--tracelog

14 files changed, 566 insertions, 20 deletions

diff --git a/Makefile.in b/Makefile.in
index b7629a9e5..59fe34f60 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/libtrace src/ftee
+APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -62,6 +62,7 @@ realinstall:
         # libraries and plugins
         mkdir -p $(DESTDIR)/$(libdir)/firejail
         install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
         # documents
@@ -157,6 +158,7 @@ install-strip: all
         strip src/firejail/firejail
         strip src/firemon/firemon
         strip src/libtrace/libtrace.so
+        strip src/libtracelog/libtracelog.so
         strip src/ftee/ftee
         $(MAKE) realinstall
 
diff --git a/RELNOTES b/RELNOTES
index c6584371d..f3fd16f57 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,8 +9,7 @@ firejail (0.9.35) baseline; urgency=low
   * added opera-beta profile
   * added --noblacklist option
   * whitelist command enhancements
-  * prevent leaking user information by modifying /home directory,
-          /etc/passwd and /etc/group
+  * prevent user name enumeration
   * added /etc/firejail/nolocal.net network filter
   * added /etc/firejail/webserver.net network filter
   * manipulation of firejail configuration disabled by default
diff --git a/configure b/configure
index fe05f2a80..463dc31c4 100755
--- a/configure
+++ b/configure
@@ -3563,7 +3563,7 @@ if test "$prefix" = /usr; then
         sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/ftee/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/ftee/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4277,6 +4277,7 @@ do
     "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
     "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
     "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
+    "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
     "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
diff --git a/configure.ac b/configure.ac
index f7db96ee7..b5b59d1e4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,7 +52,7 @@ if test "$prefix" = /usr; then
         sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/ftee/Makefile)
+AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/ftee/Makefile)
 
 echo
 echo "Configuration options:"
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b50b4d19e..967eb7e45 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -204,6 +204,7 @@ extern int arg_caps_keep;		// keep list
 extern char *arg_caps_list;             // optional caps list
 
 extern int arg_trace;           // syscall tracing support
+extern int arg_tracelog;        // blacklist tracing support
 extern int arg_rlimit_nofile;   // rlimit nofile
 extern int arg_rlimit_nproc;    // rlimit nproc
 extern int arg_rlimit_fsize;    // rlimit fsize
@@ -483,6 +484,7 @@ void restrict_users(void);
 // fs_logger.c
 void fs_logger(const char *msg);
 void fs_logger2(const char *msg1, const char *msg2);
+void fs_logger2int(const char *msg1, int d);
 void fs_logger3(const char *msg1, const char *msg2, const char *msg3);
 void fs_logger_print(void);
 void fs_logger_change_owner(void);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 1e01ccc71..ebeaf51c7 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -480,8 +480,6 @@ void fs_proc_sys_dev_boot(void) {
         else
                 fs_logger("remount /sys");
                 
-
-
         if (stat("/sys/firmware", &s) == 0) {
                 disable_file(BLACKLIST_FILE, "/sys/firmware");
         }
@@ -587,11 +585,12 @@ static void disable_firejail_config(void) {
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
         if (arg_debug)
-                printf("Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var\n");
+                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
         fs_rdonly("/bin");
         fs_rdonly("/sbin");
         fs_rdonly("/lib");
         fs_rdonly("/lib64");
+        fs_rdonly("/lib32");
         fs_rdonly("/usr");
         fs_rdonly("/etc");
         fs_rdonly("/var");
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 9f742c5bd..bf7322984 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -70,6 +70,15 @@ void fs_logger2(const char *msg1, const char *msg2) {
         insertmsg(ptr);
 }
 
+void fs_logger2int(const char *msg1, int d) {
+        FsMsg *ptr = newmsg();
+        char *str;
+        if (asprintf(&str, "%s %d", msg1, d) == -1)
+                errExit("asprintf");
+        ptr->msg = str;
+        insertmsg(ptr);
+}
+
 void fs_logger3(const char *msg1, const char *msg2, const char *msg3) {
         FsMsg *ptr = newmsg();
         char *str;
@@ -91,7 +100,7 @@ void fs_logger_print(void) {
         
         int rv = chown(RUN_FSLOGGER_FILE, getuid(), getgid());
         (void) rv; // best effort!
-        rv = chmod(RUN_FSLOGGER_FILE, 0600);
+        rv = chmod(RUN_FSLOGGER_FILE, 0644);
         (void) rv; // best effort!
         
         FsMsg *ptr = head;
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 92e4daed2..f555a6693 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -57,7 +57,13 @@ void fs_trace(void) {
         FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
         if (!fp)
                 errExit("fopen");
-        fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
+        if (arg_trace)
+                fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
+        else if (arg_tracelog)
+                fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
+        else
+                assert(0);
+                
         fclose(fp);
         if (chown(RUN_LDPRELOAD_FILE, 0, 0) < 0)
                 errExit("chown");
diff --git a/src/firejail/main.c b/src/firejail/main.c
index db9964e98..c1cd9564e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -67,6 +67,7 @@ int arg_caps_keep = 0;			// keep list
 char *arg_caps_list = NULL;                     // optional caps list
 
 int arg_trace = 0;                              // syscall tracing support
+int arg_tracelog = 0;                           // blacklist tracing support
 int arg_rlimit_nofile = 0;                      // rlimit nofile
 int arg_rlimit_nproc = 0;                       // rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
@@ -571,6 +572,8 @@ int main(int argc, char **argv) {
 
                 else if (strcmp(argv[i], "--trace") == 0)
                         arg_trace = 1;
+                else if (strcmp(argv[i], "--tracelog") == 0)
+                        arg_tracelog = 1;
                 else if (strncmp(argv[i], "--rlimit-nofile=", 16) == 0) {
                         if (not_unsigned(argv[i] + 16)) {
                                 fprintf(stderr, "Error: invalid rlimt nofile\n");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index af035fe90..39f95a43a 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -265,19 +265,26 @@ int sandbox(void* sandbox_arg) {
         }
 
         //****************************
-        // mount namespace and log filesystem type
+        // mount namespace
         //****************************
         // mount events are not forwarded between the host the sandbox
         if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) {
                 chk_chroot();
         }
-        // log filesystem type
+        
+        
+        //****************************
+        // log sandbox data
+        //****************************
+        fs_logger2int("sandbox pid:", (int) sandbox_pid);
+        if (cfg.name)
+                fs_logger2("sandbox name:", cfg.name);
         if (cfg.chrootdir)
-                fs_logger("chroot filesystem");
+                fs_logger("sandbox filesystem: chroot");
         else if (arg_overlay)   
-                fs_logger("overlay filesystem");
+                fs_logger("sandbox filesystem: overlay");
         else
-                fs_logger("local filesystem");
+                fs_logger("sandbox filesystem: local");
         fs_logger("install mount namespace");
         
         //****************************
@@ -298,7 +305,7 @@ int sandbox(void* sandbox_arg) {
         fs_build_cp_command();
         
         // trace pre-install
-        if (arg_trace)
+        if (arg_trace || arg_tracelog)
                 fs_trace_preload();
 
         //****************************
@@ -341,7 +348,7 @@ int sandbox(void* sandbox_arg) {
                 //****************************
                 // trace pre-install, this time inside chroot
                 //****************************
-                if (arg_trace)
+                if (arg_trace || arg_tracelog)
                         fs_trace_preload();
         }
         else 
@@ -392,7 +399,7 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // install trace
         //****************************
-        if (arg_trace)
+        if (arg_trace || arg_tracelog)
                 fs_trace();
                 
