diff options
-rw-r--r-- | src/common.mk.in | 6 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 21 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 21 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/include/rundefs.h | 1 | ||||
-rw-r--r-- | src/libtrace/libtrace.c | 25 | ||||
-rw-r--r-- | src/man/firejail.txt | 14 |
8 files changed, 69 insertions, 25 deletions
diff --git a/src/common.mk.in b/src/common.mk.in index ff66c6748..1464ab9b2 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
@@ -3,6 +3,7 @@ | |||
3 | CC=@CC@ | 3 | CC=@CC@ |
4 | prefix=@prefix@ | 4 | prefix=@prefix@ |
5 | exec_prefix=@exec_prefix@ | 5 | exec_prefix=@exec_prefix@ |
6 | bindir=@bindir@ | ||
6 | libdir=@libdir@ | 7 | libdir=@libdir@ |
7 | sysconfdir=@sysconfdir@ | 8 | sysconfdir=@sysconfdir@ |
8 | 9 | ||
@@ -29,7 +30,10 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
29 | OBJS = $(C_FILE_LIST:.c=.o) | 30 | OBJS = $(C_FILE_LIST:.c=.o) |
30 | BINOBJS = $(foreach file, $(OBJS), $file) | 31 | BINOBJS = $(foreach file, $(OBJS), $file) |
31 | 32 | ||
32 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) |
34 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' | ||
35 | CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) | ||
36 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
33 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 37 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
34 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | 38 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ |
35 | 39 | ||
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index f11e37057..a0f71ae03 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -61,19 +61,18 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
61 | 61 | ||
62 | char *output; | 62 | char *output; |
63 | char *stroutput; | 63 | char *stroutput; |
64 | if(asprintf(&output,"--output=%s",trace_output) == -1) | 64 | if(asprintf(&output,"--trace=%s",trace_output) == -1) |
65 | errExit("asprintf"); | 65 | errExit("asprintf"); |
66 | if(asprintf(&stroutput,"-o %s",strace_output) == -1) | 66 | if(asprintf(&stroutput,"-o%s",strace_output) == -1) |
67 | errExit("asprintf"); | 67 | errExit("asprintf"); |
68 | 68 | ||
69 | char *cmdlist[] = { | 69 | char *cmdlist[] = { |
70 | "/usr/bin/firejail", | 70 | BINDIR "/firejail", |
71 | "--quiet", | 71 | "--quiet", |
72 | output, | ||
73 | "--noprofile", | 72 | "--noprofile", |
74 | "--caps.drop=all", | 73 | "--caps.drop=all", |
75 | "--nonewprivs", | 74 | "--nonewprivs", |
76 | "--trace", | 75 | output, |
77 | "--shell=none", | 76 | "--shell=none", |
78 | "/usr/bin/strace", // also used as a marker in build_profile() | 77 | "/usr/bin/strace", // also used as a marker in build_profile() |
79 | "-c", | 78 | "-c", |
@@ -110,7 +109,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
110 | 109 | ||
111 | if (arg_debug) { | 110 | if (arg_debug) { |
112 | for (i = 0; i < len; i++) | 111 | for (i = 0; i < len; i++) |
113 | printf("\t%s\n", cmd[i]); | 112 | printf("%s%s\n", (i)?"\t":"", cmd[i]); |
114 | } | 113 | } |
115 | 114 | ||
116 | // fork and execute | 115 | // fork and execute |
@@ -130,7 +129,8 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
130 | errExit("waitpid"); | 129 | errExit("waitpid"); |
131 | 130 | ||
132 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { | 131 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { |
133 | printf("\n\n\n"); | 132 | if (fp == stdout) |
133 | printf("--- Built profile beings after this line ---\n"); | ||
134 | fprintf(fp, "############################################\n"); | 134 | fprintf(fp, "############################################\n"); |
135 | fprintf(fp, "# %s profile\n", argv[index]); | 135 | fprintf(fp, "# %s profile\n", argv[index]); |
136 | fprintf(fp, "############################################\n"); | 136 | fprintf(fp, "############################################\n"); |
@@ -177,9 +177,10 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
177 | fprintf(fp, "### environment\n"); | 177 | fprintf(fp, "### environment\n"); |
178 | fprintf(fp, "shell none\n"); | 178 | fprintf(fp, "shell none\n"); |
179 | 179 | ||
180 | unlink(trace_output); | 180 | if (!arg_debug) { |
181 | unlink(strace_output); | 181 | unlink(trace_output); |
182 | 182 | unlink(strace_output); | |
183 | } | ||
183 | } | 184 | } |
184 | else { | 185 | else { |
185 | fprintf(stderr, "Error: cannot run the sandbox\n"); | 186 | fprintf(stderr, "Error: cannot run the sandbox\n"); |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 14cad4190..4a59522bf 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -260,6 +260,7 @@ extern int arg_caps_keep; // keep list | |||
