10 files changed, 62 insertions, 13 deletions
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 5f25e7312..f7b5a221d 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) {
                printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
        }
        else {
-                printf("MAYBE: I can connect to session bus. If this is undesirable, use \"--private-tmp\" or blacklist the socket file.\n");
+                printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
        }       
        close(sock);
diff --git a/src/faudit/files.c b/src/faudit/files.c
index c27973358..e27d3436a 100644
--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -33,7 +33,7 @@ static void check_home_file(const char *name) {
        if (access(fname, R_OK) == 0) {
                printf("UGLY: I can access files in %s directory. ", fname);
-                printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname);
+                printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
        }
        else
                printf("GOOD: I cannot access files in %s directory.\n", fname);
diff --git a/src/faudit/main.c b/src/faudit/main.c
index df549ac3e..86d3fe4a9 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -41,7 +41,7 @@ int main(int argc, char **argv) {
                fprintf(stderr, "Error: cannot extract the path of the audit program\n");
                return 1;
        }
-        printf("INFO: Starting %s.\n", prog);
+        printf("INFO: starting %s.\n", prog);
        
        
        // check pid namespace
diff --git a/src/faudit/network.c b/src/faudit/network.c
index bb3116c3b..39821cd25 100644
--- a/src/faudit/network.c
+++ b/src/faudit/network.c
@@ -40,7 +40,7 @@ void check_ssh(void) {
        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
                printf("GOOD: SSH server not available on localhost.\n");
        else {
-                printf("MAYBE: An SSH server is accessible on localhost. ");
+                printf("MAYBE: an SSH server is accessible on localhost. ");
                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
        }
        
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 84d73a03f..7088ad340 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -79,11 +79,8 @@ void syscall_run(const char *name) {
        if (child < 0)
                errExit("fork");
        if (child == 0) {
-                char *cmd;
-                if (asprintf(&cmd, "%s syscall %s", prog, name) == -1)
-                        errExit("asprintf");
                execl(prog, prog, "syscall", name, NULL);
-                exit(0);
+                exit(1);
        }
                
