author | netblue30 <netblue30@yahoo.com> | 2015-12-11 09:27:40 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-12-11 09:27:40 -0500 |
commit | fabe7c1fa2409ed9d909efc093c37af346104869 (patch) | |
tree | bb960a13599e4a27ac3d4acfd169c13fcd86c83d /src | |
parent | fixes (diff) | |
download | firejail-fabe7c1fa2409ed9d909efc093c37af346104869.tar.gz firejail-fabe7c1fa2409ed9d909efc093c37af346104869.tar.zst firejail-fabe7c1fa2409ed9d909efc093c37af346104869.zip |
debug enhancements
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 7 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 28 | ||||
-rw-r--r-- | src/firejail/main.c | 12 | ||||
-rw-r--r-- | src/firejail/usage.c | 7 | ||||
-rw-r--r-- | src/man/firejail.txt | 30 |
6 files changed, 69 insertions, 19 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 967eb7e45..5590e9f54 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -187,7 +187,9 @@ static inline int any_interface_configured(void) { | |||
187 | 187 | ||
188 | extern int arg_private; // mount private /home | 188 | extern int arg_private; // mount private /home |
189 | extern int arg_debug; // print debug messages | 189 | extern int arg_debug; // print debug messages |
190 | extern int arg_debug_check_filename; // print debug messages for invalid_filename() | 190 | extern int arg_debug_check_filename; // print debug messages for filename checking |
191 | extern int arg_debug_blacklists; // print debug messages for blacklists | ||
192 | extern int arg_debug_whitelists; // print debug messages for whitelists | ||
191 | extern int arg_nonetwork; // --net=none | 193 | extern int arg_nonetwork; // --net=none |
192 | extern int arg_command; // -c | 194 | extern int arg_command; // -c |
193 | extern int arg_overlay; // overlay option | 195 | extern int arg_overlay; // overlay option |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e62e2676b..1d2dc8e1e 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -205,6 +205,13 @@ static void disable_file(OPERATION op, const char *filename) { | |||
205 | else { | 205 | else { |
206 | if (arg_debug) | 206 | if (arg_debug) |
207 | printf("Disable %s\n", fname); | 207 | printf("Disable %s\n", fname); |
208 | else if (arg_debug_blacklists) { | ||
209 | printf("Disable %s", fname); | ||
210 | if (op == BLACKLIST_FILE) | ||
211 | printf("\n"); | ||
212 | else | ||
213 | printf(" - no logging\n"); | ||
214 | } | ||
208 | if (S_ISDIR(s.st_mode)) { | 215 | if (S_ISDIR(s.st_mode)) { |
209 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 216 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
210 | errExit("disable file"); | 217 | errExit("disable file"); |
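Review bot: The new `else if (arg_debug_blacklists)` branch at new lines 208-214 prints a different message from the `arg_debug` branch just above it, so the `- no logging` suffix is visible with `--debug-blacklists` but never with `--debug`, and the two branches now have to be kept in step by hand. The whitelist code in this same commit uses a single disjunction per site; the same shape here would be `if (arg_debug || arg_debug_blacklists)` followed by `printf("Disable %s%s\n", fname, op == BLACKLIST_FILE ? "" : " - no logging");`, which keeps the existing rule that every op other than BLACKLIST_FILE is reported as the no-logging variant. disable_file begins and ends outside the hunk.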
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 37894fee1..465eaa7c8 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -46,7 +46,7 @@ static char *resolve_downloads(void) { | |||
46 | errExit("asprintf"); | 46 | errExit("asprintf"); |
47 | 47 | ||
48 | if (stat(fname, &s) == 0) { | 48 | if (stat(fname, &s) == 0) { |
49 | if (arg_debug) | 49 | if (arg_debug || arg_debug_whitelists) |
50 | printf("Downloads directory resolved as \"%s\"\n", fname); | 50 | printf("Downloads directory resolved as \"%s\"\n", fname); |
51 | 51 | ||
52 | char *rv; | 52 | char *rv; |
@@ -86,10 +86,10 @@ static char *resolve_downloads(void) { | |||
86 | if (ptr2) { | 86 | if (ptr2) { |
87 | fclose(fp); | 87 | fclose(fp); |
88 | *ptr2 = '\0'; | 88 | *ptr2 = '\0'; |
89 | if (arg_debug) | 89 | if (arg_debug || arg_debug_whitelists) |
90 | printf("extracted %s from ~/.config/user-dirs.dirs\n", ptr1); | 90 | printf("extracted %s from ~/.config/user-dirs.dirs\n", ptr1); |
91 | if (strlen(ptr1) != 0) { | 91 | if (strlen(ptr1) != 0) { |
92 | if (arg_debug) | 92 | if (arg_debug || arg_debug_whitelists) |
93 | printf("Downloads directory resolved as \"%s\"\n", ptr1); | 93 | printf("Downloads directory resolved as \"%s\"\n", ptr1); |
94 | 94 | ||
95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) | 95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) |
@@ -244,11 +244,11 @@ static void whitelist_path(ProfileEntry *entry) { | |||
244 | // check if the file exists | 244 | // check if the file exists |
245 | struct stat s; | 245 | struct stat s; |
246 | if (wfile && stat(wfile, &s) == 0) { | 246 | if (wfile && stat(wfile, &s) == 0) { |
247 | if (arg_debug) | 247 | if (arg_debug || arg_debug_whitelists) |
248 | printf("Whitelisting %s\n", path); | 248 | printf("Whitelisting %s\n", path); |
249 | } | 249 | } |
250 | else { | 250 | else { |
251 | if (arg_debug) { | 251 | if (arg_debug || arg_debug_whitelists) { |
252 | fprintf(stderr, "Warning: %s is an invalid file, skipping...\n", path); | 252 | fprintf(stderr, "Warning: %s is an invalid file, skipping...\n", path); |
253 | } | 253 | } |
254 | return; | 254 | return; |
@@ -341,7 +341,7 @@ void fs_whitelist(void) { | |||
341 | char *fname = realpath(new_name, NULL); | 341 | char *fname = realpath(new_name, NULL); |
342 | if (!fname) { | 342 | if (!fname) { |
343 | // file not found, blank the entry in the list and continue | 343 | // file not found, blank the entry in the list and continue |
344 | if (arg_debug) { | 344 | if (arg_debug || arg_debug_whitelists) { |
345 | printf("Removed whitelist path: %s\n", entry->data); | 345 | printf("Removed whitelist path: %s\n", entry->data); |
346 | printf("\texpanded: %s\n", new_name); | 346 | printf("\texpanded: %s\n", new_name); |
347 | printf("\treal path: (null)\n"); | 347 | printf("\treal path: (null)\n"); |
@@ -360,7 +360,7 @@ void fs_whitelist(void) { | |||
360 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | 360 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { |
361 | // whitelisting home directory is disabled if --private or --private-home option is present | 361 | // whitelisting home directory is disabled if --private or --private-home option is present |
362 | if (arg_private) { | 362 | if (arg_private) { |
363 | if (arg_debug) | 363 | if (arg_debug || arg_debug_whitelists) |
364 | printf("Removed whitelist path %s, --private option is present\n", entry->data); | 364 | printf("Removed whitelist path %s, --private option is present\n", entry->data); |
365 | 365 | ||
366 | *entry->data = '\0'; | 366 | *entry->data = '\0'; |
@@ -425,7 +425,7 @@ void fs_whitelist(void) { | |||
425 | if (asprintf(&newdata, "whitelist %s", fname) == -1) | 425 | if (asprintf(&newdata, "whitelist %s", fname) == -1) |
426 | errExit("asprintf"); | 426 | errExit("asprintf"); |
427 | entry->data = newdata; | 427 | entry->data = newdata; |
428 | if (arg_debug) | 428 | if (arg_debug || arg_debug_whitelists) |
429 | printf("Replaced whitelist path: %s\n", entry->data); | 429 | printf("Replaced whitelist path: %s\n", entry->data); |
430 | } | 430 | } |
431 | free(fname); | 431 | free(fname); |
@@ -469,7 +469,7 @@ void fs_whitelist(void) { | |||
469 | errExit("mount bind"); | 469 | errExit("mount bind"); |
470 | 470 | ||
471 | // mount tmpfs on /tmp | 471 | // mount tmpfs on /tmp |
472 | if (arg_debug) | 472 | if (arg_debug || arg_debug_whitelists) |
473 | printf("Mounting tmpfs on /tmp directory\n"); | 473 | printf("Mounting tmpfs on /tmp directory\n"); |
474 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 474 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
475 | errExit("mounting tmpfs on /tmp"); | 475 | errExit("mounting tmpfs on /tmp"); |
@@ -491,7 +491,7 @@ void fs_whitelist(void) { | |||
491 | errExit("mount bind"); | 491 | errExit("mount bind"); |
492 | 492 | ||
493 | // mount tmpfs on /media | 493 | // mount tmpfs on /media |
494 | if (arg_debug) | 494 | if (arg_debug || arg_debug_whitelists) |
495 | printf("Mounting tmpfs on /media directory\n"); | 495 | printf("Mounting tmpfs on /media directory\n"); |
496 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 496 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
497 | errExit("mounting tmpfs on /media"); | 497 | errExit("mounting tmpfs on /media"); |
@@ -513,7 +513,7 @@ void fs_whitelist(void) { | |||
513 | errExit("mount bind"); | 513 | errExit("mount bind"); |
514 | 514 | ||
515 | // mount tmpfs on /var | 515 | // mount tmpfs on /var |
516 | if (arg_debug) | 516 | if (arg_debug || arg_debug_whitelists) |
517 | printf("Mounting tmpfs on /var directory\n"); | 517 | printf("Mounting tmpfs on /var directory\n"); |
518 | if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 518 | if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
519 | errExit("mounting tmpfs on /var"); | 519 | errExit("mounting tmpfs on /var"); |
@@ -535,7 +535,7 @@ void fs_whitelist(void) { | |||
535 | errExit("mount bind"); | 535 | errExit("mount bind"); |
536 | 536 | ||
537 | // mount tmpfs on /dev | 537 | // mount tmpfs on /dev |
538 | if (arg_debug) | 538 | if (arg_debug || arg_debug_whitelists) |
539 | printf("Mounting tmpfs on /dev directory\n"); | 539 | printf("Mounting tmpfs on /dev directory\n"); |
540 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 540 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
541 | errExit("mounting tmpfs on /dev"); | 541 | errExit("mounting tmpfs on /dev"); |
@@ -557,7 +557,7 @@ void fs_whitelist(void) { | |||
557 | errExit("mount bind"); | 557 | errExit("mount bind"); |
558 | 558 | ||
559 | // mount tmpfs on /opt | 559 | // mount tmpfs on /opt |
560 | if (arg_debug) | 560 | if (arg_debug || arg_debug_whitelists) |
561 | printf("Mounting tmpfs on /opt directory\n"); | 561 | printf("Mounting tmpfs on /opt directory\n"); |
562 | if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 562 | if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
563 | errExit("mounting tmpfs on /opt"); | 563 | errExit("mounting tmpfs on /opt"); |
@@ -588,7 +588,7 @@ void fs_whitelist(void) { | |||
588 | int rv = symlink(entry->data + 10, entry->link); | 588 | int rv = symlink(entry->data + 10, entry->link); |
589 | if (rv) | 589 | if (rv) |
590 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 590 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
591 | else if (arg_debug) | 591 | else if (arg_debug || arg_debug_whitelists) |
592 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | 592 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); |
593 | } | 593 | } |
594 | } | 594 | } |
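Review bot: The test `arg_debug || arg_debug_whitelists` is now repeated at every debug print in this file (new lines 49, 89, 92, 247, 251, 344, 363, 428, 472, 494, 516, 538, 560 and 591), so any future site that checks only `arg_debug` silently drops out of `--debug-whitelists` output. A file-scope helper, `static inline int whitelist_debug(void) { return arg_debug || arg_debug_whitelists; }`, used as `if (whitelist_debug())` at each site keeps the rule in one place. Note also that at new line 251 the only notice that a whitelist entry is skipped as invalid remains behind this debug gate; a dropped entry presumably narrows rather than widens what the sandbox exposes, so this is a usability rather than a safety concern, but a comment such as `// silently skipped unless a debug option is set` would make the choice explicit. resolve_downloads, whitelist_path and fs_whitelist all begin and end outside the hunks shown.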
diff --git a/src/firejail/main.c b/src/firejail/main.c index 75b90ae81..17a7286f7 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -50,7 +50,9 @@ static char child_stack[STACK_SIZE]; // space for child's stack | |||
50 | Config cfg; // configuration | 50 | Config cfg; // configuration |
51 | int arg_private = 0; // mount private /home and /tmp directoryu | 51 | int arg_private = 0; // mount private /home and /tmp directoryu |
52 | int arg_debug = 0; // print debug messages | 52 | int arg_debug = 0; // print debug messages |
53 | int arg_debug_check_filename; // print debug messages for invalid_filename() | 53 | int arg_debug_check_filename; // print debug messages for filename checking |
54 | int arg_debug_blacklists; // print debug messages for blacklists | ||
55 | int arg_debug_whitelists; // print debug messages for whitelists | ||
54 | int arg_nonetwork = 0; // --net=none | 56 | int arg_nonetwork = 0; // --net=none |
55 | int arg_command = 0; // -c | 57 | int arg_command = 0; // -c |
56 | int arg_overlay = 0; // overlay option | 58 | int arg_overlay = 0; // overlay option |
@@ -468,10 +470,12 @@ int main(int argc, char **argv) { | |||
468 | 470 | ||
469 | if (strcmp(argv[i], "--debug") == 0) | 471 | if (strcmp(argv[i], "--debug") == 0) |
470 | arg_debug = 1; | 472 | arg_debug = 1; |
471 | else if (strcmp(argv[i], "--debug-check-filename") == 0) { | 473 | else if (strcmp(argv[i], "--debug-check-filename") == 0) |
472 | arg_debug = 1; | ||
473 | arg_debug_check_filename = 1; | 474 | arg_debug_check_filename = 1; |
474 | } | 475 | else if (strcmp(argv[i], "--debug-blacklists") == 0) |
476 | arg_debug_blacklists = 1; | ||
477 | else if (strcmp(argv[i], "--debug-whitelists") == 0) | ||
478 | arg_debug_whitelists = 1; | ||
475 | else if (strcmp(argv[i], "--quiet") == 0) | 479 | else if (strcmp(argv[i], "--quiet") == 0) |
476 | arg_quiet = 1; | 480 | arg_quiet = 1; |
477 | 481 | ||
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 9d5549a77..3d9d745b3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -65,15 +65,22 @@ void usage(void) { | |||
65 | printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n"); | 65 | printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n"); |
66 | printf("\t\tExample: cpu=0,1,2\n\n"); | 66 | printf("\t\tExample: cpu=0,1,2\n\n"); |
67 | printf("\t--csh - use /bin/csh as default shell.\n\n"); | 67 | printf("\t--csh - use /bin/csh as default shell.\n\n"); |
68 | |||
68 | printf("\t--debug - print sandbox debug messages.\n\n"); | 69 | printf("\t--debug - print sandbox debug messages.\n\n"); |
70 | printf("\t--debug-blacklists - debug blacklisting.\n\n"); | ||
69 | printf("\t--debug-caps - print all recognized capabilities in the current\n"); | 71 | printf("\t--debug-caps - print all recognized capabilities in the current\n"); |
70 | printf("\t\tFirejail software build and exit.\n\n"); | 72 | printf("\t\tFirejail software build and exit.\n\n"); |
73 | printf("\t--debug-check-filename - debug filename checking.\n\n"); | ||
71 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); | 74 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); |
72 | printf("\t\tFirejail software build and exit.\n\n"); | 75 | printf("\t\tFirejail software build and exit.\n\n"); |
73 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); | 76 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); |
74 | printf("\t\tFirejail software build and exit.\n\n"); | 77 | printf("\t\tFirejail software build and exit.\n\n"); |
75 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); | 78 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); |
76 | printf("\t\tFirejail software build and exit.\n\n"); | 79 | printf("\t\tFirejail software build and exit.\n\n"); |
80 | printf("\t--debug-whitelists - debug whitelisting.\n\n"); | ||
81 | |||
82 | |||
83 | |||
77 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); | 84 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); |
78 | printf("\t\tnetwork namespace.\n\n"); | 85 | printf("\t\tnetwork namespace.\n\n"); |
79 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); | 86 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); |
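Review bot: New lines 81-83 add three empty source lines after the `--debug-whitelists` entry and new line 68 adds another before `--debug`; they emit nothing (no `printf`) but break the file's layout of one entry per group and look accidental, so I would drop them. The option names in these usage strings should also agree with the man page hunks in this commit, which spell the headings `\-\-debug-blackilsts` and `\-\-debug-whitelsts` while their own examples and the parser in main.c use `--debug-blacklists` and `--debug-whitelists`; the spelling here in usage.c is the correct one. usage begins and ends outside the hunk.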
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e2382eb9f..57b169e89 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -243,6 +243,16 @@ Example: | |||
243 | $ firejail \-\-debug firefox | 243 | $ firejail \-\-debug firefox |
244 | 244 | ||
245 | .TP | 245 | .TP |
246 | \fB\-\-debug-blackilsts\fR | ||
247 | Debug blacklisting. | ||
248 | .br | ||
249 | |||
250 | .br | ||
251 | Example: | ||
252 | .br | ||
253 | $ firejail \-\-debug-blacklists firefox | ||
254 | |||
255 | .TP | ||
246 | \fB\-\-debug-caps | 256 | \fB\-\-debug-caps |
247 | Print all recognized capabilities in the current Firejail software build and exit. | 257 | Print all recognized capabilities in the current Firejail software build and exit. |
248 | .br | 258 | .br |
@@ -252,6 +262,16 @@ Example: | |||
252 | .br | 262 | .br |
253 | $ firejail \-\-debug-caps | 263 | $ firejail \-\-debug-caps |
254 | .TP | 264 | .TP |
265 | \fB\-\-debug-check-filename\fR | ||
266 | Debug filename checking. | ||
267 | .br | ||
268 | |||
269 | .br | ||
270 | Example: | ||
271 | .br | ||
272 | $ firejail \-\-debug-check-filename firefox | ||
273 | |||
274 | .TP | ||
255 | \fB\-\-debug-errnos | 275 | \fB\-\-debug-errnos |
256 | Print all recognized error numbers in the current Firejail software build and exit. | 276 | Print all recognized error numbers in the current Firejail software build and exit. |
257 | .br | 277 | .br |
@@ -279,6 +299,16 @@ Example: | |||
279 | .br | 299 | .br |
280 | $ firejail \-\-debug-syscalls | 300 | $ firejail \-\-debug-syscalls |
281 | .TP | 301 | .TP |
302 | \fB\-\-debug-whitelsts\fR | ||
303 | Debug whitelisting. | ||
304 | .br | ||
305 | |||
306 | .br | ||
307 | Example: | ||
308 | .br | ||
309 | $ firejail \-\-debug-whitelists firefox | ||
310 | |||
311 | .TP | ||
282 | \fB\-\-defaultgw=address | 312 | \fB\-\-defaultgw=address |
283 | Use this address as default gateway in the new network namespace. | 313 | Use this address as default gateway in the new network namespace. |
284 | .br | 314 | .br |