diff --git a/plinth/modules/security/__init__.py b/plinth/modules/security/__init__.py
index 14a5b8afd..859c6dd1d 100644
--- a/plinth/modules/security/__init__.py
+++ b/plinth/modules/security/__init__.py
@@ -18,6 +18,7 @@ FreedomBox app for security configuration.
"""
+import re
import subprocess
from collections import defaultdict
@@ -128,6 +129,16 @@ def get_apps_report():
except Exception:
past_cves = None
+ service_exposure_lines = subprocess.check_output(
+ ['systemd-analyze', 'security']).decode().strip().split('\n')
+ service_exposure_lines.pop(0)
+ sandbox_coverage = {}
+ for line in service_exposure_lines:
+ fields = line.split()
+ name = re.sub(r'\.service$', '', fields[0])
+ score = round(100 - float(fields[1]) * 10)
+ sandbox_coverage[name] = score
+
apps = {
'freedombox': {
'name': 'freedombox',
@@ -171,6 +182,8 @@ def get_apps_report():
for service in services:
if _get_service_is_sandboxed(service):
apps[module_name]['sandboxed'] = True
+ apps[module_name][
+ 'sandbox_coverage'] = sandbox_coverage.get(service)
for cve_packages in cves.values():
for app_ in apps.values():
diff --git a/plinth/modules/security/templates/security_report.html b/plinth/modules/security/templates/security_report.html
index 7b26be513..fdaba5b21 100644
--- a/plinth/modules/security/templates/security_report.html
+++ b/plinth/modules/security/templates/security_report.html
@@ -42,6 +42,13 @@
potentially compromised app to the rest of the system. {% endblocktrans %}
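Review bot: The new `systemd-analyze security` parsing at `service_exposure_lines` has no error handling, unlike the `past_cves` lookup right above it in the hunk, so a missing or failing `systemd-analyze` (CalledProcessError or FileNotFoundError from `check_output`) or a row whose second column is not numeric (ValueError/IndexError in `float(fields[1])`) aborts the whole security report rather than just omitting the coverage score. The call also has no `timeout`, and since it inspects every running unit it can block the request handler for a while on a loaded box. Dropping the first line with `pop(0)` assumes the header row is always present; tolerating unparseable rows removes that assumption and is the more robust way to skip the header. I would restructure it as below; `get_apps_report` starts before this hunk.
```python
    sandbox_coverage = {}
    try:
        output = subprocess.check_output(
            ['systemd-analyze', 'security'], timeout=60).decode()
    except (subprocess.SubprocessError, OSError):
        output = ''  # best effort: render the report without coverage scores

    for line in output.splitlines():
        fields = line.split()
        try:
            exposure = float(fields[1])
        except (IndexError, ValueError):
            continue  # header row, blank line or non-numeric exposure column
        name = re.sub(r'\.service$', '', fields[0])
        sandbox_coverage[name] = round(100 - exposure * 10)
```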
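Review bot: `apps[module_name]['sandbox_coverage']` is reassigned for every sandboxed service of the same app, so for an app with several services the report shows whichever service is iterated last rather than the least isolated one; taking the minimum over the services' scores is the conservative choice. Also, 0 is a valid score (exposure 10.0) whereas `sandbox_coverage.get(service)` yields None only when the unit is absent from the listing, yet the template added in this same diff tests `{% if app.sandbox_coverage %}`, which renders a 0 score as "Not running"; it should test `{% if app.sandbox_coverage is not None %}`. The lookup key `service` is assumed to be a bare unit name matching the `.service`-stripped keys built earlier, which is not visible in this hunk. `get_apps_report` starts before this hunk.
```python
                apps[module_name]['sandboxed'] = True
                score = sandbox_coverage.get(service)
                if score is not None:
                    # keep the weakest service's score when an app has several
                    previous = apps[module_name].get('sandbox_coverage')
                    apps[module_name]['sandbox_coverage'] = (
                        score if previous is None else min(previous, score))
```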
++ {% blocktrans trimmed %} + "Sandbox Coverage" is a score of how effectively the service is isolated + from the rest of the system. It is only displayed while the service is + running. + {% endblocktrans %} +
| {% trans "Current Vulnerabilities" %} | {% trans "Past Vulnerabilities" %} | {% trans "Sandboxed" %} | +{% trans "Sandbox Coverage" %} | + {% if app.sandbox_coverage %} + {{ app.sandbox_coverage }}% + {% elif app.sandboxed %} + {% trans "Not running" %} + {% endif %} + | {% endfor %}
|---|