author | netblue30 <netblue30@yahoo.com> | 2017-01-30 11:01:32 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-01-30 11:01:32 -0500 |
commit | 4579993d9b756d0821fa77a8fff409e764f2107a (patch) | |
tree | 8e2a79821cf9620efd87ab2123fb8f0eeb0386d2 | |
parent | --quiet fix (diff) | |
--writable-var-log
-rw-r--r-- | README.md | 8 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 21 | ||||
-rw-r--r-- | src/firejail/main.c | 6 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 11 |
9 files changed, 53 insertions, 7 deletions
@@ -98,6 +98,14 @@ Added AppImage type 2 support, and support for passing command line arguments to | |||
98 | Example: | 98 | Example: |
99 | $ firejail --hosts-file=~/myhosts firefox | 99 | $ firejail --hosts-file=~/myhosts firefox |
100 | 100 | ||
101 | --writable-var-log | ||
102 | Use the real /var/log directory, not a clone. By default, a | ||
103 | tmpfs is mounted on top of /var/log directory, and a skeleton | ||
104 | filesystem is created based on the original /var/log. | ||
105 | |||
106 | Example: | ||
107 | $ sudo firejail --writable-var-log | ||
108 | |||
101 | ````` | 109 | ````` |
102 | ## New Profiles | 110 | ## New Profiles |
103 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, | 111 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, |
@@ -19,8 +19,9 @@ firejail (0.9.45) baseline; urgency=low | |||
19 | * feature: private /opt directory (--private-opt, profile support) | 19 | * feature: private /opt directory (--private-opt, profile support) |
20 | * feature: private /srv directory (--private-srv, profile support) | 20 | * feature: private /srv directory (--private-srv, profile support) |
21 | * feature: spoof machine-id (--machine-id, profile support) | 21 | * feature: spoof machine-id (--machine-id, profile support) |
22 | * feature: allow blacklists under --private (--allow-private-blacklist) | 22 | * feature: allow blacklists under --private (--allow-private-blacklist, profile support) |
23 | * feature: user-defined /etc/hosts file (--hosts-file, profile support) | 23 | * feature: user-defined /etc/hosts file (--hosts-file, profile support) |
24 | * feature: support for the real /var/log directory (--writable-var-log, profile support) | ||
24 | * feature: config support for firejail prompt in terminals | 25 | * feature: config support for firejail prompt in terminals |
25 | * feature: AppImage type 2 support | 26 | * feature: AppImage type 2 support |
26 | * feature: pass command line arguments to appimages | 27 | * feature: pass command line arguments to appimages |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7d6e16094..7e5412630 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -338,6 +338,7 @@ extern int arg_nice; // nice value configured | |||
338 | extern int arg_ipc; // enable ipc namespace | 338 | extern int arg_ipc; // enable ipc namespace |
339 | extern int arg_writable_etc; // writable etc | 339 | extern int arg_writable_etc; // writable etc |
340 | extern int arg_writable_var; // writable var | 340 | extern int arg_writable_var; // writable var |
341 | extern int arg_writable_var_log; // writable /var/log | ||
341 | extern int arg_appimage; // appimage | 342 | extern int arg_appimage; // appimage |
342 | extern int arg_audit; // audit | 343 | extern int arg_audit; // audit |
343 | extern char *arg_audit_prog; // audit | 344 | extern char *arg_audit_prog; // audit |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index a4d4db7fe..3cda68f1b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -445,6 +445,7 @@ static void fs_rdwr(const char *dir) { | |||
445 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | 445 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) |
446 | errExit("mount read-write"); | 446 | errExit("mount read-write"); |
447 | fs_logger2("read-write", dir); | 447 | fs_logger2("read-write", dir); |
448 | printf("readwrite %s\n", dir); | ||
448 | } | 449 | } |
449 | } | 450 | } |
450 | 451 | ||
@@ -682,11 +683,13 @@ void fs_basic_fs(void) { | |||
682 | fs_rdonly("/usr"); | 683 | fs_rdonly("/usr"); |
683 | 684 | ||
684 | // update /var directory in order to support multiple sandboxes running on the same root directory | 685 | // update /var directory in order to support multiple sandboxes running on the same root directory |
685 | // if (!arg_private_dev) | ||
686 | // fs_dev_shm(); | ||
687 | fs_var_lock(); | 686 | fs_var_lock(); |
688 | fs_var_tmp(); | 687 | fs_var_tmp(); |
689 | fs_var_log(); | 688 | if (!arg_writable_var_log) |
689 | fs_var_log(); | ||
690 | else | ||
691 | fs_rdwr("/var/log"); | ||
692 | |||
690 | fs_var_lib(); | 693 | fs_var_lib(); |
691 | fs_var_cache(); | 694 | fs_var_cache(); |
692 | fs_var_utmp(); | 695 | fs_var_utmp(); |
@@ -996,7 +999,11 @@ void fs_overlayfs(void) { | |||
996 | // fs_dev_shm(); | 999 | // fs_dev_shm(); |
997 | fs_var_lock(); | 1000 | fs_var_lock(); |
998 | fs_var_tmp(); | 1001 | fs_var_tmp(); |
999 | fs_var_log(); | 1002 | if (!arg_writable_var_log) |
1003 | fs_var_log(); | ||
1004 | else | ||
1005 | fs_rdwr("/var/log"); | ||
1006 | |||
1000 | fs_var_lib(); | 1007 | fs_var_lib(); |
1001 | fs_var_cache(); | 1008 | fs_var_cache(); |
1002 | fs_var_utmp(); | 1009 | fs_var_utmp(); |
@@ -1226,7 +1233,11 @@ void fs_chroot(const char *rootdir) { | |||
1226 | // fs_dev_shm(); | 1233 | // fs_dev_shm(); |
1227 | fs_var_lock(); | 1234 | fs_var_lock(); |
1228 | fs_var_tmp(); | 1235 | fs_var_tmp(); |
1229 | fs_var_log(); | 1236 | if (!arg_writable_var_log) |
1237 | fs_var_log(); | ||
1238 | else | ||
1239 | fs_rdwr("/var/log"); | ||
1240 | |||
1230 | fs_var_lib(); | 1241 | fs_var_lib(); |
1231 | fs_var_cache(); | 1242 | fs_var_cache(); |
1232 | fs_var_utmp(); | 1243 | fs_var_utmp(); |
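Review bot: The `printf("readwrite %s\n", dir);` added to fs_rdwr at new line 448 prints unconditionally, so every --writable-etc, --writable-var and --writable-var-log remount now writes to stdout even under --quiet, which the parent commit ("--quiet fix") was just addressing; fs_logger2 on the line above already records the event, so either drop the printf or gate it as `if (arg_debug) printf("Mounting read-write %s\n", dir);`. fs_rdwr's body starts outside the hunk. The same `if (!arg_writable_var_log) fs_var_log(); else fs_rdwr("/var/log");` block is pasted verbatim into fs_basic_fs, fs_overlayfs and fs_chroot; a single static helper next to fs_rdwr keeps the three call sites from drifting and gives one place for a comment stating that the rdwr branch remounts the host's real /var/log read-write, so anything the sandboxed process writes there lands in the host's logs rather than in a tmpfs clone, which is the trade-off the README and man page describe.
```c
// Either clone /var/log into a tmpfs skeleton (default) or, under
// --writable-var-log, bind-remount the host's real /var/log read-write
// so sandbox writes land in the host's log directory.
static void fs_var_log_setup(void) {
	if (!arg_writable_var_log)
		fs_var_log();
	else
		fs_rdwr("/var/log");
}

/* … unchanged: fs_basic_fs up to fs_var_tmp() … */
	fs_var_tmp();
	fs_var_log_setup();
	fs_var_lib();
/* … unchanged: rest of fs_basic_fs; same replacement in fs_overlayfs and fs_chroot … */
```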
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8fea98950..7c6568903 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -114,7 +114,8 @@ int arg_x11_block = 0; // block X11 | |||
114 | int arg_x11_xorg = 0; // use X11 security extention | 114 | int arg_x11_xorg = 0; // use X11 security extention |
115 | int arg_allusers = 0; // all user home directories visible | 115 | int arg_allusers = 0; // all user home directories visible |
116 | int arg_machineid = 0; // preserve /etc/machine-id | 116 | int arg_machineid = 0; // preserve /etc/machine-id |
117 | int arg_allow_private_blacklist = 0; // blacklist things in private directories | 117 | int arg_allow_private_blacklist = 0; // blacklist things in private directories |
118 | int arg_writable_var_log; // writable /var/log | ||
118 | 119 | ||
119 | int login_shell = 0; | 120 | int login_shell = 0; |
120 | 121 | ||
@@ -1488,6 +1489,9 @@ int main(int argc, char **argv) { | |||
1488 | else if (strcmp(argv[i], "--writable-var") == 0) { | 1489 | else if (strcmp(argv[i], "--writable-var") == 0) { |
1489 | arg_writable_var = 1; | 1490 | arg_writable_var = 1; |
1490 | } | 1491 | } |
1492 | else if (strcmp(argv[i], "--writable-var-log") == 0) { | ||
1493 | arg_writable_var_log = 1; | ||
1494 | } | ||
1491 | else if (strcmp(argv[i], "--machine-id") == 0) { | 1495 | else if (strcmp(argv[i], "--machine-id") == 0) { |
1492 | arg_machineid = 1; | 1496 | arg_machineid = 1; |
1493 | } | 1497 | } |
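Review bot: `int arg_writable_var_log; // writable /var/log` at new line 118 is the only flag in this run of definitions without an explicit `= 0` initializer; file-scope ints are zero-initialized anyway, so behaviour is unchanged, but for consistency with the surrounding lines write `int arg_writable_var_log = 0; // writable /var/log`. The option parsing added at new lines 1492-1494 mirrors the --writable-var branch directly above it; main() starts and ends outside the hunk.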
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index d188f97a8..4856b31ae 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -673,6 +673,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
673 | arg_writable_var = 1; | 673 | arg_writable_var = 1; |
674 | return 0; | 674 | return 0; |
675 | } | 675 | } |
676 | if (strcmp(ptr, "writable-var-log") == 0) { | ||
677 | arg_writable_var_log = 1; | ||
678 | return 0; | ||
679 | } | ||
676 | 680 | ||
677 | // private directory | 681 | // private directory |
678 | if (strncmp(ptr, "private ", 8) == 0) { | 682 | if (strncmp(ptr, "private ", 8) == 0) { |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 6f16a5868..15ba22d4d 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -192,6 +192,7 @@ void usage(void) { | |||
192 | #endif | 192 | #endif |
193 | printf(" --writable-etc - /etc directory is mounted read-write.\n"); | 193 | printf(" --writable-etc - /etc directory is mounted read-write.\n"); |
194 | printf(" --writable-var - /var directory is mounted read-write.\n"); | 194 | printf(" --writable-var - /var directory is mounted read-write.\n"); |
195 | printf(" --writable-var-log - use the real /var/log directory, not a clone.\n"); | ||
195 | printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"); | 196 | printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"); |
196 | printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"); | 197 | printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"); |
197 | printf("\tattempt to use X11 security extension.\n"); | 198 | printf("\tattempt to use X11 security extension.\n"); |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 034f1beac..90dca19bf 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -244,6 +244,11 @@ Mount /etc directory read-write. | |||
244 | .TP | 244 | .TP |
245 | \fBwritable-var | 245 | \fBwritable-var |
246 | Mount /var directory read-write. | 246 | Mount /var directory read-write. |
247 | .TP | ||
248 | \fBwritable-var-log | ||
249 | Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log | ||
250 | directory, and a skeleton filesystem is created based on the original /var/log. | ||
251 | |||
247 | .SH Security filters | 252 | .SH Security filters |
248 | The following security filters are currently implemented: | 253 | The following security filters are currently implemented: |
249 | 254 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b836fd738..993186476 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1725,6 +1725,17 @@ Example: | |||
1725 | .br | 1725 | .br |
1726 | $ sudo firejail --writable-var | 1726 | $ sudo firejail --writable-var |
1727 | 1727 | ||
1728 | .TP | ||
1729 | \fB\-\-writable-var-log | ||
1730 | Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log | ||
1731 | directory, and a skeleton filesystem is created based on the original /var/log. | ||
1732 | .br | ||
1733 | |||
1734 | .br | ||
1735 | Example: | ||
1736 | .br | ||
1737 | $ sudo firejail --writable-var-log | ||
1738 | |||
1728 | 1739 | ||
1729 | .TP | 1740 | .TP |
1730 | \fB\-\-x11 | 1741 | \fB\-\-x11 |