logging fixes

author: netblue30 <netblue30@yahoo.com> 2016-03-07 15:34:25 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-03-07 15:34:25 -0500
commit: 159f33e886fa5fc150972dc3a5071c59b8691e1e (patch)
tree: d5fe8ede844bee46e264e9c138898e5d6aa54775
parent: profile fix (diff)
download: firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.tar.gz
firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.tar.zst
firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.zip
8 files changed, 61 insertions, 28 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index d9a860722..5efdd4d87 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -178,6 +178,7 @@ void fs_build_mnt_dir(void) {
                if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /tmp/firejail/mnt");
                tmpfs_mounted = 1;
+                fs_logger2("tmpfs", RUN_MNT_DIR);
        }
 }
@@ -342,7 +343,7 @@ static void disable_file(OPERATION op, const char *filename) {
                        if (chown(fname, s.st_uid, s.st_gid) == -1)
                                errExit("mounting tmpfs chmod");
                        last_disable = SUCCESSFUL;
-                        fs_logger2("mount tmpfs on", fname);
+                        fs_logger2("tmpfs", fname);
                }
                else
                        printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
@@ -1030,5 +1031,6 @@ void fs_private_tmp(void) {
                printf("Mounting tmpfs on /tmp directory\n");
        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                errExit("mounting /tmp/firejail/mnt");
+        fs_logger2("tmpfs", "/tmp");
 }
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 447ef7f8f..228ed347a 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -144,7 +144,6 @@ static void duplicate(char *fname) {
                        printf("%s\n", cmd);
                if (system(cmd))
                        errExit("system cp -a");
-                fs_logger2("clone", fname);
                free(cmd);
                free(actual_path);
        }
@@ -220,8 +219,29 @@ void fs_private_bin_list(void) {
                        printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]);
                if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
+                fs_logger2("tmpfs", paths[i]);
                fs_logger2("mount", paths[i]);
                i++;
        }
+        
+        // log cloned files
+        char *dlist = strdup(private_list);
+        if (!dlist)
+                errExit("strdup");
+        
+        
+        char *ptr = strtok(dlist, ",");
+        while (ptr) {
+                i = 0;
+                while (paths[i]) {
+                        char *fname;
+                        if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1)
+                                errExit("asprintf");
+                        fs_logger2("clone", fname);
+                        free(fname);
+                        i++;
+                }
+                ptr = strtok(NULL, ",");
+        }
 }
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 97ee9de55..2525dab24 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -107,7 +107,7 @@ void fs_private_dev(void){
        // mount tmpfs on top of /dev
        if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mounting /dev");
-        fs_logger("mount tmpfs on /dev");
+        fs_logger("tmpfs /dev");
        // bring back /dev/log
        if (have_devlog) {
@@ -203,7 +203,7 @@ void fs_dev_shm(void) {
                        printf("Mounting tmpfs on /dev/shm\n");
                if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                        errExit("mounting /dev/shm");
-                fs_logger("mount tmpfs on /dev/shm");
+                fs_logger("tmpfs /dev/shm");
        }
        else {
                char *lnk = realpath("/dev/shm", NULL);
@@ -221,7 +221,7 @@ void fs_dev_shm(void) {
                                printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                errExit("mounting /var/tmp");
-                        fs_logger3("mount tmpfs on", lnk, "on behalf of /dev/shm");
+                        fs_logger2("tmpfs", lnk);
                        free(lnk);
                }
                else {
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 2b6142c6c..8a3484b06 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -107,7 +107,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        errExit("asprintf");
                struct stat s;
                // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (stat(fname, &s) == 0) 
                        return;
                if (stat("/etc/skel/.bashrc", &s) == 0) {
                        if (is_link("/etc/skel/.bashrc")) {
@@ -254,6 +254,7 @@ void fs_private_homedir(void) {
        if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
        fs_logger3("mount-bind", private_homedir, cfg.homedir);
+        fs_logger2("whitelist", cfg.homedir);
 // preserve mode and ownership
 //      if (chown(homedir, s.st_uid, s.st_gid) == -1)
 //              errExit("mount-bind chown");
@@ -266,7 +267,7 @@ void fs_private_homedir(void) {
                        printf("Mounting a new /root directory\n");
                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                        errExit("mounting home directory");
-                fs_logger("mount tmpfs on /root");
+                fs_logger("tmpfs /root");
        }
        else {
                // mask /home
@@ -274,7 +275,7 @@ void fs_private_homedir(void) {
                        printf("Mounting a new /home directory\n");
                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting home directory");
-                fs_logger("mount tmpfs on /home");
+                fs_logger("tmpfs /home");
        }
        
