profstats fix (#4733)

Makefile.in

@@ -27,7 +27,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
-SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/profstats/profstats
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
@@ -138,8 +138,6 @@ endif
 	install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
 	install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
 	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-	# program used track profile statistics during development - no manpage, this is not a user program
-	install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats
 ifeq ($(BUSYBOX_WORKAROUND),yes)
 	./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif

README.md

@@ -298,34 +298,37 @@ INTRUSION DETECTION SYSTEM (IDS)
 
 ### Profile Statistics
 
-A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+Run it over the profiles in /etc/profiles:
 ```
-$ sudo cp src/profstats/profstats /etc/firejail/.
+$ /usr/lib/firejail/profstats /etc/firejail/*.profile
-$ cd /etc/firejail
+No include .local found in /etc/firejail/noprofile.profile
-$ ./profstats *.profile
+Warning: multiple caps in /etc/firejail/transmission-daemon.profile
-    profiles			1167
+
-    include local profile	1167   (include profile-name.local)
+Stats:
-    include globals		1136   (include globals.local)
+    profiles			1176
-    blacklist ~/.ssh		1042   (include disable-common.inc)
+    include local profile	1175   (include profile-name.local)
-    seccomp			1062
+    include globals		1144   (include globals.local)
-    capabilities		1163
+    blacklist ~/.ssh		1050   (include disable-common.inc)
-    noexec			1049   (include disable-exec.inc)
+    seccomp			1070
-    noroot			971
+    capabilities		1171
-    memory-deny-write-execute	256
+    noexec			1057   (include disable-exec.inc)
-    apparmor			693
+    noroot			979
-    private-bin			677
+    memory-deny-write-execute	258
-    private-dev			1027
+    apparmor			700
-    private-etc			532
+    private-bin			681
-    private-tmp			897
+    private-dev			1033
-    whitelist home directory	557
+    private-etc			533
-    whitelist var		836   (include whitelist-var-common.inc)
+    private-tmp			905
-    whitelist run/user		1137   (include whitelist-runuser-common.inc
+    whitelist home directory	562
+    whitelist var		842   (include whitelist-var-common.inc)
+    whitelist run/user		1145   (include whitelist-runuser-common.inc
 					or blacklist ${RUNUSER})
-    whitelist usr/share		609   (include whitelist-usr-share-common.inc
+    whitelist usr/share		614   (include whitelist-usr-share-common.inc
-    net none			396
+    net none			399
-    dbus-user none 		656
+    dbus-user none 		662
-    dbus-user filter 		108
+    dbus-user filter 		113
-    dbus-system none 		808
+    dbus-system none 		816
     dbus-system filter 		10
 ```
 

src/profstats/Makefile.in

@@ -3,7 +3,7 @@ all: profstats
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/common.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 profstats: $(OBJS)

src/profstats/main.c

@@ -17,10 +17,8 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include <stdio.h>
+
-#include <stdlib.h>
+#include "../include/common.h"
-#include <string.h>
-#include <assert.h>
 
 #define MAXBUF 2048
 // stats
@@ -99,8 +97,9 @@ static void usage(void) {
 	printf("\n");
 }
 
-void process_file(const char *fname) {
+static void process_file(char *fname) {
 	assert(fname);
+	char *tmpfname = NULL;
 
 	if (arg_debug)
 		printf("processing #%s#\n", fname);
@@ -109,10 +108,20 @@ void process_file(const char *fname) {
 
 	FILE *fp = fopen(fname, "r");
 	if (!fp) {
-		fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
+		// the file was not found in the current directory
+		// look for it in /etc/firejail directory
+		if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
+			errExit("asprintf");
+
+		fp = fopen(tmpfname, "r");
+		if (!fp) {
+			fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
+			free(tmpfname);
 			level--;
 			return;
 		}
+		fname = tmpfname;
+	}
 
 	int have_include_local = 0;
 	char buf[MAXBUF];
@@ -204,6 +213,8 @@ void process_file(const char *fname) {
 	if (!have_include_local)
 		printf("No include .local found in %s\n", fname);
 	level--;
+	if (tmpfname)
+		free(tmpfname);
 }
 
 int main(int argc, char **argv) {