Diffstat (limited to 'src')
-rw-r--r-- | src/profstats/main.c | 14 |
1 files changed, 13 insertions, 1 deletions
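diff --git a/src/profstats/main.c b/src/profstats/main.c
index 9deb72f7e..310319c69 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -25,6 +25,7 @@
 static int cnt_profiles = 0;
 static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
+static int cnt_restrict_namespaces = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
 static int cnt_dbus_user_none = 0;
@@ -69,6 +70,7 @@ static int arg_whitelisthome = 0;
 static int arg_noroot = 0;
 static int arg_print_blacklist = 0;
 static int arg_print_whitelist = 0;
+static int arg_restrict_namespaces = 0;
 
 static char *profile = NULL;
 
@@ -91,6 +93,7 @@ static void usage(void) {
 printf(" --print-whitelist - print all --private and --whitelist for a profile\n");
 printf(" --seccomp - print profiles without seccomp\n");
 printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n");
+printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n");
 printf(" --whitelist-home - print profiles whitelisting home directory\n");
 printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
 printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
@@ -152,6 +155,8 @@ static void process_file(char *fname) {
 
 if (strncmp(ptr, "seccomp", 7) == 0)
 cnt_seccomp++;
+if (strncmp(ptr, "restrict-namespaces", 19) == 0)
+cnt_restrict_namespaces++;
 else if (strncmp(ptr, "caps", 4) == 0)
 cnt_caps++;
 else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
@@ -242,6 +247,8 @@ int main(int argc, char **argv) {
 arg_caps = 1;
 else if (strcmp(argv[i], "--seccomp") == 0)
 arg_seccomp = 1;
+else if (strcmp(argv[i], "--restrict-namespaces") == 0)
+arg_restrict_namespaces = 1;
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0)
 arg_mdwx = 1;
 else if (strcmp(argv[i], "--noexec") == 0)
@@ -291,7 +298,7 @@ int main(int argc, char **argv) {
 for (i = start; i < argc; i++) {
 cnt_profiles++;
 
-// watch seccomp
+int restrict_namespaces = cnt_restrict_namespaces;
 int seccomp = cnt_seccomp;
 int caps = cnt_caps;
 int apparmor = cnt_apparmor;
@@ -334,6 +341,8 @@ int main(int argc, char **argv) {
 cnt_whitelistrunuser = whitelistrunuser + 1;
 if (cnt_seccomp > (seccomp + 1))
 cnt_seccomp = seccomp + 1;
+if (cnt_restrict_namespaces > (restrict_namespaces + 1))
+cnt_seccomp = restrict_namespaces + 1;
 if (cnt_dbus_user_none > (dbususernone + 1))
 cnt_dbus_user_none = dbususernone + 1;
 if (cnt_dbus_user_filter > (dbususerfilter + 1))
@@ -353,6 +362,8 @@ int main(int argc, char **argv) {
 printf("No caps found in %s\n", argv[i]);
 if (arg_seccomp && seccomp == cnt_seccomp)
 printf("No seccomp found in %s\n", argv[i]);
+if (arg_restrict_namespaces && restrict_namespaces == cnt_restrict_namespaces)
+printf("No restrict-namespaces found in %s\n", argv[i]);
 if (arg_noexec && noexec == cnt_noexec)
 printf("No include disable-exec.inc found in %s\n", argv[i]);
 if (arg_noroot && noroot == cnt_noroot)
@@ -397,6 +408,7 @@ int main(int argc, char **argv) {
 printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
 printf(" noroot\t\t\t%d\n", cnt_noroot);
 printf(" memory-deny-write-execute\t%d\n", cnt_mdwx);
+printf(" restrict-namespaces\t\t%d\n", cnt_restrict_namespaces);
 printf(" apparmor\t\t\t%d\n", cnt_apparmor);
 printf(" private-bin\t\t\t%d\n", cnt_privatebin);
 printf(" private-dev\t\t\t%d\n", cnt_privatedev);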
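Review bot: The per-profile clamp added at new lines 344-345 assigns to the wrong counter: `cnt_seccomp = restrict_namespaces + 1;` should be `cnt_restrict_namespaces = restrict_namespaces + 1;`, mirroring the seccomp clamp directly above it. As written, a profile containing two or more `restrict-namespaces` lines leaves `cnt_restrict_namespaces` over-counted in the summary and, worse, overwrites the unrelated seccomp total with a restrict-namespaces value, silently corrupting the seccomp statistic this tool exists to report. The `--restrict-namespaces` absence check at new line 365 still works because it only tests equality with the saved value, so the bug would not show up in that output. Separately, new line 158 starts a fresh `if` after the `cnt_seccomp++` branch instead of continuing the `else if` chain; the prefixes are disjoint so behaviour is unaffected, but `else if (strncmp(ptr, "restrict-namespaces", 19) == 0)` keeps the chain consistent. The enclosing `for` loop in main() and the body of process_file() both extend outside these hunks.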