author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-08-30 19:09:47 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-09-05 01:07:41 -0300 |
commit | bfcacff665b750ae7b9fc984496df26fcd7cc53d (patch) | |
tree | 59ed47b8b472cfbdb825ff0c45c128a19894cb13 | |
parent | Revert "README/README.md" (diff) | |
Revert "tracelog disabled by default in /etc/firejail/firejail.config file"
This reverts commit 6e687c30110a52f267c1779c4eeab82bded9cb77.
Part of reverting commits with Landlock-related changes.
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | etc/firejail.config | 5 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 32 | ||||
-rw-r--r-- | src/firejail/main.c | 11 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 |
6 files changed, 23 insertions, 33 deletions
@@ -252,8 +252,6 @@ cayday (https://github.com/caydey) | |||
252 | Christian Pinedo (https://github.com/chrpinedo) | 252 | Christian Pinedo (https://github.com/chrpinedo) |
253 | - added nicotine profile | 253 | - added nicotine profile |
254 | - allow python3 in totem profile | 254 | - allow python3 in totem profile |
255 | ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | ||
256 | - Landlock support | ||
257 | creideiki (https://github.com/creideiki) | 255 | creideiki (https://github.com/creideiki) |
258 | - make the sandbox process reap all children | 256 | - make the sandbox process reap all children |
259 | - tor browser profile fix | 257 | - tor browser profile fix |
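diff --git a/etc/firejail.config b/etc/firejail.config
index e8bf45751..9d37b4d8a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -57,11 +57,6 @@
 # to the specified period of time to allow sandbox setup to finish.
 # join-timeout 5
 
-# tracelog enables auditing blacklisted files and directories. A message
-# is sent to syslog in case the file or the directory is accessed.
-# Disabled by default.
-# tracelog no
-
 # Enable or disable sandbox name change, default enabled.
 # name-change yes
 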
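diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 62b8c4dc4..e2fab1265 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -62,7 +62,6 @@ int checkcfg(int val) {
 cfg_val[CFG_CHROOT] = 0;
 cfg_val[CFG_SECCOMP_LOG] = 0;
 cfg_val[CFG_PRIVATE_LIB] = 0;
-cfg_val[CFG_TRACELOG] = 0;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -112,7 +111,6 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_SECCOMP, "seccomp")
 PARSE_YESNO(CFG_NETWORK, "network")
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
-PARSE_YESNO(CFG_TRACELOG, "tracelog")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
 PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")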
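diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a3b38b5e0..9c2b53c18 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,6 +32,25 @@
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
+#ifdef HAVE_LANDLOCK
+
+extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
+
+extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
+
+extern int landlock_restrict_self(int fd,__u32 flags);
+
+extern int create_full_ruleset();
+
+extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
+
+extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
+
+extern int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
+
+extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
+
+#endif
 
 // profiles
 #define DEFAULT_USER_PROFILE "default"
@@ -838,7 +857,6 @@ enum {
 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_ALLOW_TRAY,
 CFG_SECCOMP_LOG,
-CFG_TRACELOG,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
@@ -945,16 +963,4 @@ void run_ids(int argc, char **argv);
 // oom.c
 void oom_set(const char *oom_string);
 
-// landlock.c
-#ifdef HAVE_LANDLOCK
-int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
-int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
-int landlock_restrict_self(int fd,__u32 flags);
-int create_full_ruleset();
-int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
-int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
-int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
-int add_execute_rule_by_path(int rset_fd,char *allowed_path);
-#endif
-
 #endif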
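Review bot: The reinstated declaration `extern int create_full_ruleset();` at new line 43 is a non-prototype (K&R-style) declaration, so a caller can pass any arguments without a compile error; it should read `int create_full_ruleset(void);`. The same block relies on `struct landlock_ruleset_attr`, `enum landlock_rule_type` and `__u32`, which presumably come from `<linux/landlock.h>` and `<linux/types.h>`; those includes are outside this hunk, so confirm they are visible before new line 35 whenever HAVE_LANDLOCK is defined. The `extern` on these function declarations is redundant and the rest of the header (e.g. `void oom_set(const char *oom_string);` at new line 964) omits it, and the `char *allowed_path` parameters look like candidates for `const char *` if the definitions in landlock.c allow it.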
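diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1daf0da35..3f0dc960a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -348,8 +348,7 @@ errout:
 
 
 static void exit_err_feature(const char *feature) {
-fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
-feature, SYSCONFDIR "/firejail.config");
+fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
 exit(1);
 }
 
@@ -1571,12 +1570,8 @@ int main(int argc, char **argv, char **envp) {
 arg_tracefile = tmp;
 }
 }
-else if (strcmp(argv[i], "--tracelog") == 0) {
-if (checkcfg(CFG_TRACELOG))
-arg_tracelog = 1;
-else
-exit_err_feature("tracelog");
-}
+else if (strcmp(argv[i], "--tracelog") == 0)
+arg_tracelog = 1;
 else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
 check_unsigned(argv[i] + 13, "Error: invalid rlimit");
 sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);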
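Review bot: The new `exit_err_feature` body at line 351 drops the configuration file path from the error message, so a user who hits this error is no longer told which file to edit; since the commit description scopes this revert to Landlock-related changes, that diagnostic looks like collateral and could be kept as `fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n", feature, SYSCONFDIR "/firejail.config");`. In the second hunk the `--tracelog` branch at new lines 1573-1574 is the only unbraced single-statement branch in the visible chain, while its neighbours at 1572 and 1575 use braces; bracing it keeps the chain uniform and avoids a dangling-statement slip on the next edit. The enclosing `main` starts and ends outside the hunk.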
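diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9f677c11d..9a2f8c82c 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -372,9 +372,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "tracelog") == 0) {
-if (checkcfg(CFG_TRACELOG))
-arg_tracelog = 1;
-// no warning, we have tracelog in over 400 profiles
+arg_tracelog = 1;
 return 0;
 }
 else if (strcmp(ptr, "private") == 0) {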