From aee833f8bbc958d71f78d55ba677a419b970aa05 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 8 Sep 2020 08:21:05 -0400
Subject: profstats: track dbus-system none
---
 README.md | 44 +++++++++++++++++++--------------------
 etc/profile-m-z/openarena.profile | 2 +-
 src/profstats/main.c | 17 +++++++++++++++
 3 files changed, 40 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index 8d113bae8..914aaab49 100644
--- a/README.md
+++ b/README.md
@@ -160,33 +160,33 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe ### Profile Statistics -A small tool to print profile statistics. Compile as usual and run: +A small tool to print profile statistics. Compile as usual and run in /etc/profiles: ````` -$ make -$ cd etc $ ./profstats *.profile - profiles 966 - include local profile 966 (include profile-name.local) - include globals 966 (include globals.local) - blacklist ~/.ssh 951 (include disable-common.inc) - seccomp 908 - capabilities 965 - noexec 830 (include disable-exec.inc) - memory-deny-write-execute 214 - apparmor 488 - private-bin 483 - private-dev 829 - private-etc 366 - private-tmp 726 - whitelist var 638 (include whitelist-var-common.inc) - whitelist run/user 282 (include whitelist-runuser-common.inc +Warning: multiple caps in transmission-daemon.profile + +Stats: + profiles 1025 + include local profile 1025 (include profile-name.local) + include globals 1025 (include globals.local) + blacklist ~/.ssh 1001 (include disable-common.inc) + seccomp 971 + capabilities 1024 + noexec 895 (include disable-exec.inc) + memory-deny-write-execute 217 + apparmor 546 + private-bin 537 + private-dev 893 + private-etc 426 + private-tmp 780 + whitelist var 691 (include whitelist-var-common.inc) + whitelist run/user 329 (include whitelist-runuser-common.inc or blacklist ${RUNUSER}) - whitelist usr/share 275 (include whitelist-usr-share-common.inc - net none 313 + whitelist usr/share 349 (include whitelist-usr-share-common.inc + net none 329 + dbus-system none 624 ````` -Run ./profstats -h for help. - ### New profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 45682fc31..88d5d0e1e 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile 
@@ -21,7 +21,7 @@ whitelist ${HOME}/.openarena
 whitelist /usr/share/openarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-include whitelist-usr-share-common.in
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/src/profstats/main.c b/src/profstats/main.c
index a75ad8e29..194cb210a 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -28,6 +28,7 @@ static int cnt_profiles = 0;
 static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
 static int cnt_caps = 0;
+static int cnt_dbus_system_none = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -57,6 +58,8 @@ static int arg_whitelistrunuser = 0;
 static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 static int arg_mdwx = 0;
+static int arg_dbus_system_none = 0;
+
 static char *profile = NULL;
@@ -67,6 +70,7 @@ static void usage(void) {
 printf("Options:\n");
 printf(" --apparmor - print profiles without apparmor\n");
 printf(" --caps - print profiles without caps\n");
+ printf(" --dbus-system-none - profiles without \"dbus-system none\"\n");
 printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
 printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
 printf(" --private-bin - print profiles without private-bin\n");
@@ -138,6 +142,8 @@ void process_file(const char *fname) {
 cnt_privatetmp++;
 else if (strncmp(ptr, "private-etc", 11) == 0)
 cnt_privateetc++;
+ else if (strncmp(ptr, "dbus-system none", 16) == 0)
+ cnt_dbus_system_none++;
 else if (strncmp(ptr, "include ", 8) == 0) {
 // not processing .local files
 if (strstr(ptr, ".local")) {
@@ -148,6 +154,11 @@ void process_file(const char *fname) {
 cnt_dotlocal++;
 continue;
 }
+ // clean blanks
+ char *ptr = buf + 8;
+ while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t')
+ ptr++;
+ *ptr = '\0';
 process_file(buf + 8);
 }
 }
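Review bot: The new usage text `--dbus-system-none - profiles without "dbus-system none"` drops the word `print` that every neighbouring option line uses (`--apparmor - print profiles without apparmor`, `--caps - print profiles without caps`), so the help output reads inconsistently. For consistency: `printf(" --dbus-system-none - print profiles without \"dbus-system none\"\n");`. usage() continues outside the hunk.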
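Review bot: In the "clean blanks" block, `char *ptr = buf + 8;` declares a new `ptr` that shadows the outer `ptr` tested by the enclosing `else if (strncmp(ptr, "include ", 8) == 0)`; this is what `-Wshadow` flags, and it makes it easy to misread which pointer is being truncated. Rename the inner one, e.g. `char *end = buf + 8;`, with the `while` loop advancing `end` and the store becoming `*end = '\0';`. Two points carried over from the existing code are worth confirming while here: the truncation stops only at a space or tab, so any trailing newline still in `buf` would reach `process_file` as before, and the offset `buf + 8` lines up with the match on `ptr` only if `ptr` has not been advanced past leading whitespace earlier in the function. process_file's body begins and ends outside the hunk.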
@@ -197,6 +208,8 @@ int main(int argc, char **argv) {
 arg_whitelistusrshare = 1;
 else if (strcmp(argv[i], "--ssh") == 0)
 arg_ssh = 1;
+ else if (strcmp(argv[i], "--dbus-system-none") == 0)
+ arg_dbus_system_none = 1;
 else if (*argv[i] == '-') {
 fprintf(stderr, "Error: invalid option %s\n", argv[i]);
 return 1;
@@ -228,6 +241,7 @@ int main(int argc, char **argv) {
 int whitelistvar = cnt_whitelistvar;
 int whitelistrunuser = cnt_whitelistrunuser;
 int whitelistusrshare = cnt_whitelistusrshare;
+ int dbussystemnone = cnt_dbus_system_none;
 int ssh = cnt_ssh;
 int mdwx = cnt_mdwx;
@@ -249,6 +263,8 @@ int main(int argc, char **argv) {
 if (cnt_whitelistrunuser > (whitelistrunuser + 1))
 cnt_whitelistrunuser = whitelistrunuser + 1;
+ if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
+ printf("No dbus-system none found in %s\n", argv[i]);
 if (arg_apparmor && apparmor == cnt_apparmor)
 printf("No apparmor found in %s\n", argv[i]);
 if (arg_caps && caps == cnt_caps)
@@ -299,6 +315,7 @@ int main(int argc, char **argv) {
 printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
 printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
 printf(" net none\t\t\t%d\n", cnt_netnone);
+ printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
 printf("\n");
 return 0;
 }
-- 
cgit v1.2.3-70-g09d2
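Review bot: The new `dbus-system none` counter gets no per-profile clamp, unlike `cnt_whitelistrunuser` two lines above, which is capped at `whitelistrunuser + 1` so that a directive reached both directly and through an included file counts once. If a profile and one of its includes can both carry `dbus-system none` (the include files are outside this diff, so this is inferred), the final total would be inflated; the same clamp would be `if (cnt_dbus_system_none > (dbussystemnone + 1)) cnt_dbus_system_none = dbussystemnone + 1;` placed before the new `if (arg_dbus_system_none && ...)` check. main's body continues outside the hunk.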
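Review bot: The new format string `" dbus-system none \t\t%d\n"` carries a stray space before the tabs that the neighbouring `" net none\t\t\t%d\n"` line does not. `printf(" dbus-system none\t\t%d\n", cnt_dbus_system_none);` drops it without changing the column the count lands on at 8-wide tab stops. main() starts outside the hunk.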