diff options
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/fs_trace.c | 19 | ||||
| -rw-r--r-- | src/firejail/main.c | 5 |
3 files changed, 25 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 14cad4190..4a59522bf 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -260,6 +260,7 @@ extern int arg_caps_keep; // keep list | |||
| 260 | extern char *arg_caps_list; // optional caps list | 260 | extern char *arg_caps_list; // optional caps list |
| 261 | 261 | ||
| 262 | extern int arg_trace; // syscall tracing support | 262 | extern int arg_trace; // syscall tracing support |
| 263 | extern char *arg_tracefile; // syscall tracing file | ||
| 263 | extern int arg_tracelog; // blacklist tracing support | 264 | extern int arg_tracelog; // blacklist tracing support |
| 264 | extern int arg_rlimit_cpu; // rlimit cpu | 265 | extern int arg_rlimit_cpu; // rlimit cpu |
| 265 | extern int arg_rlimit_nofile; // rlimit nofile | 266 | extern int arg_rlimit_nofile; // rlimit nofile |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 26dd5cb27..eac73a074 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
| @@ -41,6 +41,25 @@ void fs_trace_preload(void) { | |||
| 41 | fclose(fp); | 41 | fclose(fp); |
| 42 | fs_logger("touch /etc/ld.so.preload"); | 42 | fs_logger("touch /etc/ld.so.preload"); |
| 43 | } | 43 | } |
| 44 | if (arg_tracefile) { | ||
| 45 | if (arg_debug) | ||
| 46 | printf("Creating an empty trace log file: %s\n", arg_tracefile); | ||
| 47 | // create a bind mounted trace logfile that the sandbox can see | ||
| 48 | FILE *fp = fopen(arg_tracefile, "w"); | ||
| 49 | if (!fp) | ||
| 50 | errExit("fopen"); | ||
| 51 | SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | ||
| 52 | fclose(fp); | ||
| 53 | fp = fopen(RUN_TRACE_FILE, "w"); | ||
| 54 | if (!fp) | ||
| 55 | errExit("fopen"); | ||
| 56 | fclose(fp); | ||
| 57 | fs_logger2("touch ", arg_tracefile); | ||
| 58 | if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 59 | errExit("mount bind " RUN_TRACE_FILE); | ||
| 60 | if (arg_debug) | ||
| 61 | printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); | ||
| 62 | } | ||
| 44 | } | 63 | } |
| 45 | 64 | ||
| 46 | void fs_trace(void) { | 65 | void fs_trace(void) { |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9f44c6281..4c6d20626 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -80,6 +80,7 @@ int arg_caps_keep = 0; // keep list | |||
| 80 | char *arg_caps_list = NULL; // optional caps list | 80 | char *arg_caps_list = NULL; // optional caps list |
| 81 | 81 | ||
| 82 | int arg_trace = 0; // syscall tracing support | 82 | int arg_trace = 0; // syscall tracing support |
| 83 | char *arg_tracefile = NULL; // syscall tracing file | ||
| 83 | int arg_tracelog = 0; // blacklist tracing support | 84 | int arg_tracelog = 0; // blacklist tracing support |
| 84 | int arg_rlimit_cpu = 0; // rlimit max cpu time | 85 | int arg_rlimit_cpu = 0; // rlimit max cpu time |
| 85 | int arg_rlimit_nofile = 0; // rlimit nofile | 86 | int arg_rlimit_nofile = 0; // rlimit nofile |
| @@ -1296,6 +1297,10 @@ int main(int argc, char **argv) { | |||
| 1296 | } | 1297 | } |
| 1297 | else if (strcmp(argv[i], "--trace") == 0) | 1298 | else if (strcmp(argv[i], "--trace") == 0) |
| 1298 | arg_trace = 1; | 1299 | arg_trace = 1; |
| 1300 | else if (strncmp(argv[i], "--trace=", 8) == 0) { | ||
| 1301 | arg_trace = 1; | ||
| 1302 | arg_tracefile = argv[i] + 8; | ||
| 1303 | } | ||
| 1299 | else if (strcmp(argv[i], "--tracelog") == 0) | 1304 | else if (strcmp(argv[i], "--tracelog") == 0) |
| 1300 | arg_tracelog = 1; | 1305 | arg_tracelog = 1; |
| 1301 | else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { | 1306 | else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { |