-rw-r--r-- | README.md | 52 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 16 | ||||
-rw-r--r-- | src/fnettrace/static-ip-map | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 159 |
5 files changed, 146 insertions, 85 deletions
@@ -221,6 +221,58 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
221 | kernel. For more information, please see APPARMOR section be‐ | 221 | kernel. For more information, please see APPARMOR section be‐ |
222 | ````` | 222 | ````` |
223 | 223 | ||
224 | ### dnstrace | ||
225 | ````` | ||
226 | --dnstrace[=name|pid] | ||
227 | Monitor DNS queries. The sandbox can be specified by name or | ||
228 | pid. Only networked sandboxes created with --net are supported. | ||
229 | This option is only available when running the sandbox as root. | ||
230 | |||
231 | Without a name/pid, Firejail will monitor the main system net‐ | ||
232 | work namespace. | ||
233 | |||
234 | $ sudo firejail --dnstrace=browser | ||
235 | 11:31:43 9.9.9.9 linux.com (type 1) | ||
236 | 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN | ||
237 | 11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN | ||
238 | 11:31:45 9.9.9.9 www.linux.com (type 1) | ||
239 | 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN | ||
240 | 11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN | ||
241 | 11:32:05 9.9.9.9 secure.gravatar.com (type 1) | ||
242 | 11:32:06 9.9.9.9 secure.gravatar.com (type 1) | ||
243 | 11:32:08 9.9.9.9 taikai.network (type 1) | ||
244 | 11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1) | ||
245 | 11:32:08 9.9.9.9 taikai.azureedge.net (type 1) | ||
246 | 11:32:08 9.9.9.9 www.youtube.com (type 1) | ||
247 | ````` | ||
248 | |||
249 | ### snitrace | ||
250 | ````` | ||
251 | --snitrace[=name|pid] | ||
252 | Monitor Server Name Indication (TLS/SNI). The sandbox can be | ||
253 | specified by name or pid. Only networked sandboxes created with | ||
254 | --net are supported. This option is only available when running | ||
255 | the sandbox as root. | ||
256 | |||
257 | Without a name/pid, Firejail will monitor the main system net‐ | ||
258 | work namespace. | ||
259 | |||
260 | $ sudo firejail --snitrace=browser | ||
261 | 07:49:51 23.185.0.3 linux.com | ||
262 | 07:49:51 23.185.0.3 www.linux.com | ||
263 | 07:50:05 192.0.73.2 secure.gravatar.com | ||
264 | 07:52:35 172.67.68.93 www.howtoforge.com | ||
265 | 07:52:37 13.225.103.59 sf.ezoiccdn.com | ||
266 | 07:52:42 142.250.176.3 www.gstatic.com | ||
267 | 07:53:03 173.236.250.32 www.linuxlinks.com | ||
268 | 07:53:05 192.0.77.37 c0.wp.com | ||
269 | 07:53:08 192.0.78.32 jetpack.wordpress.com | ||
270 | 07:53:09 192.0.77.32 s0.wp.com | ||
271 | 07:53:09 192.0.77.2 i0.wp.com | ||
272 | 07:53:10 192.0.77.2 i0.wp.com | ||
273 | 07:53:11 192.0.73.2 1.gravatar.com | ||
274 | ````` | ||
275 | |||
224 | ### Profile Statistics | 276 | ### Profile Statistics |
225 | 277 | ||
226 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 278 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
@@ -7,6 +7,7 @@ firejail (0.9.71) baseline; urgency=low | |||
7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 | 7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 |
8 | #5317) | 8 | #5317) |
9 | * feature: added support for ICMP in nettrace | 9 | * feature: added support for ICMP in nettrace |
10 | * feature: --dnstrace and --snitrace | ||
10 | * modif: removed --cgroup= command (#5190 #5200) | 11 | * modif: removed --cgroup= command (#5190 #5200) |
11 | * modif: set --shell=none as the default (#5190) | 12 | * modif: set --shell=none as the default (#5190) |
12 | * modif: removed --shell= command (#5190 #5196 #5209) | 13 | * modif: removed --shell= command (#5190 #5196 #5209) |
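diff --git a/src/firejail/main.c b/src/firejail/main.c
index b6e076dfc..fe80c5e2e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -438,10 +438,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit_err_feature("networking");
 exit(0);
 }
-else if (strcmp(argv[i], "--nettrace-dns") == 0) {
+else if (strcmp(argv[i], "--dnstrace") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: --nettrace-dns is only available to root user\n");
+fprintf(stderr, "Error: --dnstrace is only available to root user\n");
 exit(1);
 }
 netfilter_trace(0, LIBDIR "/firejail/fnettrace-dns");
@@ -450,10 +450,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit_err_feature("networking");
 exit(0);
 }
-else if (strncmp(argv[i], "--nettrace-dns=", 15) == 0) {
+else if (strncmp(argv[i], "--dnstrace=", 15) == 0) {
 if (checkcfg(CFG_NETWORK)) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: --nettrace is only available to root user\n");
+fprintf(stderr, "Error: --dnstrace is only available to root user\n");
 exit(1);
 }
 pid_t pid = require_pid(argv[i] + 15);
@@ -463,10 +463,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit_err_feature("networking");
 exit(0);
 }
-else if (strcmp(argv[i], "--nettrace-sni") == 0) {
+else if (strcmp(argv[i], "--snitrace") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: --nettrace is only available to root user\n");
+fprintf(stderr, "Error: --snitrace is only available to root user\n");
 exit(1);
 }
 netfilter_trace(0, LIBDIR "/firejail/fnettrace-sni");
@@ -475,10 +475,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit_err_feature("networking");
 exit(0);
 }
-else if (strncmp(argv[i], "--nettrace-sni=", 15) == 0) {
+else if (strncmp(argv[i], "--snitrace=", 15) == 0) {
 if (checkcfg(CFG_NETWORK)) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: --nettrace is only available to root user\n");
+fprintf(stderr, "Error: --snitrace is only available to root user\n");
 exit(1);
 }
 pid_t pid = require_pid(argv[i] + 15);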
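Review bot: The renamed prefix checks in the `@@ -450` and `@@ -475` hunks keep the length 15 that belonged to `--nettrace-dns=`/`--nettrace-sni=`, but `"--dnstrace="` and `"--snitrace="` are 11 characters, so `strncmp(argv[i], "--dnstrace=", 15)` reaches the literal's terminator at index 11 and fails against any following name or pid — the `--dnstrace=browser` form shown in this commit's README and man page examples can never match and falls through to whatever option handling comes later. In the one case that does match, argv[i] being exactly `--dnstrace=`, `require_pid(argv[i] + 15)` passes a pointer past the end of the argument string, an out-of-bounds read of attacker-chosen argv/environ memory in a setuid binary (root-only here, but still undefined behaviour). Both hunks should use the new literal's length: `else if (strncmp(argv[i], "--dnstrace=", 11) == 0) {` with `pid_t pid = require_pid(argv[i] + 11);`, and likewise 11 for `--snitrace=`; spelling it as `sizeof("--dnstrace=") - 1` would keep the offset and the comparison in step the next time the option is renamed. run_cmd_and_exit begins and ends outside these hunks.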
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map index f9cd907e5..d3d234f5a 100644 --- a/src/fnettrace/static-ip-map +++ b/src/fnettrace/static-ip-map | |||
@@ -184,12 +184,13 @@ | |||
184 | 208.80.152.0/22 Wikipedia | 184 | 208.80.152.0/22 Wikipedia |
185 | 185 | ||
186 | # WholeSale Internet | 186 | # WholeSale Internet |
187 | 69.30.192.0/18 WholeSale Internet | ||
187 | 69.197.128.0/18 WholeSale Internet | 188 | 69.197.128.0/18 WholeSale Internet |
188 | 173.208.128.0/17 WholeSale Internet | 189 | 173.208.128.0/17 WholeSale Internet |
189 | 204.12.192.0/18 WholeSale Internet | 190 | 204.12.192.0/18 WholeSale Internet |
191 | 208.67.0.0/21 WholeSale Internet | ||
190 | 208.110.64.0/19 WholeSale Internet | 192 | 208.110.64.0/19 WholeSale Internet |
191 | 208.110.91.0/24 WholeSale Internet | 193 | 208.110.91.0/24 WholeSale Internet |
192 | 208.67.0.0/21 WholeSale Internet | ||
193 | 194 | ||
194 | # StackPath | 195 | # StackPath |
195 | 69.16.173.0/24 StackPath | 196 | 69.16.173.0/24 StackPath |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c26d21ec9..49fd18a04 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -779,6 +779,46 @@ $ firejail \-\-list | |||
779 | .br | 779 | .br |
780 | $ firejail \-\-dns.print=3272 | 780 | $ firejail \-\-dns.print=3272 |
781 | 781 | ||
782 | #ifdef HAVE_NETWORK | ||
783 | .TP | ||
784 | \fB\-\-dnstrace[=name|pid] | ||
785 | Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes | ||
786 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
787 | .br | ||
788 | |||
789 | .br | ||
790 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
791 | .br | ||
792 | |||
793 | .br | ||
794 | $ sudo firejail --dnstrace=browser | ||
795 | .br | ||
796 | 11:31:43 9.9.9.9 linux.com (type 1) | ||
797 | .br | ||
798 | 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN | ||
799 | .br | ||
800 | 11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN | ||
801 | .br | ||
802 | 11:31:45 9.9.9.9 www.linux.com (type 1) | ||
803 | .br | ||
804 | 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN | ||
805 | .br | ||
806 | 11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN | ||
807 | .br | ||
808 | 11:32:05 9.9.9.9 secure.gravatar.com (type 1) | ||
809 | .br | ||
810 | 11:32:06 9.9.9.9 secure.gravatar.com (type 1) | ||
811 | .br | ||
812 | 11:32:08 9.9.9.9 taikai.network (type 1) | ||
813 | .br | ||
814 | 11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1) | ||
815 | .br | ||
816 | 11:32:08 9.9.9.9 taikai.azureedge.net (type 1) | ||
817 | .br | ||
818 | 11:32:08 9.9.9.9 www.youtube.com (type 1) | ||
819 | .br | ||
820 | #endif | ||
821 | |||
782 | .TP | 822 | .TP |
783 | \fB\-\-env=name=value | 823 | \fB\-\-env=name=value |
784 | Set environment variable in the new sandbox. | 824 | Set environment variable in the new sandbox. |
@@ -1578,82 +1618,6 @@ the country the traffic originates from is added to the trace. | |||
1578 | We also use the static IP map in /usr/lib/firejail/static-ip-map | 1618 | We also use the static IP map in /usr/lib/firejail/static-ip-map |
1579 | to print the domain names for some of the more common websites and cloud platforms. | 1619 | to print the domain names for some of the more common websites and cloud platforms. |
1580 | No external services are contacted for reverse IP lookup. | 1620 | No external services are contacted for reverse IP lookup. |
1581 | .TP | ||
1582 | \fB\-\-nettrace-dns[=name|pid] | ||
1583 | Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes | ||
1584 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
1585 | .br | ||
1586 | |||
1587 | .br | ||
1588 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
1589 | .br | ||
1590 | |||
1591 | .br | ||
1592 | $ sudo firejail --nettrace-dns=browser | ||
1593 | .br | ||
1594 | 11:31:43 9.9.9.9 linux.com (type 1) | ||
1595 | .br | ||
1596 | 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN | ||
1597 | .br | ||
1598 | 11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN | ||
1599 | .br | ||
1600 | 11:31:45 9.9.9.9 www.linux.com (type 1) | ||
1601 | .br | ||
1602 | 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN | ||
1603 | .br | ||
1604 | 11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN | ||
1605 | .br | ||
1606 | 11:32:05 9.9.9.9 secure.gravatar.com (type 1) | ||
1607 | .br | ||
1608 | 11:32:06 9.9.9.9 secure.gravatar.com (type 1) | ||
1609 | .br | ||
1610 | 11:32:08 9.9.9.9 taikai.network (type 1) | ||
1611 | .br | ||
1612 | 11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1) | ||
1613 | .br | ||
1614 | 11:32:08 9.9.9.9 taikai.azureedge.net (type 1) | ||
1615 | .br | ||
1616 | 11:32:08 9.9.9.9 www.youtube.com (type 1) | ||
1617 | .br | ||
1618 | .TP | ||
1619 | \fB\-\-nettrace-sni[=name|pid] | ||
1620 | Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes | ||
1621 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
1622 | .br | ||
1623 | |||
1624 | .br | ||
1625 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
1626 | .br | ||
1627 | |||
1628 | .br | ||
1629 | $ sudo firejail --nettrace-sni=browser | ||
1630 | .br | ||
1631 | 07:49:51 23.185.0.3 linux.com | ||
1632 | .br | ||
1633 | 07:49:51 23.185.0.3 www.linux.com | ||
1634 | .br | ||
1635 | 07:50:05 192.0.73.2 secure.gravatar.com | ||
1636 | .br | ||
1637 | 07:52:35 172.67.68.93 www.howtoforge.com | ||
1638 | .br | ||
1639 | 07:52:37 13.225.103.59 sf.ezoiccdn.com | ||
1640 | .br | ||
1641 | 07:52:42 142.250.176.3 www.gstatic.com | ||
1642 | .br | ||
1643 | 07:53:03 173.236.250.32 www.linuxlinks.com | ||
1644 | .br | ||
1645 | 07:53:05 192.0.77.37 c0.wp.com | ||
1646 | .br | ||
1647 | 07:53:08 192.0.78.32 jetpack.wordpress.com | ||
1648 | .br | ||
1649 | 07:53:09 192.0.77.32 s0.wp.com | ||
1650 | .br | ||
1651 | 07:53:09 192.0.77.2 i0.wp.com | ||
1652 | .br | ||
1653 | 07:53:10 192.0.77.2 i0.wp.com | ||
1654 | .br | ||
1655 | 07:53:11 192.0.73.2 1.gravatar.com | ||
1656 | .br | ||
1657 | #endif | 1621 | #endif |
1658 | .TP | 1622 | .TP |
1659 | \fB\-\-nice=value | 1623 | \fB\-\-nice=value |
@@ -2833,6 +2797,49 @@ $ firejail \-\-list | |||
2833 | 3272:netblue::firejail \-\-private firefox | 2797 | 3272:netblue::firejail \-\-private firefox |
2834 | .br | 2798 | .br |
2835 | $ firejail \-\-shutdown=3272 | 2799 | $ firejail \-\-shutdown=3272 |
2800 | |||
2801 | #ifdef HAVE_NETWORK | ||
2802 | .TP | ||
2803 | \fB\-\-snitrace[=name|pid] | ||
2804 | Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes | ||
2805 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
2806 | .br | ||
2807 | |||
2808 | .br | ||
2809 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
2810 | .br | ||
2811 | |||
2812 | .br | ||
2813 | $ sudo firejail --snitrace=browser | ||
2814 | .br | ||
2815 | 07:49:51 23.185.0.3 linux.com | ||
2816 | .br | ||
2817 | 07:49:51 23.185.0.3 www.linux.com | ||
2818 | .br | ||
2819 | 07:50:05 192.0.73.2 secure.gravatar.com | ||
2820 | .br | ||
2821 | 07:52:35 172.67.68.93 www.howtoforge.com | ||
2822 | .br | ||
2823 | 07:52:37 13.225.103.59 sf.ezoiccdn.com | ||
2824 | .br | ||
2825 | 07:52:42 142.250.176.3 www.gstatic.com | ||
2826 | .br | ||
2827 | 07:53:03 173.236.250.32 www.linuxlinks.com | ||
2828 | .br | ||
2829 | 07:53:05 192.0.77.37 c0.wp.com | ||
2830 | .br | ||
2831 | 07:53:08 192.0.78.32 jetpack.wordpress.com | ||
2832 | .br | ||
2833 | 07:53:09 192.0.77.32 s0.wp.com | ||
2834 | .br | ||
2835 | 07:53:09 192.0.77.2 i0.wp.com | ||
2836 | .br | ||
2837 | 07:53:10 192.0.77.2 i0.wp.com | ||
2838 | .br | ||
2839 | 07:53:11 192.0.73.2 1.gravatar.com | ||
2840 | .br | ||
2841 | #endif | ||
2842 | |||
2836 | .TP | 2843 | .TP |
2837 | \fB\-\-tab | 2844 | \fB\-\-tab |
2838 | Enable shell tab completion in sandboxes using private or whitelisted home directories. | 2845 | Enable shell tab completion in sandboxes using private or whitelisted home directories. |