authorLibravatar netblue30 <netblue30@yahoo.com>2017-01-30 11:01:32 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2017-01-30 11:01:32 -0500
commit4579993d9b756d0821fa77a8fff409e764f2107a (patch)
tree8e2a79821cf9620efd87ab2123fb8f0eeb0386d2
parent--quiet fix (diff)
--writable-var-log
-rw-r--r--README.md8
-rw-r--r--RELNOTES3
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/fs.c21
-rw-r--r--src/firejail/main.c6
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/usage.c1
-rw-r--r--src/man/firejail-profile.txt5
-rw-r--r--src/man/firejail.txt11
9 files changed, 53 insertions, 7 deletions
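--- a/README.md
+++ b/README.md
@@ -98,6 +98,14 @@ Added AppImage type 2 support, and support for passing command line arguments to
 Example:
 $ firejail --hosts-file=~/myhosts firefox
 
+--writable-var-log
+Use the real /var/log directory, not a clone. By default, a
+tmpfs is mounted on top of /var/log directory, and a skeleton
+filesystem is created based on the original /var/log.
+
+Example:
+$ sudo firejail --writable-var-log
+
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,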
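--- a/RELNOTES
+++ b/RELNOTES
@@ -19,8 +19,9 @@ firejail (0.9.45) baseline; urgency=low
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
  * feature: spoof machine-id (--machine-id, profile support)
- * feature: allow blacklists under --private (--allow-private-blacklist)
+ * feature: allow blacklists under --private (--allow-private-blacklist, profile support)
  * feature: user-defined /etc/hosts file (--hosts-file, profile support)
+ * feature: support for the real /var/log directory (--writable-var-log, profile support)
  * feature: config support for firejail prompt in terminals
  * feature: AppImage type 2 support
  * feature: pass command line arguments to appimages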
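--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_writable_var; // writable var
+extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_audit; // audit
 extern char *arg_audit_prog; // audit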
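--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -445,6 +445,7 @@ static void fs_rdwr(const char *dir) {
  mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
  errExit("mount read-write");
  fs_logger2("read-write", dir);
+printf("readwrite %s\n", dir);
  }
 }
 
@@ -682,11 +683,13 @@ void fs_basic_fs(void) {
  fs_rdonly("/usr");
 
  // update /var directory in order to support multiple sandboxes running on the same root directory
-// if (!arg_private_dev)
-// fs_dev_shm();
  fs_var_lock();
  fs_var_tmp();
- fs_var_log();
+ if (!arg_writable_var_log)
+ fs_var_log();
+ else
+ fs_rdwr("/var/log");
+
  fs_var_lib();
  fs_var_cache();
  fs_var_utmp();
@@ -996,7 +999,11 @@ void fs_overlayfs(void) {
 // fs_dev_shm();
  fs_var_lock();
  fs_var_tmp();
- fs_var_log();
+ if (!arg_writable_var_log)
+ fs_var_log();
+ else
+ fs_rdwr("/var/log");
+
  fs_var_lib();
  fs_var_cache();
  fs_var_utmp();
@@ -1226,7 +1233,11 @@ void fs_chroot(const char *rootdir) {
 // fs_dev_shm();
  fs_var_lock();
  fs_var_tmp();
- fs_var_log();
+ if (!arg_writable_var_log)
+ fs_var_log();
+ else
+ fs_rdwr("/var/log");
+
  fs_var_lib();
  fs_var_cache();
  fs_var_utmp();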
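Review bot: The `printf("readwrite %s\n", dir);` added at new line 448 in fs_rdwr looks like leftover debugging output: it writes unconditionally to stdout on every read-write remount, sits at column 0 unlike the surrounding code, and duplicates the `fs_logger2("read-write", dir);` record on the line above it, so that line should be removed and `fs_logger2("read-write", dir);` left as the only record. Because fs_rdwr is a shared helper, the extra output presumably also appears for the other callers that remount directories read-write, not only for --writable-var-log. The same `if (!arg_writable_var_log) fs_var_log(); else fs_rdwr("/var/log");` branch is repeated in fs_basic_fs, fs_overlayfs and fs_chroot; a small static helper would keep the three call sites in step. fs_rdwr's body starts before the first hunk, so the `if` whose condition continues on line 445 is not visible here.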
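--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -114,7 +114,8 @@ int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 int arg_machineid = 0; // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0; // blacklist things in private directories
+int arg_writable_var_log; // writable /var/log
 
 int login_shell = 0;
 
@@ -1488,6 +1489,9 @@ int main(int argc, char **argv) {
  else if (strcmp(argv[i], "--writable-var") == 0) {
  arg_writable_var = 1;
  }
+ else if (strcmp(argv[i], "--writable-var-log") == 0) {
+ arg_writable_var_log = 1;
+ }
  else if (strcmp(argv[i], "--machine-id") == 0) {
  arg_machineid = 1;
  }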
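Review bot: `int arg_writable_var_log; // writable /var/log` at new line 118 is the only flag in this run declared without an explicit initializer, while its neighbours (arg_machineid, arg_allow_private_blacklist) are written `= 0`; file-scope storage is still zero-initialized, but for consistency with the surrounding declarations it should read `int arg_writable_var_log = 0; // writable /var/log`. The comment could also say what the flag changes rather than repeating the name, e.g. `// use the real /var/log instead of the tmpfs clone`, which matches how usage.c in this commit describes the option.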
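--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -673,6 +673,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  arg_writable_var = 1;
  return 0;
  }
+ if (strcmp(ptr, "writable-var-log") == 0) {
+ arg_writable_var_log = 1;
+ return 0;
+ }
 
  // private directory
  if (strncmp(ptr, "private ", 8) == 0) {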
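--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -192,6 +192,7 @@ void usage(void) {
 #endif
  printf(" --writable-etc - /etc directory is mounted read-write.\n");
  printf(" --writable-var - /var directory is mounted read-write.\n");
+ printf(" --writable-var-log - use the real /var/log directory, not a clone.\n");
  printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
  printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
  printf("\tattempt to use X11 security extension.\n");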
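--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -244,6 +244,11 @@ Mount /etc directory read-write.
 .TP
 \fBwritable-var
 Mount /var directory read-write.
+.TP
+\fBwritable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+
 .SH Security filters
 The following security filters are currently implemented:
 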
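--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1725,6 +1725,17 @@ Example:
 .br
 $ sudo firejail --writable-var
 
+.TP
+\fB\-\-writable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-var-log
+
 
 .TP
 \fB\-\-x11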