From 8cc23dbc8f6b48a3d7eb3cfe8d589d78ce34a62a Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 3 Jul 2016 19:55:47 -0400
Subject: faudit network
---
 src/faudit/caps.c | 1 +
 src/faudit/faudit.h | 6 ++++++
 src/faudit/files.c | 4 +++-
 src/faudit/main.c | 7 +++++--
 src/faudit/pid.c | 1 +
 src/faudit/seccomp.c | 4 +++-
 6 files changed, 19 insertions(+), 4 deletions(-)
(limited to 'src/faudit')
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
index f98d45ec8..db1d3266f 100644
--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -66,6 +66,7 @@ void caps_test(void) {
 if (caps_val) {
 printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val);
+ printf("Use \"firejail --caps.drop=all\" to fix it.\n");
 if (check_capability(caps_val, CAP_SYS_ADMIN))
 printf("UGLY: CAP_SYS_ADMIN is enabled\n");
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index fdb4556c3..f8d9b709d 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -48,4 +48,10 @@ void seccomp_test(void);
 void syscall_helper(int argc, char **argv);
 void syscall_run(const char *name);
+// files.c
+void files_test(void);
+
+// network.c
+void network_test(void);
+
 #endif
\ No newline at end of file
diff --git a/src/faudit/files.c b/src/faudit/files.c
index 0463af66d..9a230d7e5 100644
--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -31,8 +31,10 @@ static void check_home_file(const char *name) {
 if (asprintf(&fname, "%s/%s", homedir, name) == -1)
 errExit("asprintf");
- if (access(fname, R_OK) == 0)
+ if (access(fname, R_OK) == 0) {
 printf("UGLY: I can access files in %s directory\n", fname);
+ printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname);
+ }
 else
 printf("GOOD: I cannot access files in %s directory\n", fname);
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 2ed3aa2e1..6758f5671 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
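Review bot: The `#endif` that closes the include guard is still the last byte of faudit.h with no trailing newline (the `\ No newline at end of file` marker survives on the new side) even though this hunk inserts six lines directly above it. C11 §5.1.1.2 requires a non-empty source file to end in a newline, `gcc -pedantic` and most linters flag the omission, and every future edit to the end of this header will keep producing the same noisy marker in diffs. Since the commit is already touching these lines, end the file with `#endif` followed by a newline.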
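Review bot: The hint added after the UGLY line feeds `fname` to the `~/%s` placeholder, but `fname` was built two lines above by `asprintf(&fname, "%s/%s", homedir, name)`, so the advice prints as `--blacklist=~//home/<user>/<name>` — a path that does not exist and that a user copying the line verbatim will get wrong. The argument should be the bare entry name: `printf("Use \"firejail --blacklist=~/%s\" to block it.\n", name);` (the UGLY line above it correctly prints the full `fname`). check_home_file begins before and ends after this hunk, so the rest of its body is not visible here.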
@@ -33,7 +33,7 @@ int main(int argc, char **argv) {
 return 1;
 }
- printf("\n---------------- Firejail Audit: the Good, the Bad and the Ugly ----------------\n");
+ printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
 // extract program name
 prog = realpath(argv[0], NULL);
@@ -53,9 +53,12 @@ int main(int argc, char **argv) {
 // check seccomp
 seccomp_test();
- // check some well-known problematic files
+ // check some well-known problematic files and directories
 files_test();
+ // network
+ network_test();
+
 free(prog);
 printf("--------------------------------------------------------------------------------\n");
 return 0;
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 53b59a838..57947418e 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -70,6 +70,7 @@ void pid_test(void) {
 fclose(fp);
 free(fname);
 printf("BAD: Process PID %d, not running in a PID namespace\n", getpid());
+ printf("Are you sure you're running in a sandbox?\n");
 return;
 }
 j++;
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
index d88d6a958..9cc1a20f6 100644
--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -50,8 +50,10 @@ void seccomp_test(void) {
 return;
 }
- if (seccomp_status == 0)
+ if (seccomp_status == 0) {
 printf("BAD: seccomp disabled\n");
+ printf("Use \"firejail --seccomp\" to fix it.\n");
+ }
 else if (seccomp_status == 1)
 printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
 else if (seccomp_status == 2) {
--
cgit v1.2.3-54-g00ecf
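Review bot: `network_test()` is now called unconditionally after `files_test()`, but no `src/faudit/network.c` appears in this commit's diffstat, which lists every touched file under src/faudit, so unless the implementation arrives in a companion commit faudit will fail to link with an undefined reference to `network_test`. If it is a separate commit, the two should land together (or be squashed) so that bisecting stays buildable. The new comment `// network` also says less than its siblings (`// check seccomp`, `// check some well-known problematic files and directories`); `// check network restrictions` — or whatever network_test actually verifies, which is not visible here — would keep the list self-describing. main() starts before the first of these two hunks.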
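Review bot: The user-facing message two lines below the reworked branch still reads `sigreturn are allowd`; the typo sits on a context line, but since this hunk is already editing the adjacent `seccomp_status` branches it is the natural place to correct it: `printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed\n");`. The new `--seccomp` hint mirrors the `--caps.drop=all` hint in caps.c, which keeps the advice consistent across checks. The `seccomp_status == 2` branch and the rest of seccomp_test continue outside the hunk.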