@@ -304,14 +305,14 @@ void fs_private(void) {
                printf("Mounting a new /home directory\n");
        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mounting home directory");
-        fs_logger("mount tmpfs on /home");
+        fs_logger("tmpfs /home");
        // mask /root
        if (arg_debug)
                printf("Mounting a new /root directory\n");
        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                errExit("mounting root directory");
-        fs_logger("mount tmpfs on /root");
+        fs_logger("tmpfs /root");
        if (u != 0) {
                // create /home/user
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 82d453308..f904fa5d9 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -123,7 +123,7 @@ void fs_var_log(void) {
                        printf("Mounting tmpfs on /var/log\n");
                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/log");
-                fs_logger("mount tmpfs on /var/log");
+                fs_logger("tmpfs /var/log");
                
                build_dirs();
                release_all();
@@ -162,7 +162,7 @@ void fs_var_lib(void) {
                        printf("Mounting tmpfs on /var/lib/dhcp\n");
                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/dhcp");
-                fs_logger("mount tmpfs on /var/lib/dhcp");
+                fs_logger("tmpfs /var/lib/dhcp");
                        
                // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file
                FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w");
@@ -184,7 +184,7 @@ void fs_var_lib(void) {
                        printf("Mounting tmpfs on /var/lib/nginx\n");
                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/nginx");
-                fs_logger("mount tmpfs on /var/lib/nginx");
+                fs_logger("tmpfs /var/lib/nginx");
        }                       
        // net-snmp multiserver
@@ -193,7 +193,7 @@ void fs_var_lib(void) {
                        printf("Mounting tmpfs on /var/lib/snmp\n");
                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/snmp");
-                fs_logger("mount tmpfs on /var/lib/snmp");
+                fs_logger("tmpfs /var/lib/snmp");
        }                       
        // this is where sudo remembers its state
@@ -202,7 +202,7 @@ void fs_var_lib(void) {
                        printf("Mounting tmpfs on /var/lib/sudo\n");
                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/sudo");
-                fs_logger("mount tmpfs on /var/lib/sudo");
+                fs_logger("tmpfs /var/lib/sudo");
        }                       
 }
@@ -214,7 +214,7 @@ void fs_var_cache(void) {
                        printf("Mounting tmpfs on /var/cache/apache2\n");
                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/cache/apache2");
-                fs_logger("mount tmpfs on /var/cache/apache2");
+                fs_logger("tmpfs /var/cache/apache2");
        }                       
        if (stat("/var/cache/lighttpd", &s) == 0) {
@@ -222,7 +222,7 @@ void fs_var_cache(void) {
                        printf("Mounting tmpfs on /var/cache/lighttpd\n");
                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/cache/lighttpd");
-                fs_logger("mount tmpfs on /var/cache/lighttpd");
+                fs_logger("tmpfs /var/cache/lighttpd");
                struct passwd *p = getpwnam("www-data");
                uid_t uid = 0;
@@ -270,7 +270,7 @@ void fs_var_lock(void) {
                        printf("Mounting tmpfs on /var/lock\n");
                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                        errExit("mounting /lock");
-                fs_logger("mount tmpfs on /var/lock");
+                fs_logger("tmpfs /var/lock");
        }
        else {
                char *lnk = realpath("/var/lock", NULL);
@@ -289,7 +289,7 @@ void fs_var_lock(void) {
                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                errExit("mounting /var/lock");
                        free(lnk);
-                        fs_logger("mount tmpfs on /var/lock");
+                        fs_logger("tmpfs /var/lock");
                }
                else {
                        fprintf(stderr, "Warning: /var/lock not mounted\n");
@@ -306,7 +306,7 @@ void fs_var_tmp(void) {
                                printf("Mounting tmpfs on /var/tmp\n");
                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                errExit("mounting /var/tmp");
-                        fs_logger("mount tmpfs on /var/tmp");
+                        fs_logger("tmpfs /var/tmp");
                }
        }
        else {
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index dce044cb7..7e61bfde5 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -516,7 +516,7 @@ void fs_whitelist(void) {
                        printf("Mounting tmpfs on /tmp directory\n");
                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                        errExit("mounting tmpfs on /tmp");
-                fs_logger("mount tmpfs on /tmp");
+                fs_logger("tmpfs /tmp");
        }
        
