author | netblue30 <netblue30@protonmail.com> | 2022-10-23 07:38:29 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-10-23 07:38:29 -0400 |
commit | a0985a135392c0776d45cf8e27ebf15bc7fff198 (patch) | |
tree | f796ca075c61e103abfd54c01872655c9610e8dc /src | |
parent | Merge branch 'master' of ssh://github.com/netblue30/firejail (diff) | |
dnstrace and snitrace
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 16 | ||||
-rw-r--r-- | src/fnettrace/static-ip-map | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 159 |
3 files changed, 93 insertions, 85 deletions
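--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -438,10 +438,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit_err_feature("networking");
 exit(0);
 }
-else if (strcmp(argv[i], "--nettrace-dns") == 0) {
+else if (strcmp(argv[i], "--dnstrace") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: --nettrace-dns is only available to root user\n");
+fprintf(stderr, "Error: --dnstrace is only available to root user\n");
 exit(1);
 }
 netfilter_trace(0, LIBDIR "/firejail/fnettrace-dns");
@@ -450,10 +450,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit_err_feature("networking");
 exit(0);
 }
-else if (strncmp(argv[i], "--nettrace-dns=", 15) == 0) {
+else if (strncmp(argv[i], "--dnstrace=", 15) == 0) {
 if (checkcfg(CFG_NETWORK)) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: --nettrace is only available to root user\n");
+fprintf(stderr, "Error: --dnstrace is only available to root user\n");
 exit(1);
 }
 pid_t pid = require_pid(argv[i] + 15);
@@ -463,10 +463,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit_err_feature("networking");
 exit(0);
 }
-else if (strcmp(argv[i], "--nettrace-sni") == 0) {
+else if (strcmp(argv[i], "--snitrace") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: --nettrace is only available to root user\n");
+fprintf(stderr, "Error: --snitrace is only available to root user\n");
 exit(1);
 }
 netfilter_trace(0, LIBDIR "/firejail/fnettrace-sni");
@@ -475,10 +475,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit_err_feature("networking");
 exit(0);
 }
-else if (strncmp(argv[i], "--nettrace-sni=", 15) == 0) {
+else if (strncmp(argv[i], "--snitrace=", 15) == 0) {
 if (checkcfg(CFG_NETWORK)) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: --nettrace is only available to root user\n");
+fprintf(stderr, "Error: --snitrace is only available to root user\n");
 exit(1);
 }
 pid_t pid = require_pid(argv[i] + 15);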
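Review bot: The `--dnstrace=` and `--snitrace=` prefix matches keep the old length 15 from `--nettrace-dns=`/`--nettrace-sni=` although the new literals are only 11 characters, so `strncmp(argv[i], "--dnstrace=", 15)` matches only when argv[i] is exactly `--dnstrace=` with nothing after it, and `require_pid(argv[i] + 15)` then starts four bytes past that string's terminator, which means the documented `sudo firejail --dnstrace=browser` form can never reach the trace and the only input that does enter the branch reads out of bounds. In the second hunk change the two lines to `else if (strncmp(argv[i], "--dnstrace=", 11) == 0) {` and `pid_t pid = require_pid(argv[i] + 11);`, and apply the same change to the `--snitrace=` branch in the fourth hunk. Deriving the length once with `sizeof("--dnstrace=") - 1` and reusing it for the offset would stop the two numbers drifting apart on the next rename. run_cmd_and_exit starts and ends outside these hunks.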
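--- a/src/fnettrace/static-ip-map
+++ b/src/fnettrace/static-ip-map
@@ -184,12 +184,13 @@
 208.80.152.0/22 Wikipedia
 
 # WholeSale Internet
+69.30.192.0/18 WholeSale Internet
 69.197.128.0/18 WholeSale Internet
 173.208.128.0/17 WholeSale Internet
 204.12.192.0/18 WholeSale Internet
+208.67.0.0/21 WholeSale Internet
 208.110.64.0/19 WholeSale Internet
 208.110.91.0/24 WholeSale Internet
-208.67.0.0/21 WholeSale Internet
 
 # StackPath
 69.16.173.0/24 StackPath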
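--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -779,6 +779,46 @@ $ firejail \-\-list
 .br
 $ firejail \-\-dns.print=3272
 
+#ifdef HAVE_NETWORK
+.TP
+\fB\-\-dnstrace[=name|pid]
+Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --dnstrace=browser
+.br
+11:31:43 9.9.9.9 linux.com (type 1)
+.br
+11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:31:45 9.9.9.9 www.linux.com (type 1)
+.br
+11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:32:05 9.9.9.9 secure.gravatar.com (type 1)
+.br
+11:32:06 9.9.9.9 secure.gravatar.com (type 1)
+.br
+11:32:08 9.9.9.9 taikai.network (type 1)
+.br
+11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
+.br
+11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
+.br
+11:32:08 9.9.9.9 www.youtube.com (type 1)
+.br
+#endif
+
 .TP
 \fB\-\-env=name=value
 Set environment variable in the new sandbox.
@@ -1578,82 +1618,6 @@ the country the traffic originates from is added to the trace.
 We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
-.TP
-\fB\-\-nettrace-dns[=name|pid]
-Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
-
-.br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br
-
-.br
-$ sudo firejail --nettrace-dns=browser
-.br
-11:31:43 9.9.9.9 linux.com (type 1)
-.br
-11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
-.br
-11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
-.br
-11:31:45 9.9.9.9 www.linux.com (type 1)
-.br
-11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
-.br
-11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
-.br
-11:32:05 9.9.9.9 secure.gravatar.com (type 1)
-.br
-11:32:06 9.9.9.9 secure.gravatar.com (type 1)
-.br
-11:32:08 9.9.9.9 taikai.network (type 1)
-.br
-11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
-.br
-11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
-.br
-11:32:08 9.9.9.9 www.youtube.com (type 1)
-.br
-.TP
-\fB\-\-nettrace-sni[=name|pid]
-Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
-
-.br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br
-
-.br
-$ sudo firejail --nettrace-sni=browser
-.br
-07:49:51 23.185.0.3 linux.com
-.br
-07:49:51 23.185.0.3 www.linux.com
-.br
-07:50:05 192.0.73.2 secure.gravatar.com
-.br
-07:52:35 172.67.68.93 www.howtoforge.com
-.br
-07:52:37 13.225.103.59 sf.ezoiccdn.com
-.br
-07:52:42 142.250.176.3 www.gstatic.com
-.br
-07:53:03 173.236.250.32 www.linuxlinks.com
-.br
-07:53:05 192.0.77.37 c0.wp.com
-.br
-07:53:08 192.0.78.32 jetpack.wordpress.com
-.br
-07:53:09 192.0.77.32 s0.wp.com
-.br
-07:53:09 192.0.77.2 i0.wp.com
-.br
-07:53:10 192.0.77.2 i0.wp.com
-.br
-07:53:11 192.0.73.2 1.gravatar.com
-.br
 #endif
 .TP
 \fB\-\-nice=value
@@ -2833,6 +2797,49 @@ $ firejail \-\-list
 3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-shutdown=3272
+
+#ifdef HAVE_NETWORK
+.TP
+\fB\-\-snitrace[=name|pid]
+Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --snitrace=browser
+.br
+07:49:51 23.185.0.3 linux.com
+.br
+07:49:51 23.185.0.3 www.linux.com
+.br
+07:50:05 192.0.73.2 secure.gravatar.com
+.br
+07:52:35 172.67.68.93 www.howtoforge.com
+.br
+07:52:37 13.225.103.59 sf.ezoiccdn.com
+.br
+07:52:42 142.250.176.3 www.gstatic.com
+.br
+07:53:03 173.236.250.32 www.linuxlinks.com
+.br
+07:53:05 192.0.77.37 c0.wp.com
+.br
+07:53:08 192.0.78.32 jetpack.wordpress.com
+.br
+07:53:09 192.0.77.32 s0.wp.com
+.br
+07:53:09 192.0.77.2 i0.wp.com
+.br
+07:53:10 192.0.77.2 i0.wp.com
+.br
+07:53:11 192.0.73.2 1.gravatar.com
+.br
+#endif
+
 .TP
 \fB\-\-tab
 Enable shell tab completion in sandboxes using private or whitelisted home directories.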