         //****************************
diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in
index 3924bdf3f..6917127b0 100644
--- a/src/libtrace/Makefile.in
+++ b/src/libtrace/Makefile.in
@@ -15,7 +15,6 @@ all: libtrace.so
 %.o : %.c $(H_FILE_LIST)
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
-# gcc -shared -fPIC -ldl traceopen.c -o traceopen.so
 libtrace.so: $(OBJS)
         $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 9dad3859e..3db931de1 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -423,7 +423,7 @@ typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf);
 static orig_stat64_t orig_stat64 = NULL;
 int stat64(const char *pathname, struct stat64 *buf) {
         if (!orig_stat)
-                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat");
+                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
                         
         int rv = orig_stat64(pathname, buf);
         printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv);
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
new file mode 100644
index 000000000..8f6c161ab
--- /dev/null
+++ b/src/libtracelog/Makefile.in
@@ -0,0 +1,25 @@
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+
+H_FILE_LIST       = $(wildcard *.[h])
+C_FILE_LIST       = $(wildcard *.c)
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 
+
+all: libtracelog.so
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+libtracelog.so: $(OBJS)
+        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+
+
+clean:; rm -f $(OBJS) libtracelog.so
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
new file mode 100644
index 000000000..c3bbc132b
--- /dev/null
+++ b/src/libtracelog/libtracelog.c
@@ -0,0 +1,494 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+#include <syslog.h>
+#include <dirent.h>
+
+
+
+// break recursivity on fopen call
+typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode);
+static orig_fopen_t orig_fopen = NULL;
+typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
+static orig_fopen64_t orig_fopen64 = NULL;
+
+//
+// blacklist storage
+//
+typedef struct list_elem_t {
+        struct list_elem_t *next;
+        char *path;
+} ListElem;
+
+static ListElem *storage;
+
+static storage_add(const char *str) {
+        ListElem *ptr = malloc(sizeof(ListElem));
+        if (!ptr) {
+                fprintf(stderr, "Error: cannot allocate memory\n");
+                return;
+        }
+        ptr->path = strdup(str);
+        if (!ptr->path) {
+                fprintf(stderr, "Error: cannot allocate memory\n");
+                return;
+        }
+        ptr->next = storage;
+        storage = ptr;
+}
+
+static char *storage_find(const char *str) {
+        const char *tofind = str;
+        int allocated = 0;
+
+        if (strstr(str, "..") || strstr(str, "/./")) {
+                tofind = realpath(str, NULL);
+                allocated = 1;
+        }
+
+        ListElem *ptr = storage;
+        while (ptr) {
+                if (strcmp(tofind, ptr->path) == 0) {
+                        if (allocated)
+                                free((char *) tofind);
+                        return ptr->path;
+                }
+                ptr = ptr->next;
+        }
+        
+        if (allocated)
+                free((char *) tofind);
+        return NULL;
+}
+
+//
+// load blacklistst form /run/firejail/mnt/fslogger
+//
+#define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
+#define MAXBUF 4096
+static int blacklist_loaded = 0;
+static char *sandbox_pid_str = 0;
+static char *sandbox_name_str = NULL;
+void load_blacklist(void) {
+        if (blacklist_loaded)
+                return;
+        
+        // open filesystem log
+        if (!orig_fopen)
+                orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
+        FILE *fp = orig_fopen(RUN_FSLOGGER_FILE, "r");
+        if (!fp)
+                return;
+
+        // extract blacklists
+        char buf[MAXBUF];
+        int cnt = 0;
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "sandbox pid: ", 13) == 0) {
+                        char *ptr = strchr(buf, '\n');
+                        if (ptr)
+                                *ptr = '\0';
+                        sandbox_pid_str = strdup(buf + 13);
+                }
+                else if (strncmp(buf, "sandbox name: ", 14) == 0) {
+                        char *ptr = strchr(buf, '\n');
+                        if (ptr)
+                                *ptr = '\0';
+                        sandbox_name_str = strdup(buf + 14);
+                }
+                else if (strncmp(buf, "blacklist ", 10) == 0) {
+                        char *ptr = strchr(buf, '\n');
+                        if (ptr)
+                                *ptr = '\0';
+                        storage_add(buf + 10);
+                        cnt++;
+                }
+        }
+        fclose(fp);
+        blacklist_loaded = 1;
+        printf("Monitoring %d blacklists\n", cnt);
+}
+
+
+static void sendlog(const char *name, const char *call, const char *path) {
+        openlog ("firejail", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1);
