From 57ffc35a8e0264507118b9839a499375f416260c Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 21 Mar 2018 08:56:54 -0400
Subject: added sandbox name support in firemon
---
 src/firejail/firejail.h | 2 +-
 src/lib/pid.c | 35 +++++++++++++++++++++++++++++++++--
 src/man/firejail.txt | 29 ++++++++++++++++------------
 src/man/firemon.txt | 22 +++++++++------------
 4 files changed, 59 insertions(+), 29 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ca3cf18ac..5af141289 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -31,7 +31,7 @@
 #define RUN_FIREJAIL_BASEDIR "/run"
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
-#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"
+#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
diff --git a/src/lib/pid.c b/src/lib/pid.c
index 0b2f402d1..f138efc8c 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -21,6 +21,7 @@
 #include "../include/pid.h"
 #include
 #include
+#include
 #include
 #include
 #include
@@ -165,6 +166,10 @@ doexit:
 return rv;
 }
 
+// todo: RUN_FIREJAIL_NAME_DIR is borrowed from src/firejail/firejail.h
+// move it in a common place
+#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"
+
 static void print_elem(unsigned index, int nowrap) {
 // get terminal size
 struct winsize sz;
@@ -184,14 +189,40 @@ static void print_elem(unsigned index, int nowrap) {
 char *cmd = pid_proc_cmdline(index);
 char *user = pid_get_user_name(uid);
 char *allocated = user;
+
+// extract sandbox name - pid == index
+char *sandbox_name = "";
+char *fname;
+if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1)
+errExit("asprintf");
+struct stat s;
+if (stat(fname, &s) == 0) {
+FILE *fp = fopen(fname, "r");
+if (fp) {
+sandbox_name = malloc(s.st_size + 1);
+if (!sandbox_name)
+errExit("malloc");
+char *rv = fgets(sandbox_name, s.st_size + 1, fp);
+if (!rv)
+*sandbox_name = '\0';
+else {
+char *ptr = strchr(sandbox_name, '\n');
+if (ptr)
+*ptr = '\0';
+}
+fclose(fp);
+}
+}
+free(fname);
+
 if (user ==NULL)
 user = "";
 if (cmd) {
 if (col < 4 || nowrap)
-printf("%s%u:%s:%s\n", indent, index, user, cmd);
+printf("%s%u:%s:%s:%s\n", indent, index, user, sandbox_name, cmd);
 else {
 char *out;
-if (asprintf(&out, "%s%u:%s:%s\n", indent, index, user, cmd) == -1)
+if (asprintf(&out, "%s%u:%s:%s:%s\n", indent, index, user, sandbox_name, cmd) == -1)
 errExit("asprintf");
 int len = strlen(out);
 if (len > col) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b05a5a722..34e4102f6 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -254,7 +254,7 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-caps.print=3272
@@ -309,7 +309,7 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-cpu.print=3272
@@ -453,7 +453,7 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-dns.print=3272
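Review bot: The buffer allocated with `malloc(s.st_size + 1)` into `sandbox_name` is never released — the hunk frees `fname` but not the name buffer, and since `sandbox_name` also aliases the literal `""` the remainder of print_elem (which continues past the end of the hunk) cannot simply `free()` it, so every process listed leaks its name buffer. The `stat` → `fopen` → `fgets` sequence additionally sizes the buffer from a file that can change between the calls; `fgets` stays within `s.st_size + 1` so it cannot overflow, but `s.st_size + 1` (an `off_t` narrowed to `int` for `fgets`) is an allocation bounded only by whatever is in `/run/firejail/name`, and the name is truncated if the file grows. A fixed-size stack buffer removes the leak, the `stat()` race and the unbounded allocation at once; the `NAME_BUF_LEN` below is a review placeholder to be aligned with the sandbox name limit firejail enforces when it writes the file (not visible in this diff).
```c
	// extract sandbox name - pid == index
	// NAME_BUF_LEN is a review placeholder; align it with firejail's sandbox name limit.
	enum { NAME_BUF_LEN = 256 };
	char sandbox_name[NAME_BUF_LEN] = "";
	char *fname;
	if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1)
		errExit("asprintf");
	FILE *fp = fopen(fname, "r");
	free(fname);
	if (fp) {
		if (fgets(sandbox_name, sizeof sandbox_name, fp)) {
			char *ptr = strchr(sandbox_name, '\n');
			if (ptr)
				*ptr = '\0';
		}
		else
			sandbox_name[0] = '\0';
		fclose(fp);
	}
	// … unchanged: user/cmd printf and asprintf lines (sandbox_name is now an array, no free needed) …
```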
@@ -492,7 +492,7 @@ Example: .br $ firejail \-\-list .br -3272:netblue:firejail \-\-private firefox +3272:netblue::firejail \-\-private firefox .br $ firejail \-\-fs.print=3272 @@ -662,7 +662,7 @@ Example: .br $ firejail \-\-list .br -3272:netblue:firejail \-\-private firefox +3272:netblue::firejail \-\-private firefox .br $ firejail \-\-join=3272 @@ -749,11 +749,11 @@ Example: .br $ firejail \-\-list .br -7015:netblue:firejail firefox +7015:netblue:browser:firejail firefox .br -7056:netblue:firejail \-\-net=eth0 transmission-gtk +7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk .br -7064:netblue:firejail \-\-noroot xterm +7064:netblue::firejail \-\-noroot xterm .br $ .TP @@ -1543,7 +1543,7 @@ Example: .br $ firejail \-\-list .br -3272:netblue:firejail \-\-private firefox +3272:netblue::firejail \-\-private firefox .br $ firejail \-\-protocol.print=3272 .br @@ -1992,7 +1992,7 @@ Example: .br $ firejail \-\-list .br -3272:netblue:firejail \-\-private firefox +3272:netblue::firejail \-\-private firefox .br $ firejail \-\-shutdown=3272 .TP @@ -2598,12 +2598,12 @@ Limitations: audit feature is not implemented for --x11 commands. Option \-\-list prints a list of all sandboxes. The format for each process entry is as follows: - PID:USER:Command + PID:USER:Sandbox Name:Command Option \-\-tree prints the tree of processes running in the sandbox. The format for each process entry is as follows: - PID:USER:Command + PID:USER:Sandbox Name:Command Option \-\-top is similar to the UNIX top command, however it applies only to sandboxes. @@ -2635,6 +2635,9 @@ It is a sum of the RES values for all processes running in the sandbox. RX(KB/s) Network receive speed. .TP +Sandbox Name +The name of the sandbox, if any. +.TP SHR Shared Memory Size (KiB), it reflects memory shared with other processes. It is a sum of the SHR values for all processes running 
@@ -2646,7 +2649,7 @@ Network transmit speed. Uptime Sandbox running time in hours:minutes:seconds format. .TP -User +USER The owner of the sandbox. .SH SECURITY PROFILES diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 4827bbbeb..91c59af4d 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt @@ -50,7 +50,8 @@ Print route table for each sandbox. Print seccomp configuration for each sandbox. .TP \fB\-\-top -Monitor the most CPU-intensive sandboxes. +Monitor the most CPU-intensive sandboxes. This command is similar to +the regular UNIX top command, however it applies only to sandboxes. .TP \fB\-\-tree Print a tree of all sandboxed processes. @@ -63,19 +64,11 @@ Print program version and exit. Print X11 display number. .PP -Option \-\-list prints a list of all sandboxes. The format -for each entry is as follows: +The format for each listed sandbox entry is as follows: - PID:USER:Command + PID:USER:Sandbox Name:Command -Option \-\-tree prints the tree of processes running in the sandbox. The format -for each process entry is as follows: - - PID:USER:Command - -Option \-\-top is similar to the UNIX top command, however it applies only to -sandboxes. Listed below are the available fields (columns) in alphabetical -order: +Listed below are the available fields (columns) in various firemon commands in alphabetical order: .TP Command @@ -95,6 +88,9 @@ RES Resident Memory Size (KiB), sandbox non-swapped physical memory. It is a sum of the RES values for all processes running in the sandbox. .TP +Sandbox Name +The name of the sandbox, if any. +.TP SHR Shared Memory Size (KiB), it reflects memory shared with other processes. It is a sum of the SHR values for all processes running @@ -103,7 +99,7 @@ in the sandbox, including the controlling process. Uptime Sandbox running time in hours:minutes:seconds format. .TP -User +USER The owner of the sandbox. .SH LICENSE -- cgit v1.2.3-54-g00ecf