof(checksum), content, size); | ||
115 | if (mmapped) | ||
116 | munmap(content, size); | ||
117 | |||
118 | // calculate blake2 checksum | ||
119 | char str_checksum[(KEY_SIZE / 8) * 2 + 1]; | ||
120 | int long unsigned i; | ||
121 | char *ptr = str_checksum; | ||
122 | for (i = 0; i < sizeof(checksum); i++, ptr += 2) | ||
123 | sprintf(ptr, "%02x", (unsigned char ) checksum[i]); | ||
124 | |||
125 | // build permissions string | ||
126 | char mode[10]; | ||
127 | file_mode(fname, mode); | ||
128 | |||
129 | if (arg_init) | ||
130 | printf("%s\t%s\t%s\n", mode, str_checksum, fname); | ||
131 | else if (arg_check) | ||
132 | db_check(fname, str_checksum, mode); | ||
133 | else | ||
134 | assert(0); | ||
135 | |||
136 | f_scanned++; | ||
137 | if (f_scanned % 500 == 0) | ||
138 | fprintf(stderr, "%d ", f_scanned); | ||
139 | fflush(0); | ||
140 | } | ||
141 | |||
142 | void list_directory(const char *fname) { | ||
143 | assert(fname); | ||
144 | if (dir_level > MAX_DIR_LEVEL) { | ||
145 | fprintf(stderr, "Warning fids: maximum depth level exceeded for %s\n", fname); | ||
146 | return; | ||
147 | } | ||
148 | |||
149 | if (db_exclude_check(fname)) | ||
150 | return; | ||
151 | |||
152 | if (is_link(fname)) | ||
153 | return; | ||
154 | |||
155 | if (!is_dir(fname)) { | ||
156 | file_checksum(fname); | ||
157 | return; | ||
158 | } | ||
159 | |||
160 | DIR *dir; | ||
161 | struct dirent *entry; | ||
162 | |||
163 | if (!(dir = opendir(fname))) | ||
164 | return; | ||
165 | |||
166 | dir_level++; | ||
167 | while ((entry = readdir(dir)) != NULL) { | ||
168 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
169 | continue; | ||
170 | char *path; | ||
171 | if (asprintf(&path, "%s/%s", fname, entry->d_name) == -1) | ||
172 | errExit("asprintf"); | ||
173 | list_directory(path); | ||
174 | free(path); | ||
175 | } | ||
176 | closedir(dir); | ||
177 | dir_level--; | ||
178 | } | ||
179 | |||
180 | void globbing(const char *fname) { | ||
181 | assert(fname); | ||
182 | |||
183 | // filter top directory | ||
184 | if (strcmp(fname, "/") == 0) | ||
185 | return; | ||
186 | |||
187 | glob_t globbuf; | ||
188 | int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); | ||
189 | if (globerr) { | ||
190 | fprintf(stderr, "Error fids: failed to glob pattern %s\n", fname); | ||
191 | exit(1); | ||
192 | } | ||
193 | |||
194 | long unsigned i; | ||
195 | for (i = 0; i < globbuf.gl_pathc; i++) { | ||
196 | char *path = globbuf.gl_pathv[i]; | ||
197 | assert(path); | ||
198 | |||
199 | list_directory(path); | ||
200 | } | ||
201 | |||
202 | globfree(&globbuf); | ||
203 | } | ||
204 | |||
205 | static void process_config(const char *fname) { | ||
206 | assert(fname); | ||
207 | |||
208 | if (++include_level >= MAX_INCLUDE_LEVEL) { | ||
209 | fprintf(stderr, "Error ids: maximum include level for config files exceeded\n"); | ||
210 | exit(1); | ||
211 | } | ||
212 | |||
213 | fprintf(stderr, "Opening config file %s\n", fname); | ||
214 | int fd = open(fname, O_RDONLY|O_CLOEXEC); | ||
215 | if (fd < 0) { | ||
216 | if (include_level == 1) { | ||
217 | fprintf(stderr, "Error ids: cannot open config file %s\n", fname); | ||
218 | exit(1); | ||
219 | } | ||
220 | return; | ||
221 | } | ||
222 | |||
223 | // make sure the file is owned by root | ||
224 | struct stat s; | ||
225 | if (fstat(fd, &s)) { | ||
226 | fprintf(stderr, "Error ids: cannot stat config file %s\n", fname); | ||
227 | exit(1); | ||
228 | } | ||
229 | if (s.st_uid || s.st_gid) { | ||
230 | fprintf(stderr, "Error ids: config file not owned by root\n"); | ||
231 | exit(1); | ||
232 | } | ||
233 | |||
234 | fprintf(stderr, "Loading config file %s\n", fname); | ||
235 | FILE *fp = fdopen(fd, "r"); | ||
236 | if (!fp) { | ||
237 | fprintf(stderr, "Error fids: cannot open config file %s\n", fname); | ||
238 | exit(1); | ||
239 | } | ||
240 | |||
241 | char buf[MAXBUF]; | ||
242 | int line = 0; | ||
243 | while (fgets(buf, MAXBUF, fp)) { | ||
244 | line++; | ||
245 | |||
246 | // trim \n | ||
