profstats fix (#4733)

2026-05-15 22:01:33 -06:00 · 2021-12-10 09:29:47 -05:00 · 2021-12-10 09:29:47 -05:00 · 30e754610f
commit 30e754610f
parent 7c7b47b436
4 changed files with 50 additions and 38 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -27,7 +27,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
-SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/profstats/profstats
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
@ -138,8 +138,6 @@ endif
 	install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
 	install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
 	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-	# program used track profile statistics during development - no manpage, this is not a user program
-	install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats
 ifeq ($(BUSYBOX_WORKAROUND),yes)
 	./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif
--- a/README.md
+++ b/README.md
@ -298,34 +298,37 @@ INTRUSION DETECTION SYSTEM (IDS)

 ### Profile Statistics

-A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+Run it over the profiles in /etc/profiles:
 ```
-$ sudo cp src/profstats/profstats /etc/firejail/.
-$ cd /etc/firejail
-$ ./profstats *.profile
-    profiles			1167
-    include local profile	1167   (include profile-name.local)
-    include globals		1136   (include globals.local)
-    blacklist ~/.ssh		1042   (include disable-common.inc)
-    seccomp			1062
-    capabilities		1163
-    noexec			1049   (include disable-exec.inc)
-    noroot			971
-    memory-deny-write-execute	256
-    apparmor			693
-    private-bin			677
-    private-dev			1027
-    private-etc			532
-    private-tmp			897
-    whitelist home directory	557
-    whitelist var		836   (include whitelist-var-common.inc)
-    whitelist run/user		1137   (include whitelist-runuser-common.inc
+$ /usr/lib/firejail/profstats /etc/firejail/*.profile
+No include .local found in /etc/firejail/noprofile.profile
+Warning: multiple caps in /etc/firejail/transmission-daemon.profile
+
+Stats:
+    profiles			1176
+    include local profile	1175   (include profile-name.local)
+    include globals		1144   (include globals.local)
+    blacklist ~/.ssh		1050   (include disable-common.inc)
+    seccomp			1070
+    capabilities		1171
+    noexec			1057   (include disable-exec.inc)
+    noroot			979
+    memory-deny-write-execute	258
+    apparmor			700
+    private-bin			681
+    private-dev			1033
+    private-etc			533
+    private-tmp			905
+    whitelist home directory	562
+    whitelist var		842   (include whitelist-var-common.inc)
+    whitelist run/user		1145   (include whitelist-runuser-common.inc
 					or blacklist ${RUNUSER})
-    whitelist usr/share		609   (include whitelist-usr-share-common.inc
-    net none			396
-    dbus-user none 		656
-    dbus-user filter 		108
-    dbus-system none 		808
+    whitelist usr/share		614   (include whitelist-usr-share-common.inc
+    net none			399
+    dbus-user none 		662
+    dbus-user filter 		113
+    dbus-system none 		816
    dbus-system filter 		10
 ```

--- a/src/profstats/Makefile.in
+++ b/src/profstats/Makefile.in
@ -3,7 +3,7 @@ all: profstats

 include ../common.mk

-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/common.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@

 profstats: $(OBJS)
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@ -17,10 +17,8 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
+
+#include "../include/common.h"

 #define MAXBUF 2048
 // stats
@ -99,8 +97,9 @@ static void usage(void) {
 	printf("\n");
 }

-void process_file(const char *fname) {
+static void process_file(char *fname) {
 	assert(fname);
+	char *tmpfname = NULL;

 	if (arg_debug)
 		printf("processing #%s#\n", fname);
@ -109,9 +108,19 @@ void process_file(const char *fname) {

 	FILE *fp = fopen(fname, "r");
 	if (!fp) {
-		fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
-		level--;
-		return;
+		// the file was not found in the current directory
+		// look for it in /etc/firejail directory
+		if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
+			errExit("asprintf");
+
+		fp = fopen(tmpfname, "r");
+		if (!fp) {
+			fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
+			free(tmpfname);
+			level--;
+			return;
+		}
+		fname = tmpfname;
 	}

 	int have_include_local = 0;
@ -204,6 +213,8 @@ void process_file(const char *fname) {
 	if (!have_include_local)
 		printf("No include .local found in %s\n", fname);
 	level--;
+	if (tmpfname)
+		free(tmpfname);
 }

 int main(int argc, char **argv) {