diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-12-11 09:27:40 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-12-11 09:27:40 -0500 |
| commit | fabe7c1fa2409ed9d909efc093c37af346104869 (patch) | |
| tree | bb960a13599e4a27ac3d4acfd169c13fcd86c83d /src | |
| parent | fixes (diff) | |
| download | firejail-fabe7c1fa2409ed9d909efc093c37af346104869.tar.gz firejail-fabe7c1fa2409ed9d909efc093c37af346104869.tar.zst firejail-fabe7c1fa2409ed9d909efc093c37af346104869.zip | |
debug enhancements
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/firejail.h | 4 | ||||
| -rw-r--r-- | src/firejail/fs.c | 7 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 28 | ||||
| -rw-r--r-- | src/firejail/main.c | 12 | ||||
| -rw-r--r-- | src/firejail/usage.c | 7 | ||||
| -rw-r--r-- | src/man/firejail.txt | 30 |
6 files changed, 69 insertions, 19 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 967eb7e45..5590e9f54 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -187,7 +187,9 @@ static inline int any_interface_configured(void) { | |||
| 187 | 187 | ||
| 188 | extern int arg_private; // mount private /home | 188 | extern int arg_private; // mount private /home |
| 189 | extern int arg_debug; // print debug messages | 189 | extern int arg_debug; // print debug messages |
| 190 | extern int arg_debug_check_filename; // print debug messages for invalid_filename() | 190 | extern int arg_debug_check_filename; // print debug messages for filename checking |
| 191 | extern int arg_debug_blacklists; // print debug messages for blacklists | ||
| 192 | extern int arg_debug_whitelists; // print debug messages for whitelists | ||
| 191 | extern int arg_nonetwork; // --net=none | 193 | extern int arg_nonetwork; // --net=none |
| 192 | extern int arg_command; // -c | 194 | extern int arg_command; // -c |
| 193 | extern int arg_overlay; // overlay option | 195 | extern int arg_overlay; // overlay option |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e62e2676b..1d2dc8e1e 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -205,6 +205,13 @@ static void disable_file(OPERATION op, const char *filename) { | |||
| 205 | else { | 205 | else { |
| 206 | if (arg_debug) | 206 | if (arg_debug) |
| 207 | printf("Disable %s\n", fname); | 207 | printf("Disable %s\n", fname); |
| 208 | else if (arg_debug_blacklists) { | ||
| 209 | printf("Disable %s", fname); | ||
| 210 | if (op == BLACKLIST_FILE) | ||
| 211 | printf("\n"); | ||
| 212 | else | ||
| 213 | printf(" - no logging\n"); | ||
| 214 | } | ||
| 208 | if (S_ISDIR(s.st_mode)) { | 215 | if (S_ISDIR(s.st_mode)) { |
| 209 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 216 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
| 210 | errExit("disable file"); | 217 | errExit("disable file"); |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 37894fee1..465eaa7c8 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -46,7 +46,7 @@ static char *resolve_downloads(void) { | |||
| 46 | errExit("asprintf"); | 46 | errExit("asprintf"); |
| 47 | 47 | ||
| 48 | if (stat(fname, &s) == 0) { | 48 | if (stat(fname, &s) == 0) { |
| 49 | if (arg_debug) | 49 | if (arg_debug || arg_debug_whitelists) |
| 50 | printf("Downloads directory resolved as \"%s\"\n", fname); | 50 | printf("Downloads directory resolved as \"%s\"\n", fname); |
| 51 | 51 | ||
| 52 | char *rv; | 52 | char *rv; |
| @@ -86,10 +86,10 @@ static char *resolve_downloads(void) { | |||
| 86 | if (ptr2) { | 86 | if (ptr2) { |
| 87 | fclose(fp); | 87 | fclose(fp); |
| 88 | *ptr2 = '\0'; | 88 | *ptr2 = '\0'; |
| 89 | if (arg_debug) | 89 | if (arg_debug || arg_debug_whitelists) |
| 90 | printf("extracted %s from ~/.config/user-dirs.dirs\n", ptr1); | 90 | printf("extracted %s from ~/.config/user-dirs.dirs\n", ptr1); |
| 91 | if (strlen(ptr1) != 0) { | 91 | if (strlen(ptr1) != 0) { |
| 92 | if (arg_debug) | 92 | if (arg_debug || arg_debug_whitelists) |
| 93 | printf("Downloads directory resolved as \"%s\"\n", ptr1); | 93 | printf("Downloads directory resolved as \"%s\"\n", ptr1); |
| 94 | 94 | ||
| 95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) | 95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) |
| @@ -244,11 +244,11 @@ static void whitelist_path(ProfileEntry *entry) { | |||
| 244 | // check if the file exists | 244 | // check if the file exists |
| 245 | struct stat s; | 245 | struct stat s; |
| 246 | if (wfile && stat(wfile, &s) == 0) { | 246 | if (wfile && stat(wfile, &s) == 0) { |
| 247 | if (arg_debug) | 247 | if (arg_debug || arg_debug_whitelists) |
| 248 | printf("Whitelisting %s\n", path); | 248 | printf("Whitelisting %s\n", path); |
| 249 | } | 249 | } |
| 250 | else { | 250 | else { |
| 251 | if (arg_debug) { | 251 | if (arg_debug || arg_debug_whitelists) { |
| 252 | fprintf(stderr, "Warning: %s is an invalid file, skipping...\n", path); | 252 | fprintf(stderr, "Warning: %s is an invalid file, skipping...\n", path); |
| 253 | } | 253 | } |
| 254 | return; | 254 | return; |
| @@ -341,7 +341,7 @@ void fs_whitelist(void) { | |||
| 341 | char *fname = realpath(new_name, NULL); | 341 | char *fname = realpath(new_name, NULL); |
| 342 | if (!fname) { | 342 | if (!fname) { |
| 343 | // file not found, blank the entry in the list and continue | 343 | // file not found, blank the entry in the list and continue |
| 344 | if (arg_debug) { | 344 | if (arg_debug || arg_debug_whitelists) { |
| 345 | printf("Removed whitelist path: %s\n", entry->data); | 345 | printf("Removed whitelist path: %s\n", entry->data); |
| 346 | printf("\texpanded: %s\n", new_name); | 346 | printf("\texpanded: %s\n", new_name); |
| 347 | printf("\treal path: (null)\n"); | 347 | printf("\treal path: (null)\n"); |
| @@ -360,7 +360,7 @@ void fs_whitelist(void) { | |||
| 360 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | 360 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { |
| 361 | // whitelisting home directory is disabled if --private or --private-home option is present | 361 | // whitelisting home directory is disabled if --private or --private-home option is present |
| 362 | if (arg_private) { | 362 | if (arg_private) { |
| 363 | if (arg_debug) | 363 | if (arg_debug || arg_debug_whitelists) |
| 364 | printf("Removed whitelist path %s, --private option is present\n", entry->data); | 364 | printf("Removed whitelist path %s, --private option is present\n", entry->data); |
| 365 | 365 | ||
| 366 | *entry->data = '\0'; | 366 | *entry->data = '\0'; |
| @@ -425,7 +425,7 @@ void fs_whitelist(void) { | |||
| 425 | if (asprintf(&newdata, "whitelist %s", fname) == -1) | 425 | if (asprintf(&newdata, "whitelist %s", fname) == -1) |
| 426 | errExit("asprintf"); | 426 | errExit("asprintf"); |
| 427 | entry->data = newdata; | 427 | entry->data = newdata; |
| 428 | if (arg_debug) | 428 | if (arg_debug || arg_debug_whitelists) |
| 429 | printf("Replaced whitelist path: %s\n", entry->data); | 429 | printf("Replaced whitelist path: %s\n", entry->data); |
| 430 | } | 430 | } |
| 431 | free(fname); | 431 | free(fname); |
| @@ -469,7 +469,7 @@ void fs_whitelist(void) { | |||
| 469 | errExit("mount bind"); | 469 | errExit("mount bind"); |
| 470 | 470 | ||
| 471 | // mount tmpfs on /tmp | 471 | // mount tmpfs on /tmp |
| 472 | if (arg_debug) | 472 | if (arg_debug || arg_debug_whitelists) |
| 473 | printf("Mounting tmpfs on /tmp directory\n"); | 473 | printf("Mounting tmpfs on /tmp directory\n"); |
| 474 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 474 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
| 475 | errExit("mounting tmpfs on /tmp"); | 475 | errExit("mounting tmpfs on /tmp"); |
| @@ -491,7 +491,7 @@ void fs_whitelist(void) { | |||
| 491 | errExit("mount bind"); | 491 | errExit("mount bind"); |
| 492 | 492 | ||
| 493 | // mount tmpfs on /media | 493 | // mount tmpfs on /media |
| 494 | if (arg_debug) | 494 | if (arg_debug || arg_debug_whitelists) |
| 495 | printf("Mounting tmpfs on /media directory\n"); | 495 | printf("Mounting tmpfs on /media directory\n"); |
| 496 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 496 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
| 497 | errExit("mounting tmpfs on /media"); | 497 | errExit("mounting tmpfs on /media"); |
| @@ -513,7 +513,7 @@ void fs_whitelist(void) { | |||
| 513 | errExit("mount bind"); | 513 | errExit("mount bind"); |
| 514 | 514 | ||
| 515 | // mount tmpfs on /var | 515 | // mount tmpfs on /var |
| 516 | if (arg_debug) | 516 | if (arg_debug || arg_debug_whitelists) |
| 517 | printf("Mounting tmpfs on /var directory\n"); | 517 | printf("Mounting tmpfs on /var directory\n"); |
| 518 | if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 518 | if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
| 519 | errExit("mounting tmpfs on /var"); | 519 | errExit("mounting tmpfs on /var"); |
| @@ -535,7 +535,7 @@ void fs_whitelist(void) { | |||
| 535 | errExit("mount bind"); | 535 | errExit("mount bind"); |
| 536 | 536 | ||
| 537 | // mount tmpfs on /dev | 537 | // mount tmpfs on /dev |
| 538 | if (arg_debug) | 538 | if (arg_debug || arg_debug_whitelists) |
| 539 | printf("Mounting tmpfs on /dev directory\n"); | 539 | printf("Mounting tmpfs on /dev directory\n"); |
| 540 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 540 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
| 541 | errExit("mounting tmpfs on /dev"); | 541 | errExit("mounting tmpfs on /dev"); |
| @@ -557,7 +557,7 @@ void fs_whitelist(void) { | |||
| 557 | errExit("mount bind"); | 557 | errExit("mount bind"); |
| 558 | 558 | ||
| 559 | // mount tmpfs on /opt | 559 | // mount tmpfs on /opt |
| 560 | if (arg_debug) | 560 | if (arg_debug || arg_debug_whitelists) |
| 561 | printf("Mounting tmpfs on /opt directory\n"); | 561 | printf("Mounting tmpfs on /opt directory\n"); |
| 562 | if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 562 | if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
| 563 | errExit("mounting tmpfs on /opt"); | 563 | errExit("mounting tmpfs on /opt"); |
| @@ -588,7 +588,7 @@ void fs_whitelist(void) { | |||
| 588 | int rv = symlink(entry->data + 10, entry->link); | 588 | int rv = symlink(entry->data + 10, entry->link); |
| 589 | if (rv) | 589 | if (rv) |
| 590 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 590 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
| 591 | else if (arg_debug) | 591 | else if (arg_debug || arg_debug_whitelists) |
| 592 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | 592 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); |
| 593 | } | 593 | } |
| 594 | } | 594 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 75b90ae81..17a7286f7 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -50,7 +50,9 @@ static char child_stack[STACK_SIZE]; // space for child's stack | |||
| 50 | Config cfg; // configuration | 50 | Config cfg; // configuration |
| 51 | int arg_private = 0; // mount private /home and /tmp directoryu | 51 | int arg_private = 0; // mount private /home and /tmp directoryu |
| 52 | int arg_debug = 0; // print debug messages | 52 | int arg_debug = 0; // print debug messages |
| 53 | int arg_debug_check_filename; // print debug messages for invalid_filename() | 53 | int arg_debug_check_filename; // print debug messages for filename checking |
| 54 | int arg_debug_blacklists; // print debug messages for blacklists | ||
| 55 | int arg_debug_whitelists; // print debug messages for whitelists | ||
| 54 | int arg_nonetwork = 0; // --net=none | 56 | int arg_nonetwork = 0; // --net=none |
| 55 | int arg_command = 0; // -c | 57 | int arg_command = 0; // -c |
| 56 | int arg_overlay = 0; // overlay option | 58 | int arg_overlay = 0; // overlay option |
| @@ -468,10 +470,12 @@ int main(int argc, char **argv) { | |||
| 468 | 470 | ||
| 469 | if (strcmp(argv[i], "--debug") == 0) | 471 | if (strcmp(argv[i], "--debug") == 0) |
| 470 | arg_debug = 1; | 472 | arg_debug = 1; |
| 471 | else if (strcmp(argv[i], "--debug-check-filename") == 0) { | 473 | else if (strcmp(argv[i], "--debug-check-filename") == 0) |
| 472 | arg_debug = 1; | ||
| 473 | arg_debug_check_filename = 1; | 474 | arg_debug_check_filename = 1; |
| 474 | } | 475 | else if (strcmp(argv[i], "--debug-blacklists") == 0) |
| 476 | arg_debug_blacklists = 1; | ||
| 477 | else if (strcmp(argv[i], "--debug-whitelists") == 0) | ||
| 478 | arg_debug_whitelists = 1; | ||
| 475 | else if (strcmp(argv[i], "--quiet") == 0) | 479 | else if (strcmp(argv[i], "--quiet") == 0) |
| 476 | arg_quiet = 1; | 480 | arg_quiet = 1; |
| 477 | 481 | ||
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 9d5549a77..3d9d745b3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -65,15 +65,22 @@ void usage(void) { | |||
| 65 | printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n"); | 65 | printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n"); |
| 66 | printf("\t\tExample: cpu=0,1,2\n\n"); | 66 | printf("\t\tExample: cpu=0,1,2\n\n"); |
| 67 | printf("\t--csh - use /bin/csh as default shell.\n\n"); | 67 | printf("\t--csh - use /bin/csh as default shell.\n\n"); |
| 68 | |||
| 68 | printf("\t--debug - print sandbox debug messages.\n\n"); | 69 | printf("\t--debug - print sandbox debug messages.\n\n"); |
| 70 | printf("\t--debug-blacklists - debug blacklisting.\n\n"); | ||
| 69 | printf("\t--debug-caps - print all recognized capabilities in the current\n"); | 71 | printf("\t--debug-caps - print all recognized capabilities in the current\n"); |
| 70 | printf("\t\tFirejail software build and exit.\n\n"); | 72 | printf("\t\tFirejail software build and exit.\n\n"); |
| 73 | printf("\t--debug-check-filename - debug filename checking.\n\n"); | ||
| 71 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); | 74 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); |
| 72 | printf("\t\tFirejail software build and exit.\n\n"); | 75 | printf("\t\tFirejail software build and exit.\n\n"); |
| 73 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); | 76 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); |
| 74 | printf("\t\tFirejail software build and exit.\n\n"); | 77 | printf("\t\tFirejail software build and exit.\n\n"); |
| 75 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); | 78 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); |
| 76 | printf("\t\tFirejail software build and exit.\n\n"); | 79 | printf("\t\tFirejail software build and exit.\n\n"); |
| 80 | printf("\t--debug-whitelists - debug whitelisting.\n\n"); | ||
| 81 | |||
| 82 | |||
| 83 | |||
| 77 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); | 84 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); |
| 78 | printf("\t\tnetwork namespace.\n\n"); | 85 | printf("\t\tnetwork namespace.\n\n"); |
| 79 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); | 86 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e2382eb9f..57b169e89 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -243,6 +243,16 @@ Example: | |||
| 243 | $ firejail \-\-debug firefox | 243 | $ firejail \-\-debug firefox |
| 244 | 244 | ||
| 245 | .TP | 245 | .TP |
| 246 | \fB\-\-debug-blackilsts\fR | ||
| 247 | Debug blacklisting. | ||
| 248 | .br | ||
| 249 | |||
| 250 | .br | ||
| 251 | Example: | ||
| 252 | .br | ||
| 253 | $ firejail \-\-debug-blacklists firefox | ||
| 254 | |||
| 255 | .TP | ||
| 246 | \fB\-\-debug-caps | 256 | \fB\-\-debug-caps |
| 247 | Print all recognized capabilities in the current Firejail software build and exit. | 257 | Print all recognized capabilities in the current Firejail software build and exit. |
| 248 | .br | 258 | .br |
| @@ -252,6 +262,16 @@ Example: | |||
| 252 | .br | 262 | .br |
| 253 | $ firejail \-\-debug-caps | 263 | $ firejail \-\-debug-caps |
| 254 | .TP | 264 | .TP |
| 265 | \fB\-\-debug-check-filename\fR | ||
| 266 | Debug filename checking. | ||
| 267 | .br | ||
| 268 | |||
| 269 | .br | ||
| 270 | Example: | ||
| 271 | .br | ||
| 272 | $ firejail \-\-debug-check-filename firefox | ||
| 273 | |||
| 274 | .TP | ||
| 255 | \fB\-\-debug-errnos | 275 | \fB\-\-debug-errnos |
| 256 | Print all recognized error numbers in the current Firejail software build and exit. | 276 | Print all recognized error numbers in the current Firejail software build and exit. |
| 257 | .br | 277 | .br |
| @@ -279,6 +299,16 @@ Example: | |||
| 279 | .br | 299 | .br |
| 280 | $ firejail \-\-debug-syscalls | 300 | $ firejail \-\-debug-syscalls |
| 281 | .TP | 301 | .TP |
| 302 | \fB\-\-debug-whitelsts\fR | ||
| 303 | Debug whitelisting. | ||
| 304 | .br | ||
| 305 | |||
| 306 | .br | ||
| 307 | Example: | ||
| 308 | .br | ||
| 309 | $ firejail \-\-debug-whitelists firefox | ||
| 310 | |||
| 311 | .TP | ||
| 282 | \fB\-\-defaultgw=address | 312 | \fB\-\-defaultgw=address |
| 283 | Use this address as default gateway in the new network namespace. | 313 | Use this address as default gateway in the new network namespace. |
| 284 | .br | 314 | .br |