        // wait for the child to finish
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 0b6e2e181..39013de56 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -260,6 +260,7 @@ extern int arg_ipc;		// enable ipc namespace
 extern int arg_writable_etc;    // writable etc
 extern int arg_writable_var;    // writable var
 extern int arg_appimage;        // appimage
+extern int arg_audit;           // audit
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7b956bf64..34cc38cd5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -100,6 +100,7 @@ int arg_ipc = 0;					// enable ipc namespace
 int arg_writable_etc = 0;                       // writable etc
 int arg_writable_var = 0;                       // writable var
 int arg_appimage = 0;                           // appimage
+int arg_audit = 0;                              // audit
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1830,6 +1831,8 @@ int main(int argc, char **argv) {
                //*************************************
                // command
                //*************************************
+                else if (strcmp(argv[i], "--audit") == 0)
+                        arg_audit = 1;
                else if (strcmp(argv[i], "--appimage") == 0)
                        arg_appimage = 1;
                else if (strcmp(argv[i], "--csh") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0e3d722b7..8cf2486b3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -275,9 +275,18 @@ static int monitor_application(pid_t app_pid) {
 static void start_application(void) {
        //****************************************
+        // audit
+        //****************************************
+        if (arg_audit) {
+                char *audit_prog;
+                if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
+                        errExit("asprintf");
+                execl(audit_prog, audit_prog, NULL);
+        }
+        //****************************************
        // start the program without using a shell
        //****************************************
-        if (arg_shell_none) {
+        else if (arg_shell_none) {
                if (arg_debug) {
                        int i;
                        for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 82b1affcc..e31867351 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -35,6 +35,8 @@ void usage(void) {
        printf("Options:\n\n");
        printf("    -- - signal the end of options and disables further option processing.\n\n");
        printf("    --appimage - sandbox an AppImage application\n\n");
+        printf("    --audit - audit the sandbox, see Audit section for more details\n\n");
+        printf("    --audit=test-program - audit the sandbox, see Audit section for more details\n\n");
 #ifdef HAVE_NETWORK     
        printf("    --bandwidth=name|pid - set  bandwidth  limits  for  the sandbox identified\n");
        printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
@@ -298,7 +300,19 @@ void usage(void) {
        printf("\n");
 #endif
+        printf("Audit\n\n");
+        printf("Audit feature allows the user to point out gaps in security profiles. The\n");
+        printf("implementation replaces the program to be sandboxed with a test program. By\n");
+        printf("default, we use faudit program distributed with Firejail. A custom test program\n");
+        printf("can also be supplied by the user. Examples:\n\n");
+        printf("Running the default audit program:\n");
+        printf("    $ firejail --audit transmission-gtk\n\n");
+        printf("Running a custom audit program:\n");
+        printf("    $ firejail --audit=~/sandbox-test transmission-gtk\n\n");
+        printf("In the examples above, the sandbox configures transmission-gtk profile and\n");
+        printf("starts the test program. The real program, transmission-gtk, will not be\n");
+        printf("started.\n\n\n");
+        
        printf("Monitoring\n\n");
        printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bb8c64dc9..a523e51cb 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -88,6 +88,12 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
 .br
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
 .TP
+\fB\-\-audit
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
+\fB\-\-audit=test-program
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -1691,15 +1697,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 Set rate-limits:
-        firejail --bandwidth=name|pid set network download upload
+        $ firejail --bandwidth=name|pid set network download upload
 Clear rate-limits:
-        firejail --bandwidth=name|pid clear network
+        $ firejail --bandwidth=name|pid clear network
 Status:
-        firejail --bandwidth=name|pid status
+        $ firejail --bandwidth=name|pid status
 where:
 .br
@@ -1723,6 +1729,25 @@ Example:
 .br
        $ firejail \-\-bandwidth=mybrowser clear eth0
+.SH AUDIT
+Audit feature allows the user to point out gaps in security profiles. The
+implementation replaces the program to be sandboxed with a test program. By
+default, we use faudit program distributed with Firejail. A custom test program
+can also be supplied by the user. Examples:
+Running the default audit program:
+.br
+        $ firejail --audit transmission-gtk
+Running a custom audit program:
+.br
+        $ firejail --audit=~/sandbox-test transmission-gtk\n\n");
+In the examples above, the sandbox configures transmission-gtk profile and
+starts the test program. The real program, transmission-gtk, will not be
+started.
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:

diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 5f25e7312..f7b5a221d 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) {
42	printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");	42	printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
43	}	43	}
44	else {	44	else {
45	printf("MAYBE: I can connect to session bus. If this is undesirable, use \"--private-tmp\" or blacklist the socket file.\n");	45	printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
46	}	46	}
47		47
48	close(sock);	48	close(sock);


diff --git a/src/faudit/files.c b/src/faudit/files.c index c27973358..e27d3436a 100644 --- a/src/faudit/files.c +++ b/src/faudit/files.c
@@ -33,7 +33,7 @@ static void check_home_file(const char *name) {
33		33
34	if (access(fname, R_OK) == 0) {	34	if (access(fname, R_OK) == 0) {
35	printf("UGLY: I can access files in %s directory. ", fname);	35	printf("UGLY: I can access files in %s directory. ", fname);
36	printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname);	36	printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
37	}	37	}
38	else	38	else
39	printf("GOOD: I cannot access files in %s directory.\n", fname);	39	printf("GOOD: I cannot access files in %s directory.\n", fname);


diff --git a/src/faudit/main.c b/src/faudit/main.c index df549ac3e..86d3fe4a9 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c
@@ -41,7 +41,7 @@ int main(int argc, char **argv) {
41	fprintf(stderr, "Error: cannot extract the path of the audit program\n");	41	fprintf(stderr, "Error: cannot extract the path of the audit program\n");
42	return 1;	42	return 1;
43	}	43	}
44	printf("INFO: Starting %s.\n", prog);	44	printf("INFO: starting %s.\n", prog);
45		45
46		46
47	// check pid namespace	47	// check pid namespace