+        if (sandbox_pid_str && sandbox_name_str)
+                syslog (LOG_INFO, "blacklist violation - sandbox %s, name %s, exe %s, syscall %s, path %s",
+                        sandbox_pid_str, sandbox_name_str, name, call, path);
+        else if (sandbox_pid_str)
+                syslog (LOG_INFO, "blacklist violation - sandbox %s, exe %s, syscall %s, path %s",
+                        sandbox_pid_str, name, call, path);
+        else
+                syslog (LOG_INFO, "blacklist violation - exe %s, syscall %s, path %s",
+                        name, call, path);
+        closelog ();
+}
+
+
+//
+// pid
+//
+static pid_t mypid = 0;
+static inline pid_t pid(void) {
+        if (!mypid)
+                mypid = getpid();
+        return mypid;
+}
+
+//
+// process name
+//
+#define MAXNAME 16
+static char myname[MAXNAME];
+static int nameinit = 0;
+static char *name(void) {
+        if (!nameinit) {
+                
+                // initialize the name of the process based on /proc/PID/comm
+                memset(myname, 0, MAXNAME);
+                
+                pid_t p = pid();
+                char *fname;
+                if (asprintf(&fname, "/proc/%u/comm", p) == -1)
+                        return "unknown";
+
+                // read file
+                if (!orig_fopen)
+                        orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
+                FILE *fp  = orig_fopen(fname, "r");
+                if (!fp)
+                        return "unknown";
+                if (fgets(myname, MAXNAME, fp) == NULL) {
+                        fclose(fp);
+                        free(fname);
+                        return "unknown";
+                }
+                
+                // clean '\n'
+                char *ptr = strchr(myname, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                        
+                fclose(fp);
+                free(fname);
+                nameinit = 1;
+        }
+        
+        return myname;
+}
+
+//
+// syscalls
+//
+
+// open
+typedef int (*orig_open_t)(const char *pathname, int flags, mode_t mode);
+static orig_open_t orig_open = NULL;
+int open(const char *pathname, int flags, mode_t mode) {
+        if (!orig_open)
+                orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open");
+        
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_open(pathname, flags, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+typedef int (*orig_open64_t)(const char *pathname, int flags, mode_t mode);
+static orig_open64_t orig_open64 = NULL;
+int open64(const char *pathname, int flags, mode_t mode) {
+        if (!orig_open64)
+                orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64");
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_open64(pathname, flags, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+// openat
+typedef int (*orig_openat_t)(int dirfd, const char *pathname, int flags, mode_t mode);
+static orig_openat_t orig_openat = NULL;
+int openat(int dirfd, const char *pathname, int flags, mode_t mode) {
+        if (!orig_openat)
+                orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat");
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_openat(dirfd, pathname, flags, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+typedef int (*orig_openat64_t)(int dirfd, const char *pathname, int flags, mode_t mode);
+static orig_openat64_t orig_openat64 = NULL;
+int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
+        if (!orig_openat64)
+                orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64");
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_openat64(dirfd, pathname, flags, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+
+// fopen
+FILE *fopen(const char *pathname, const char *mode) {
+        if (!orig_fopen)
+                orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
+        if (!storage)
+                load_blacklist();
+                
+        FILE *rv = orig_fopen(pathname, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+#ifdef __GLIBC__
+FILE *fopen64(const char *pathname, const char *mode) {
+        if (!orig_fopen64)
+                orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64");
+        if (!storage)
+                load_blacklist();
+                
+        FILE *rv = orig_fopen64(pathname, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+#endif /* __GLIBC__ */
+
+
+// freopen
+typedef FILE *(*orig_freopen_t)(const char *pathname, const char *mode, FILE *stream);
+static orig_freopen_t orig_freopen = NULL;
+FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
+        if (!orig_freopen)
+                orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen");
+        if (!storage)
+                load_blacklist();
+                
+        FILE *rv = orig_freopen(pathname, mode, stream);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+#ifdef __GLIBC__
+typedef FILE *(*orig_freopen64_t)(const char *pathname, const char *mode, FILE *stream);
+static orig_freopen64_t orig_freopen64 = NULL;
+FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
+        if (!orig_freopen64)
+                orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64");
+        if (!storage)
+                load_blacklist();
+                
+        FILE *rv = orig_freopen64(pathname, mode, stream);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+#endif /* __GLIBC__ */
+
+// unlink
+typedef int (*orig_unlink_t)(const char *pathname);
+static orig_unlink_t orig_unlink = NULL;
+int unlink(const char *pathname) {
+        if (!orig_unlink)
+                orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink");
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_unlink(pathname);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+typedef int (*orig_unlinkat_t)(int dirfd, const char *pathname, int flags);
+static orig_unlinkat_t orig_unlinkat = NULL;
+int unlinkat(int dirfd, const char *pathname, int flags) {
+        if (!orig_unlinkat)
+                orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat");
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_unlinkat(dirfd, pathname, flags);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+// mkdir/mkdirat/rmdir
+typedef int (*orig_mkdir_t)(const char *pathname, mode_t mode);
+static orig_mkdir_t orig_mkdir = NULL;
+int mkdir(const char *pathname, mode_t mode) {
+        if (!orig_mkdir)
+                orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir");
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_mkdir(pathname, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+typedef int (*orig_mkdirat_t)(int dirfd, const char *pathname, mode_t mode);
+static orig_mkdirat_t orig_mkdirat = NULL;
+int mkdirat(int dirfd, const char *pathname, mode_t mode) {
+        if (!orig_mkdirat)
+                orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat");
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_mkdirat(dirfd, pathname, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+typedef int (*orig_rmdir_t)(const char *pathname);
+static orig_rmdir_t orig_rmdir = NULL;
+int rmdir(const char *pathname) {
+        if (!orig_rmdir)
+                orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir");
+        if (!storage)
+                load_blacklist();
+                
+        int rv = orig_rmdir(pathname);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+// stat
+typedef int (*orig_stat_t)(const char *pathname, struct stat *buf);
+static orig_stat_t orig_stat = NULL;
+int stat(const char *pathname, struct stat *buf) {
+        if (!orig_stat)
+                orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat");
+        if (!storage)
+                load_blacklist();
+                        
+        int rv = orig_stat(pathname, buf);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+#ifdef __GLIBC__
+typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf);
+static orig_stat64_t orig_stat64 = NULL;
+int stat64(const char *pathname, struct stat64 *buf) {
+        if (!orig_stat)
+                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
+        if (!storage)
+                load_blacklist();
+                        
+        int rv = orig_stat64(pathname, buf);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+#endif /* __GLIBC__ */
+
+typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf);
+static orig_lstat_t orig_lstat = NULL;
+int lstat(const char *pathname, struct stat *buf) {
+        if (!orig_lstat)
+                orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat");
+        if (!storage)
+                load_blacklist();
+                        
+        int rv = orig_lstat(pathname, buf);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+#ifdef __GLIBC__
+typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf);
+static orig_lstat64_t orig_lstat64 = NULL;
+int lstat64(const char *pathname, struct stat64 *buf) {
+        if (!orig_lstat)
+                orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
+        if (!storage)
+                load_blacklist();
+                        
+        int rv = orig_lstat64(pathname, buf);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+#endif /* __GLIBC__ */
+
+// access
+typedef int (*orig_access_t)(const char *pathname, int mode);
+static orig_access_t orig_access = NULL;
+int access(const char *pathname, int mode) {
+        if (!orig_access)
+                orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
+        if (!storage)
+                load_blacklist();
+                        
+        int rv = orig_access(pathname, mode);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+// opendir
+typedef DIR *(*orig_opendir_t)(const char *pathname);
+static orig_opendir_t orig_opendir = NULL;
+DIR *opendir(const char *pathname) {
+        if (!orig_opendir)
+                orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir");
+        if (!storage)
+                load_blacklist();
+                        
+        DIR *rv = orig_opendir(pathname);
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
+        return rv;
+}
+
+