author | Glenn Washburn <development@efficientek.com> | 2019-08-29 21:57:13 -0500 |
committer | Glenn Washburn <development@efficientek.com> | 2019-08-29 21:57:13 -0500 |
commit | f6584eaf3b5bfa166fed56b900dbda6629c4fbd3 (patch) | |
tree | 4c516d172e25e9b9bf0c2a18b22d0435c6265eea /src | |
parent | Allow libtrace preload library to use for trace output a logfile specified by... (diff) | |
Allow firejail --trace option to take an optional parameter which is the trace log file path. The trace log file will be created if it does not exist and then bind mounted to RUN_TRACE_FILE so that the sandboxed program can access it.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 19 | ||||
-rw-r--r-- | src/firejail/main.c | 5 |
3 files changed, 25 insertions, 0 deletions
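--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -260,6 +260,7 @@ extern int arg_caps_keep; // keep list
 extern char *arg_caps_list; // optional caps list
 
 extern int arg_trace; // syscall tracing support
+extern char *arg_tracefile; // syscall tracing file
 extern int arg_tracelog; // blacklist tracing support
 extern int arg_rlimit_cpu; // rlimit cpu
 extern int arg_rlimit_nofile; // rlimit nofile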
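--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -41,6 +41,25 @@ void fs_trace_preload(void) {
 		fclose(fp);
 		fs_logger("touch /etc/ld.so.preload");
 	}
+	if (arg_tracefile) {
+		if (arg_debug)
+			printf("Creating an empty trace log file: %s\n", arg_tracefile);
+		// create a bind mounted trace logfile that the sandbox can see
+		FILE *fp = fopen(arg_tracefile, "w");
+		if (!fp)
+			errExit("fopen");
+		SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+		fclose(fp);
+		fp = fopen(RUN_TRACE_FILE, "w");
+		if (!fp)
+			errExit("fopen");
+		fclose(fp);
+		fs_logger2("touch ", arg_tracefile);
+		if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+			errExit("mount bind " RUN_TRACE_FILE);
+		if (arg_debug)
+			printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
+	}
 }
 
 void fs_trace(void) {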
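Review bot: `fopen(arg_tracefile, "w")` at new line 48 opens and truncates a caller-supplied path with whatever credentials fs_trace_preload() runs under, follows symlinks, and the SET_PERMS_STREAM on the next line then chowns that inode to firejail_uid; if this code runs with root privileges, as the write to /etc/ld.so.preload earlier in the same function suggests, an unprivileged caller can truncate and take ownership of any file root can write simply by naming it (or a symlink to it) in --trace=. Create the log file with the invoking user's credentials so the kernel's own permission check applies, and open it without truncation and without following symlinks, e.g. `int fd = open(arg_tracefile, O_WRONLY | O_CREAT | O_NOFOLLOW, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);` issued while the effective uid is the user's (the EUID_USER()/EUID_ROOT() helpers used elsewhere in firejail would fit, if they exist at this revision), after which the chown is unnecessary. Separately, `S_IWRITE` at new line 51 is the obsolete BSD spelling; the POSIX name is `S_IWUSR`. fs_trace_preload() begins before this hunk.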
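--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -80,6 +80,7 @@ int arg_caps_keep = 0; // keep list
 char *arg_caps_list = NULL; // optional caps list
 
 int arg_trace = 0; // syscall tracing support
+char *arg_tracefile = NULL; // syscall tracing file
 int arg_tracelog = 0; // blacklist tracing support
 int arg_rlimit_cpu = 0; // rlimit max cpu time
 int arg_rlimit_nofile = 0; // rlimit nofile
@@ -1296,6 +1297,10 @@ int main(int argc, char **argv) {
 		}
 		else if (strcmp(argv[i], "--trace") == 0)
 			arg_trace = 1;
+		else if (strncmp(argv[i], "--trace=", 8) == 0) {
+			arg_trace = 1;
+			arg_tracefile = argv[i] + 8;
+		}
 		else if (strcmp(argv[i], "--tracelog") == 0)
 			arg_tracelog = 1;
 		else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {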
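Review bot: `arg_tracefile = argv[i] + 8;` at new line 1302 stores the raw option text without any check, so `--trace=` with nothing after the `=` yields a non-NULL empty path that only fails later in fs_trace_preload() with an unhelpful errExit("fopen"), and no validation of the path (absolute, no `..` components) happens before the value reaches fopen() and mount() there. Reject the empty form at parse time, `if (*arg_tracefile == '\0') { fprintf(stderr, "Error: --trace requires a file name\n"); exit(1); }`, and run the value through the same path validation main.c applies to its other file-taking options (invalid_filename(), if that helper is present at this revision) before storing it. The option-parsing loop in main() starts and ends outside the hunk.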