260 | extern char *arg_caps_list; // optional caps list | 260 | extern char *arg_caps_list; // optional caps list |
261 | 261 | ||
262 | extern int arg_trace; // syscall tracing support | 262 | extern int arg_trace; // syscall tracing support |
263 | extern char *arg_tracefile; // syscall tracing file | ||
263 | extern int arg_tracelog; // blacklist tracing support | 264 | extern int arg_tracelog; // blacklist tracing support |
264 | extern int arg_rlimit_cpu; // rlimit cpu | 265 | extern int arg_rlimit_cpu; // rlimit cpu |
265 | extern int arg_rlimit_nofile; // rlimit nofile | 266 | extern int arg_rlimit_nofile; // rlimit nofile |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 26dd5cb27..2a7c83049 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -41,6 +41,27 @@ void fs_trace_preload(void) { | |||
41 | fclose(fp); | 41 | fclose(fp); |
42 | fs_logger("touch /etc/ld.so.preload"); | 42 | fs_logger("touch /etc/ld.so.preload"); |
43 | } | 43 | } |
44 | if (arg_tracefile) { | ||
45 | if (arg_debug) | ||
46 | printf("Creating an empty trace log file: %s\n", arg_tracefile); | ||
47 | // create a bind mounted trace logfile that the sandbox can see | ||
48 | EUID_USER(); | ||
49 | FILE *fp = fopen(arg_tracefile, "w"); | ||
50 | if (!fp) | ||
51 | errExit("fopen"); | ||
52 | SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | ||
53 | fclose(fp); | ||
54 | EUID_ROOT(); | ||
55 | fp = fopen(RUN_TRACE_FILE, "w"); | ||
56 | if (!fp) | ||
57 | errExit("fopen " RUN_TRACE_FILE); | ||
58 | fclose(fp); | ||
59 | fs_logger2("touch ", arg_tracefile); | ||
60 | if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
61 | errExit("mount bind " RUN_TRACE_FILE); | ||
62 | if (arg_debug) | ||
63 | printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); | ||
64 | } | ||
44 | } | 65 | } |
45 | 66 | ||
46 | void fs_trace(void) { | 67 | void fs_trace(void) { |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9f44c6281..4c6d20626 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -80,6 +80,7 @@ int arg_caps_keep = 0; // keep list | |||
80 | char *arg_caps_list = NULL; // optional caps list | 80 | char *arg_caps_list = NULL; // optional caps list |
81 | 81 | ||
82 | int arg_trace = 0; // syscall tracing support | 82 | int arg_trace = 0; // syscall tracing support |
83 | char *arg_tracefile = NULL; // syscall tracing file | ||
83 | int arg_tracelog = 0; // blacklist tracing support | 84 | int arg_tracelog = 0; // blacklist tracing support |
84 | int arg_rlimit_cpu = 0; // rlimit max cpu time | 85 | int arg_rlimit_cpu = 0; // rlimit max cpu time |
85 | int arg_rlimit_nofile = 0; // rlimit nofile | 86 | int arg_rlimit_nofile = 0; // rlimit nofile |
@@ -1296,6 +1297,10 @@ int main(int argc, char **argv) { | |||
1296 | } | 1297 | } |
1297 | else if (strcmp(argv[i], "--trace") == 0) | 1298 | else if (strcmp(argv[i], "--trace") == 0) |
1298 | arg_trace = 1; | 1299 | arg_trace = 1; |
1300 | else if (strncmp(argv[i], "--trace=", 8) == 0) { | ||
1301 | arg_trace = 1; | ||
1302 | arg_tracefile = argv[i] + 8; | ||
1303 | } | ||
1299 | else if (strcmp(argv[i], "--tracelog") == 0) | 1304 | else if (strcmp(argv[i], "--tracelog") == 0) |
1300 | arg_tracelog = 1; | 1305 | arg_tracelog = 1; |
1301 | else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { | 1306 | else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { |
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 6cc931faf..df135b9ca 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -95,6 +95,7 @@ | |||
95 | #define RUN_PASSWD_FILE RUN_MNT_DIR "/passwd" | 95 | #define RUN_PASSWD_FILE RUN_MNT_DIR "/passwd" |
96 | #define RUN_GROUP_FILE RUN_MNT_DIR "/group" | 96 | #define RUN_GROUP_FILE RUN_MNT_DIR "/group" |
97 | #define RUN_FSLOGGER_FILE RUN_MNT_DIR "/fslogger" | 97 | #define RUN_FSLOGGER_FILE RUN_MNT_DIR "/fslogger" |
98 | #define RUN_TRACE_FILE RUN_MNT_DIR "/trace" | ||
98 | #define RUN_UMASK_FILE RUN_MNT_DIR "/umask" | 99 | #define RUN_UMASK_FILE RUN_MNT_DIR "/umask" |
99 | #define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot" | 100 | #define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot" |
100 | #define RUN_READY_FOR_JOIN RUN_MNT_DIR "/ready-for-join" | 101 | #define RUN_READY_FOR_JOIN RUN_MNT_DIR "/ready-for-join" |
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 11e98d95e..0c21b9b70 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -32,7 +32,7 @@ | |||
32 | #include <sys/stat.h> | 32 | #include <sys/stat.h> |
33 | #include <syslog.h> | 33 | #include <syslog.h> |
34 | #include <dirent.h> | 34 | #include <dirent.h> |
35 | #include <limits.h> | 35 | #include "../include/rundefs.h" |
36 | 36 | ||
37 | #define tprintf(fp, args...) \ | 37 | #define tprintf(fp, args...) \ |
38 | do { \ | 38 | do { \ |
@@ -46,6 +46,8 @@ typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode); | |||
46 | static orig_fopen_t orig_fopen = NULL; | 46 | static orig_fopen_t orig_fopen = NULL; |
47 | typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode); | 47 | typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode); |
48 | static orig_fopen64_t orig_fopen64 = NULL; | 48 | static orig_fopen64_t orig_fopen64 = NULL; |
49 | typedef int (*orig_access_t)(const char *pathname, int mode); | ||
50 | static orig_access_t orig_access = NULL; | ||
49 | 51 | ||
50 | // | 52 | // |
51 | // library constructor/destructor | 53 | // library constructor/destructor |
@@ -62,10 +64,20 @@ void init(void) { | |||
62 | return; | 64 | return; |
63 | 65 | ||
64 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); | 66 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); |
65 | 67 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); | |
66 | // tty | 68 | |
67 | ftty = orig_fopen("/dev/tty", "w"); | 69 | // allow environment variable to override defaults |
68 | tprintf(ftty, "=== tracelib init() === \n"); | 70 | char *logfile = getenv("FIREJAIL_TRACEFILE"); |
71 | if (!logfile) { | ||
72 | // if exists, log to trace file | ||
73 | logfile = RUN_TRACE_FILE; | ||
74 | if (orig_access(logfile, F_OK)) | ||
75 | // else log to associated tty | ||
76 | logfile = "/dev/tty"; | ||
77 | } | ||
78 | |||
79 | // logfile | ||
80 | ftty = orig_fopen(logfile, "a"); | ||
69 | 81 | ||
70 | // pid | 82 | // pid |
71 | mypid = getpid(); | 83 | mypid = getpid(); |
@@ -85,6 +97,7 @@ void init(void) { | |||
85 | if (ptr) | 97 | if (ptr) |
86 | *ptr = '\0'; | 98 | *ptr = '\0'; |
87 | 99 | ||
100 | tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname); | ||
88 | fclose(fp); | 101 | fclose(fp); |
89 | free(fname); | 102 | free(fname); |
90 | } | 103 | } |
@@ -476,8 +489,6 @@ DIR *opendir(const char *pathname) { | |||
476 | } | 489 | } |
477 | 490 | ||
478 | // access | 491 | // access |
479 | typedef int (*orig_access_t)(const char *pathname, int mode); | ||
480 | static orig_access_t orig_access = NULL; | ||
481 | int access(const char *pathname, int mode) { | 492 | int access(const char *pathname, int mode) { |
482 | if (!orig_access) | 493 | if (!orig_access) |
483 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); | 494 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index ed2f776f2..38bc0edc4 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -71,10 +71,10 @@ If an appropriate profile is not found, Firejail will use a default profile. | |||
71 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 71 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
72 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. | 72 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
73 | .PP | 73 | .PP |
74 | If a program argument is not specified, Firejail starts the default shell from the current user. | 74 | If a program argument is not specified, Firejail starts /bin/bash shell. |
75 | Examples: | 75 | Examples: |
76 | .PP | 76 | .PP |
77 | $ firejail [OPTIONS] # starting the user default shell (normally /bin/bash) | 77 | $ firejail [OPTIONS] # starting a /bin/bash shell |
78 | .PP | 78 | .PP |
79 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox | 79 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox |
80 | .PP | 80 | .PP |
@@ -1862,9 +1862,8 @@ domain with personality(2) system call. | |||
1862 | .br | 1862 | .br |
1863 | 1863 | ||
1864 | .TP | 1864 | .TP |
1865 | \fB\-\-seccomp.drop=syscall,@group,!syscall2 | 1865 | \fB\-\-seccomp.drop=syscall,@group |
1866 | Enable seccomp filter, whitelist "syscall2" but blacklist the | 1866 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. |
1867 | syscalls or the syscall groups specified by the command. | ||
1868 | .br | 1867 | .br |
1869 | 1868 | ||
1870 | .br | 1869 | .br |
@@ -2142,8 +2141,9 @@ Example: | |||
2142 | .br | 2141 | .br |
2143 | $ firejail \-\-top | 2142 | $ firejail \-\-top |
2144 | .TP | 2143 | .TP |
2145 | \fB\-\-trace | 2144 | \fB\-\-trace[=filename] |
2146 | Trace open, access and connect system calls. | 2145 | Trace open, access and connect system calls. If filename is specified, log |
2146 | trace output to filename, otherwise log to console. | ||
2147 | .br | 2147 | .br |
2148 | 2148 | ||
2149 | .br | 2149 | .br |