audit feature

author: netblue30 <netblue30@yahoo.com> 2016-07-05 10:13:25 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-07-05 10:13:25 -0400
commit: 73ce1000234e0910bc77f424e481a47c6da55dbb (patch)
tree: 4756996183560b6ec401d8fc35e1c4d15ce972de /src
parent: audit feature (diff)
download: firejail-73ce1000234e0910bc77f424e481a47c6da55dbb.tar.gz
firejail-73ce1000234e0910bc77f424e481a47c6da55dbb.tar.zst
firejail-73ce1000234e0910bc77f424e481a47c6da55dbb.zip
4 files changed, 34 insertions, 6 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 39013de56..ddc37e203 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -261,6 +261,7 @@ extern int arg_writable_etc;	// writable etc
 extern int arg_writable_var;    // writable var
 extern int arg_appimage;        // appimage
 extern int arg_audit;           // audit
+extern char *arg_audit_prog;    // audit
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 34cc38cd5..ac554ca2a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -101,6 +101,7 @@ int arg_writable_etc = 0;			// writable etc
 int arg_writable_var = 0;                       // writable var
 int arg_appimage = 0;                           // appimage
 int arg_audit = 0;                              // audit
+char *arg_audit_prog;                           // audit
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1831,8 +1832,21 @@ int main(int argc, char **argv) {
                //*************************************
                // command
                //*************************************
-                else if (strcmp(argv[i], "--audit") == 0)
+                else if (strcmp(argv[i], "--audit") == 0) {
+                        if (asprintf(&arg_audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
+                                errExit("asprintf");
                        arg_audit = 1;
+                }
+                else if (strncmp(argv[i], "--audit=", 8) == 0) {
+                        if (strlen(argv[i] + 8) == 0) {
+                                fprintf(stderr, "Error: invalid audit program\n");
+                                exit(1);
+                        }
+                        arg_audit_prog = strdup(argv[i] + 8);
+                        if (!arg_audit_prog)
+                                errExit("strdup");
+                        arg_audit = 1;
+                }
                else if (strcmp(argv[i], "--appimage") == 0)
                        arg_appimage = 1;
                else if (strcmp(argv[i], "--csh") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8cf2486b3..d384d6fa0 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -272,16 +272,27 @@ static int monitor_application(pid_t app_pid) {
 #endif  
 }
+void start_audit(void) {
+        char *audit_prog;
+        if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
+                errExit("asprintf");
+        execl(audit_prog, audit_prog, NULL);
+        perror("execl");
+        exit(1);
+}
 static void start_application(void) {
        //****************************************
        // audit
        //****************************************
        if (arg_audit) {
-                char *audit_prog;
+                assert(arg_audit_prog);
-                if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
+                struct stat s;
-                        errExit("asprintf");
+                if (stat(arg_audit_prog, &s) != 0) {
-                execl(audit_prog, audit_prog, NULL);
+                        fprintf(stderr, "Error: cannot find the audit program\n");
+                        exit(1);
+                }
+                execl(arg_audit_prog, arg_audit_prog, NULL);
        }
        //****************************************
        // start the program without using a shell
@@ -305,6 +316,7 @@ static void start_application(void) {
                        printf("Child process initialized\n");
                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
+                exit(1);
        }
        //****************************************
        // start the program using a shell
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index a523e51cb..e4505754e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1741,12 +1741,13 @@ Running the default audit program:
 Running a custom audit program:
 .br
-        $ firejail --audit=~/sandbox-test transmission-gtk\n\n");
+        $ firejail --audit=~/sandbox-test transmission-gtk
 In the examples above, the sandbox configures transmission-gtk profile and
 starts the test program. The real program, transmission-gtk, will not be
 started.
+Limitations: audit feature is not implemented for --x11 commands.
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
author	netblue30 <netblue30@yahoo.com>	2016-07-05 10:13:25 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-07-05 10:13:25 -0400
commit	73ce1000234e0910bc77f424e481a47c6da55dbb (patch)
tree	4756996183560b6ec401d8fc35e1c4d15ce972de /src
parent	audit feature (diff)
download	firejail-73ce1000234e0910bc77f424e481a47c6da55dbb.tar.gz firejail-73ce1000234e0910bc77f424e481a47c6da55dbb.tar.zst firejail-73ce1000234e0910bc77f424e481a47c6da55dbb.zip