Diffstat (limited to 'src/jailcheck')
-rw-r--r-- | src/jailcheck/access.c | 2 | ||||
-rw-r--r-- | src/jailcheck/jailcheck.h | 2 | ||||
-rw-r--r-- | src/jailcheck/main.c | 23 | ||||
-rw-r--r-- | src/jailcheck/network.c | 56 | ||||
-rw-r--r-- | src/jailcheck/sysfiles.c | 2 |
5 files changed, 83 insertions, 2 deletions
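--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -36,7 +36,7 @@ void access_setup(const char *directory) {
 assert(user_home_dir);
 
 if (files_cnt >= MAX_TEST_FILES) {
-fprintf(stderr, "Error: maximum number of test directories exceded\n");
+fprintf(stderr, "Error: maximum number of test directories exceeded\n");
 exit(1);
 }
 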
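--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -53,6 +53,8 @@ void apparmor_test(pid_t pid);
 // seccomp.c
 void seccomp_test(pid_t pid);
 
+// network.c
+void network_test(void);
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);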
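--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -157,6 +157,7 @@ int main(int argc, char **argv) {
 seccomp_test(pid);
 fflush(0);
 
+// filesystem tests
 pid_t child = fork();
 if (child == -1)
 errExit("fork");
@@ -185,6 +186,28 @@ int main(int argc, char **argv) {
 }
 int status;
 wait(&status);
+
+// network test
+child = fork();
+if (child == -1)
+errExit("fork");
+if (child == 0) {
+int rv = join_namespace(pid, "net");
+if (rv == 0)
+network_test();
+else {
+printf(" Error: I cannot join the process network stack\n");
+exit(1);
+}
+
+// drop privileges in order not to trigger cleanup()
+if (setgid(user_gid) != 0)
+errExit("setgid");
+if (setuid(user_uid) != 0)
+errExit("setuid");
+return 0;
+}
+wait(&status);
 }
 }
 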
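Review bot: In the new child block the failure branch at new line 200 calls `exit(1)` while the process is still root, before the setgid/setuid drop that the comment at new line 203 says exists to keep cleanup() from running; if cleanup() is an atexit handler keyed on the effective uid (the comment suggests so, but it is outside the hunk), a failed join_namespace makes the child run it. The same applies to `errExit("getifaddrs")` inside network_test(), which presumably also exits as root. Using `_exit(1);` in the error branch skips the atexit handlers without needing the drop, or drop privileges first in that branch. Note also that setgid/setuid alone keep root's supplementary groups; if the drop is meant as a real boundary rather than a cleanup guard, a `setgroups(0, NULL)` before `setgid` is needed. main() begins before this hunk.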
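--- /dev/null
+++ b/src/jailcheck/network.c
@@ -0,0 +1,56 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <linux/connector.h>
+#include <linux/netlink.h>
+#include <linux/if_link.h>
+#include <linux/sockios.h>
+#include <sys/ioctl.h>
+
+
+void network_test(void) {
+// I am root running in a network namespace
+struct ifaddrs *ifaddr, *ifa;
+int found = 0;
+
+// walk through the linked list
+if (getifaddrs(&ifaddr) == -1)
+errExit("getifaddrs");
+for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+if (strcmp(ifa->ifa_name, "lo") == 0)
+continue;
+found = 1;
+break;
+}
+
+freeifaddrs(ifaddr);
+
+if (found)
+printf(" Networking: enabled\n");
+else
+printf(" Networking: disabled\n");
+}
+
+
+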
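Review bot: Most of the headers included at new lines 21-29 (`netdb.h`, `arpa/inet.h`, `net/if.h`, `linux/connector.h`, `linux/netlink.h`, `linux/if_link.h`, `linux/sockios.h`, `sys/ioctl.h`) are not referenced by network_test(), which needs only `ifaddrs.h` plus whatever `jailcheck.h` provides for strcmp/printf/errExit; dropping them keeps the file's dependencies honest. The function also lacks a header comment stating its contract: the loop at lines 40-45 reports "enabled" as soon as getifaddrs() returns any entry whose name is not `lo`, so an interface that carries no IP address can still count, and the comment at line 33 implies it must run as root inside the target's network namespace. I would add above the definition: `// Report whether the sandbox has any network interface besides loopback. Must be called as root after joining the target's net namespace; the mere presence of an interface counts, no address or route is required.` The three trailing blank lines at 54-56 can go.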
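--- a/src/jailcheck/sysfiles.c
+++ b/src/jailcheck/sysfiles.c
@@ -34,7 +34,7 @@ void sysfiles_setup(const char *file) {
 assert(file);
 
 if (files_cnt >= MAX_TEST_FILES) {
-fprintf(stderr, "Error: maximum number of system test files exceded\n");
+fprintf(stderr, "Error: maximum number of system test files exceeded\n");
 exit(1);
 }
 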