From 7655973d13775fc8a939cae7ebbadf3b38209a02 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 2 Jul 2016 07:41:19 -0400
Subject: faudit: caps

---
 src/faudit/caps.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/faudit/faudit.h | 4 +++
 src/faudit/main.c | 7 +++--
 src/faudit/pid.c | 6 ++---
 4 files changed, 89 insertions(+), 5 deletions(-)
 create mode 100644 src/faudit/caps.c
(limited to 'src')

diff --git a/src/faudit/caps.c b/src/faudit/caps.c
new file mode 100644
index 000000000..364cfcd03
--- /dev/null
+++ b/src/faudit/caps.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include
+
+#define MAXBUF 4098
+static int extract_caps(uint64_t *val) {
+ FILE *fp = fopen("/proc/self/status", "r");
+ if (!fp)
+ return 1;
+
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
+ if (strncmp(buf, "CapBnd:\t", 8) == 0) {
+ char *ptr = buf + 8;
+ unsigned long long tmp;
+ sscanf(ptr, "%llx", &tmp);
+ *val = tmp;
+ fclose(fp);
+ return 0;
+ }
+ }
+
+ fclose(fp);
+ return 1;
+}
+
+// return 1 if the capability is in tbe map
+static int check_capability(uint64_t map, int cap) {
+ int i;
+ uint64_t mask = 1ULL;
+
+ for (i = 0; i < 64; i++, mask <<= 1) {
+ if ((i == cap) && (mask & map))
+ return 1;
+ }
+
+ return 0;
+}
+
+void caps(void) {
+ uint64_t caps_val;
+
+ if (extract_caps(&caps_val)) {
+ printf("SKIP: cannot extract capabilities on this platform\n");
+ return;
+ }
+
+ if (caps_val) {
+ printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val);
+
+ if (check_capability(caps_val, CAP_SYS_ADMIN))
+ printf("UGLY: CAP_SYS_ADMIN is enabled\n");
+ if (check_capability(caps_val, CAP_SYS_BOOT))
+ printf("UGLY: CAP_SYS_BOOT is enabled\n");
+ }
+ else
+ printf("GOOD: all capabilities are disabled\n");
+}
+
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 9c001c285..74426ac0a 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -22,6 +22,7 @@
 #define FAUDIT_H
 #include
 #include
+#include
 #include
 #include
 #include
@@ -34,4 +35,7 @@
 // pid.c
 void pid(void);
 
+// caps.c
+void caps(void);
+
 #endif
\ No newline at end of file
diff --git a/src/faudit/main.c b/src/faudit/main.c
index d90eb1c0b..a3407caa1 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -20,12 +20,15 @@
 #include "faudit.h"
 
 int main(int argc, char **argv) {
- printf("FAUDIT: Firejail audit started\n");
+ printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n");
 
 // check pid namespace
 pid();
+
+ // chack capabilities
+ caps();
 
- printf("FAUDIT: Firejail audit ended\n");
+ printf("----------------------------------------------------------\n");
 return 0;
 }
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 861324255..a6f02c051 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -69,7 +69,7 @@ void pid(void) {
 if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
 fclose(fp);
 free(fname);
- printf("FAUDIT: Process PID %d, not running in a PID namespace\n", getpid());
+ printf("BAD: Process PID %d, not running in a PID namespace\n", getpid());
 return;
 }
 j++;
@@ -80,10 +80,10 @@ void pid(void) {
 }
 
- printf("FAUDIT: Process PID %d, running in a PID namespace\n", getpid());
+ printf("GOOD: Process PID %d, running in a PID namespace\n", getpid());
 
 // try to guess the type of container/sandbox
 char *str = getenv("container");
 if (str)
- printf("FAUDIT: Container/sandbox: %s\n", str);
+ printf("Container/sandbox: %s\n", str);
 }
-- 
cgit v1.2.3-54-g00ecf
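Review bot: `sscanf(ptr, "%llx", &tmp)` in extract_caps ignores its return value, so a CapBnd line that does not parse as hex leaves `tmp` uninitialized and that value is copied into `*val`, after which caps() reports on a meaningless map; checking `if (sscanf(ptr, "%llx", &tmp) != 1) { fclose(fp); return 1; }` routes that case to the existing SKIP path instead. check_capability walks all 64 bits to test a single one; `return cap >= 0 && cap < 64 && ((map >> cap) & 1);` is equivalent and reads as the bit test it is. The audit only reads CapBnd; /proc/self/status also carries CapEff and CapPrm, and a bounding-set drop does not by itself clear capabilities already in the permitted set, so a process with an empty bounding set could presumably still hold capabilities yet be reported GOOD — worth confirming against the intended check. `MAXBUF 4098` looks like a typo for 4096 (harmless, since the buffer and the fgets bound agree), and the comment above check_capability has "tbe" for "the".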
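Review bot: The comment added before the new caps() call in main reads `// chack capabilities`; it should be `// check capabilities`, matching the `// check pid namespace` comment that precedes the pid() call just above it.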