author netblue30 <netblue30@protonmail.com> 2022-08-29 12:30:05 -0400
committer Kelvin M. Klann <kmk3.code@protonmail.com> 2022-09-05 01:07:41 -0300
commit 7bd03a67ba8e1c91b80dc3b6a80df71cdd822912 (patch)
tree 86fe84d45a8da53f195e7147e78c6402ff6e0925
parent Revert "Merge pull request #5315 from ChrysoliteAzalea/landlock" (diff)
tracelog disabled by default in /etc/firejail/firejail.config file
Committer note: This is the same as commit 6e687c301 ("tracelog disabled by default in /etc/firejail/firejail.config file", 2022-08-29) but without the Landlock-related changes.
-rw-r--r--etc/firejail.config5
-rw-r--r--src/firejail/checkcfg.c2
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/main.c11
-rw-r--r--src/firejail/profile.c4
5 files changed, 19 insertions, 4 deletions
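--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -57,6 +57,11 @@
 # to the specified period of time to allow sandbox setup to finish.
 # join-timeout 5
 
+# tracelog enables auditing blacklisted files and directories. A message
+# is sent to syslog in case the file or the directory is accessed.
+# Disabled by default.
+# tracelog no
+
 # Enable or disable sandbox name change, default enabled.
 # name-change yes
 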
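--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -62,6 +62,7 @@ int checkcfg(int val) {
 	cfg_val[CFG_CHROOT] = 0;
 	cfg_val[CFG_SECCOMP_LOG] = 0;
 	cfg_val[CFG_PRIVATE_LIB] = 0;
+	cfg_val[CFG_TRACELOG] = 0;
 
 	// open configuration file
 	const char *fname = SYSCONFDIR "/firejail.config";
@@ -111,6 +112,7 @@ int checkcfg(int val) {
 	PARSE_YESNO(CFG_SECCOMP, "seccomp")
 	PARSE_YESNO(CFG_NETWORK, "network")
 	PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
+	PARSE_YESNO(CFG_TRACELOG, "tracelog")
 	PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 	PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
 	PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")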
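--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -831,6 +831,7 @@ enum {
 	// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 	CFG_ALLOW_TRAY,
 	CFG_SECCOMP_LOG,
+	CFG_TRACELOG,
 	CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;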
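--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -343,7 +343,8 @@ errout:
 
 
 static void exit_err_feature(const char *feature) {
-	fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
+	fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
+		feature, SYSCONFDIR "/firejail.config");
 	exit(1);
 }
 
@@ -1489,8 +1490,12 @@ int main(int argc, char **argv, char **envp) {
 				arg_tracefile = tmp;
 			}
 		}
-		else if (strcmp(argv[i], "--tracelog") == 0)
-			arg_tracelog = 1;
+		else if (strcmp(argv[i], "--tracelog") == 0) {
+			if (checkcfg(CFG_TRACELOG))
+				arg_tracelog = 1;
+			else
+				exit_err_feature("tracelog");
+		}
 		else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
 			check_unsigned(argv[i] + 13, "Error: invalid rlimit");
 			sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);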
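--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -372,7 +372,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	else if (strcmp(ptr, "tracelog") == 0) {
-		arg_tracelog = 1;
+		if (checkcfg(CFG_TRACELOG))
+			arg_tracelog = 1;
+		// no warning, we have tracelog in over 400 profiles
 		return 0;
 	}
 	else if (strcmp(ptr, "private") == 0) {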
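Review bot: With `tracelog` now off by default, the new branch silently drops a profile's `tracelog` directive, so anyone reading one of the shipped profiles would assume blacklist accesses are being audited to syslog when nothing is logged; the command-line path in main.c exits with an error in the same situation, so the two paths diverge. The comment gives the reason for not warning (the directive is in many profiles), but the drop should still be observable somewhere, e.g. a debug-only line after the `if`: `else if (arg_debug) fprintf(stderr, "Debug: tracelog is disabled in %s, ignoring profile directive\n", SYSCONFDIR "/firejail.config");` — this keeps profiles quiet by default while making the audit gap visible when debugging. I would also extend the comment to state the consequence rather than only the policy: `// tracelog disabled in firejail.config: directive ignored, no warning since we have tracelog in over 400 profiles`. The body of profile_check_line continues outside the hunk.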