From e11949a712c88f91d9dffc0f9797272e515b7df3 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 30 Apr 2024 21:26:55 -0400
Subject: add support for comm, coredump, and prctl procevents in firemon
---
 RELNOTES | 1 +
 src/firemon/procevent.c | 57 ++++++++++++++++++++++++++++++++++++++++---------
 2 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index ea7289234..19f54ebc9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -16,6 +16,7 @@ firejail (0.9.73) baseline; urgency=low
 --netfilter6= --trace=) (#6032 #6109)
 * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 #6228 #6260 #6302 #6305)
+ * feature: add support for comm, coredump, and prctl procevents in firemon
 * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
 * modif: Prevent sandbox name (--name=) and host name (--hostname=) from containing only digits (#5578 #5741)
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index e17ed659b..430730374 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -301,7 +301,9 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 proc_ev = (struct proc_event *)cn_msg->data;
 pid_t pid = 0;
 pid_t child = 0;
+ char *new_comm = NULL;
 int remove_pid = 0;
+ int nodisplay = 0;
 switch (proc_ev->what) {
 case PROC_EVENT_FORK:
 #ifdef DEBUG_PRCTL
@@ -322,6 +324,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 pids[child].parent = pid;
 }
 sprintf(lineptr, " fork");
+ nodisplay = 1;
 break;
 case PROC_EVENT_EXEC:
 pid = proc_ev->event_data.exec.process_tgid;
@@ -363,6 +366,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 sprintf(lineptr, " uid (%d:%d)",
 proc_ev->event_data.id.r.ruid,
 proc_ev->event_data.id.e.euid);
+ nodisplay = 1;
 break;
 case PROC_EVENT_GID:
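Review bot: `new_comm` is declared and initialised to NULL here, but no hunk in this patch ever assigns it, so the `if (new_comm) printf("\tnew comm %s\n", new_comm);` added in the -473 hunk can never fire; the PROC_EVENT_COMM case in the -391 hunk writes the name straight into `lineptr` instead. Either drop the variable together with the dead print, or assign it in the COMM case and stop writing ` comm %s` into lineptr there, since keeping both paths would print the name twice. The body of procevent_monitor starts and ends outside this hunk.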
@@ -379,6 +383,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 sprintf(lineptr, " gid (%d:%d)",
 proc_ev->event_data.id.r.rgid,
 proc_ev->event_data.id.e.egid);
+ nodisplay = 1;
 break;
@@ -391,6 +396,41 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 sprintf(lineptr, " sid ");
 break;
+ case PROC_EVENT_COREDUMP:
+ pid = proc_ev->event_data.coredump.process_tgid;
+#ifdef DEBUG_PRCTL
+ printf("%s: %d, event coredump, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+ sprintf(lineptr, " coredump ");
+ break;
+
+ case PROC_EVENT_COMM:
+ pid = proc_ev->event_data.comm.process_tgid;
+#ifdef DEBUG_PRCTL
+ printf("%s: %d, event comm, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+ if (proc_ev->event_data.comm.process_pid !=
+ proc_ev->event_data.comm.process_tgid)
+ continue; // this is a thread, not a process
+
+ if (pids[pid].level == 1 ||
+ pids[pids[pid].parent].level == 1) {
+ sprintf(lineptr, "\n");
+ continue;
+ }
+ else
+ sprintf(lineptr, " comm %s", proc_ev->event_data.comm.comm);
+ nodisplay = 1;
+ break;
+
+ case PROC_EVENT_PTRACE:
+ pid = proc_ev->event_data.ptrace.process_tgid;
+#ifdef DEBUG_PRCTL
+ printf("%s: %d, event ptrace, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+ sprintf(lineptr, " ptrace ");
+ break;
+
 default:
 #ifdef DEBUG_PRCTL
 printf("%s: %d, event unknown\n", __FUNCTION__, __LINE__);
@@ -449,7 +489,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 if (!cmd) {
 cmd = pid_proc_cmdline(pid);
 }
- if (cmd == NULL)
+ if (cmd == NULL || nodisplay)
 sprintf(lineptr, "\n");
 else {
 sprintf(lineptr, " %s\n", cmd);
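Review bot: In the new PROC_EVENT_COMM case, `sprintf(lineptr, " comm %s", proc_ev->event_data.comm.comm)` formats a fixed-size array handed over by the kernel with an unbounded `%s`; bound it to the array so a missing terminator can never run the copy past it, `sprintf(lineptr, " comm %.*s", (int)sizeof proc_ev->event_data.comm.comm, proc_ev->event_data.comm.comm);`. In the level-1 branch just above, `sprintf(lineptr, "\n");` followed by `continue;` looks dead, since continue skips the code after the switch where the line is presumably emitted (the child and comm prints in the -473 hunk live there) — confirm, and if so drop the write; the `else` after a branch that ends in `continue` is redundant either way. The surrounding switch and the procevent_monitor body continue outside the hunk.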
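Review bot: With `nodisplay` set, the `cmd = pid_proc_cmdline(pid);` two lines above the changed condition still runs and its result is then thrown away by the new `|| nodisplay` test; the child code removed in the -473 hunk shows that string is heap memory that must be freed, and if the `free(cmd)` sits in the else branch (cut off by this hunk) then every fork, uid, gid and comm event now leaks it inside a loop that never returns. Skip the lookup instead, `if (!cmd && !nodisplay)`, or free cmd on both branches; the else branch and the rest of procevent_monitor are outside the hunk, so I can only infer where the free lives.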
@@ -473,15 +513,12 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 }
 // print forked child
- if (child) {
- cmd = pid_proc_cmdline(child);
- if (cmd) {
- printf("\tchild %u %s\n", child, cmd);
- free(cmd);
- }
- else
- printf("\tchild %u\n", child);
- }
+ if (child)
+ printf("\tchild %u\n", child);
+
+ // print new comm
+ if (new_comm)
+ printf("\tnew comm %s\n", new_comm);
 // on uid events the uid is changing
 if (proc_ev->what == PROC_EVENT_UID) {
-- 
cgit v1.2.3-54-g00ecf
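Review bot: The rewritten `printf("\tchild %u\n", child);` keeps `%u` for `child`, which the -301 hunk declares as `pid_t`, a signed type; since the line is being rewritten anyway, use `printf("\tchild %d\n", child);` to match the file's own debug prints, which format pid with `%d`. The enclosing procevent_monitor body continues outside the hunk.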