profstats fix (netblue30#4733)

kmk3 · Dec 10, 2021 · 30e7546 · 30e7546
1 parent 7c7b47b
commit 30e7546
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 38 deletions.
diff --git a/Makefile.in b/Makefile.in
@@ -27,7 +27,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
-SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/profstats/profstats
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
@@ -138,8 +138,6 @@ endif
  install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
  install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
  sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
- # program used track profile statistics during development - no manpage, this is not a user program
- install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats
 ifeq ($(BUSYBOX_WORKAROUND),yes)
  ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif

diff --git a/README.md b/README.md
@@ -298,34 +298,37 @@ INTRUSION DETECTION SYSTEM (IDS)
 
 ### Profile Statistics
 
-A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+Run it over the profiles in /etc/profiles:
 ```
-$ sudo cp src/profstats/profstats /etc/firejail/.
-$ cd /etc/firejail
-$ ./profstats *.profile
- profiles 1167
- include local profile 1167 (include profile-name.local)
- include globals 1136 (include globals.local)
- blacklist ~/.ssh 1042 (include disable-common.inc)
- seccomp 1062
- capabilities 1163
- noexec 1049 (include disable-exec.inc)
- noroot 971
- memory-deny-write-execute 256
- apparmor 693
- private-bin 677
- private-dev 1027
- private-etc 532
- private-tmp 897
- whitelist home directory 557
- whitelist var 836 (include whitelist-var-common.inc)
- whitelist run/user 1137 (include whitelist-runuser-common.inc
+$ /usr/lib/firejail/profstats /etc/firejail/*.profile
+No include .local found in /etc/firejail/noprofile.profile
+Warning: multiple caps in /etc/firejail/transmission-daemon.profile
+
+Stats:
+ profiles 1176
+ include local profile 1175 (include profile-name.local)
+ include globals 1144 (include globals.local)
+ blacklist ~/.ssh 1050 (include disable-common.inc)
+ seccomp 1070
+ capabilities 1171
+ noexec 1057 (include disable-exec.inc)
+ noroot 979
+ memory-deny-write-execute 258
+ apparmor 700
+ private-bin 681
+ private-dev 1033
+ private-etc 533
+ private-tmp 905
+ whitelist home directory 562
+ whitelist var 842 (include whitelist-var-common.inc)
+ whitelist run/user 1145 (include whitelist-runuser-common.inc
  or blacklist ${RUNUSER})
- whitelist usr/share 609 (include whitelist-usr-share-common.inc
- net none 396
- dbus-user none 656
- dbus-user filter 108
- dbus-system none 808
+ whitelist usr/share 614 (include whitelist-usr-share-common.inc
+ net none 399
+ dbus-user none 662
+ dbus-user filter 113
+ dbus-system none 816
  dbus-system filter 10
 ```
 

diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
@@ -3,7 +3,7 @@ all: profstats
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/common.h
  $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 profstats: $(OBJS)

diff --git a/src/profstats/main.c b/src/profstats/main.c
@@ -17,10 +17,8 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
+
+#include "../include/common.h"
 
 #define MAXBUF 2048
 // stats
@@ -99,8 +97,9 @@ static void usage(void) {
  printf("\n");
 }
 
-void process_file(const char *fname) {
+static void process_file(char *fname) {
  assert(fname);
+ char *tmpfname = NULL;
 
  if (arg_debug)
  printf("processing #%s#\n", fname);
@@ -109,9 +108,19 @@ void process_file(const char *fname) {
 
  FILE *fp = fopen(fname, "r");
  if (!fp) {
- fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
- level--;
- return;
+ // the file was not found in the current directory
+ // look for it in /etc/firejail directory
+ if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
+ errExit("asprintf");
+
+ fp = fopen(tmpfname, "r");
+ if (!fp) {
+ fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
+ free(tmpfname);
+ level--;
+ return;
+ }
+ fname = tmpfname;
  }
 
  int have_include_local = 0;
@@ -204,6 +213,8 @@ void process_file(const char *fname) {
  if (!have_include_local)
  printf("No include .local found in %s\n", fname);
  level--;
+ if (tmpfname)
+ free(tmpfname);
 }
 
 int main(int argc, char **argv) {