Merge pull request #2935 from crass/fix-profile-builder

Fix profile builder
author: netblue30 <netblue30@yahoo.com> 2019-09-15 07:00:09 -0500
committer: GitHub <noreply@github.com> 2019-09-15 07:00:09 -0500
commit: 38ace01bf5a501f8cd3de5c1384297c3163f9c35 (patch)
tree: aab0f8277a0ae1de922b8a9268b01428e8febd73
parent: Fix #2899 (diff)
parent: Merge branch 'master' into fix-profile-builder (diff)
download: firejail-38ace01bf5a501f8cd3de5c1384297c3163f9c35.tar.gz
firejail-38ace01bf5a501f8cd3de5c1384297c3163f9c35.tar.zst
firejail-38ace01bf5a501f8cd3de5c1384297c3163f9c35.zip
8 files changed, 69 insertions, 25 deletions
diff --git a/src/common.mk.in b/src/common.mk.in
index ff66c6748..1464ab9b2 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -3,6 +3,7 @@
 CC=@CC@
 prefix=@prefix@
 exec_prefix=@exec_prefix@
+bindir=@bindir@
 libdir=@libdir@
 sysconfdir=@sysconfdir@
@@ -29,7 +30,10 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
+CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
+CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST)
+CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index f11e37057..a0f71ae03 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -61,19 +61,18 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
        char *output;
        char *stroutput;
-        if(asprintf(&output,"--output=%s",trace_output) == -1)
+        if(asprintf(&output,"--trace=%s",trace_output) == -1)
                errExit("asprintf");
-        if(asprintf(&stroutput,"-o %s",strace_output) == -1)
+        if(asprintf(&stroutput,"-o%s",strace_output) == -1)
                errExit("asprintf");
        char *cmdlist[] = {
-          "/usr/bin/firejail",
+          BINDIR "/firejail",
          "--quiet",
-          output,
          "--noprofile",
          "--caps.drop=all",
          "--nonewprivs",
-          "--trace",
+          output,
          "--shell=none",
          "/usr/bin/strace", // also used as a marker in build_profile()
          "-c",
@@ -110,7 +109,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
        if (arg_debug) {
                for (i = 0; i < len; i++)
-                        printf("\t%s\n", cmd[i]);
+                        printf("%s%s\n", (i)?"\t":"", cmd[i]);
        }
        // fork and execute
@@ -130,7 +129,8 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                errExit("waitpid");
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
-                printf("\n\n\n");
+                if (fp == stdout)
+                        printf("--- Built profile beings after this line ---\n");
                fprintf(fp, "############################################\n");
                fprintf(fp, "# %s profile\n", argv[index]);
                fprintf(fp, "############################################\n");
@@ -177,9 +177,10 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                fprintf(fp, "### environment\n");
                fprintf(fp, "shell none\n");
-                unlink(trace_output);
+                if (!arg_debug) {
-                unlink(strace_output);
+                        unlink(trace_output);
+                        unlink(strace_output);
+                }
        }
        else {
                fprintf(stderr, "Error: cannot run the sandbox\n");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 14cad4190..4a59522bf 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -260,6 +260,7 @@ extern int arg_caps_keep;		// keep list
 extern char *arg_caps_list;             // optional caps list
 extern int arg_trace;           // syscall tracing support
+extern char *arg_tracefile;     // syscall tracing file
 extern int arg_tracelog;        // blacklist tracing support
 extern int arg_rlimit_cpu;      // rlimit cpu
 extern int arg_rlimit_nofile;   // rlimit nofile
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 26dd5cb27..2a7c83049 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -41,6 +41,27 @@ void fs_trace_preload(void) {
                fclose(fp);
                fs_logger("touch /etc/ld.so.preload");
        }
+        if (arg_tracefile) {
+                if (arg_debug)
+                        printf("Creating an empty trace log file: %s\n", arg_tracefile);
+                // create a bind mounted trace logfile that the sandbox can see
+                EUID_USER();
+                FILE *fp = fopen(arg_tracefile, "w");
+                if (!fp)
+                        errExit("fopen");
+                SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                fclose(fp);
+                EUID_ROOT();
+                fp = fopen(RUN_TRACE_FILE, "w");
+                if (!fp)
+                        errExit("fopen " RUN_TRACE_FILE);
+                fclose(fp);
+                fs_logger2("touch ", arg_tracefile);
+                if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount bind " RUN_TRACE_FILE);
+                if (arg_debug)
+                        printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
+        }
 }
 void fs_trace(void) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9f44c6281..4c6d20626 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -80,6 +80,7 @@ int arg_caps_keep = 0;			// keep list
 char *arg_caps_list = NULL;                     // optional caps list
 int arg_trace = 0;                              // syscall tracing support
+char *arg_tracefile = NULL;                     // syscall tracing file
 int arg_tracelog = 0;                           // blacklist tracing support
 int arg_rlimit_cpu = 0;                         // rlimit max cpu time
 int arg_rlimit_nofile = 0;                      // rlimit nofile
@@ -1296,6 +1297,10 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--trace") == 0)
                        arg_trace = 1;
+                else if (strncmp(argv[i], "--trace=", 8) == 0) {
+                        arg_trace = 1;
+                        arg_tracefile = argv[i] + 8;
+                }
                else if (strcmp(argv[i], "--tracelog") == 0)
                        arg_tracelog = 1;
                else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 6cc931faf..df135b9ca 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -95,6 +95,7 @@
 #define RUN_PASSWD_FILE                 RUN_MNT_DIR "/passwd"
 #define RUN_GROUP_FILE                  RUN_MNT_DIR "/group"
 #define RUN_FSLOGGER_FILE               RUN_MNT_DIR "/fslogger"
+#define RUN_TRACE_FILE                  RUN_MNT_DIR "/trace"
 #define RUN_UMASK_FILE                  RUN_MNT_DIR "/umask"
 #define RUN_OVERLAY_ROOT                RUN_MNT_DIR "/oroot"
 #define RUN_READY_FOR_JOIN              RUN_MNT_DIR "/ready-for-join"
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 11e98d95e..0c21b9b70 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -32,7 +32,7 @@
 #include <sys/stat.h>
 #include <syslog.h>
 #include <dirent.h>
-#include <limits.h>
+#include "../include/rundefs.h"
 #define tprintf(fp, args...) \
    do { \
@@ -46,6 +46,8 @@ typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode);
 static orig_fopen_t orig_fopen = NULL;
 typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
 static orig_fopen64_t orig_fopen64 = NULL;
+typedef int (*orig_access_t)(const char *pathname, int mode);
+static orig_access_t orig_access = NULL;
 //
 // library constructor/destructor
@@ -62,10 +64,20 @@ void init(void) {
                return;
        orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
+        orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
-        // tty
-        ftty = orig_fopen("/dev/tty", "w");
+        // allow environment variable to override defaults
-        tprintf(ftty, "=== tracelib init() === \n");
+        char *logfile = getenv("FIREJAIL_TRACEFILE");
+        if (!logfile) {
+                // if exists, log to trace file
+                logfile = RUN_TRACE_FILE;
+                if (orig_access(logfile, F_OK))
+                        // else log to associated tty
+                        logfile = "/dev/tty";
+        }
+        
+        // logfile
+        ftty = orig_fopen(logfile, "a");
        // pid
        mypid = getpid();
@@ -85,6 +97,7 @@ void init(void) {
        if (ptr)
                *ptr = '\0';
+        tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
        fclose(fp);
        free(fname);
 }
@@ -476,8 +489,6 @@ DIR *opendir(const char *pathname) {
 }
 // access
-typedef int (*orig_access_t)(const char *pathname, int mode);
-static orig_access_t orig_access = NULL;
 int access(const char *pathname, int mode) {
        if (!orig_access)
                orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ed2f776f2..38bc0edc4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -71,10 +71,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts the default shell from the current user.
+If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
 .PP
-$ firejail [OPTIONS]                # starting the user default shell (normally /bin/bash)
+$ firejail [OPTIONS]                # starting a /bin/bash shell
 .PP
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
@@ -1862,9 +1862,8 @@ domain with personality(2) system call.
 .br
 .TP
-\fB\-\-seccomp.drop=syscall,@group,!syscall2
+\fB\-\-seccomp.drop=syscall,@group
-Enable seccomp filter, whitelist "syscall2" but blacklist the
+Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.
-syscalls or the syscall groups specified by the command.
 .br
 .br
@@ -2142,8 +2141,9 @@ Example:
 .br
 $ firejail \-\-top
 .TP
-\fB\-\-trace
+\fB\-\-trace[=filename]
-Trace open, access and connect system calls.
+Trace open, access and connect system calls. If filename is specified, log
+trace output to filename, otherwise log to console.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2019-09-15 07:00:09 -0500
committer	GitHub <noreply@github.com>	2019-09-15 07:00:09 -0500
commit	38ace01bf5a501f8cd3de5c1384297c3163f9c35 (patch)
tree	aab0f8277a0ae1de922b8a9268b01428e8febd73
parent	Fix #2899 (diff)
parent	Merge branch 'master' into fix-profile-builder (diff)
download	firejail-38ace01bf5a501f8cd3de5c1384297c3163f9c35.tar.gz firejail-38ace01bf5a501f8cd3de5c1384297c3163f9c35.tar.zst firejail-38ace01bf5a501f8cd3de5c1384297c3163f9c35.zip

diff --git a/src/common.mk.in b/src/common.mk.in index ff66c6748..1464ab9b2 100644 --- a/src/common.mk.in +++ b/src/common.mk.in
@@ -3,6 +3,7 @@
3	CC=@CC@	3	CC=@CC@
4	prefix=@prefix@	4	prefix=@prefix@
5	exec_prefix=@exec_prefix@	5	exec_prefix=@exec_prefix@
		6	bindir=@bindir@
6	libdir=@libdir@	7	libdir=@libdir@
7	sysconfdir=@sysconfdir@	8	sysconfdir=@sysconfdir@
8		9
@@ -29,7 +30,10 @@ C_FILE_LIST = $(sort $(wildcard *.c))
29	OBJS = $(C_FILE_LIST:.c=.o)	30	OBJS = $(C_FILE_LIST:.c=.o)
30	BINOBJS = $(foreach file, $(OBJS), $file)	31	BINOBJS = $(foreach file, $(OBJS), $file)
31		32
32	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	33	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
		34	CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
		35	CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST)
		36	CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
33	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	37	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
34	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@	38	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
35		39


diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index f11e37057..a0f71ae03 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c
@@ -61,19 +61,18 @@ void build_profile(int argc, char *argv, int index, FILE fp) {
61		61
62	char *output;	62	char *output;
63	char *stroutput;	63	char *stroutput;
64	if(asprintf(&output,"--output=%s",trace_output) == -1)	64	if(asprintf(&output,"--trace=%s",trace_output) == -1)
65	errExit("asprintf");	65	errExit("asprintf");
66	if(asprintf(&stroutput,"-o %s",strace_output) == -1)	66	if(asprintf(&stroutput,"-o%s",strace_output) == -1)
67	errExit("asprintf");	67	errExit("asprintf");
68		68
69	char *cmdlist[] = {	69	char *cmdlist[] = {
70	"/usr/bin/firejail",	70	BINDIR "/firejail",
71	"--quiet",	71	"--quiet",
72	output,
73	"--noprofile",	72	"--noprofile",
74	"--caps.drop=all",	73	"--caps.drop=all",
75	"--nonewprivs",	74	"--nonewprivs",
76	"--trace",	75	output,
77	"--shell=none",	76	"--shell=none",
78	"/usr/bin/strace", // also used as a marker in build_profile()	77	"/usr/bin/strace", // also used as a marker in build_profile()
79	"-c",	78	"-c",
@@ -110,7 +109,7 @@ void build_profile(int argc, char *argv, int index, FILE fp) {
110		109
111	if (arg_debug) {	110	if (arg_debug) {
112	for (i = 0; i < len; i++)	111	for (i = 0; i < len; i++)
113	printf("\t%s\n", cmd[i]);	112	printf("%s%s\n", (i)?"\t":"", cmd[i]);
114	}	113	}
115		114
116	// fork and execute	115	// fork and execute
@@ -130,7 +129,8 @@ void build_profile(int argc, char *argv, int index, FILE fp) {
130	errExit("waitpid");	129	errExit("waitpid");
131		130
132	if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {	131	if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
133	printf("\n\n\n");	132	if (fp == stdout)
		133	printf("--- Built profile beings after this line ---\n");
134	fprintf(fp, "############################################\n");	134	fprintf(fp, "############################################\n");
135	fprintf(fp, "# %s profile\n", argv[index]);	135	fprintf(fp, "# %s profile\n", argv[index]);
136	fprintf(fp, "############################################\n");	136	fprintf(fp, "############################################\n");
@@ -177,9 +177,10 @@ void build_profile(int argc, char *argv, int index, FILE fp) {
177	fprintf(fp, "### environment\n");	177	fprintf(fp, "### environment\n");
178	fprintf(fp, "shell none\n");	178	fprintf(fp, "shell none\n");
179		179
180	unlink(trace_output);	180	if (!arg_debug) {
181	unlink(strace_output);	181	unlink(trace_output);
182		182	unlink(strace_output);
		183	}
183	}	184	}
184	else {	185	else {
185	fprintf(stderr, "Error: cannot run the sandbox\n");	186	fprintf(stderr, "Error: cannot run the sandbox\n");


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 14cad4190..4a59522bf 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -260,6 +260,7 @@ extern int arg_caps_keep; // keep list
260	extern char *arg_caps_list; // optional caps list	260	extern char *arg_caps_list; // optional caps list
261		261
262	extern int arg_trace; // syscall tracing support	262	extern int arg_trace; // syscall tracing support
		263	extern char *arg_tracefile; // syscall tracing file
263	extern int arg_tracelog; // blacklist tracing support	264	extern int arg_tracelog; // blacklist tracing support
264	extern int arg_rlimit_cpu; // rlimit cpu	265	extern int arg_rlimit_cpu; // rlimit cpu
265	extern int arg_rlimit_nofile; // rlimit nofile	266	extern int arg_rlimit_nofile; // rlimit nofile


diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 26dd5cb27..2a7c83049 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c
@@ -41,6 +41,27 @@ void fs_trace_preload(void) {
41	fclose(fp);	41	fclose(fp);
42	fs_logger("touch /etc/ld.so.preload");	42	fs_logger("touch /etc/ld.so.preload");
43	}	43	}
		44	if (arg_tracefile) {
		45	if (arg_debug)
		46	printf("Creating an empty trace log file: %s\n", arg_tracefile);
		47	// create a bind mounted trace logfile that the sandbox can see
		48	EUID_USER();
		49	FILE *fp = fopen(arg_tracefile, "w");
		50	if (!fp)
		51	errExit("fopen");
		52	SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);
		53	fclose(fp);
		54	EUID_ROOT();
		55	fp = fopen(RUN_TRACE_FILE, "w");
		56	if (!fp)
		57	errExit("fopen " RUN_TRACE_FILE);
		58	fclose(fp);
		59	fs_logger2("touch ", arg_tracefile);
		60	if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND\|MS_REC, NULL) < 0)
		61	errExit("mount bind " RUN_TRACE_FILE);
		62	if (arg_debug)
		63	printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
		64	}
44	}	65	}
45		66
46	void fs_trace(void) {	67	void fs_trace(void) {


diff --git a/src/firejail/main.c b/src/firejail/main.c index 9f44c6281..4c6d20626 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -80,6 +80,7 @@ int arg_caps_keep = 0; // keep list
80	char *arg_caps_list = NULL; // optional caps list	80	char *arg_caps_list = NULL; // optional caps list
81		81
82	int arg_trace = 0; // syscall tracing support	82	int arg_trace = 0; // syscall tracing support
		83	char *arg_tracefile = NULL; // syscall tracing file
83	int arg_tracelog = 0; // blacklist tracing support	84	int arg_tracelog = 0; // blacklist tracing support
84	int arg_rlimit_cpu = 0; // rlimit max cpu time	85	int arg_rlimit_cpu = 0; // rlimit max cpu time
85	int arg_rlimit_nofile = 0; // rlimit nofile	86	int arg_rlimit_nofile = 0; // rlimit nofile
@@ -1296,6 +1297,10 @@ int main(int argc, char **argv) {
1296	}	1297	}
1297	else if (strcmp(argv[i], "--trace") == 0)	1298	else if (strcmp(argv[i], "--trace") == 0)
1298	arg_trace = 1;	1299	arg_trace = 1;
		1300	else if (strncmp(argv[i], "--trace=", 8) == 0) {
		1301	arg_trace = 1;
		1302	arg_tracefile = argv[i] + 8;
		1303	}
1299	else if (strcmp(argv[i], "--tracelog") == 0)	1304	else if (strcmp(argv[i], "--tracelog") == 0)
1300	arg_tracelog = 1;	1305	arg_tracelog = 1;
1301	else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {	1306	else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {


diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 6cc931faf..df135b9ca 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h
@@ -95,6 +95,7 @@
95	#define RUN_PASSWD_FILE RUN_MNT_DIR "/passwd"	95	#define RUN_PASSWD_FILE RUN_MNT_DIR "/passwd"
96	#define RUN_GROUP_FILE RUN_MNT_DIR "/group"	96	#define RUN_GROUP_FILE RUN_MNT_DIR "/group"
97	#define RUN_FSLOGGER_FILE RUN_MNT_DIR "/fslogger"	97	#define RUN_FSLOGGER_FILE RUN_MNT_DIR "/fslogger"
		98	#define RUN_TRACE_FILE RUN_MNT_DIR "/trace"
98	#define RUN_UMASK_FILE RUN_MNT_DIR "/umask"	99	#define RUN_UMASK_FILE RUN_MNT_DIR "/umask"
99	#define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot"	100	#define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot"
100	#define RUN_READY_FOR_JOIN RUN_MNT_DIR "/ready-for-join"	101	#define RUN_READY_FOR_JOIN RUN_MNT_DIR "/ready-for-join"


diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 11e98d95e..0c21b9b70 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c
@@ -32,7 +32,7 @@
32	#include <sys/stat.h>	32	#include <sys/stat.h>
33	#include <syslog.h>	33	#include <syslog.h>
34	#include <dirent.h>	34	#include <dirent.h>
35	#include <limits.h>	35	#include "../include/rundefs.h"
36		36
37	#define tprintf(fp, args...) \	37	#define tprintf(fp, args...) \
38	do { \	38	do { \
@@ -46,6 +46,8 @@ typedef FILE (orig_fopen_t)(const char pathname, const char mode);
46	static orig_fopen_t orig_fopen = NULL;	46	static orig_fopen_t orig_fopen = NULL;
47	typedef FILE (orig_fopen64_t)(const char pathname, const char mode);	47	typedef FILE (orig_fopen64_t)(const char pathname, const char mode);
48	static orig_fopen64_t orig_fopen64 = NULL;	48	static orig_fopen64_t orig_fopen64 = NULL;
		49	typedef int (orig_access_t)(const char pathname, int mode);
		50	static orig_access_t orig_access = NULL;
49		51
50	//	52	//
51	// library constructor/destructor	53	// library constructor/destructor
@@ -62,10 +64,20 @@ void init(void) {
62	return;	64	return;
63		65
64	orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");	66	orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
65		67	orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
66	// tty	68
67	ftty = orig_fopen("/dev/tty", "w");	69	// allow environment variable to override defaults
68	tprintf(ftty, "=== tracelib init() === \n");	70	char *logfile = getenv("FIREJAIL_TRACEFILE");
		71	if (!logfile) {
		72	// if exists, log to trace file
		73	logfile = RUN_TRACE_FILE;
		74	if (orig_access(logfile, F_OK))
		75	// else log to associated tty
		76	logfile = "/dev/tty";
		77	}
		78
		79	// logfile
		80	ftty = orig_fopen(logfile, "a");
69		81
70	// pid	82	// pid
71	mypid = getpid();	83	mypid = getpid();
@@ -85,6 +97,7 @@ void init(void) {
85	if (ptr)	97	if (ptr)
86	*ptr = '\0';	98	*ptr = '\0';
87		99
		100	tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
88	fclose(fp);	101	fclose(fp);
89	free(fname);	102	free(fname);
90	}	103	}
@@ -476,8 +489,6 @@ DIR opendir(const char pathname) {
476	}	489	}
477		490
478	// access	491	// access
479	typedef int (orig_access_t)(const char pathname, int mode);
480	static orig_access_t orig_access = NULL;
481	int access(const char *pathname, int mode) {	492	int access(const char *pathname, int mode) {
482	if (!orig_access)	493	if (!orig_access)
483	orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");	494	orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index ed2f776f2..38bc0edc4 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -71,10 +71,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
71	The default profile is quite restrictive. In case the application doesn't work, use --noprofile option	71	The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
72	to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.	72	to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
73	.PP	73	.PP
74	If a program argument is not specified, Firejail starts the default shell from the current user.	74	If a program argument is not specified, Firejail starts /bin/bash shell.
75	Examples:	75	Examples:
76	.PP	76	.PP
77	$ firejail [OPTIONS] # starting the user default shell (normally /bin/bash)	77	$ firejail [OPTIONS] # starting a /bin/bash shell
78	.PP	78	.PP
79	$ firejail [OPTIONS] firefox # starting Mozilla Firefox	79	$ firejail [OPTIONS] firefox # starting Mozilla Firefox
80	.PP	80	.PP
@@ -1862,9 +1862,8 @@ domain with personality(2) system call.
1862	.br	1862	.br
1863		1863
1864	.TP	1864	.TP
1865	\fB\-\-seccomp.drop=syscall,@group,!syscall2	1865	\fB\-\-seccomp.drop=syscall,@group
1866	Enable seccomp filter, whitelist "syscall2" but blacklist the	1866	Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.
1867	syscalls or the syscall groups specified by the command.
1868	.br	1867	.br
1869		1868
1870	.br	1869	.br
@@ -2142,8 +2141,9 @@ Example:
2142	.br	2141	.br
2143	$ firejail \-\-top	2142	$ firejail \-\-top
2144	.TP	2143	.TP
2145	\fB\-\-trace	2144	\fB\-\-trace[=filename]
2146	Trace open, access and connect system calls.	2145	Trace open, access and connect system calls. If filename is specified, log
		2146	trace output to filename, otherwise log to console.
2147	.br	2147	.br
2148		2148
2149	.br	2149	.br