diff --git a/src/faudit/network.c b/src/faudit/network.c index bb3116c3b..39821cd25 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c
@@ -40,7 +40,7 @@ void check_ssh(void) {
40	if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)	40	if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
41	printf("GOOD: SSH server not available on localhost.\n");	41	printf("GOOD: SSH server not available on localhost.\n");
42	else {	42	else {
43	printf("MAYBE: An SSH server is accessible on localhost. ");	43	printf("MAYBE: an SSH server is accessible on localhost. ");
44	printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");	44	printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
45	}	45	}
46		46


diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 84d73a03f..7088ad340 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c
@@ -79,11 +79,8 @@ void syscall_run(const char *name) {
79	if (child < 0)	79	if (child < 0)
80	errExit("fork");	80	errExit("fork");
81	if (child == 0) {	81	if (child == 0) {
82	char *cmd;
83	if (asprintf(&cmd, "%s syscall %s", prog, name) == -1)
84	errExit("asprintf");
85	execl(prog, prog, "syscall", name, NULL);	82	execl(prog, prog, "syscall", name, NULL);
86	exit(0);	83	exit(1);
87	}	84	}
88		85
89	// wait for the child to finish	86	// wait for the child to finish


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 0b6e2e181..39013de56 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -260,6 +260,7 @@ extern int arg_ipc; // enable ipc namespace
260	extern int arg_writable_etc; // writable etc	260	extern int arg_writable_etc; // writable etc
261	extern int arg_writable_var; // writable var	261	extern int arg_writable_var; // writable var
262	extern int arg_appimage; // appimage	262	extern int arg_appimage; // appimage
		263	extern int arg_audit; // audit
263		264
264	extern int parent_to_child_fds[2];	265	extern int parent_to_child_fds[2];
265	extern int child_to_parent_fds[2];	266	extern int child_to_parent_fds[2];


diff --git a/src/firejail/main.c b/src/firejail/main.c index 7b956bf64..34cc38cd5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -100,6 +100,7 @@ int arg_ipc = 0; // enable ipc namespace
100	int arg_writable_etc = 0; // writable etc	100	int arg_writable_etc = 0; // writable etc
101	int arg_writable_var = 0; // writable var	101	int arg_writable_var = 0; // writable var
102	int arg_appimage = 0; // appimage	102	int arg_appimage = 0; // appimage
		103	int arg_audit = 0; // audit
103		104
104	int parent_to_child_fds[2];	105	int parent_to_child_fds[2];
105	int child_to_parent_fds[2];	106	int child_to_parent_fds[2];
@@ -1830,6 +1831,8 @@ int main(int argc, char **argv) {
1830	//*************************************	1831	//*************************************
1831	// command	1832	// command
1832	//*************************************	1833	//*************************************
		1834	else if (strcmp(argv[i], "--audit") == 0)
		1835	arg_audit = 1;
1833	else if (strcmp(argv[i], "--appimage") == 0)	1836	else if (strcmp(argv[i], "--appimage") == 0)
1834	arg_appimage = 1;	1837	arg_appimage = 1;
1835	else if (strcmp(argv[i], "--csh") == 0) {	1838	else if (strcmp(argv[i], "--csh") == 0) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0e3d722b7..8cf2486b3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -275,9 +275,18 @@ static int monitor_application(pid_t app_pid) {
275		275
276	static void start_application(void) {	276	static void start_application(void) {
277	//****************************************	277	//****************************************
		278	// audit
		279	//****************************************
		280	if (arg_audit) {
		281	char *audit_prog;
		282	if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
		283	errExit("asprintf");
		284	execl(audit_prog, audit_prog, NULL);
		285	}
		286	//****************************************
278	// start the program without using a shell	287	// start the program without using a shell
279	//****************************************	288	//****************************************
280	if (arg_shell_none) {	289	else if (arg_shell_none) {
281	if (arg_debug) {	290	if (arg_debug) {
282	int i;	291	int i;
283	for (i = cfg.original_program_index; i < cfg.original_argc; i++) {	292	for (i = cfg.original_program_index; i < cfg.original_argc; i++) {