247 | char *ptr = strchr(buf, '\n'); | ||
248 | if (ptr) | ||
249 | *ptr = '\0'; | ||
250 | |||
251 | // comments | ||
252 | ptr = strchr(buf, '#'); | ||
253 | if (ptr) | ||
254 | *ptr = '\0'; | ||
255 | |||
256 | // empty space | ||
257 | ptr = buf; | ||
258 | while (*ptr == ' ' || *ptr == '\t') | ||
259 | ptr++; | ||
260 | char *start = ptr; | ||
261 | |||
262 | // empty line | ||
263 | if (*start == '\0') | ||
264 | continue; | ||
265 | |||
266 | // trailing spaces | ||
267 | ptr = start + strlen(start); | ||
268 | ptr--; | ||
269 | while (*ptr == ' ' || *ptr == '\t') | ||
270 | *ptr-- = '\0'; | ||
271 | |||
272 | // replace ${HOME} | ||
273 | if (strncmp(start, "include", 7) == 0) { | ||
274 | ptr = start + 7; | ||
275 | if ((*ptr != ' ' && *ptr != '\t') || *ptr == '\0') { | ||
276 | fprintf(stderr, "Error fids: invalid line %d in %s\n", line, fname); | ||
277 | exit(1); | ||
278 | } | ||
279 | while (*ptr == ' ' || *ptr == '\t') | ||
280 | ptr++; | ||
281 | |||
282 | if (*ptr == '/') | ||
283 | process_config(ptr); | ||
284 | else { | ||
285 | // assume the file is in /etc/firejail | ||
286 | char *tmp; | ||
287 | if (asprintf(&tmp, "/etc/firejail/%s", ptr) == -1) | ||
288 | errExit("asprintf"); | ||
289 | process_config(tmp); | ||
290 | free(tmp); | ||
291 | } | ||
292 | } | ||
293 | else if (*start == '!') { | ||
294 | // exclude file or dir | ||
295 | start++; | ||
296 | if (strncmp(start, "${HOME}", 7)) | ||
297 | db_exclude_add(start); | ||
298 | else { | ||
299 | char *fname; | ||
300 | if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1) | ||
301 | errExit("asprintf"); | ||
302 | db_exclude_add(fname); | ||
303 | free(fname); | ||
304 | } | ||
305 | } | ||
306 | else if (strncmp(start, "${HOME}", 7)) | ||
307 | globbing(start); | ||
308 | else { | ||
309 | char *fname; | ||
310 | if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1) | ||
311 | errExit("asprintf"); | ||
312 | globbing(fname); | ||
313 | free(fname); | ||
314 | } | ||
315 | } | ||
316 | |||
317 | fclose(fp); | ||
318 | include_level--; | ||
319 | } | ||
320 | |||
321 | |||
322 | |||
323 | void usage(void) { | ||
324 | printf("Usage: fids [--help|-h|-?] --init|--check homedir\n"); | ||
325 | } | ||
326 | |||
327 | int main(int argc, char **argv) { | ||
328 | int i; | ||
329 | for (i = 1; i < argc; i++) { | ||
330 | if (strcmp(argv[i], "-h") == 0 || | ||
331 | strcmp(argv[i], "-?") == 0 || | ||
332 | strcmp(argv[i], "--help") == 0) { | ||
333 | usage(); | ||
334 | return 0; | ||
335 | } | ||
336 | else if (strcmp(argv[i], "--init") == 0) | ||
337 | arg_init = 1; | ||
338 | else if (strcmp(argv[i], "--check") == 0) | ||
339 | arg_check = 1; | ||
340 | else if (strncmp(argv[i], "--", 2) == 0) { | ||
341 | fprintf(stderr, "Error fids: invalid argument %s\n", argv[i]); | ||
342 | exit(1); | ||
343 | } | ||
344 | } | ||
345 | |||
346 | if (argc != 3) { | ||
347 | fprintf(stderr, "Error fids: invalid number of arguments\n"); | ||
348 | exit(1); | ||
349 | } | ||
350 | arg_homedir = argv[2]; | ||
351 | |||
352 | int op = arg_check + arg_init; | ||
353 | if (op == 0 || op == 2) { | ||
354 | fprintf(stderr, "Error fids: use either --init or --check\n"); | ||
355 | exit(1); | ||
356 | } | ||
357 | |||
358 | if (arg_init) { | ||
359 | process_config(SYSCONFDIR"/ids.config"); | ||
360 | fprintf(stderr, "\n%d files scanned\n", f_scanned); | ||
361 | fprintf(stderr, "IDS database initialized\n"); | ||
362 | } | ||
363 | else if (arg_check) { | ||
364 | if (db_init()) { | ||
365 | fprintf(stderr, "Error: IDS database not initialized, please run \"firejail --ids-init\"\n"); | ||
366 | exit(1); | ||
367 | } | ||
368 | |||
369 | process_config(SYSCONFDIR"/ids.config"); | ||
370 | fprintf(stderr, "\n%d files scanned: modified %d, permissions %d, new %d, removed %d\n", | ||
371 | f_scanned, f_modified, f_permissions, f_new, f_removed); | ||
372 | db_missing(); | ||
373 | } | ||
374 | else | ||
375 | assert(0); | ||
376 | |||
377 | return 0; | ||
378 | } | ||