From 80ccd124b6e510f820f5ccca7dd6b8acc3671e6a Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 15 Jul 2016 12:10:58 -0400
Subject: faudit work

---
 src/faudit/dbus.c   |  2 +-
 src/faudit/dev.c    | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/faudit/faudit.h |  3 +++
 src/faudit/main.c   |  4 ++++
 4 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 src/faudit/dev.c

diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 1ead2aa38..979617001 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) {
 		printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
 	}
 	else {
-		printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+		printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
 	}
 
 	close(sock);
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
new file mode 100644
index 000000000..52506a258
--- /dev/null
+++ b/src/faudit/dev.c
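Review bot: The reworded `MAYBE` message still tells the user that a new network namespace will disable the session bus, but a network namespace only isolates abstract-namespace Unix sockets; a session bus reached through a filesystem socket path (the `sockfile` parameter of `check_session_bus` suggests that case is handled) is an ordinary file and is unaffected by `--net=none`. I would qualify the advice rather than strengthen it, e.g. `"... \"--net=eth0\" (this only blocks an abstract socket; a socket file has to be blocked by path).\n"`, or have the function say which socket type it actually connected to. The body of check_session_bus starts before this hunk, so the detection logic that decides between the two messages is not visible here.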
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include
+
+void dev_test(void) {
+	DIR *dir;
+	if (!(dir = opendir("/dev"))) {
+		fprintf(stderr, "Error: cannot open /dev directory\n");
+		return;
+	}
+
+	struct dirent *entry;
+	char *end;
+	printf("INFO: files visible in /dev directory: ");
+	int cnt = 0;
+	while ((entry = readdir(dir)) != NULL) {
+		if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+			continue;
+
+		printf("%s, ", entry->d_name);
+		cnt++;
+	}
+	printf("\n");
+
+	if (cnt > 20)
+		printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+	else
+		printf("GOOD: Access to /dev directory is restricted.\n");
+	closedir(dir);
+}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 3c08a3eab..93fb4b709 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -58,4 +58,7 @@ void network_test(void);
 // dbus.c
 void dbus_test(void);
 
+// dev.c
+void dev_test(void);
+
 #endif
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 14794719d..72c386cd1 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
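Review bot: The verdict at the end of `dev_test` is decided by the entry count alone, so a sandbox whose /dev holds 20 or fewer entries is reported `GOOD` even when those entries include nodes such as `mem`, `kmem`, `port` or `kmsg` that are the actual reason to restrict /dev, and the `cnt > 20` threshold is an unexplained magic number. I would flag known-sensitive names individually inside the `readdir` loop and report them regardless of the count, as sketched below, and give the threshold a named constant with a comment on what it is calibrated against. Two smaller items in the same function: `char *end;` is declared but never used, and `readdir` returning NULL on error is indistinguishable from end-of-directory, so `errno` should be cleared before the loop and checked after it. As rendered here the second `#include` line has lost its header name (presumably `<dirent.h>`).
```c
/* Device nodes that should never be reachable from a sandbox, whatever the
 * total entry count; each one is reported on its own rather than relying on
 * the population heuristic below. */
static const char *const sensitive_dev[] = { "mem", "kmem", "port", "kmsg", NULL };

/* Entry count above which /dev is assumed to be the host's full device tree. */
#define DEV_POPULATED_THRESHOLD 20

	/* … unchanged: opendir, INFO line … */
	int cnt = 0;
	int bad = 0;
	while ((entry = readdir(dir)) != NULL) {
		/* … unchanged: skip "." and ".." … */
		printf("%s, ", entry->d_name);
		cnt++;
		for (int i = 0; sensitive_dev[i] != NULL; i++)
			if (strcmp(entry->d_name, sensitive_dev[i]) == 0)
				bad++;
	}
	printf("\n");

	if (bad > 0)
		printf("BAD: sensitive device nodes are visible in /dev directory. Use --private-dev to restrict the access.\n");
	else if (cnt > DEV_POPULATED_THRESHOLD)
		printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
	else
		printf("GOOD: Access to /dev directory is restricted.\n");
	/* … unchanged: closedir … */
```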
@@ -68,6 +68,10 @@ int main(int argc, char **argv) {
 	dbus_test();
 	printf("\n");
 
+	// /dev test
+	dev_test();
+	printf("\n");
+
 	free(prog);
 	printf("--------------------------------------------------------------------------------\n");
 
-- 
cgit v1.2.3-70-g09d2