added firejail --apparmor.print and firemon --apparmor

netblue30 · Jan 24, 2018 · 5ebebb1 · 5ebebb1 · Fred-Barclay · Jan 25, 2018
1 parent b78a333
commit 5ebebb1
Show file tree

Hide file tree

Showing 9 changed files with 106 additions and 2 deletions.
diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -511,6 +511,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  cpu_print_filter(pid);
  exit(0);
  }
+ else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) {
+ // join sandbox by pid or by name
+ pid_t pid = read_pid(argv[i] + 17);
+ char *pidstr;
+ if (asprintf(&pidstr, "%u", pid) == -1)
+ errExit("asprintf");
+ sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIREMON, "--apparmor", pidstr);
+ free(pidstr);
+ exit(0);
+ }
  else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
  // join sandbox by pid or by name
  pid_t pid = read_pid(argv[i] + 13);

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
  printf("\thome directories.\n");
  printf(" --allusers - all user home directories are visible inside the sandbox.\n");
  printf(" --apparmor - enable AppArmor confinement.\n");
+ printf(" --apparmor.print=name|pid - print apparmor status.\n");
  printf(" --appimage - sandbox an AppImage application.\n");
  printf(" --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK

diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
@@ -6,13 +6,14 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_GCOV=@HAVE_GCOV@
+HAVE_APPARMOR=@HAVE_APPARMOR@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 HAVE_GCOV=@HAVE_GCOV@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@

diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firemon.h"
+#include <sys/apparmor.h>
+
+#ifdef HAVE_APPARMOR
+static void print_apparmor(int pid) {
+ char *label = NULL;
+ char *mode = NULL;
+ int rv = aa_gettaskcon(pid, &label, &mode);
+ if (rv != -1) {
+ printf(" AppArmor: ");
+ if (label)
+ printf("%s ", label);
+ if (mode)
+ printf("%s", mode);
+ printf("\n");
+ }
+}
+
+void apparmor(pid_t pid, int print_procs) {
+ pid_read(pid);
+
+ // print processes
+ int i;
+ for (i = 0; i < max_pids; i++) {
+ if (pids[i].level == 1) {
+ if (print_procs || pid == 0)
+ pid_print_list(i, arg_nowrap);
+ int child = find_child(i);
+ if (child != -1)
+ print_apparmor(child);
+ }
+ }
+ printf("\n");
+}
+
+#else
+
+void apparmor(pid_t pid, int print_procs) {
+ (void) pid;
+ (void) print_procs;
+ printf("AppArmor support not available\n");
+}
+#endif
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
@@ -37,6 +37,7 @@ static int arg_x11 = 0;
 static int arg_top = 0;
 static int arg_list = 0;
 static int arg_netstats = 0;
+static int arg_apparmor = 0;
 int arg_nowrap = 0;
 
 static struct termios tlocal; // startup terminal setting
@@ -178,6 +179,8 @@ int main(int argc, char **argv) {
  arg_route = 1;
  else if (strcmp(argv[i], "--arp") == 0)
  arg_arp = 1;
+ else if (strcmp(argv[i], "--apparmor") == 0)
+ arg_apparmor = 1;
 
  else if (strncmp(argv[i], "--name=", 7) == 0) {
  char *name = argv[i] + 7;
@@ -238,7 +241,7 @@ int main(int argc, char **argv) {
  }
 
  // if --name requested without other options, print all data
- if (pid && !arg_cpu && !arg_seccomp && !arg_caps &&
+ if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
  !arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
  arg_tree = 1;
  arg_cpu = 1;
@@ -249,6 +252,7 @@ int main(int argc, char **argv) {
  arg_interface = 1;
  arg_route = 1;
  arg_arp = 1;
+ arg_apparmor = 1;
  }
 
  // cumulative options
@@ -265,6 +269,10 @@ int main(int argc, char **argv) {
  caps((pid_t) pid, print_procs);
  print_procs = 0;
  }
+ if (arg_apparmor) {
+ apparmor((pid_t) pid, print_procs);
+ print_procs = 0;
+ }
  if (arg_cgroup) {
  cgroup((pid_t) pid, print_procs);
  print_procs = 0;

diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
@@ -83,4 +83,7 @@ void netstats(void);
 // x11.c
 void x11(pid_t pid, int print_procs);
 
+//apparmor.c
+void apparmor(pid_t pid, int print_procs);
+
 #endif
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
@@ -27,6 +27,7 @@ void usage(void) {
  printf("are also being monitored. On Grsecurity systems only root user\n");
  printf("can run this program.\n\n");
  printf("Options:\n");
+ printf("\t--apparmor - print AppArmor confinement status for each sandbox.\n\n");
  printf("\t--arp - print ARP table for each sandbox.\n\n");
  printf("\t--caps - print capabilities configuration for each sandbox.\n\n");
  printf("\t--cgroup - print control group information for each sandbox.\n\n");

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
@@ -111,6 +111,21 @@ $ firejail --appimage krita-3.0-x86_64.appimage
 $ firejail --appimage --private krita-3.0-x86_64.appimage
 .br
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+
+.TP
+\fB\-\-apparmor.print=name|pid
+Print the AppArmor confinement status for the sandbox identified by name or by PID.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-apparmor.print=browser
+.br
+5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
+.br
+ AppArmor: firejail-default enforce
+
 .TP
 \fB\-\-audit
 Audit the sandbox, see \fBAUDIT\fR section for more details.

diff --git a/src/man/firemon.txt b/src/man/firemon.txt
@@ -10,6 +10,9 @@ these processes are also being monitored. On Grsecurity systems only root user
 can run this program.
 .SH OPTIONS
 .TP
+\fB\-\-apparmor
+Print AppArmor confinement status for each sandbox.
+.TP
 \fB\-\-arp
 Print ARP table for each sandbox.
 .TP