From b14628560a972d9f1709a249207b6595ffe7ed09 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 2 Jul 2016 14:10:07 -0400 Subject: audit: seccomp --- src/faudit/caps.c | 1 + src/faudit/faudit.h | 4 +++ src/faudit/main.c | 19 ++++++++--- src/faudit/pid.c | 4 +-- src/faudit/seccomp.c | 40 ++++++++++++++++++++++- src/faudit/syscall.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 152 insertions(+), 7 deletions(-) create mode 100644 src/faudit/syscall.c (limited to 'src/faudit') diff --git a/src/faudit/caps.c b/src/faudit/caps.c index 3cf4a076f..f98d45ec8 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c @@ -17,6 +17,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ + #include "faudit.h" #include diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 50d75c2a4..fdb4556c3 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -44,4 +44,8 @@ void caps_test(void); // seccomp.c void seccomp_test(void); +// syscall.c +void syscall_helper(int argc, char **argv); +void syscall_run(const char *name); + #endif \ No newline at end of file diff --git a/src/faudit/main.c b/src/faudit/main.c index 0724a7ec9..cd358cc1a 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -18,11 +18,22 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "faudit.h" -#include char *prog; int main(int argc, char **argv) { - printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n"); + if (argc != 1) { + int i; + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "syscall")) { + syscall_helper(argc, argv); + return 0; + } + } + return 1; + } + + printf("\n---------------- Firejail Audit: the Good, the Bad and the Ugly ----------------\n"); // extract program name prog = realpath(argv[0], NULL); 
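Review bot: The new argument loop in main tests `if (strcmp(argv[i], "syscall"))`, which is inverted: strcmp returns 0 on a match, so syscall_helper is entered for any argument that is not "syscall", and the intended `faudit syscall mount` invocation only works because argv[2] ("mount") fails the comparison at i == 2. With a single unrelated argument (argc == 2) the helper is still entered and then reads argv[2], which is the NULL terminator of argv. Replace the loop with `if (argc == 3 && strcmp(argv[1], "syscall") == 0) { syscall_helper(argc, argv); return 0; }` and keep `return 1;` for every other argument shape. main continues past the hunk.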
@@ -30,7 +41,7 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: cannot extract the path of the audit program\n"); return 1; } - printf("Running %s\n", prog); + printf("INFO: starting %s\n", prog); // check pid namespace @@ -43,6 +54,6 @@ int main(int argc, char **argv) { seccomp_test(); free(prog); - printf("----------------------------------------------------------------\n"); + printf("--------------------------------------------------------------------------------\n"); return 0; } diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 5744ab244..53b59a838 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -80,10 +80,10 @@ void pid_test(void) { } - printf("GOOD: Process PID %d, running in a PID namespace\n", getpid()); + printf("GOOD: process PID %d, running in a PID namespace\n", getpid()); // try to guess the type of container/sandbox char *str = getenv("container"); if (str) - printf("Container/sandbox: %s\n", str); + printf("INFO: container/sandbox %s\n", str); } diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index a50ec1e0c..d88d6a958 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c @@ -18,7 +18,6 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "faudit.h" -#include #define MAXBUF 4098 static int extract_seccomp(int *val) { 
@@ -57,6 +56,45 @@ void seccomp_test(void) {
 printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
 else if (seccomp_status == 2) {
 printf("GOOD: seccomp BPF enababled\n");
+
+ printf("checking syscalls: "); fflush(0);
+ printf("mount... "); fflush(0);
+ syscall_run("mount");
+
+ printf("umount2... "); fflush(0);
+ syscall_run("umount2");
+
+ printf("ptrace... "); fflush(0);
+ syscall_run("ptrace");
+
+ printf("swapon... "); fflush(0);
+ syscall_run("swapon");
+
+ printf("swapoff... "); fflush(0);
+ syscall_run("swapoff");
+
+ printf("init_module... "); fflush(0);
+ syscall_run("init_module");
+
+ printf("finit_module... "); fflush(0);
+ syscall_run("finit_module");
+
+ printf("delete_module... "); fflush(0);
+ syscall_run("delete_module");
+
+ printf("chroot... "); fflush(0);
+ syscall_run("chroot");
+
+ printf("pivot_root... "); fflush(0);
+ syscall_run("pivot_root");
+
+ printf("iopl... "); fflush(0);
+ syscall_run("iopl");
+
+ printf("ioperm... "); fflush(0);
+ syscall_run("ioperm");
+
+ printf("\n");
 }
 else
 fprintf(stderr, "Error: unrecognized seccomp mode\n");
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
new file mode 100644
index 000000000..11fb3730b
--- /dev/null
+++ b/src/faudit/syscall.c
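Review bot: The twelve `printf("name... "); fflush(0); syscall_run("name");` triples added inside the `seccomp_status == 2` branch are the same three statements repeated with a different literal, which invites copy-paste drift (the companion syscall.c in this commit already has one branch calling the wrong function); a `static const char *const` table iterated in a loop keeps the probed syscall list in one place. Also note that syscall_run prints nothing when the child is killed by the filter, so the "checking syscalls:" line only ever shows names and a reader cannot tell "blocked" from "not tested"; a short per-syscall confirmation or a trailing summary would make the audit output self-describing. The typos `allowd` and `enababled` sit in context lines that predate this commit but could be corrected while this branch is being touched. seccomp_test starts before the hunk.
```c
	static const char *const checked[] = {
		"mount", "umount2", "ptrace", "swapon", "swapoff",
		"init_module", "finit_module", "delete_module",
		"chroot", "pivot_root", "iopl", "ioperm"
	};
	printf("checking syscalls: "); fflush(0);
	for (size_t i = 0; i < sizeof checked / sizeof checked[0]; i++) {
		printf("%s... ", checked[i]); fflush(0);
		syscall_run(checked[i]);
	}
	printf("\n");
```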
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+
+void syscall_helper(int argc, char **argv) {
+ if (strcmp(argv[2], "mount") == 0) {
+ mount(NULL, NULL, NULL, 0, NULL);
+ printf("\nUGLY: mount syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "umount2") == 0) {
+ umount2(NULL, 0);
+ printf("\nUGLY: umount2 syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "ptrace") == 0) {
+ ptrace(0, 0, NULL, NULL);
+ printf("\nUGLY: ptrace syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "swapon") == 0) {
+ swapon(NULL, 0);
+ printf("\nUGLY: swapon syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "swapoff") == 0) {
+ swapoff(NULL);
+ printf("\nUGLY: swapoff syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "init_module") == 0) {
+ init_module(NULL, 0, NULL);
+ printf("\nUGLY: init_moule syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "finit_module") == 0) {
+ swapoff(0, NULL, 0);
+ printf("\nUGLY: finit_moule syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "delete_module") == 0) {
+ delete_module(NULL, 0);
+ printf("\nUGLY: delete_moule syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "chroot") == 0) {
+ int rv = chroot(NULL);
+ (void) rv;
+ printf("\nUGLY: chroot syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "pivot_root") == 0) {
+ pivot_root(NULL, NULL);
+ printf("\nUGLY: pivot_root syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "iopl") == 0) {
+ iopl(0L);
+ printf("\nUGLY: iopl syscall permitted\n");
+ }
+ else if (strcmp(argv[2], "ioperm") == 0) {
+ ioperm(0, 0, 0);
+ printf("\nUGLY: ioperm syscall permitted\n");
+ }
+ exit(0);
+}
+
+void syscall_run(const char *name) {
+ assert(prog);
+
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ char *cmd;
+ if (asprintf(&cmd, "%s syscall %s", prog, name) == -1)
+ errExit("asprintf");
+ execl(prog, prog, "syscall", name, NULL);
+ exit(0);
+ }
+
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
+}
\ No newline at end of file
-- cgit v1.2.3-54-g00ecf
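Review bot: The `finit_module` branch of syscall_helper calls `swapoff(0, NULL, 0)` instead of `finit_module(0, NULL, 0)`, so that probe never exercises finit_module at all (and, if glibc's one-argument swapoff prototype is in scope, it will not even compile); the `init_moule`/`finit_moule`/`delete_moule` messages are misspelled as well. `argv[2]` is read without any argc check even though the caller in main can enter the helper with argc == 2, so the function should start with `if (argc < 3) exit(1);`. In syscall_run the `cmd` string from asprintf is never used, a failed execl falls through to `exit(0)` and is indistinguishable from a blocked call, and the wait status is discarded, so a probe the seccomp filter kills prints nothing and the audit never positively confirms a block. The child and wait section could be rewritten as below, on the assumption that the filter's kill action terminates the child with SIGSYS.
```c
	if (child == 0) {
		execl(prog, prog, "syscall", name, NULL);
		errExit("execl");
	}

	// a probe the seccomp filter rejects with a kill action ends the child with SIGSYS
	int status = 0;
	if (waitpid(child, &status, 0) == -1)
		errExit("waitpid");
	if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
		printf("blocked ");
```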