From 20a1c70fc26c160c747746f19f5f778427f2f65a Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Wed, 5 Feb 2020 07:44:08 -0500
Subject: [PATCH] security: Add Sandbox Coverage to report page
Signed-off-by: James Valleroy
[sunil: Change label from 'Not Running' to 'Not running' for consistency]
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Sunil Mohan Adapa
---
plinth/modules/security/__init__.py | 13 +++++++++++++
.../security/templates/security_report.html | 15 +++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/plinth/modules/security/__init__.py b/plinth/modules/security/__init__.py
index 14a5b8afd..859c6dd1d 100644
--- a/plinth/modules/security/__init__.py
+++ b/plinth/modules/security/__init__.py
@@ -18,6 +18,7 @@ FreedomBox app for security configuration.
"""
+import re
import subprocess
from collections import defaultdict
@@ -128,6 +129,16 @@ def get_apps_report():
except Exception:
past_cves = None
+ service_exposure_lines = subprocess.check_output(
+ ['systemd-analyze', 'security']).decode().strip().split('\n')
+ service_exposure_lines.pop(0)
+ sandbox_coverage = {}
+ for line in service_exposure_lines:
+ fields = line.split()
+ name = re.sub(r'\.service$', '', fields[0])
+ score = round(100 - float(fields[1]) * 10)
+ sandbox_coverage[name] = score
+
apps = {
'freedombox': {
'name': 'freedombox',
@@ -171,6 +182,8 @@ def get_apps_report():
for service in services:
if _get_service_is_sandboxed(service):
apps[module_name]['sandboxed'] = True
+ apps[module_name][
+ 'sandbox_coverage'] = sandbox_coverage.get(service)
for cve_packages in cves.values():
for app_ in apps.values():
diff --git a/plinth/modules/security/templates/security_report.html b/plinth/modules/security/templates/security_report.html
index 7b26be513..fdaba5b21 100644
--- a/plinth/modules/security/templates/security_report.html
+++ b/plinth/modules/security/templates/security_report.html
@@ -42,6 +42,13 @@ potentially compromised app to the rest of the system. {% endblocktrans %}
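Review bot: The new `subprocess.check_output(['systemd-analyze', 'security'])` call in get_apps_report() is unguarded, so a non-zero exit or a missing binary (for example a systemd build without the `security` verb, or the command being blocked by the daemon's own sandbox) raises CalledProcessError/OSError and takes down the whole security report, whereas the `past_cves` lookup just above it is wrapped in `try/except Exception` and degrades to None. The per-line parsing is equally brittle: `fields[0]` and `float(fields[1])` assume every line after the header carries a unit name followed by a numeric exposure, and a blank or differently shaped line raises IndexError or ValueError for the whole page. I would move the command and parsing into a best-effort helper that returns an empty dict on failure and skips lines it cannot parse, so the report still renders without coverage figures; the interpretation of column 1 as the exposure value is inferred from the score formula and should be confirmed against the systemd-analyze output format in use. get_apps_report() starts and ends outside the hunk.
```python
def _get_sandbox_coverage():
    """Return {unit name without '.service': score 0-100} from systemd-analyze.

    Best effort: a missing or failing systemd-analyze, or an output line that
    does not parse, yields no entry instead of an exception.
    """
    try:
        output = subprocess.check_output(
            ['systemd-analyze', 'security']).decode()
    except (OSError, subprocess.CalledProcessError):
        return {}

    coverage = {}
    for line in output.strip().split('\n')[1:]:  # first line is the header
        fields = line.split()
        try:
            exposure = float(fields[1])
        except (IndexError, ValueError):
            continue  # blank or unexpected line; do not fail the report

        name = re.sub(r'\.service$', '', fields[0])
        coverage[name] = round(100 - exposure * 10)

    return coverage


def get_apps_report():
    # … unchanged: current/past CVE lookup …
    sandbox_coverage = _get_sandbox_coverage()
    # … unchanged: apps dict and per-app loop …
```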
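Review bot: The new `apps[module_name]['sandbox_coverage'] = sandbox_coverage.get(service)` runs once per sandboxed service inside `for service in services:`, so an app with more than one service reports whichever service was iterated last, and a `None` from a later service with no systemd-analyze entry overwrites a real score from an earlier one. If the column is meant to summarise the app's isolation, the conservative choice is the lowest score among services that have one, which takes four lines: `score = sandbox_coverage.get(service)`, `previous = apps[module_name].get('sandbox_coverage')`, `if score is not None and (previous is None or score < previous):`, `apps[module_name]['sandbox_coverage'] = score`. Whether `services` can hold several units per app is not visible in the hunk; if it is always a single unit this is only a hardening. The enclosing loop and get_apps_report() continue outside the hunk.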

+

+ {% blocktrans trimmed %} + "Sandbox Coverage" is a score of how effectively the service is isolated + from the rest of the system. It is only displayed while the service is + running. + {% endblocktrans %} +

@@ -49,6 +56,7 @@ + @@ -66,6 +74,13 @@ {% trans "No" %} {% endif %} + {% endfor %}
{% trans "Current Vulnerabilities" %} {% trans "Past Vulnerabilities" %} {% trans "Sandboxed" %}{% trans "Sandbox Coverage" %}
+ {% if app.sandbox_coverage %} + {{ app.sandbox_coverage }}% + {% elif app.sandboxed %} + {% trans "Not running" %} + {% endif %} +
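Review bot: `{% if app.sandbox_coverage %}` tests truthiness, so a running service whose computed score is 0 (exposure 10.0 in the view's `round(100 - exposure * 10)`) is indistinguishable from a missing entry and is rendered as "Not running" instead of "0%". Because the view stores `None` for services without an entry, the template should test for that explicitly: `{% if app.sandbox_coverage is not None %}`. The `is not` operator is available in `{% if %}` from Django 1.10 onward, which I assume this project satisfies. The surrounding `{% for %}` loop starts outside the hunk.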