From 5ebebb1211364a4d7164ad30d021adabf5374d32 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 24 Jan 2018 08:48:50 -0500 Subject: added firejail --apparmor.print and firemon --apparmor --- src/firemon/Makefile.in | 3 ++- src/firemon/apparmor.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ src/firemon/firemon.c | 10 +++++++- src/firemon/firemon.h | 3 +++ src/firemon/usage.c | 1 + 5 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 src/firemon/apparmor.c (limited to 'src/firemon') diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in index c24bae9ff..326c305d9 100644 --- a/src/firemon/Makefile.in +++ b/src/firemon/Makefile.in @@ -6,13 +6,14 @@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ HAVE_GCOV=@HAVE_GCOV@ +HAVE_APPARMOR=@HAVE_APPARMOR@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now HAVE_GCOV=@HAVE_GCOV@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c new file mode 100644 index 000000000..0fe287e8f --- /dev/null +++ b/src/firemon/apparmor.c 
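Review bot: The CFLAGS line now carries `$(HAVE_APPARMOR)`, but the `LDFLAGS` line in this hunk is unchanged and nothing here adds `-lapparmor`, which the `aa_gettaskcon()` call in the new apparmor.c needs to link; presumably `@EXTRA_LDFLAGS@` supplies it when AppArmor is enabled, but that is not visible in this hunk and is worth confirming before merging. The hunk also shows `HAVE_GCOV` and `EXTRA_LDFLAGS` assigned twice, once before and once after the CFLAGS line; that is pre-existing, but a comment such as `# NOTE: duplicate of the assignment above` or dropping one copy would make the variable flow easier to follow.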
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firemon.h"
+#include
+
+#ifdef HAVE_APPARMOR
+static void print_apparmor(int pid) {
+ char *label = NULL;
+ char *mode = NULL;
+ int rv = aa_gettaskcon(pid, &label, &mode);
+ if (rv != -1) {
+ printf(" AppArmor: ");
+ if (label)
+ printf("%s ", label);
+ if (mode)
+ printf("%s", mode);
+ printf("\n");
+ }
+}
+
+void apparmor(pid_t pid, int print_procs) {
+ pid_read(pid);
+
+ // print processes
+ int i;
+ for (i = 0; i < max_pids; i++) {
+ if (pids[i].level == 1) {
+ if (print_procs || pid == 0)
+ pid_print_list(i, arg_nowrap);
+ int child = find_child(i);
+ if (child != -1)
+ print_apparmor(child);
+ }
+ }
+ printf("\n");
+}
+
+#else
+
+void apparmor(pid_t pid, int print_procs) {
+ (void) pid;
+ (void) print_procs;
+ printf("AppArmor support not available\n");
+}
+#endif
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 44e2b8687..54f0c5fc9 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
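Review bot: `print_apparmor` never frees the buffer that `aa_gettaskcon()` hands back in `label`; per the libapparmor documentation that buffer is owned by the caller and `mode` points into the same allocation, so one allocation leaks per confined sandbox on every `--apparmor` run, and `free(label);` after the `if (rv != -1) { … }` block (outside it, since `label` may be set even when the branch is skipped) fixes it. The `#include` following `#include "firemon.h"` (its header name is stripped in this rendering, presumably `<sys/apparmor.h>`) sits above the `#ifdef HAVE_APPARMOR` guard, so a build without the libapparmor headers fails to compile even though the `#else` stub exists for exactly that case; move the include inside the guard. When `aa_gettaskcon()` fails the function prints nothing, which to a reader is indistinguishable from "no sandbox here", so an `else` branch printing a short `AppArmor: unavailable` line would make the status explicit. Minor: `pid` is declared `int` while `aa_gettaskcon()` takes a `pid_t` and the public `apparmor()` already uses `pid_t`, so `static void print_apparmor(pid_t pid)` would be consistent.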
@@ -37,6 +37,7 @@ static int arg_x11 = 0; static int arg_top = 0; static int arg_list = 0; static int arg_netstats = 0; +static int arg_apparmor = 0; int arg_nowrap = 0; static struct termios tlocal; // startup terminal setting @@ -178,6 +179,8 @@ int main(int argc, char **argv) { arg_route = 1; else if (strcmp(argv[i], "--arp") == 0) arg_arp = 1; + else if (strcmp(argv[i], "--apparmor") == 0) + arg_apparmor = 1; else if (strncmp(argv[i], "--name=", 7) == 0) { char *name = argv[i] + 7; @@ -238,7 +241,7 @@ int main(int argc, char **argv) { } // if --name requested without other options, print all data - if (pid && !arg_cpu && !arg_seccomp && !arg_caps && + if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor && !arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) { arg_tree = 1; arg_cpu = 1; @@ -249,6 +252,7 @@ int main(int argc, char **argv) { arg_interface = 1; arg_route = 1; arg_arp = 1; + arg_apparmor = 1; } // cumulative options @@ -265,6 +269,10 @@ int main(int argc, char **argv) { caps((pid_t) pid, print_procs); print_procs = 0; } + if (arg_apparmor) { + apparmor((pid_t) pid, print_procs); + print_procs = 0; + } if (arg_cgroup) { cgroup((pid_t) pid, print_procs); print_procs = 0; diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index a03aa85e5..2e0466638 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h @@ -83,4 +83,7 @@ void netstats(void); // x11.c void x11(pid_t pid, int print_procs); +//apparmor.c +void apparmor(pid_t pid, int print_procs); + #endif diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 9d3babf55..617f4dacd 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c 
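Review bot: The new `if (arg_apparmor)` block in the `@@ -265,6 +269,10 @@` hunk sets `print_procs = 0;` unconditionally after calling `apparmor()`, but on a build without `HAVE_APPARMOR` that function is the `#else` stub in apparmor.c, which prints only "AppArmor support not available" and never the process list; a following section such as `--cgroup` then loses its process listing when `--apparmor` precedes it, so the assignment should presumably only happen when the section actually printed the list (or the stub should honour `print_procs`). The `@@ -249,6 +252,7 @@` hunk adds `arg_apparmor = 1;` to the `--name`-only default set, which means every such invocation on a non-AppArmor build emits that "not available" line; wrapping that assignment (and the matching `!arg_apparmor` term in the `@@ -238,7 +241,7 @@` condition) in `#ifdef HAVE_APPARMOR` would keep the default output unchanged on those builds. The enclosing `main()` starts and ends outside these hunks.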
@@ -27,6 +27,7 @@ void usage(void) { printf("are also being monitored. On Grsecurity systems only root user\n"); printf("can run this program.\n\n"); printf("Options:\n"); + printf("\t--apparmor - print AppArmor confinement status for each sandbox.\n\n"); printf("\t--arp - print ARP table for each sandbox.\n\n"); printf("\t--caps - print capabilities configuration for each sandbox.\n\n"); printf("\t--cgroup - print control group information for each sandbox.\n\n"); -- cgit v1.2.3-54-g00ecf