From 7ac22ed3588ce9e8bb5ec7ebd3d7062dcf65a64c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 2 Jul 2016 09:48:57 -0400 Subject: audit: seccomp --- src/faudit/caps.c | 2 +- src/faudit/faudit.h | 10 ++++++-- src/faudit/main.c | 26 ++++++++++++++++----- src/faudit/pid.c | 2 +- src/faudit/seccomp.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 94 insertions(+), 10 deletions(-) create mode 100644 src/faudit/seccomp.c diff --git a/src/faudit/caps.c b/src/faudit/caps.c index 364cfcd03..3cf4a076f 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c @@ -55,7 +55,7 @@ static int check_capability(uint64_t map, int cap) { return 0; } -void caps(void) { +void caps_test(void) { uint64_t caps_val; if (extract_caps(&caps_val)) { diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 74426ac0a..50d75c2a4 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -32,10 +32,16 @@ #define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) +// main.c +extern char *prog; + // pid.c -void pid(void); +void pid_test(void); // caps.c -void caps(void); +void caps_test(void); + +// seccomp.c +void seccomp_test(void); #endif \ No newline at end of file diff --git a/src/faudit/main.c b/src/faudit/main.c index a3407caa1..0724a7ec9 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c 
@@ -18,17 +18,31 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "faudit.h" +#include +char *prog; int main(int argc, char **argv) { - printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n"); + printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n"); + // extract program name + prog = realpath(argv[0], NULL); + if (prog == NULL) { + fprintf(stderr, "Error: cannot extract the path of the audit program\n"); + return 1; + } + printf("Running %s\n", prog); + + // check pid namespace - pid(); + pid_test(); - // chack capabilities - caps(); + // check capabilities + caps_test(); - printf("----------------------------------------------------------\n"); - return 0; + // check seccomp + seccomp_test(); + free(prog); + printf("----------------------------------------------------------------\n"); + return 0; } diff --git a/src/faudit/pid.c b/src/faudit/pid.c index a6f02c051..5744ab244 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -19,7 +19,7 @@ */ #include "faudit.h" -void pid(void) { +void pid_test(void) { char *kern_proc[] = { "kthreadd", "ksoftirqd", diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c new file mode 100644 index 000000000..a50ec1e0c --- /dev/null +++ b/src/faudit/seccomp.c 
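Review bot: `prog = realpath(argv[0], NULL);` resolves argv[0] against the current directory, so when the audit binary is started through a PATH lookup (argv[0] is a bare name) realpath returns NULL and main exits before a single check has run; argv[0] is also supplied by whoever launched the program and is NULL when argc is 0, which realpath does not tolerate. On Linux the running executable's path comes from the kernel regardless of how it was invoked: `prog = realpath("/proc/self/exe", NULL);`, keeping the existing error message. If argv[0] must stay the source, guard it first with `if (argc < 1 || argv[0] == NULL) return 1;`. The value is only printed and freed here, so the verdicts are unaffected, but an audit tool that stops at its first step reports nothing about the sandbox it was meant to describe.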
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include
+
+#define MAXBUF 4098
+static int extract_seccomp(int *val) {
+ FILE *fp = fopen("/proc/self/status", "r");
+ if (!fp)
+ return 1;
+
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
+ if (strncmp(buf, "Seccomp:\t", 8) == 0) {
+ char *ptr = buf + 8;
+ int tmp;
+ sscanf(ptr, "%d", &tmp);
+ *val = tmp;
+ fclose(fp);
+ return 0;
+ }
+ }
+
+ fclose(fp);
+ return 1;
+}
+
+void seccomp_test(void) {
+ int seccomp_status;
+ int rv = extract_seccomp(&seccomp_status);
+
+ if (rv) {
+ printf("SKIP: cannot extract seccomp configuration on this platform\n");
+ return;
+ }
+
+ if (seccomp_status == 0)
+ printf("BAD: seccomp disabled\n");
+ else if (seccomp_status == 1)
+ printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
+ else if (seccomp_status == 2) {
+ printf("GOOD: seccomp BPF enababled\n");
+ }
+ else
+ fprintf(stderr, "Error: unrecognized seccomp mode\n");
+
+}
\ No newline at end of file
-- cgit v1.2.3-70-g09d2
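Review bot: `sscanf(ptr, "%d", &tmp);` in extract_seccomp ignores its return value, so a `Seccomp:` line from /proc/self/status with no parsable integer leaves `tmp` uninitialized, copies that garbage into `*val`, and lets seccomp_test classify it; make the parse a condition of success, `if (sscanf(ptr, "%d", &tmp) != 1) break;`, so the function falls through to the existing `fclose(fp); return 1;` and the caller prints SKIP. The match on the line above compares only 8 characters, so the `\t` in `"Seccomp:\t"` is never tested and the literal disagrees with the `buf + 8` offset; `strncmp(buf, "Seccomp:", 8)` states what is actually checked. Two user-facing strings carry typos, `allowd` for `allowed` and `enababled` for `enabled`. The mode-2 branch also deserves a comment such as `// mode 2 only proves a filter is installed, not what it blocks`, since the GOOD verdict is otherwise read as confirming that the sandbox's intended syscall policy is in force.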