-rw-r--r-- | README.md | 16 | ||||
-rw-r--r-- | etc/disable-common.inc | 10 | ||||
-rw-r--r-- | src/firejail/fs.c | 14 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 23 |
6 files changed, 59 insertions, 10 deletions
@@ -95,3 +95,19 @@ New profiles introduced in this version: unbound, dnscrypt-proxy | |||
95 | ### --whitelist | 95 | ### --whitelist |
96 | 96 | ||
97 | Whitelist command accepts files in user home, /dev, /media, /var, and /tmp directories. | 97 | Whitelist command accepts files in user home, /dev, /media, /var, and /tmp directories. |
98 | |||
99 | ### --tracelog | ||
100 | |||
101 | Tracelog command enables auditing blacklisted files and directories. A message | ||
102 | is sent to syslog in case the file or the directory is accessed. Example: | ||
103 | ````` | ||
104 | $ firejail --tracelog firefox | ||
105 | ````` | ||
106 | Syslog example: | ||
107 | ````` | ||
108 | $ sudo tail -f /var/log/syslog | ||
109 | [...] | ||
110 | Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe iceweasel, syscall open64, path /etc/shadow | ||
111 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe iceweasel, syscall opendir, path /boot | ||
112 | [...] | ||
113 | ````` \ No newline at end of file | ||
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index fdb3e552b..0b98a01e8 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -1,11 +1,11 @@ | |||
1 | # History files in $HOME | 1 | # History files in $HOME |
2 | blacklist ${HOME}/.history | 2 | blacklist-nolog ${HOME}/.history |
3 | blacklist ${HOME}/.*_history | 3 | blacklist-nolog ${HOME}/.*_history |
4 | 4 | ||
5 | # HTTP / FTP / Mail | 5 | # HTTP / FTP / Mail |
6 | blacklist ${HOME}/.adobe | 6 | blacklist-nolog ${HOME}/.adobe |
7 | blacklist ${HOME}/.macromedia | 7 | blacklist-nolog ${HOME}/.macromedia |
8 | blacklist ${HOME}/.mozilla | 8 | blacklist-nolog ${HOME}/.mozilla |
9 | blacklist ${HOME}/.icedove | 9 | blacklist ${HOME}/.icedove |
10 | blacklist ${HOME}/.thunderbird | 10 | blacklist ${HOME}/.thunderbird |
11 | blacklist ${HOME}/.sylpheed-2.0 | 11 | blacklist ${HOME}/.sylpheed-2.0 |
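Review bot: Switching `${HOME}/.mozilla` to `blacklist-nolog` on line 8 suppresses the tracelog audit record for the browser profile directory, which of the paths in this file is the one most likely to hold saved credentials and session cookies, while `.icedove`, `.thunderbird` and `.sylpheed-2.0` on lines 9–11 stay fully logged, and the file does not say why the two groups differ. The denial itself is presumably unchanged and only the syslog message is dropped, but that is inferred from the keyword name rather than visible in this file. A short comment above the first switched line would let profile maintainers apply the distinction consistently, e.g. `# blacklist-nolog: access is still denied, but not reported by --tracelog (these paths are probed routinely by legitimate programs)`.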
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ebeaf51c7..e62e2676b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -157,6 +157,7 @@ void fs_delete_cp_command(void) { | |||
157 | //*********************************************** | 157 | //*********************************************** |
158 | typedef enum { | 158 | typedef enum { |
159 | BLACKLIST_FILE, | 159 | BLACKLIST_FILE, |
160 | BLACKLIST_NOLOG, | ||
160 | MOUNT_READONLY, | 161 | MOUNT_READONLY, |
161 | MOUNT_TMPFS, | 162 | MOUNT_TMPFS, |
162 | OPERATION_MAX | 163 | OPERATION_MAX |
@@ -194,7 +195,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
194 | } | 195 | } |
195 | 196 | ||
196 | // modify the file | 197 | // modify the file |
197 | if (op == BLACKLIST_FILE) { | 198 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { |
198 | // some distros put all executables under /usr/bin and make /bin a symbolic link | 199 | // some distros put all executables under /usr/bin and make /bin a symbolic link |
199 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && | 200 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && |
200 | is_link(filename) && | 201 | is_link(filename) && |
@@ -213,7 +214,10 @@ static void disable_file(OPERATION op, const char *filename) { | |||
213 | errExit("disable file"); | 214 | errExit("disable file"); |
214 | } | 215 | } |
215 | last_disable = SUCCESSFUL; | 216 | last_disable = SUCCESSFUL; |
216 | fs_logger2("blacklist", fname); | 217 | if (op == BLACKLIST_FILE) |
218 | fs_logger2("blacklist", fname); | ||
219 | else | ||
220 | fs_logger2("blacklist-nolog", fname); | ||
217 | } | 221 | } |
218 | } | 222 | } |
219 | else if (op == MOUNT_READONLY) { | 223 | else if (op == MOUNT_READONLY) { |
@@ -282,6 +286,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
282 | } | 286 | } |
283 | if (okay_to_blacklist) | 287 | if (okay_to_blacklist) |
284 | disable_file(op, path); | 288 | disable_file(op, path); |
289 | else if (arg_debug) | ||
290 | printf("Not blacklist %s\n", path); | ||
285 | } | 291 | } |
286 | globfree(&globbuf); | 292 | globfree(&globbuf); |
287 | } | 293 | } |
@@ -366,6 +372,10 @@ void fs_blacklist(void) { | |||
366 | ptr = entry->data + 10; | 372 | ptr = entry->data + 10; |
367 | op = BLACKLIST_FILE; | 373 | op = BLACKLIST_FILE; |
368 | } | 374 | } |
375 | else if (strncmp(entry->data, "blacklist-nolog ", 16) == 0) { | ||
376 | ptr = entry->data + 16; | ||
377 | op = BLACKLIST_NOLOG; | ||
378 | } | ||
369 | else if (strncmp(entry->data, "read-only ", 10) == 0) { | 379 | else if (strncmp(entry->data, "read-only ", 10) == 0) { |
370 | ptr = entry->data + 10; | 380 | ptr = entry->data + 10; |
371 | op = MOUNT_READONLY; | 381 | op = MOUNT_READONLY; |
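Review bot: In the `disable_file` hunk (new lines 217–220) the only thing that distinguishes `BLACKLIST_NOLOG` from `BLACKLIST_FILE` is the tag string passed to `fs_logger2`, and nothing in this diff shows the tracelog side consuming that tag, so a reader of fs.c cannot tell that the path is still denied and only the audit message is suppressed; a comment on the new `if` would carry that contract, e.g. `// both ops deny the path the same way; the "blacklist-nolog" tag only tells the tracelog auditor not to report accesses to it`. The bare `else` is correct only because the enclosing `if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG)` on new line 198 excludes the other ops; testing `op == BLACKLIST_NOLOG` explicitly and keeping the original call as the fallback would make that independent of the outer condition. The keyword prefix and its hand-counted length `16` are now duplicated in `fs_blacklist` here (new lines 375–377) and in `profile_check_line` in profile.c (new lines 373–374); `sizeof("blacklist-nolog ") - 1` or one shared constant would keep the two parsers from drifting. `disable_file`, `globbing` and `fs_blacklist` all start and end outside these hunks.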
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a8eedcaff..50fdeda7e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -370,6 +370,8 @@ int profile_check_line(char *ptr, int lineno) { | |||
370 | // rest of filesystem | 370 | // rest of filesystem |
371 | if (strncmp(ptr, "blacklist ", 10) == 0) | 371 | if (strncmp(ptr, "blacklist ", 10) == 0) |
372 | ptr += 10; | 372 | ptr += 10; |
373 | else if (strncmp(ptr, "blacklist-nolog ", 16) == 0) | ||
374 | ptr += 16; | ||
373 | else if (strncmp(ptr, "noblacklist ", 12) == 0) | 375 | else if (strncmp(ptr, "noblacklist ", 12) == 0) |
374 | ptr += 12; | 376 | ptr += 12; |
375 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | 377 | else if (strncmp(ptr, "whitelist ", 10) == 0) { |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index a64bafeb4..d060af5eb 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -263,8 +263,8 @@ void usage(void) { | |||
263 | printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n"); | 263 | printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n"); |
264 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); | 264 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); |
265 | printf("\t--trace - trace open, access and connect system calls.\n\n"); | 265 | printf("\t--trace - trace open, access and connect system calls.\n\n"); |
266 | printf("\t--tracelog - add a log message in syslog for every access to blacklisted\n"); | 266 | printf("\t--tracelog - add a syslog message for every access to files or\n"); |
267 | printf("\t\tfiles or directories.\n\n"); | 267 | printf("\t\tdirectoires blacklisted by the security profile.\n\n"); |
268 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); | 268 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); |
269 | printf("\t--version - print program version and exit.\n\n"); | 269 | printf("\t--version - print program version and exit.\n\n"); |
270 | printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); | 270 | printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); |
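Review bot: The new help text on line 267 misspells "directories" as `directoires`, so the user-visible usage output ships with a typo; the line should read `printf("\t\tdirectories blacklisted by the security profile.\n\n");`. `usage` starts and ends outside the hunk.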
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 28f75d023..62225c407 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1297,7 +1297,28 @@ Child process initialized | |||
1297 | parent is shutting down, bye... | 1297 | parent is shutting down, bye... |
1298 | .TP | 1298 | .TP |
1299 | \fB\-\-tracelog | 1299 | \fB\-\-tracelog |
1300 | Add a log message in syslog for every access to blacklisted files or directories. | 1300 | This option enables auditing blacklisted files and directories. A message |
1301 | is sent to syslog in case the file or the directory is accessed. | ||
1302 | .br | ||
1303 | |||
1304 | .br | ||
1305 | Example: | ||
1306 | .br | ||
1307 | $ firejail --tracelog firefox | ||
1308 | .br | ||
1309 | |||
1310 | .br | ||
1311 | Sample messages: | ||
1312 | .br | ||
1313 | $ sudo tail -f /var/log/syslog | ||
1314 | .br | ||
1315 | [...] | ||
1316 | .br | ||
1317 | Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow | ||
1318 | .br | ||
1319 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot | ||
1320 | .br | ||
1321 | [...] | ||
1301 | .TP | 1322 | .TP |
1302 | \fB\-\-tree | 1323 | \fB\-\-tree |
1303 | Print a tree of all sandboxed processes, see MONITORING section for more details. | 1324 | Print a tree of all sandboxed processes, see MONITORING section for more details. |