security: Add Sandbox Coverage to report page

Signed-off-by: James Valleroy <jvalleroy@mailbox.org> [sunil: Change label from 'Not Running' to 'Not running' for consistency] Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-06-17 11:10:23 +00:00 · 2020-02-05 07:44:08 -05:00 · 2020-02-05 07:44:08 -05:00 · 20a1c70fc2
commit 20a1c70fc2
parent a6b329fef4
2 changed files with 28 additions and 0 deletions
--- a/plinth/modules/security/init.py
+++ b/plinth/modules/security/init.py
@ -18,6 +18,7 @@
 FreedomBox app for security configuration.
 """

+import re
 import subprocess
 from collections import defaultdict

@ -128,6 +129,16 @@ def get_apps_report():
    except Exception:
        past_cves = None

+    service_exposure_lines = subprocess.check_output(
+        ['systemd-analyze', 'security']).decode().strip().split('\n')
+    service_exposure_lines.pop(0)
+    sandbox_coverage = {}
+    for line in service_exposure_lines:
+        fields = line.split()
+        name = re.sub(r'\.service$', '', fields[0])
+        score = round(100 - float(fields[1]) * 10)
+        sandbox_coverage[name] = score
+
    apps = {
        'freedombox': {
            'name': 'freedombox',
@ -171,6 +182,8 @@ def get_apps_report():
            for service in services:
                if _get_service_is_sandboxed(service):
                    apps[module_name]['sandboxed'] = True
+                    apps[module_name][
+                        'sandbox_coverage'] = sandbox_coverage.get(service)

    for cve_packages in cves.values():
        for app_ in apps.values():
--- a/plinth/modules/security/templates/security_report.html
+++ b/plinth/modules/security/templates/security_report.html
@ -42,6 +42,13 @@
      potentially compromised app to the rest of the system.
    {% endblocktrans %}
  </p>
+  <p>
+    {% blocktrans trimmed %}
+      "Sandbox Coverage" is a score of how effectively the service is isolated
+      from the rest of the system. It is only displayed while the service is
+      running.
+    {% endblocktrans %}
+  </p>
  <table class="table table-bordered table-condensed table-striped">
    <thead>
      <tr>
@ -49,6 +56,7 @@
        <th>{% trans "Current Vulnerabilities" %}</th>
        <th>{% trans "Past Vulnerabilities" %}</th>
        <th>{% trans "Sandboxed" %}</th>
+        <th>{% trans "Sandbox Coverage" %}</th>
      </tr>
    </thead>
    <tbody>
@ -66,6 +74,13 @@
              {% trans "No" %}
            {% endif %}
          </td>
+          <td>
+            {% if app.sandbox_coverage %}
+              {{ app.sandbox_coverage }}%
+            {% elif app.sandboxed %}
+              {% trans "Not running" %}
+            {% endif %}
+          </td>
        </tr>
      {% endfor %}
    </tbody>