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 82b1affcc..e31867351 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -35,6 +35,8 @@ void usage(void) {
35	printf("Options:\n\n");	35	printf("Options:\n\n");
36	printf(" -- - signal the end of options and disables further option processing.\n\n");	36	printf(" -- - signal the end of options and disables further option processing.\n\n");
37	printf(" --appimage - sandbox an AppImage application\n\n");	37	printf(" --appimage - sandbox an AppImage application\n\n");
		38	printf(" --audit - audit the sandbox, see Audit section for more details\n\n");
		39	printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n");
38	#ifdef HAVE_NETWORK	40	#ifdef HAVE_NETWORK
39	printf(" --bandwidth=name\|pid - set bandwidth limits for the sandbox identified\n");	41	printf(" --bandwidth=name\|pid - set bandwidth limits for the sandbox identified\n");
40	printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");	42	printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
@@ -298,7 +300,19 @@ void usage(void) {
298	printf("\n");	300	printf("\n");
299	#endif	301	#endif
300		302
301		303	printf("Audit\n\n");
		304	printf("Audit feature allows the user to point out gaps in security profiles. The\n");
		305	printf("implementation replaces the program to be sandboxed with a test program. By\n");
		306	printf("default, we use faudit program distributed with Firejail. A custom test program\n");
		307	printf("can also be supplied by the user. Examples:\n\n");
		308	printf("Running the default audit program:\n");
		309	printf(" $ firejail --audit transmission-gtk\n\n");
		310	printf("Running a custom audit program:\n");
		311	printf(" $ firejail --audit=~/sandbox-test transmission-gtk\n\n");
		312	printf("In the examples above, the sandbox configures transmission-gtk profile and\n");
		313	printf("starts the test program. The real program, transmission-gtk, will not be\n");
		314	printf("started.\n\n\n");
		315
302	printf("Monitoring\n\n");	316	printf("Monitoring\n\n");
303		317
304	printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");	318	printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index bb8c64dc9..a523e51cb 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -88,6 +88,12 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
88	.br	88	.br
89	$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage	89	$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
90	.TP	90	.TP
		91	\fB\-\-audit
		92	Audit the sandbox, see \fBAUDIT\fR section for more details.
		93	.TP
		94	\fB\-\-audit=test-program
		95	Audit the sandbox, see \fBAUDIT\fR section for more details.
		96	.TP
91	\fB\-\-bandwidth=name\|pid	97	\fB\-\-bandwidth=name\|pid
92	Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.	98	Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
93	.TP	99	.TP
@@ -1691,15 +1697,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
1691		1697
1692	Set rate-limits:	1698	Set rate-limits:
1693		1699
1694	firejail --bandwidth=name\|pid set network download upload	1700	$ firejail --bandwidth=name\|pid set network download upload
1695		1701
1696	Clear rate-limits:	1702	Clear rate-limits:
1697		1703
1698	firejail --bandwidth=name\|pid clear network	1704	$ firejail --bandwidth=name\|pid clear network
1699		1705
1700	Status:	1706	Status:
1701		1707
1702	firejail --bandwidth=name\|pid status	1708	$ firejail --bandwidth=name\|pid status
1703		1709
1704	where:	1710	where:
1705	.br	1711	.br
@@ -1723,6 +1729,25 @@ Example:
1723	.br	1729	.br
1724	$ firejail \-\-bandwidth=mybrowser clear eth0	1730	$ firejail \-\-bandwidth=mybrowser clear eth0
1725		1731
		1732	.SH AUDIT
		1733	Audit feature allows the user to point out gaps in security profiles. The
		1734	implementation replaces the program to be sandboxed with a test program. By
		1735	default, we use faudit program distributed with Firejail. A custom test program
		1736	can also be supplied by the user. Examples:
		1737
		1738	Running the default audit program:
		1739	.br
		1740	$ firejail --audit transmission-gtk
		1741
		1742	Running a custom audit program:
		1743	.br
		1744	$ firejail --audit=~/sandbox-test transmission-gtk\n\n");
		1745
		1746	In the examples above, the sandbox configures transmission-gtk profile and
		1747	starts the test program. The real program, transmission-gtk, will not be
		1748	started.
		1749
		1750
1726	.SH MONITORING	1751	.SH MONITORING
1727	Option \-\-list prints a list of all sandboxes. The format	1752	Option \-\-list prints a list of all sandboxes. The format
1728	for each process entry is as follows:	1753	for each process entry is as follows: