Allow firejail --trace option to take an optional parameter which is the trace log file path. The trace log file will be created if it does not exist and then bind mounted to RUN_TRACE_FILE so that the sandboxed program can access it.

author: Glenn Washburn <development@efficientek.com> 2019-08-29 21:57:13 -0500
committer: Glenn Washburn <development@efficientek.com> 2019-08-29 21:57:13 -0500
commit: f6584eaf3b5bfa166fed56b900dbda6629c4fbd3 (patch)
tree: 4c516d172e25e9b9bf0c2a18b22d0435c6265eea
parent: Allow libtrace preload library to use for trace output a logfile specified by... (diff)
download: firejail-f6584eaf3b5bfa166fed56b900dbda6629c4fbd3.tar.gz
firejail-f6584eaf3b5bfa166fed56b900dbda6629c4fbd3.tar.zst
firejail-f6584eaf3b5bfa166fed56b900dbda6629c4fbd3.zip
3 files changed, 25 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 14cad4190..4a59522bf 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -260,6 +260,7 @@ extern int arg_caps_keep;		// keep list
 extern char *arg_caps_list;             // optional caps list
 extern int arg_trace;           // syscall tracing support
+extern char *arg_tracefile;     // syscall tracing file
 extern int arg_tracelog;        // blacklist tracing support
 extern int arg_rlimit_cpu;      // rlimit cpu
 extern int arg_rlimit_nofile;   // rlimit nofile
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 26dd5cb27..eac73a074 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -41,6 +41,25 @@ void fs_trace_preload(void) {
                fclose(fp);
                fs_logger("touch /etc/ld.so.preload");
        }
+        if (arg_tracefile) {
+                if (arg_debug)
+                        printf("Creating an empty trace log file: %s\n", arg_tracefile);
+                // create a bind mounted trace logfile that the sandbox can see
+                FILE *fp = fopen(arg_tracefile, "w");
+                if (!fp)
+                        errExit("fopen");
+                SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                fclose(fp);
+                fp = fopen(RUN_TRACE_FILE, "w");
+                if (!fp)
+                        errExit("fopen");
+                fclose(fp);
+                fs_logger2("touch ", arg_tracefile);
+                if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount bind " RUN_TRACE_FILE);
+                if (arg_debug)
+                        printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
+        }
 }
 void fs_trace(void) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9f44c6281..4c6d20626 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -80,6 +80,7 @@ int arg_caps_keep = 0;			// keep list
 char *arg_caps_list = NULL;                     // optional caps list
 int arg_trace = 0;                              // syscall tracing support
+char *arg_tracefile = NULL;                     // syscall tracing file
 int arg_tracelog = 0;                           // blacklist tracing support
 int arg_rlimit_cpu = 0;                         // rlimit max cpu time
 int arg_rlimit_nofile = 0;                      // rlimit nofile
@@ -1296,6 +1297,10 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--trace") == 0)
                        arg_trace = 1;
+                else if (strncmp(argv[i], "--trace=", 8) == 0) {
+                        arg_trace = 1;
+                        arg_tracefile = argv[i] + 8;
+                }
                else if (strcmp(argv[i], "--tracelog") == 0)
                        arg_tracelog = 1;
                else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
author	Glenn Washburn <development@efficientek.com>	2019-08-29 21:57:13 -0500
committer	Glenn Washburn <development@efficientek.com>	2019-08-29 21:57:13 -0500
commit	f6584eaf3b5bfa166fed56b900dbda6629c4fbd3 (patch)
tree	4c516d172e25e9b9bf0c2a18b22d0435c6265eea
parent	Allow libtrace preload library to use for trace output a logfile specified by... (diff)
download	firejail-f6584eaf3b5bfa166fed56b900dbda6629c4fbd3.tar.gz firejail-f6584eaf3b5bfa166fed56b900dbda6629c4fbd3.tar.zst firejail-f6584eaf3b5bfa166fed56b900dbda6629c4fbd3.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 14cad4190..4a59522bf 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -260,6 +260,7 @@ extern int arg_caps_keep; // keep list
260	extern char *arg_caps_list; // optional caps list	260	extern char *arg_caps_list; // optional caps list
261		261
262	extern int arg_trace; // syscall tracing support	262	extern int arg_trace; // syscall tracing support
		263	extern char *arg_tracefile; // syscall tracing file
263	extern int arg_tracelog; // blacklist tracing support	264	extern int arg_tracelog; // blacklist tracing support
264	extern int arg_rlimit_cpu; // rlimit cpu	265	extern int arg_rlimit_cpu; // rlimit cpu
265	extern int arg_rlimit_nofile; // rlimit nofile	266	extern int arg_rlimit_nofile; // rlimit nofile


diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 26dd5cb27..eac73a074 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c
@@ -41,6 +41,25 @@ void fs_trace_preload(void) {
41	fclose(fp);	41	fclose(fp);
42	fs_logger("touch /etc/ld.so.preload");	42	fs_logger("touch /etc/ld.so.preload");
43	}	43	}
		44	if (arg_tracefile) {
		45	if (arg_debug)
		46	printf("Creating an empty trace log file: %s\n", arg_tracefile);
		47	// create a bind mounted trace logfile that the sandbox can see
		48	FILE *fp = fopen(arg_tracefile, "w");
		49	if (!fp)
		50	errExit("fopen");
		51	SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);
		52	fclose(fp);
		53	fp = fopen(RUN_TRACE_FILE, "w");
		54	if (!fp)
		55	errExit("fopen");
		56	fclose(fp);
		57	fs_logger2("touch ", arg_tracefile);
		58	if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND\|MS_REC, NULL) < 0)
		59	errExit("mount bind " RUN_TRACE_FILE);
		60	if (arg_debug)
		61	printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
		62	}
44	}	63	}
45		64
46	void fs_trace(void) {	65	void fs_trace(void) {


diff --git a/src/firejail/main.c b/src/firejail/main.c index 9f44c6281..4c6d20626 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -80,6 +80,7 @@ int arg_caps_keep = 0; // keep list
80	char *arg_caps_list = NULL; // optional caps list	80	char *arg_caps_list = NULL; // optional caps list
81		81
82	int arg_trace = 0; // syscall tracing support	82	int arg_trace = 0; // syscall tracing support
		83	char *arg_tracefile = NULL; // syscall tracing file
83	int arg_tracelog = 0; // blacklist tracing support	84	int arg_tracelog = 0; // blacklist tracing support
84	int arg_rlimit_cpu = 0; // rlimit max cpu time	85	int arg_rlimit_cpu = 0; // rlimit max cpu time
85	int arg_rlimit_nofile = 0; // rlimit nofile	86	int arg_rlimit_nofile = 0; // rlimit nofile
@@ -1296,6 +1297,10 @@ int main(int argc, char **argv) {
1296	}	1297	}
1297	else if (strcmp(argv[i], "--trace") == 0)	1298	else if (strcmp(argv[i], "--trace") == 0)
1298	arg_trace = 1;	1299	arg_trace = 1;
		1300	else if (strncmp(argv[i], "--trace=", 8) == 0) {
		1301	arg_trace = 1;
		1302	arg_tracefile = argv[i] + 8;
		1303	}
1299	else if (strcmp(argv[i], "--tracelog") == 0)	1304	else if (strcmp(argv[i], "--tracelog") == 0)
1300	arg_tracelog = 1;	1305	arg_tracelog = 1;
1301	else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {	1306	else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {