retiring --audit (replaced by jailtest)
This commit is contained in:
parent
46ed36bfe9
commit
5c95f0f957
21 changed files with 5 additions and 1057 deletions
@ -24,7 +24,7 @@ endif
|
|||
COMPLETIONDIRS = src/zsh_completion src/bash_completion
|
||||
all: all_items mydirs $(MAN_TARGET) filters
|
||||
APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
|
||||
SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
|
||||
SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
|
||||
SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
|
||||
MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
|
||||
MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
|
||||
|
|
|
|||
3
configure
vendored
3
configure
vendored
|
|
@ -4366,7 +4366,7 @@ fi
|
|||
|
||||
ac_config_files="$ac_config_files mkdeb.sh"
|
||||
|
||||
ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
|
||||
ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
|
||||
|
||||
cat >confcache <<\_ACEOF
|
||||
# This file is a shell script that caches the results of configure
|
||||
|
|
@ -5090,7 +5090,6 @@ do
|
|||
"src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;;
|
||||
"src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;;
|
||||
"src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
|
||||
"src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
|
||||
"src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
|
||||
"src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
|
||||
"src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
|
||||
|
|
|
|||
|
|
@ -305,7 +305,7 @@ fi
|
|||
AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
|
||||
AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
|
||||
src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
|
||||
src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
|
||||
src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
|
||||
src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
|
||||
src/jailtest/Makefile)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,14 +0,0 @@
|
|||
all: faudit
|
||||
|
||||
include ../common.mk
|
||||
|
||||
%.o : %.c $(H_FILE_LIST)
|
||||
$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
|
||||
|
||||
faudit: $(OBJS)
|
||||
$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
|
||||
|
||||
clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist
|
||||
|
||||
distclean: clean
|
||||
rm -fr Makefile
|
||||
|
|
@ -1,78 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
|
||||
#include "faudit.h"
|
||||
#include <linux/capability.h>
|
||||
|
||||
#define MAXBUF 4098
|
||||
static int extract_caps(uint64_t *val) {
|
||||
FILE *fp = fopen("/proc/self/status", "r");
|
||||
if (!fp)
|
||||
return 1;
|
||||
|
||||
char buf[MAXBUF];
|
||||
while (fgets(buf, MAXBUF, fp)) {
|
||||
if (strncmp(buf, "CapBnd:\t", 8) == 0) {
|
||||
char *ptr = buf + 8;
|
||||
unsigned long long tmp;
|
||||
sscanf(ptr, "%llx", &tmp);
|
||||
*val = tmp;
|
||||
fclose(fp);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
fclose(fp);
|
||||
return 1;
|
||||
}
|
||||
|
||||
// return 1 if the capability is in the map
|
||||
static int check_capability(uint64_t map, int cap) {
|
||||
int i;
|
||||
uint64_t mask = 1ULL;
|
||||
|
||||
for (i = 0; i < 64; i++, mask <<= 1) {
|
||||
if ((i == cap) && (mask & map))
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void caps_test(void) {
|
||||
uint64_t caps_val;
|
||||
|
||||
if (extract_caps(&caps_val)) {
|
||||
printf("SKIP: cannot extract capabilities on this platform.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
if (caps_val) {
|
||||
printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
|
||||
printf("Use \"firejail --caps.drop=all\" to fix it.\n");
|
||||
|
||||
if (check_capability(caps_val, CAP_SYS_ADMIN))
|
||||
printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
|
||||
if (check_capability(caps_val, CAP_SYS_BOOT))
|
||||
printf("UGLY: CAP_SYS_BOOT is enabled.\n");
|
||||
}
|
||||
else
|
||||
printf("GOOD: all capabilities are disabled.\n");
|
||||
}
|
||||
|
|
@ -1,131 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
#include "../include/rundefs.h"
|
||||
#include <stdarg.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
|
||||
// return 0 if the connection is possible
|
||||
int check_unix(const char *sockfile) {
|
||||
assert(sockfile);
|
||||
int rv = -1;
|
||||
|
||||
// open socket
|
||||
int sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
if (sock == -1)
|
||||
return rv;
|
||||
|
||||
// connect
|
||||
struct sockaddr_un remote;
|
||||
memset(&remote, 0, sizeof(struct sockaddr_un));
|
||||
remote.sun_family = AF_UNIX;
|
||||
strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1);
|
||||
int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
|
||||
if (*sockfile == '@')
|
||||
remote.sun_path[0] = '\0';
|
||||
if (connect(sock, (struct sockaddr *)&remote, len) == 0)
|
||||
rv = 0;
|
||||
|
||||
close(sock);
|
||||
return rv;
|
||||
}
|
||||
|
||||
static char *test_dbus_env(char *env_var_name) {
|
||||
// check the session bus
|
||||
char *str = getenv(env_var_name);
|
||||
char *found = NULL;
|
||||
if (str) {
|
||||
int rv = 0;
|
||||
char *bus = strdup(str);
|
||||
if (!bus)
|
||||
errExit("strdup");
|
||||
char *sockfile;
|
||||
if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
|
||||
sockfile += 13;
|
||||
*sockfile = '@';
|
||||
char *ptr = strchr(sockfile, ',');
|
||||
if (ptr)
|
||||
*ptr = '\0';
|
||||
rv = check_unix(sockfile);
|
||||
*sockfile = '@';
|
||||
if (rv == 0)
|
||||
printf("MAYBE: D-Bus socket %s is available\n", sockfile);
|
||||
else if (rv == -1)
|
||||
printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
|
||||
}
|
||||
else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
|
||||
sockfile += 10;
|
||||
char *ptr = strchr(sockfile, ',');
|
||||
if (ptr)
|
||||
*ptr = '\0';
|
||||
rv = check_unix(sockfile);
|
||||
if (rv == 0) {
|
||||
if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 ||
|
||||
strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) {
|
||||
printf("GOOD: D-Bus filtering is active on %s\n", sockfile);
|
||||
} else {
|
||||
printf("MAYBE: D-Bus socket %s is available\n", sockfile);
|
||||
}
|
||||
}
|
||||
else if (rv == -1)
|
||||
printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
|
||||
found = strdup(sockfile);
|
||||
if (!found)
|
||||
errExit("strdup");
|
||||
}
|
||||
else if (strstr(bus, "tcp:host=") != NULL)
|
||||
printf("UGLY: %s bus configured for TCP communication.\n", env_var_name);
|
||||
else
|
||||
printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name);
|
||||
free(bus);
|
||||
}
|
||||
else
|
||||
printf("MAYBE: %s environment variable not configured.\n", env_var_name);
|
||||
return found;
|
||||
}
|
||||
|
||||
static void test_default_socket(const char *found, const char *format, ...) {
|
||||
va_list ap;
|
||||
va_start(ap, format);
|
||||
char *sockfile;
|
||||
if (vasprintf(&sockfile, format, ap) == -1)
|
||||
errExit("vasprintf");
|
||||
va_end(ap);
|
||||
if (found != NULL && strcmp(found, sockfile) == 0)
|
||||
goto end;
|
||||
int rv = check_unix(sockfile);
|
||||
if (rv == 0)
|
||||
printf("MAYBE: D-Bus socket %s is available\n", sockfile);
|
||||
end:
|
||||
free(sockfile);
|
||||
}
|
||||
|
||||
void dbus_test(void) {
|
||||
char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS");
|
||||
test_default_socket(found_user, "/run/user/%d/bus", (int) getuid());
|
||||
test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid());
|
||||
if (found_user != NULL)
|
||||
free(found_user);
|
||||
char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS");
|
||||
test_default_socket(found_system, "/run/dbus/system_bus_socket");
|
||||
if (found_system != NULL)
|
||||
free(found_system);
|
||||
}
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
#include <dirent.h>
|
||||
|
||||
void dev_test(void) {
|
||||
DIR *dir;
|
||||
if (!(dir = opendir("/dev"))) {
|
||||
fprintf(stderr, "Error: cannot open /dev directory\n");
|
||||
return;
|
||||
}
|
||||
|
||||
struct dirent *entry;
|
||||
printf("INFO: files visible in /dev directory: ");
|
||||
int cnt = 0;
|
||||
while ((entry = readdir(dir)) != NULL) {
|
||||
if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
|
||||
continue;
|
||||
|
||||
printf("%s, ", entry->d_name);
|
||||
cnt++;
|
||||
}
|
||||
printf("\n");
|
||||
|
||||
if (cnt > 20)
|
||||
printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
|
||||
else
|
||||
printf("GOOD: Access to /dev directory is restricted.\n");
|
||||
closedir(dir);
|
||||
}
|
||||
|
|
@ -1,68 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
|
||||
#ifndef FAUDIT_H
|
||||
#define FAUDIT_H
|
||||
#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/mount.h>
|
||||
#include <assert.h>
|
||||
|
||||
#define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
|
||||
|
||||
// main.c
|
||||
extern char *prog;
|
||||
|
||||
// pid.c
|
||||
void pid_test(void);
|
||||
|
||||
// caps.c
|
||||
void caps_test(void);
|
||||
|
||||
// seccomp.c
|
||||
void seccomp_test(void);
|
||||
|
||||
// syscall.c
|
||||
void syscall_helper(int argc, char **argv);
|
||||
void syscall_run(const char *name);
|
||||
|
||||
// files.c
|
||||
void files_test(void);
|
||||
|
||||
// network.c
|
||||
void network_test(void);
|
||||
|
||||
// dbus.c
|
||||
int check_unix(const char *sockfile);
|
||||
void dbus_test(void);
|
||||
|
||||
// dev.c
|
||||
void dev_test(void);
|
||||
|
||||
// x11.c
|
||||
void x11_test(void);
|
||||
|
||||
#endif
|
||||
|
|
@ -1,75 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
#include <fcntl.h>
|
||||
#include <pwd.h>
|
||||
|
||||
static char *username = NULL;
|
||||
static char *homedir = NULL;
|
||||
|
||||
static void check_home_file(const char *name) {
|
||||
assert(homedir);
|
||||
|
||||
char *fname;
|
||||
if (asprintf(&fname, "%s/%s", homedir, name) == -1)
|
||||
errExit("asprintf");
|
||||
|
||||
if (access(fname, R_OK) == 0) {
|
||||
printf("UGLY: I can access files in %s directory. ", fname);
|
||||
printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
|
||||
}
|
||||
else
|
||||
printf("GOOD: I cannot access files in %s directory.\n", fname);
|
||||
|
||||
free(fname);
|
||||
}
|
||||
|
||||
void files_test(void) {
|
||||
struct passwd *pw = getpwuid(getuid());
|
||||
if (!pw) {
|
||||
fprintf(stderr, "Error: cannot retrieve user account information\n");
|
||||
return;
|
||||
}
|
||||
|
||||
username = strdup(pw->pw_name);
|
||||
if (!username)
|
||||
errExit("strdup");
|
||||
homedir = strdup(pw->pw_dir);
|
||||
if (!homedir)
|
||||
errExit("strdup");
|
||||
|
||||
// check access to .ssh directory
|
||||
check_home_file(".ssh");
|
||||
|
||||
// check access to .gnupg directory
|
||||
check_home_file(".gnupg");
|
||||
|
||||
// check access to Firefox browser directory
|
||||
check_home_file(".mozilla");
|
||||
|
||||
// check access to Chromium browser directory
|
||||
check_home_file(".config/chromium");
|
||||
|
||||
// check access to Debian Icedove directory
|
||||
check_home_file(".icedove");
|
||||
|
||||
// check access to Thunderbird directory
|
||||
check_home_file(".thunderbird");
|
||||
}
|
||||
|
|
@ -1,98 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
char *prog;
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
// make test-arguments helper
|
||||
if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
|
||||
printf("Arguments:\n");
|
||||
|
||||
int i;
|
||||
for (i = 0; i < argc; i++) {
|
||||
printf("#%s#\n", argv[i]);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
if (argc != 1) {
|
||||
int i;
|
||||
|
||||
for (i = 1; i < argc; i++) {
|
||||
if (strcmp(argv[i], "syscall") == 0) {
|
||||
syscall_helper(argc, argv);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
|
||||
|
||||
// extract program name
|
||||
prog = realpath(argv[0], NULL);
|
||||
if (prog == NULL) {
|
||||
prog = strdup("faudit");
|
||||
if (!prog)
|
||||
errExit("strdup");
|
||||
}
|
||||
printf("INFO: starting %s.\n", prog);
|
||||
|
||||
|
||||
// check pid namespace
|
||||
pid_test();
|
||||
printf("\n");
|
||||
|
||||
// check seccomp
|
||||
seccomp_test();
|
||||
printf("\n");
|
||||
|
||||
// check capabilities
|
||||
caps_test();
|
||||
printf("\n");
|
||||
|
||||
// check some well-known problematic files and directories
|
||||
files_test();
|
||||
printf("\n");
|
||||
|
||||
// network
|
||||
network_test();
|
||||
printf("\n");
|
||||
|
||||
// dbus
|
||||
dbus_test();
|
||||
printf("\n");
|
||||
|
||||
// x11 test
|
||||
x11_test();
|
||||
printf("\n");
|
||||
|
||||
// /dev test
|
||||
dev_test();
|
||||
printf("\n");
|
||||
|
||||
|
||||
free(prog);
|
||||
printf("--------------------------------------------------------------------------------\n");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -1,101 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
#include <sys/socket.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <linux/netlink.h>
|
||||
#include <linux/rtnetlink.h>
|
||||
|
||||
static void check_ssh(void) {
|
||||
// open socket
|
||||
int sock = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if (sock == -1) {
|
||||
printf("GOOD: SSH server not available on localhost.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
// connect to localhost
|
||||
struct sockaddr_in server;
|
||||
server.sin_addr.s_addr = inet_addr("127.0.0.1");
|
||||
server.sin_family = AF_INET;
|
||||
server.sin_port = htons(22);
|
||||
|
||||
if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
|
||||
printf("GOOD: SSH server not available on localhost.\n");
|
||||
else {
|
||||
printf("MAYBE: an SSH server is accessible on localhost. ");
|
||||
printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
|
||||
}
|
||||
|
||||
close(sock);
|
||||
}
|
||||
|
||||
static void check_http(void) {
|
||||
// open socket
|
||||
int sock = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if (sock == -1) {
|
||||
printf("GOOD: HTTP server not available on localhost.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
// connect to localhost
|
||||
struct sockaddr_in server;
|
||||
server.sin_addr.s_addr = inet_addr("127.0.0.1");
|
||||
server.sin_family = AF_INET;
|
||||
server.sin_port = htons(80);
|
||||
|
||||
if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
|
||||
printf("GOOD: HTTP server not available on localhost.\n");
|
||||
else {
|
||||
printf("MAYBE: an HTTP server is accessible on localhost. ");
|
||||
printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
|
||||
}
|
||||
|
||||
close(sock);
|
||||
}
|
||||
|
||||
void check_netlink(void) {
|
||||
int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
|
||||
if (sock == -1) {
|
||||
printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
struct sockaddr_nl local;
|
||||
memset(&local, 0, sizeof(local));
|
||||
local.nl_family = AF_NETLINK;
|
||||
local.nl_groups = 0; //subscriptions;
|
||||
|
||||
if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
|
||||
printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
|
||||
close(sock);
|
||||
return;
|
||||
}
|
||||
|
||||
close(sock);
|
||||
printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
|
||||
printf("You can use \"--protocol\" to disable the socket.\n");
|
||||
}
|
||||
|
||||
void network_test(void) {
|
||||
check_ssh();
|
||||
check_http();
|
||||
check_netlink();
|
||||
}
|
||||
|
|
@ -1,99 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
|
||||
void pid_test(void) {
|
||||
static char *kern_proc[] = {
|
||||
"kthreadd",
|
||||
"ksoftirqd",
|
||||
"kworker",
|
||||
"rcu_sched",
|
||||
"rcu_bh",
|
||||
NULL // NULL terminated list
|
||||
};
|
||||
int i;
|
||||
|
||||
// look at the first 10 processes
|
||||
int not_visible = 1;
|
||||
for (i = 1; i <= 10; i++) {
|
||||
struct stat s;
|
||||
char *fname;
|
||||
if (asprintf(&fname, "/proc/%d/comm", i) == -1)
|
||||
errExit("asprintf");
|
||||
if (stat(fname, &s) == -1) {
|
||||
free(fname);
|
||||
continue;
|
||||
}
|
||||
|
||||
// open file
|
||||
/* coverity[toctou] */
|
||||
FILE *fp = fopen(fname, "r");
|
||||
if (!fp) {
|
||||
free(fname);
|
||||
continue;
|
||||
}
|
||||
|
||||
// read file
|
||||
char buf[100];
|
||||
if (fgets(buf, 10, fp) == NULL) {
|
||||
fclose(fp);
|
||||
free(fname);
|
||||
continue;
|
||||
}
|
||||
not_visible = 0;
|
||||
|
||||
// clean /n
|
||||
char *ptr;
|
||||
if ((ptr = strchr(buf, '\n')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
// check process name against the kernel list
|
||||
int j = 0;
|
||||
while (kern_proc[j] != NULL) {
|
||||
if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
|
||||
fclose(fp);
|
||||
free(fname);
|
||||
printf("BAD: Process %d is not running in a PID namespace. ", getpid());
|
||||
printf("Are you sure you're running in a sandbox?\n");
|
||||
return;
|
||||
}
|
||||
j++;
|
||||
}
|
||||
|
||||
fclose(fp);
|
||||
free(fname);
|
||||
}
|
||||
|
||||
pid_t pid = getpid();
|
||||
if (not_visible && pid > 100)
|
||||
printf("BAD: Process %d is not running in a PID namespace.\n", pid);
|
||||
else
|
||||
printf("GOOD: process %d is running in a PID namespace.\n", pid);
|
||||
|
||||
// try to guess the type of container/sandbox
|
||||
char *str = getenv("container");
|
||||
if (str)
|
||||
printf("INFO: container/sandbox %s.\n", str);
|
||||
else {
|
||||
str = getenv("SNAP");
|
||||
if (str)
|
||||
printf("INFO: this is a snap package\n");
|
||||
}
|
||||
}
|
||||
|
|
@ -1,101 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
|
||||
#define MAXBUF 4098
|
||||
static int extract_seccomp(int *val) {
|
||||
FILE *fp = fopen("/proc/self/status", "r");
|
||||
if (!fp)
|
||||
return 1;
|
||||
|
||||
char buf[MAXBUF];
|
||||
while (fgets(buf, MAXBUF, fp)) {
|
||||
if (strncmp(buf, "Seccomp:\t", 9) == 0) {
|
||||
char *ptr = buf + 9;
|
||||
int tmp;
|
||||
sscanf(ptr, "%d", &tmp);
|
||||
*val = tmp;
|
||||
fclose(fp);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
fclose(fp);
|
||||
return 1;
|
||||
}
|
||||
|
||||
void seccomp_test(void) {
|
||||
int seccomp_status;
|
||||
int rv = extract_seccomp(&seccomp_status);
|
||||
|
||||
if (rv) {
|
||||
printf("INFO: cannot extract seccomp configuration on this platform.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
if (seccomp_status == 0) {
|
||||
printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
|
||||
}
|
||||
else if (seccomp_status == 1)
|
||||
printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed.\n");
|
||||
else if (seccomp_status == 2) {
|
||||
printf("GOOD: seccomp BPF enabled.\n");
|
||||
|
||||
printf("checking syscalls: "); fflush(0);
|
||||
printf("mount... "); fflush(0);
|
||||
syscall_run("mount");
|
||||
|
||||
printf("umount2... "); fflush(0);
|
||||
syscall_run("umount2");
|
||||
|
||||
printf("ptrace... "); fflush(0);
|
||||
syscall_run("ptrace");
|
||||
|
||||
printf("swapon... "); fflush(0);
|
||||
syscall_run("swapon");
|
||||
|
||||
printf("swapoff... "); fflush(0);
|
||||
syscall_run("swapoff");
|
||||
|
||||
printf("init_module... "); fflush(0);
|
||||
syscall_run("init_module");
|
||||
|
||||
printf("delete_module... "); fflush(0);
|
||||
syscall_run("delete_module");
|
||||
|
||||
printf("chroot... "); fflush(0);
|
||||
syscall_run("chroot");
|
||||
|
||||
printf("pivot_root... "); fflush(0);
|
||||
syscall_run("pivot_root");
|
||||
|
||||
#if defined(__i386__) || defined(__x86_64__)
|
||||
printf("iopl... "); fflush(0);
|
||||
syscall_run("iopl");
|
||||
|
||||
printf("ioperm... "); fflush(0);
|
||||
syscall_run("ioperm");
|
||||
#endif
|
||||
printf("\n");
|
||||
}
|
||||
else
|
||||
fprintf(stderr, "Error: unrecognized seccomp mode\n");
|
||||
|
||||
}
|
||||
|
|
@ -1,105 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
#include <sys/ptrace.h>
|
||||
#include <sys/swap.h>
|
||||
#if defined(__i386__) || defined(__x86_64__)
|
||||
#include <sys/io.h>
|
||||
#endif
|
||||
#include <sys/wait.h>
|
||||
extern int init_module(void *module_image, unsigned long len,
|
||||
const char *param_values);
|
||||
extern int finit_module(int fd, const char *param_values,
|
||||
int flags);
|
||||
extern int delete_module(const char *name, int flags);
|
||||
extern int pivot_root(const char *new_root, const char *put_old);
|
||||
|
||||
void syscall_helper(int argc, char **argv) {
|
||||
(void) argc;
|
||||
|
||||
if (argc < 3)
|
||||
return;
|
||||
|
||||
if (strcmp(argv[2], "mount") == 0) {
|
||||
int rv = mount(NULL, NULL, NULL, 0, NULL);
|
||||
(void) rv;
|
||||
printf("\nUGLY: mount syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "umount2") == 0) {
|
||||
umount2(NULL, 0);
|
||||
printf("\nUGLY: umount2 syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "ptrace") == 0) {
|
||||
ptrace(0, 0, NULL, NULL);
|
||||
printf("\nUGLY: ptrace syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "swapon") == 0) {
|
||||
swapon(NULL, 0);
|
||||
printf("\nUGLY: swapon syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "swapoff") == 0) {
|
||||
swapoff(NULL);
|
||||
printf("\nUGLY: swapoff syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "init_module") == 0) {
|
||||
init_module(NULL, 0, NULL);
|
||||
printf("\nUGLY: init_module syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "delete_module") == 0) {
|
||||
delete_module(NULL, 0);
|
||||
printf("\nUGLY: delete_module syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "chroot") == 0) {
|
||||
int rv = chroot("/blablabla-57281292");
|
||||
(void) rv;
|
||||
printf("\nUGLY: chroot syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "pivot_root") == 0) {
|
||||
pivot_root(NULL, NULL);
|
||||
printf("\nUGLY: pivot_root syscall permitted.\n");
|
||||
}
|
||||
#if defined(__i386__) || defined(__x86_64__)
|
||||
else if (strcmp(argv[2], "iopl") == 0) {
|
||||
iopl(0L);
|
||||
printf("\nUGLY: iopl syscall permitted.\n");
|
||||
}
|
||||
else if (strcmp(argv[2], "ioperm") == 0) {
|
||||
ioperm(0, 0, 0);
|
||||
printf("\nUGLY: ioperm syscall permitted.\n");
|
||||
}
|
||||
#endif
|
||||
exit(0);
|
||||
}
|
||||
|
||||
void syscall_run(const char *name) {
|
||||
assert(prog);
|
||||
|
||||
pid_t child = fork();
|
||||
if (child < 0)
|
||||
errExit("fork");
|
||||
if (child == 0) {
|
||||
execl(prog, prog, "syscall", name, NULL);
|
||||
perror("execl");
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
// wait for the child to finish
|
||||
waitpid(child, NULL, 0);
|
||||
}
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2021 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "faudit.h"
|
||||
#include <sys/socket.h>
|
||||
#include <dirent.h>
|
||||
|
||||
|
||||
void x11_test(void) {
|
||||
// check regular display 0 sockets
|
||||
if (check_unix("/tmp/.X11-unix/X0") == 0)
|
||||
printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
|
||||
|
||||
if (check_unix("@/tmp/.X11-unix/X0") == 0)
|
||||
printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
|
||||
|
||||
// check all unix sockets in /tmp/.X11-unix directory
|
||||
DIR *dir;
|
||||
if (!(dir = opendir("/tmp/.X11-unix"))) {
|
||||
// sleep 2 seconds and try again
|
||||
sleep(2);
|
||||
if (!(dir = opendir("/tmp/.X11-unix"))) {
|
||||
;
|
||||
}
|
||||
}
|
||||
|
||||
if (dir == NULL)
|
||||
printf("GOOD: cannot open /tmp/.X11-unix directory\n");
|
||||
else {
|
||||
struct dirent *entry;
|
||||
while ((entry = readdir(dir)) != NULL) {
|
||||
if (strcmp(entry->d_name, "X0") == 0)
|
||||
continue;
|
||||
if (strcmp(entry->d_name, ".") == 0)
|
||||
continue;
|
||||
if (strcmp(entry->d_name, "..") == 0)
|
||||
continue;
|
||||
char *name;
|
||||
if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
|
||||
errExit("asprintf");
|
||||
if (check_unix(name) == 0)
|
||||
printf("MAYBE: X11 socket %s is available\n", name);
|
||||
free(name);
|
||||
}
|
||||
closedir(dir);
|
||||
}
|
||||
}
|
||||
|
|
@ -328,8 +328,6 @@ extern int arg_keep_var_tmp; // don't overwrite /var/tmp
|
|||
extern int arg_writable_run_user; // writable /run/user
|
||||
extern int arg_writable_var_log; // writable /var/log
|
||||
extern int arg_appimage; // appimage
|
||||
extern int arg_audit; // audit
|
||||
extern char *arg_audit_prog; // audit
|
||||
extern int arg_apparmor; // apparmor
|
||||
extern int arg_allow_debuggers; // allow debuggers
|
||||
extern int arg_x11_block; // block X11
|
||||
|
|
|
|||
|
|
@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
|
|||
extract_x11_display(parent);
|
||||
|
||||
int shfd = -1;
|
||||
if (!arg_shell_none && !arg_audit)
|
||||
if (!arg_shell_none)
|
||||
shfd = open_shell();
|
||||
|
||||
EUID_ROOT();
|
||||
|
|
|
|||
|
|
@ -130,8 +130,6 @@ int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
|
|||
int arg_writable_run_user = 0; // writable /run/user
|
||||
int arg_writable_var_log = 0; // writable /var/log
|
||||
int arg_appimage = 0; // appimage
|
||||
int arg_audit = 0; // audit
|
||||
char *arg_audit_prog = NULL; // audit
|
||||
int arg_apparmor = 0; // apparmor
|
||||
int arg_allow_debuggers = 0; // allow debuggers
|
||||
int arg_x11_block = 0; // block X11
|
||||
|
|
@ -2608,28 +2606,6 @@ int main(int argc, char **argv, char **envp) {
|
|||
//*************************************
|
||||
else if (strncmp(argv[i], "--timeout=", 10) == 0)
|
||||
cfg.timeout = extract_timeout(argv[i] + 10);
|
||||
else if (strcmp(argv[i], "--audit") == 0) {
|
||||
arg_audit_prog = LIBDIR "/firejail/faudit";
|
||||
profile_add_ignore("shell none");
|
||||
arg_audit = 1;
|
||||
}
|
||||
else if (strncmp(argv[i], "--audit=", 8) == 0) {
|
||||
if (strlen(argv[i] + 8) == 0) {
|
||||
fprintf(stderr, "Error: invalid audit program\n");
|
||||
exit(1);
|
||||
}
|
||||
arg_audit_prog = strdup(argv[i] + 8);
|
||||
if (!arg_audit_prog)
|
||||
errExit("strdup");
|
||||
|
||||
struct stat s;
|
||||
if (stat(arg_audit_prog, &s) != 0) {
|
||||
fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
|
||||
exit(1);
|
||||
}
|
||||
profile_add_ignore("shell none");
|
||||
arg_audit = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--appimage") == 0)
|
||||
arg_appimage = 1;
|
||||
else if (strcmp(argv[i], "--shell=none") == 0) {
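Review bot: With the `--audit` and `--audit=` branches gone, an existing script or alias that still passes `--audit` will presumably fall through to whatever the option parser does for an unknown argument (that code is outside the hunk), with no hint that the feature moved to jailtest as the commit title says. A short retirement stub in the same place would make the migration explicit: `else if (strcmp(argv[i], "--audit") == 0 || strncmp(argv[i], "--audit=", 8) == 0) { fprintf(stderr, "Error: --audit was retired, use the jailtest program instead\n"); exit(1); }`. The hunk also drops the `stat()` existence check and the `profile_add_ignore("shell none")` override that the old option performed, which is fine here since nothing remains to exec the user-supplied program. main()'s body continues outside the hunk on both sides.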
|
||||
|
|
|
|||
|
|
@ -474,24 +474,10 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
|
|||
printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
|
||||
}
|
||||
|
||||
//****************************************
|
||||
// audit
|
||||
//****************************************
|
||||
if (arg_audit) {
|
||||
assert(arg_audit_prog);
|
||||
|
||||
#ifdef HAVE_GCOV
|
||||
__gcov_dump();
|
||||
#endif
|
||||
seccomp_install_filters();
|
||||
if (set_sandbox_status)
|
||||
*set_sandbox_status = SANDBOX_DONE;
|
||||
execl(arg_audit_prog, arg_audit_prog, NULL);
|
||||
}
|
||||
//****************************************
|
||||
// start the program without using a shell
|
||||
//****************************************
|
||||
else if (arg_shell_none) {
|
||||
if (arg_shell_none) {
|
||||
if (arg_debug) {
|
||||
int i;
|
||||
for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
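Review bot: The removed audit branch was the only place in this hunk where `seccomp_install_filters()` is called immediately before the exec, and the new `if (arg_shell_none)` path shows no equivalent call, so whether the filter is still installed on the no-shell exec path now depends on code outside the hunk; worth confirming that the remaining branches of start_application already do this (presumably further down, where the old `else if` continued). If they do, a one-line comment above `if (arg_shell_none) {` such as `// seccomp filters are installed on every exec path below; the former --audit path (now jailtest) is gone` would save the next reader the same question. The `#ifdef HAVE_GCOV` `__gcov_dump()` that preceded the old exec also disappears, which only matters for coverage builds. start_application's body continues outside the hunk on both sides.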
|
||||
|
|
|
|||
|
|
@ -33,7 +33,6 @@ static char *usage_str =
|
|||
" --apparmor - enable AppArmor confinement.\n"
|
||||
" --apparmor.print=name|pid - print apparmor status.\n"
|
||||
" --appimage - sandbox an AppImage application.\n"
|
||||
" --audit[=test-program] - audit the sandbox.\n"
|
||||
#ifdef HAVE_NETWORK
|
||||
" --bandwidth=name|pid - set bandwidth limits.\n"
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -155,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
|
|||
$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
|
||||
#endif
|
||||
.TP
|
||||
\fB\-\-audit
|
||||
Audit the sandbox, see \fBAUDIT\fR section for more details.
|
||||
.TP
|
||||
\fB\-\-audit=test-program
|
||||
Audit the sandbox, see \fBAUDIT\fR section for more details.
|
||||
.TP
|
||||
\fB\-\-bandwidth=name|pid
|
||||
Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
|
||||
.TP
|
||||
|
|
@ -2972,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features
|
|||
$ firejail --apparmor firefox
|
||||
#endif
|
||||
|
||||
.SH AUDIT
|
||||
Audit feature allows the user to point out gaps in security profiles. The
|
||||
implementation replaces the program to be sandboxed with a test program. By
|
||||
default, we use faudit program distributed with Firejail. A custom test program
|
||||
can also be supplied by the user. Examples:
|
||||
|
||||
Running the default audit program:
|
||||
.br
|
||||
$ firejail --audit transmission-gtk
|
||||
|
||||
Running a custom audit program:
|
||||
.br
|
||||
$ firejail --audit=~/sandbox-test transmission-gtk
|
||||
|
||||
In the examples above, the sandbox configures transmission-gtk profile and
|
||||
starts the test program. The real program, transmission-gtk, will not be
|
||||
started.
|
||||
|
||||
You can also audit a specific profile without specifying a program.
|
||||
.br
|
||||
$ firejail --audit --profile=/etc/firejail/zoom.profile
|
||||
|
||||
Limitations: audit feature is not implemented for --x11 commands.
|
||||
|
||||
.SH DESKTOP INTEGRATION
|
||||
A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
|
||||
The symbolic link should be placed in the first $PATH position. On most systems, a good place
|
||||
|
|
|
|||