From 5c95f0f9578593b5549a1c8b37693e9f419ef880 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 1 Mar 2021 07:24:29 -0500
Subject: [PATCH] retiring --audit (replaced by jailtest)
---
 Makefile.in | 2 +-
 configure | 3 +-
 configure.ac | 2 +-
 src/faudit/Makefile.in | 14 -----
 src/faudit/caps.c | 78 ------------------------
 src/faudit/dbus.c | 131 ----------------------------------------
 src/faudit/dev.c | 47 --------------
 src/faudit/faudit.h | 68 ---------------------
 src/faudit/files.c | 75 -----------------------
 src/faudit/main.c | 98 ------------------------------
 src/faudit/network.c | 101 -------------------------------
 src/faudit/pid.c | 99 ------------------------------
 src/faudit/seccomp.c | 101 -------------------------------
 src/faudit/syscall.c | 105 --------------------------------
 src/faudit/x11.c | 63 -------------------
 src/firejail/firejail.h | 2 -
 src/firejail/join.c | 2 +-
 src/firejail/main.c | 24 --------
 src/firejail/sandbox.c | 16 +----
 src/firejail/usage.c | 1 -
 src/man/firejail.txt | 30 ---------
 21 files changed, 5 insertions(+), 1057 deletions(-)
 delete mode 100644 src/faudit/Makefile.in
 delete mode 100644 src/faudit/caps.c
 delete mode 100644 src/faudit/dbus.c
 delete mode 100644 src/faudit/dev.c
 delete mode 100644 src/faudit/faudit.h
 delete mode 100644 src/faudit/files.c
 delete mode 100644 src/faudit/main.c
 delete mode 100644 src/faudit/network.c
 delete mode 100644 src/faudit/pid.c
 delete mode 100644 src/faudit/seccomp.c
 delete mode 100644 src/faudit/syscall.c
 delete mode 100644 src/faudit/x11.c
diff --git a/Makefile.in b/Makefile.in
index b0deee03b21..dae2079b454 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,7 +24,7 @@ endif
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
-SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
diff --git a/configure b/configure
index 7ef95075e92..e5e0dcc0d83 100755
--- a/configure
+++ b/configure
@@ -4366,7 +4366,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
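Review bot: Any rule elsewhere in Makefile.in that names `src/faudit` explicitly — an install list, a `clean`/`distclean` loop over app directories, or a tarball file list — would be left stale by this hunk, because the diffstat shows only this single-line change to the file; it is worth grepping the remainder of Makefile.in for `faudit` before merging, and the same applies to `.gitignore`, which this commit does not touch. On the new line itself the value is a fixed list, so the simply-expanded form `SBOX_APPS := src/fbuilder/fbuilder src/ftee/ftee` would be the conventional flavour, although the neighbouring assignments use `=` as well. The rest of Makefile.in is outside the hunk.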
@@ -5090,7 +5090,6 @@ do "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; - "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; diff --git a/configure.ac b/configure.ac index 2654a26998e..e8bd6fb801d 100644 --- a/configure.ac +++ b/configure.ac @@ -305,7 +305,7 @@ fi AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ -src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ +src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \ src/jailtest/Makefile) diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in deleted file mode 100644 index 44c121a4c7c..00000000000 --- a/src/faudit/Makefile.in +++ /dev/null @@ -1,14 +0,0 @@ -all: faudit - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -faudit: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) - -clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist - -distclean: clean - rm -fr Makefile 
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
deleted file mode 100644
index e9547dc8e6e..00000000000
--- a/src/faudit/caps.c
+++ /dev/null
@@ -1,78 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "faudit.h" -#include - -#define MAXBUF 4098 -static int extract_caps(uint64_t *val) { - FILE *fp = fopen("/proc/self/status", "r"); - if (!fp) - return 1; - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - if (strncmp(buf, "CapBnd:\t", 8) == 0) { - char *ptr = buf + 8; - unsigned long long tmp; - sscanf(ptr, "%llx", &tmp); - *val = tmp; - fclose(fp); - return 0; - } - } - - fclose(fp); - return 1; -} - -// return 1 if the capability is in the map -static int check_capability(uint64_t map, int cap) { - int i; - uint64_t mask = 1ULL; - - for (i = 0; i < 64; i++, mask <<= 1) { - if ((i == cap) && (mask & map)) - return 1; - } - - return 0; -} - -void caps_test(void) { - uint64_t caps_val; - - if (extract_caps(&caps_val)) { - printf("SKIP: cannot extract capabilities on this platform.\n"); - return; - } - - if (caps_val) { - printf("BAD: the capability map is %llx, it should be all zero. 
", (unsigned long long) caps_val); - printf("Use \"firejail --caps.drop=all\" to fix it.\n"); - - if (check_capability(caps_val, CAP_SYS_ADMIN)) - printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); - if (check_capability(caps_val, CAP_SYS_BOOT)) - printf("UGLY: CAP_SYS_BOOT is enabled.\n"); - } - else - printf("GOOD: all capabilities are disabled.\n"); -} diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c deleted file mode 100644 index 389504fb8aa..00000000000 --- a/src/faudit/dbus.c +++ /dev/null 
@@ -1,131 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include "../include/rundefs.h" -#include -#include -#include - -// return 0 if the connection is possible -int check_unix(const char *sockfile) { - assert(sockfile); - int rv = -1; - - // open socket - int sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock == -1) - return rv; - - // connect - struct sockaddr_un remote; - memset(&remote, 0, sizeof(struct sockaddr_un)); - remote.sun_family = AF_UNIX; - strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1); - int len = strlen(remote.sun_path) + sizeof(remote.sun_family); - if (*sockfile == '@') - remote.sun_path[0] = '\0'; - if (connect(sock, (struct sockaddr *)&remote, len) == 0) - rv = 0; - - close(sock); - return rv; -} - -static char *test_dbus_env(char *env_var_name) { - // check the session bus - char *str = getenv(env_var_name); - char *found = NULL; - if (str) { - int rv = 0; - char *bus = strdup(str); - if (!bus) - errExit("strdup"); - char *sockfile; - if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) { - sockfile += 13; - *sockfile = '@'; - char *ptr = strchr(sockfile, ','); - if (ptr) - *ptr = '\0'; - rv = check_unix(sockfile); - 
*sockfile = '@'; - if (rv == 0) - printf("MAYBE: D-Bus socket %s is available\n", sockfile); - else if (rv == -1) - printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); - } - else if ((sockfile = strstr(bus, "unix:path=")) != NULL) { - sockfile += 10; - char *ptr = strchr(sockfile, ','); - if (ptr) - *ptr = '\0'; - rv = check_unix(sockfile); - if (rv == 0) { - if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 || - strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) { - printf("GOOD: D-Bus filtering is active on %s\n", sockfile); - } else { - printf("MAYBE: D-Bus socket %s is available\n", sockfile); - } - } - else if (rv == -1) - printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); - found = strdup(sockfile); - if (!found) - errExit("strdup"); - } - else if (strstr(bus, "tcp:host=") != NULL) - printf("UGLY: %s bus configured for TCP communication.\n", env_var_name); - else - printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name); - free(bus); - } - else - printf("MAYBE: %s environment variable not configured.\n", env_var_name); - return found; -} - -static void test_default_socket(const char *found, const char *format, ...) { - va_list ap; - va_start(ap, format); - char *sockfile; - if (vasprintf(&sockfile, format, ap) == -1) - errExit("vasprintf"); - va_end(ap); - if (found != NULL && strcmp(found, sockfile) == 0) - goto end; - int rv = check_unix(sockfile); - if (rv == 0) - printf("MAYBE: D-Bus socket %s is available\n", sockfile); -end: - free(sockfile); -} - -void dbus_test(void) { - char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS"); - test_default_socket(found_user, "/run/user/%d/bus", (int) getuid()); - test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid()); - if (found_user != NULL) - free(found_user); - char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS"); - test_default_socket(found_system, "/run/dbus/system_bus_socket"); - if (found_system != NULL) - free(found_system); -} 
diff --git a/src/faudit/dev.c b/src/faudit/dev.c deleted file mode 100644 index 61cb1cabe6a..00000000000 --- a/src/faudit/dev.c +++ /dev/null @@ -1,47 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include - -void dev_test(void) { - DIR *dir; - if (!(dir = opendir("/dev"))) { - fprintf(stderr, "Error: cannot open /dev directory\n"); - return; - } - - struct dirent *entry; - printf("INFO: files visible in /dev directory: "); - int cnt = 0; - while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) - continue; - - printf("%s, ", entry->d_name); - cnt++; - } - printf("\n"); - - if (cnt > 20) - printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); - else - printf("GOOD: Access to /dev directory is restricted.\n"); - closedir(dir); -} diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h deleted file mode 100644 index cfed1504b76..00000000000 --- a/src/faudit/faudit.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#ifndef FAUDIT_H -#define FAUDIT_H -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) - -// main.c -extern char *prog; - -// pid.c -void pid_test(void); - -// caps.c -void caps_test(void); - -// seccomp.c -void seccomp_test(void); - -// syscall.c -void syscall_helper(int argc, char **argv); -void syscall_run(const char *name); - -// files.c -void files_test(void); - -// network.c -void network_test(void); - -// dbus.c -int check_unix(const char *sockfile); -void dbus_test(void); - -// dev.c -void dev_test(void); - -// x11.c -void x11_test(void); - -#endif diff --git a/src/faudit/files.c b/src/faudit/files.c deleted file mode 100644 index 73e0a387dac..00000000000 --- a/src/faudit/files.c +++ /dev/null 
@@ -1,75 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include - -static char *username = NULL; -static char *homedir = NULL; - -static void check_home_file(const char *name) { - assert(homedir); - - char *fname; - if (asprintf(&fname, "%s/%s", homedir, name) == -1) - errExit("asprintf"); - - if (access(fname, R_OK) == 0) { - printf("UGLY: I can access files in %s directory. 
", fname); - printf("Use \"firejail --blacklist=%s\" to block it.\n", fname); - } - else - printf("GOOD: I cannot access files in %s directory.\n", fname); - - free(fname); -} - -void files_test(void) { - struct passwd *pw = getpwuid(getuid()); - if (!pw) { - fprintf(stderr, "Error: cannot retrieve user account information\n"); - return; - } - - username = strdup(pw->pw_name); - if (!username) - errExit("strdup"); - homedir = strdup(pw->pw_dir); - if (!homedir) - errExit("strdup"); - - // check access to .ssh directory - check_home_file(".ssh"); - - // check access to .gnupg directory - check_home_file(".gnupg"); - - // check access to Firefox browser directory - check_home_file(".mozilla"); - - // check access to Chromium browser directory - check_home_file(".config/chromium"); - - // check access to Debian Icedove directory - check_home_file(".icedove"); - - // check access to Thunderbird directory - check_home_file(".thunderbird"); -} diff --git a/src/faudit/main.c b/src/faudit/main.c deleted file mode 100644 index 605d5ff7bc1..00000000000 --- a/src/faudit/main.c +++ /dev/null 
@@ -1,98 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -char *prog; - -int main(int argc, char **argv) { - // make test-arguments helper - if (getenv("FIREJAIL_TEST_ARGUMENTS")) { - printf("Arguments:\n"); - - int i; - for (i = 0; i < argc; i++) { - printf("#%s#\n", argv[i]); - } - - return 0; - } - - - if (argc != 1) { - int i; - - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "syscall") == 0) { - syscall_helper(argc, argv); - return 0; - } - } - return 1; - } - - printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n"); - - // extract program name - prog = realpath(argv[0], NULL); - if (prog == NULL) { - prog = strdup("faudit"); - if (!prog) - errExit("strdup"); - } - printf("INFO: starting %s.\n", prog); - - - // check pid namespace - pid_test(); - printf("\n"); - - // check seccomp - seccomp_test(); - printf("\n"); - - // check capabilities - caps_test(); - printf("\n"); - - // check some well-known problematic files and directories - files_test(); - printf("\n"); - - // network - network_test(); - printf("\n"); - - // dbus - dbus_test(); - printf("\n"); - - // x11 test - x11_test(); - printf("\n"); - - // /dev test - 
dev_test(); - printf("\n"); - - - free(prog); - printf("--------------------------------------------------------------------------------\n"); - - return 0; -} diff --git a/src/faudit/network.c b/src/faudit/network.c deleted file mode 100644 index 8e799dc19fc..00000000000 --- a/src/faudit/network.c +++ /dev/null 
@@ -1,101 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include -#include -#include - -static void check_ssh(void) { - // open socket - int sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock == -1) { - printf("GOOD: SSH server not available on localhost.\n"); - return; - } - - // connect to localhost - struct sockaddr_in server; - server.sin_addr.s_addr = inet_addr("127.0.0.1"); - server.sin_family = AF_INET; - server.sin_port = htons(22); - - if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) - printf("GOOD: SSH server not available on localhost.\n"); - else { - printf("MAYBE: an SSH server is accessible on localhost. 
"); - printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); - } - - close(sock); -} - -static void check_http(void) { - // open socket - int sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock == -1) { - printf("GOOD: HTTP server not available on localhost.\n"); - return; - } - - // connect to localhost - struct sockaddr_in server; - server.sin_addr.s_addr = inet_addr("127.0.0.1"); - server.sin_family = AF_INET; - server.sin_port = htons(80); - - if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) - printf("GOOD: HTTP server not available on localhost.\n"); - else { - printf("MAYBE: an HTTP server is accessible on localhost. "); - printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); - } - - close(sock); -} - -void check_netlink(void) { - int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); - if (sock == -1) { - printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); - return; - } - - struct sockaddr_nl local; - memset(&local, 0, sizeof(local)); - local.nl_family = AF_NETLINK; - local.nl_groups = 0; //subscriptions; - - if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) { - printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); - close(sock); - return; - } - - close(sock); - printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); - printf("You can use \"--protocol\" to disable the socket.\n"); -} - -void network_test(void) { - check_ssh(); - check_http(); - check_netlink(); -} diff --git a/src/faudit/pid.c b/src/faudit/pid.c deleted file mode 100644 index ec8c37dc77a..00000000000 --- a/src/faudit/pid.c +++ /dev/null 
@@ -1,99 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" - -void pid_test(void) { - static char *kern_proc[] = { - "kthreadd", - "ksoftirqd", - "kworker", - "rcu_sched", - "rcu_bh", - NULL // NULL terminated list - }; - int i; - - // look at the first 10 processes - int not_visible = 1; - for (i = 1; i <= 10; i++) { - struct stat s; - char *fname; - if (asprintf(&fname, "/proc/%d/comm", i) == -1) - errExit("asprintf"); - if (stat(fname, &s) == -1) { - free(fname); - continue; - } - - // open file - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); - if (!fp) { - free(fname); - continue; - } - - // read file - char buf[100]; - if (fgets(buf, 10, fp) == NULL) { - fclose(fp); - free(fname); - continue; - } - not_visible = 0; - - // clean /n - char *ptr; - if ((ptr = strchr(buf, '\n')) != NULL) - *ptr = '\0'; - - // check process name against the kernel list - int j = 0; - while (kern_proc[j] != NULL) { - if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { - fclose(fp); - free(fname); - printf("BAD: Process %d is not running in a PID namespace. 
", getpid()); - printf("Are you sure you're running in a sandbox?\n"); - return; - } - j++; - } - - fclose(fp); - free(fname); - } - - pid_t pid = getpid(); - if (not_visible && pid > 100) - printf("BAD: Process %d is not running in a PID namespace.\n", pid); - else - printf("GOOD: process %d is running in a PID namespace.\n", pid); - - // try to guess the type of container/sandbox - char *str = getenv("container"); - if (str) - printf("INFO: container/sandbox %s.\n", str); - else { - str = getenv("SNAP"); - if (str) - printf("INFO: this is a snap package\n"); - } -} diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c deleted file mode 100644 index d8acee160f0..00000000000 --- a/src/faudit/seccomp.c +++ /dev/null 
@@ -1,101 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" - -#define MAXBUF 4098 -static int extract_seccomp(int *val) { - FILE *fp = fopen("/proc/self/status", "r"); - if (!fp) - return 1; - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - if (strncmp(buf, "Seccomp:\t", 9) == 0) { - char *ptr = buf + 9; - int tmp; - sscanf(ptr, "%d", &tmp); - *val = tmp; - fclose(fp); - return 0; - } - } - - fclose(fp); - return 1; -} - -void seccomp_test(void) { - int seccomp_status; - int rv = extract_seccomp(&seccomp_status); - - if (rv) { - printf("INFO: cannot extract seccomp configuration on this platform.\n"); - return; - } - - if (seccomp_status == 0) { - printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); - } - else if (seccomp_status == 1) - printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed.\n"); - else if (seccomp_status == 2) { - printf("GOOD: seccomp BPF enabled.\n"); - - printf("checking syscalls: "); fflush(0); - printf("mount... "); fflush(0); - syscall_run("mount"); - - printf("umount2... "); fflush(0); - syscall_run("umount2"); - - printf("ptrace... 
"); fflush(0); - syscall_run("ptrace"); - - printf("swapon... "); fflush(0); - syscall_run("swapon"); - - printf("swapoff... "); fflush(0); - syscall_run("swapoff"); - - printf("init_module... "); fflush(0); - syscall_run("init_module"); - - printf("delete_module... "); fflush(0); - syscall_run("delete_module"); - - printf("chroot... "); fflush(0); - syscall_run("chroot"); - - printf("pivot_root... "); fflush(0); - syscall_run("pivot_root"); - -#if defined(__i386__) || defined(__x86_64__) - printf("iopl... "); fflush(0); - syscall_run("iopl"); - - printf("ioperm... "); fflush(0); - syscall_run("ioperm"); -#endif - printf("\n"); - } - else - fprintf(stderr, "Error: unrecognized seccomp mode\n"); - -} diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c deleted file mode 100644 index 11e83a0f5f6..00000000000 --- a/src/faudit/syscall.c +++ /dev/null 
@@ -1,105 +0,0 @@ -/* - * Copyright (C) 2014-2021 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include -#if defined(__i386__) || defined(__x86_64__) -#include -#endif -#include -extern int init_module(void *module_image, unsigned long len, - const char *param_values); -extern int finit_module(int fd, const char *param_values, - int flags); -extern int delete_module(const char *name, int flags); -extern int pivot_root(const char *new_root, const char *put_old); - -void syscall_helper(int argc, char **argv) { - (void) argc; - - if (argc < 3) - return; - - if (strcmp(argv[2], "mount") == 0) { - int rv = mount(NULL, NULL, NULL, 0, NULL); - (void) rv; - printf("\nUGLY: mount syscall permitted.\n"); - } - else if (strcmp(argv[2], "umount2") == 0) { - umount2(NULL, 0); - printf("\nUGLY: umount2 syscall permitted.\n"); - } - else if (strcmp(argv[2], "ptrace") == 0) { - ptrace(0, 0, NULL, NULL); - printf("\nUGLY: ptrace syscall permitted.\n"); - } - else if (strcmp(argv[2], "swapon") == 0) { - swapon(NULL, 0); - printf("\nUGLY: swapon syscall permitted.\n"); - } - else if (strcmp(argv[2], "swapoff") == 0) { - swapoff(NULL); - printf("\nUGLY: swapoff syscall permitted.\n"); - } - else if 
(strcmp(argv[2], "init_module") == 0) { - init_module(NULL, 0, NULL); - printf("\nUGLY: init_module syscall permitted.\n"); - } - else if (strcmp(argv[2], "delete_module") == 0) { - delete_module(NULL, 0); - printf("\nUGLY: delete_module syscall permitted.\n"); - } - else if (strcmp(argv[2], "chroot") == 0) { - int rv = chroot("/blablabla-57281292"); - (void) rv; - printf("\nUGLY: chroot syscall permitted.\n"); - } - else if (strcmp(argv[2], "pivot_root") == 0) { - pivot_root(NULL, NULL); - printf("\nUGLY: pivot_root syscall permitted.\n"); - } -#if defined(__i386__) || defined(__x86_64__) - else if (strcmp(argv[2], "iopl") == 0) { - iopl(0L); - printf("\nUGLY: iopl syscall permitted.\n"); - } - else if (strcmp(argv[2], "ioperm") == 0) { - ioperm(0, 0, 0); - printf("\nUGLY: ioperm syscall permitted.\n"); - } -#endif - exit(0); -} - -void syscall_run(const char *name) { - assert(prog); - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - execl(prog, prog, "syscall", name, NULL); - perror("execl"); - _exit(1); - } - - // wait for the child to finish - waitpid(child, NULL, 0); -} diff --git a/src/faudit/x11.c b/src/faudit/x11.c deleted file mode 100644 index 2ffd7bac766..00000000000 --- a/src/faudit/x11.c +++ /dev/null 
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include
-#include
-
-
-void x11_test(void) {
- // check regular display 0 sockets
- if (check_unix("/tmp/.X11-unix/X0") == 0)
- printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
-
- if (check_unix("@/tmp/.X11-unix/X0") == 0)
- printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
-
- // check all unix sockets in /tmp/.X11-unix directory
- DIR *dir;
- if (!(dir = opendir("/tmp/.X11-unix"))) {
- // sleep 2 seconds and try again
- sleep(2);
- if (!(dir = opendir("/tmp/.X11-unix"))) {
- ;
- }
- }
-
- if (dir == NULL)
- printf("GOOD: cannot open /tmp/.X11-unix directory\n");
- else {
- struct dirent *entry;
- while ((entry = readdir(dir)) != NULL) {
- if (strcmp(entry->d_name, "X0") == 0)
- continue;
- if (strcmp(entry->d_name, ".") == 0)
- continue;
- if (strcmp(entry->d_name, "..") == 0)
- continue;
- char *name;
- if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
- errExit("asprintf");
- if (check_unix(name) == 0)
- printf("MAYBE: X11 socket %s is available\n", name);
- free(name);
- }
- closedir(dir);
- }
-}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index c8080f7781b..b21b5bef67e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -328,8 +328,6 @@ extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
-extern int arg_audit; // audit
-extern char *arg_audit_prog; // audit
 extern int arg_apparmor; // apparmor
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
diff --git a/src/firejail/join.c b/src/firejail/join.c
index a8011aa1436..1575a746945 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 extract_x11_display(parent);
 int shfd = -1;
- if (!arg_shell_none && !arg_audit)
+ if (!arg_shell_none)
 shfd = open_shell();
 EUID_ROOT();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index fe806dcdb64..9705c2436ae 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -130,8 +130,6 @@ int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
-int arg_audit = 0; // audit
-char *arg_audit_prog = NULL; // audit
 int arg_apparmor = 0; // apparmor
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
@@ -2608,28 +2606,6 @@ int main(int argc, char **argv, char **envp) {
 //*************************************
 else if (strncmp(argv[i], "--timeout=", 10) == 0)
 cfg.timeout = extract_timeout(argv[i] + 10);
- else if (strcmp(argv[i], "--audit") == 0) {
- arg_audit_prog = LIBDIR "/firejail/faudit";
- profile_add_ignore("shell none");
- arg_audit = 1;
- }
- else if (strncmp(argv[i], "--audit=", 8) == 0) {
- if (strlen(argv[i] + 8) == 0) {
- fprintf(stderr, "Error: invalid audit program\n");
- exit(1);
- }
- arg_audit_prog = strdup(argv[i] + 8);
- if (!arg_audit_prog)
- errExit("strdup");
-
- struct stat s;
- if (stat(arg_audit_prog, &s) != 0) {
- fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
- exit(1);
- }
- profile_add_ignore("shell none");
- arg_audit = 1;
- }
 else if (strcmp(argv[i], "--appimage") == 0)
 arg_appimage = 1;
 else if (strcmp(argv[i], "--shell=none") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f1ab895dbe5..a04551ed4b0 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -474,24 +474,10 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
 }
- //****************************************
- // audit
- //****************************************
- if (arg_audit) {
- assert(arg_audit_prog);
-
-#ifdef HAVE_GCOV
- __gcov_dump();
-#endif
- seccomp_install_filters();
- if (set_sandbox_status)
- *set_sandbox_status = SANDBOX_DONE;
- execl(arg_audit_prog, arg_audit_prog, NULL);
- }
 //****************************************
 // start the program without using a shell
 //****************************************
- else if (arg_shell_none) {
+ if (arg_shell_none) {
 if (arg_debug) {
 int i;
 for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index adba5da40aa..8f9cc065f16 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
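Review bot: With the `--audit` and `--audit=` branches deleted, a command line that still passes `--audit` now falls through to whatever option handling follows this hunk, which is outside the visible lines, so whether it is rejected with a clear message or interpreted some other way cannot be confirmed here. Since the commit title says jailtest replaces the feature, a transitional branch that names the replacement would keep existing wrappers and scripts from failing opaquely, e.g. `else if (strcmp(argv[i], "--audit") == 0 || strncmp(argv[i], "--audit=", 8) == 0) { fprintf(stderr, "Error: --audit has been removed, use jailtest instead\n"); exit(1); }`. The body of main() continues outside the hunk. The sandbox.c hunk on the same line drops the audit branch and turns the following `else if (arg_shell_none)` into a plain `if`, which preserves the remaining chain; nothing further to raise there.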
@@ -33,7 +33,6 @@ static char *usage_str =
 " --apparmor - enable AppArmor confinement.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
 " --appimage - sandbox an AppImage application.\n"
- " --audit[=test-program] - audit the sandbox.\n"
 #ifdef HAVE_NETWORK
 " --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 639b171cdd2..f9111ae7b73 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -155,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
 #endif
 .TP
-\fB\-\-audit
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
-\fB\-\-audit=test-program
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -2972,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
-.SH AUDIT
-Audit feature allows the user to point out gaps in security profiles. The
-implementation replaces the program to be sandboxed with a test program. By
-default, we use faudit program distributed with Firejail. A custom test program
-can also be supplied by the user. Examples:
-
-Running the default audit program:
-.br
- $ firejail --audit transmission-gtk
-
-Running a custom audit program:
-.br
- $ firejail --audit=~/sandbox-test transmission-gtk
-
-In the examples above, the sandbox configures transmission-gtk profile and
-starts the test program. The real program, transmission-gtk, will not be
-started.
-
-You can also audit a specific profile without specifying a program.
-.br
- $ firejail --audit --profile=/etc/firejail/zoom.profile
-
-Limitations: audit feature is not implemented for --x11 commands.
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place