diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-12-03 11:57:07 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-12-03 11:57:07 -0500 |
| commit | fa88b858da3a412c0111185fc0576fc9ad3c4be3 (patch) | |
| tree | f35513b863ddd2d0c05b7678f52d63cd9e175804 /src | |
| parent | --tracelog (diff) | |
| download | firejail-fa88b858da3a412c0111185fc0576fc9ad3c4be3.tar.gz firejail-fa88b858da3a412c0111185fc0576fc9ad3c4be3.tar.zst firejail-fa88b858da3a412c0111185fc0576fc9ad3c4be3.zip | |
--tracelog
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs.c | 14 | ||||
| -rw-r--r-- | src/firejail/profile.c | 2 | ||||
| -rw-r--r-- | src/firejail/usage.c | 4 | ||||
| -rw-r--r-- | src/man/firejail.txt | 23 |
4 files changed, 38 insertions, 5 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ebeaf51c7..e62e2676b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -157,6 +157,7 @@ void fs_delete_cp_command(void) { | |||
| 157 | //*********************************************** | 157 | //*********************************************** |
| 158 | typedef enum { | 158 | typedef enum { |
| 159 | BLACKLIST_FILE, | 159 | BLACKLIST_FILE, |
| 160 | BLACKLIST_NOLOG, | ||
| 160 | MOUNT_READONLY, | 161 | MOUNT_READONLY, |
| 161 | MOUNT_TMPFS, | 162 | MOUNT_TMPFS, |
| 162 | OPERATION_MAX | 163 | OPERATION_MAX |
| @@ -194,7 +195,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
| 194 | } | 195 | } |
| 195 | 196 | ||
| 196 | // modify the file | 197 | // modify the file |
| 197 | if (op == BLACKLIST_FILE) { | 198 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { |
| 198 | // some distros put all executables under /usr/bin and make /bin a symbolic link | 199 | // some distros put all executables under /usr/bin and make /bin a symbolic link |
| 199 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && | 200 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && |
| 200 | is_link(filename) && | 201 | is_link(filename) && |
| @@ -213,7 +214,10 @@ static void disable_file(OPERATION op, const char *filename) { | |||
| 213 | errExit("disable file"); | 214 | errExit("disable file"); |
| 214 | } | 215 | } |
| 215 | last_disable = SUCCESSFUL; | 216 | last_disable = SUCCESSFUL; |
| 216 | fs_logger2("blacklist", fname); | 217 | if (op == BLACKLIST_FILE) |
| 218 | fs_logger2("blacklist", fname); | ||
| 219 | else | ||
| 220 | fs_logger2("blacklist-nolog", fname); | ||
| 217 | } | 221 | } |
| 218 | } | 222 | } |
| 219 | else if (op == MOUNT_READONLY) { | 223 | else if (op == MOUNT_READONLY) { |
| @@ -282,6 +286,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
| 282 | } | 286 | } |
| 283 | if (okay_to_blacklist) | 287 | if (okay_to_blacklist) |
| 284 | disable_file(op, path); | 288 | disable_file(op, path); |
| 289 | else if (arg_debug) | ||
| 290 | printf("Not blacklist %s\n", path); | ||
| 285 | } | 291 | } |
| 286 | globfree(&globbuf); | 292 | globfree(&globbuf); |
| 287 | } | 293 | } |
| @@ -366,6 +372,10 @@ void fs_blacklist(void) { | |||
| 366 | ptr = entry->data + 10; | 372 | ptr = entry->data + 10; |
| 367 | op = BLACKLIST_FILE; | 373 | op = BLACKLIST_FILE; |
| 368 | } | 374 | } |
| 375 | else if (strncmp(entry->data, "blacklist-nolog ", 16) == 0) { | ||
| 376 | ptr = entry->data + 16; | ||
| 377 | op = BLACKLIST_NOLOG; | ||
| 378 | } | ||
| 369 | else if (strncmp(entry->data, "read-only ", 10) == 0) { | 379 | else if (strncmp(entry->data, "read-only ", 10) == 0) { |
| 370 | ptr = entry->data + 10; | 380 | ptr = entry->data + 10; |
| 371 | op = MOUNT_READONLY; | 381 | op = MOUNT_READONLY; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a8eedcaff..50fdeda7e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -370,6 +370,8 @@ int profile_check_line(char *ptr, int lineno) { | |||
| 370 | // rest of filesystem | 370 | // rest of filesystem |
| 371 | if (strncmp(ptr, "blacklist ", 10) == 0) | 371 | if (strncmp(ptr, "blacklist ", 10) == 0) |
| 372 | ptr += 10; | 372 | ptr += 10; |
| 373 | else if (strncmp(ptr, "blacklist-nolog ", 16) == 0) | ||
| 374 | ptr += 16; | ||
| 373 | else if (strncmp(ptr, "noblacklist ", 12) == 0) | 375 | else if (strncmp(ptr, "noblacklist ", 12) == 0) |
| 374 | ptr += 12; | 376 | ptr += 12; |
| 375 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | 377 | else if (strncmp(ptr, "whitelist ", 10) == 0) { |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index a64bafeb4..d060af5eb 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -263,8 +263,8 @@ void usage(void) { | |||
| 263 | printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n"); | 263 | printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n"); |
| 264 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); | 264 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); |
| 265 | printf("\t--trace - trace open, access and connect system calls.\n\n"); | 265 | printf("\t--trace - trace open, access and connect system calls.\n\n"); |
| 266 | printf("\t--tracelog - add a log message in syslog for every access to blacklisted\n"); | 266 | printf("\t--tracelog - add a syslog message for every access to files or\n"); |
| 267 | printf("\t\tfiles or directories.\n\n"); | 267 | printf("\t\tdirectoires blacklisted by the security profile.\n\n"); |
| 268 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); | 268 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); |
| 269 | printf("\t--version - print program version and exit.\n\n"); | 269 | printf("\t--version - print program version and exit.\n\n"); |
| 270 | printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); | 270 | printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 28f75d023..62225c407 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1297,7 +1297,28 @@ Child process initialized | |||
| 1297 | parent is shutting down, bye... | 1297 | parent is shutting down, bye... |
| 1298 | .TP | 1298 | .TP |
| 1299 | \fB\-\-tracelog | 1299 | \fB\-\-tracelog |
| 1300 | Add a log message in syslog for every access to blacklisted files or directories. | 1300 | This option enables auditing blacklisted files and directories. A message |
| 1301 | is sent to syslog in case the file or the directory is accessed. | ||
| 1302 | .br | ||
| 1303 | |||
| 1304 | .br | ||
| 1305 | Example: | ||
| 1306 | .br | ||
| 1307 | $ firejail --tracelog firefox | ||
| 1308 | .br | ||
| 1309 | |||
| 1310 | .br | ||
| 1311 | Sample messages: | ||
| 1312 | .br | ||
| 1313 | $ sudo tail -f /var/log/syslog | ||
| 1314 | .br | ||
| 1315 | [...] | ||
| 1316 | .br | ||
| 1317 | Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow | ||
| 1318 | .br | ||
| 1319 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot | ||
| 1320 | .br | ||
| 1321 | [...] | ||
| 1301 | .TP | 1322 | .TP |
| 1302 | \fB\-\-tree | 1323 | \fB\-\-tree |
| 1303 | Print a tree of all sandboxed processes, see MONITORING section for more details. | 1324 | Print a tree of all sandboxed processes, see MONITORING section for more details. |