        // /media mountpoint
@@ -538,7 +538,7 @@ void fs_whitelist(void) {
                        printf("Mounting tmpfs on /media directory\n");
                if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting tmpfs on /media");
-                fs_logger("mount tmpfs on /media");
+                fs_logger("tmpfs /media");
        }
        // /var mountpoint
@@ -560,7 +560,7 @@ void fs_whitelist(void) {
                        printf("Mounting tmpfs on /var directory\n");
                if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting tmpfs on /var");
-                fs_logger("mount tmpfs on /var");
+                fs_logger("tmpfs /var");
        }
        // /dev mountpoint
@@ -582,7 +582,7 @@ void fs_whitelist(void) {
                        printf("Mounting tmpfs on /dev directory\n");
                if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting tmpfs on /dev");
-                fs_logger("mount tmpfs on /dev");
+                fs_logger("tmpfs /dev");
        }
        // /opt mountpoint
@@ -604,7 +604,7 @@ void fs_whitelist(void) {
                        printf("Mounting tmpfs on /opt directory\n");
                if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting tmpfs on /opt");
-                fs_logger("mount tmpfs on /opt");
+                fs_logger("tmpfs /opt");
        }
        // go through profile rules again, and interpret whitelist commands
@@ -643,36 +643,42 @@ void fs_whitelist(void) {
        if (home_dir) {
                if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR);
        }
        
        // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR
        if (tmp_dir) {
                if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR);
        }
        // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR
        if (var_dir) {
                if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR);
        }
        // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR
        if (opt_dir) {
                if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR);
        }
        // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR
        if (dev_dir) {
                if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR);
        }
        // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR
        if (media_dir) {
                if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR);
        }
        if (new_name)
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 88dd38021..5a41c441b 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -83,7 +83,7 @@ static void sanitize_home(void) {
        // mount tmpfs in the new home
        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mount tmpfs");
-        fs_logger("mount tmpfs on /home");
+        fs_logger("tmpfs /home");
        // create user home directory
        if (mkdir(cfg.homedir, 0755) == -1) {
@@ -107,6 +107,10 @@ static void sanitize_home(void) {
        // mask home dir under /run
        if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mount tmpfs");
+        fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR);
+        if (!arg_private)
+                fs_logger2("whitelist", cfg.homedir);
+        
 }
 static void sanitize_passwd(void) {
@@ -347,7 +351,7 @@ void restrict_users(void) {
                        // mount tmpfs on top of /home in order to hide it
                        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                                errExit("mount tmpfs");
-                        fs_logger("mount tmpfs on /home");
+                        fs_logger("tmpfs /home");
                }
                sanitize_passwd();
                sanitize_group();
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 7769503b1..8c781c67a 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -84,7 +84,7 @@ void fs_x11(void) {
                printf("Mounting tmpfs on /tmp/.X11-unix directory\n");
        if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                errExit("mounting tmpfs on /tmp");
-        fs_logger("mount tmpfs on /tmp/.X11-unix");
+        fs_logger("tmpfs /tmp/.X11-unix");
        // create an empty file
        FILE *fp = fopen(x11file, "w");
author	netblue30 <netblue30@yahoo.com>	2016-03-07 15:34:25 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-03-07 15:34:25 -0500
commit	159f33e886fa5fc150972dc3a5071c59b8691e1e (patch)
tree	d5fe8ede844bee46e264e9c138898e5d6aa54775
parent	profile fix (diff)
download	firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.tar.gz firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.tar.zst firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.zip