6 files changed, 113 insertions, 5 deletions
diff --git a/README b/README
index 03a68e95c..56c78e34a 100644
--- a/README
+++ b/README
@@ -615,6 +615,8 @@ juan (https://github.com/nyancat18)
        - fixed Kdenlive, Shotcut profiles
        - new profiles for Cinelerra, Cliqz, Bluefish
        - profile hardening
+k4leg (https://github.com/k4leg)
+        - fix PyCharm profiles
 Kaan Genç (https://github.com/SeriousBug)
        - dynamic allocation of noblacklist buffer
 Karoshi42 (https://github.com/karoshi42)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 17f5af434..04c586f79 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -91,6 +91,9 @@ static char *usage_str =
        "    --deterministic-shutdown - terminate orphan processes.\n"
        "    --dns=address - set DNS server.\n"
        "    --dns.print=name|pid - print DNS configuration.\n"
+#ifdef HAVE_NETWORK
+        "    --dnstrace - monitor DNS queries.\n"
+#endif
        "    --env=name=value - set environment variable.\n"
        "    --fs.print=name|pid - print the filesystem log.\n"
 #ifdef HAVE_FILE_TRANSFER
@@ -99,6 +102,9 @@ static char *usage_str =
        "    --help, -? - this help screen.\n"
        "    --hostname=name - set sandbox hostname.\n"
        "    --hosts-file=file - use file as /etc/hosts.\n"
+#ifdef HAVE_NETWORK
+        "    --icmptrace - monitor Server Name Indiication (TLS/SNI).\n"
+#endif
        "    --ids-check - verify file system.\n"
        "    --ids-init - initialize IDS database.\n"
        "    --ignore=command - ignore command in profile files.\n"
@@ -154,8 +160,6 @@ static char *usage_str =
        "    --netns=name - Run the program in a named, persistent network namespace.\n"
        "    --netstats - monitor network statistics.\n"
        "    --nettrace - monitor received TCP, UDP and ICMP traffic.\n"
-        "    --nettrace - monitor DNS queries.\n"
-        "    --nettrace - monitor Server Name Indiication (TLS/SNI).\n"
 #endif
        "    --nice=value - set nice value.\n"
        "    --no3d - disable 3D hardware acceleration.\n"
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c
index 32122754f..48bf14710 100644
--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -70,6 +70,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
                type, (nxdomain)? " NXDOMAIN": "");
        if (strcmp(tmp, last)) {
                printf("%s\n", tmp);
+                fflush(0);
                strcpy(last, tmp);
        }
@@ -77,6 +78,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
 errout:
        printf("%02d:%02d:%02d  %15s  Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+        fflush(0);
 }
 // https://www.kernel.org/doc/html/latest/networking/filter.html
diff --git a/src/fnettrace-icmp/main.c b/src/fnettrace-icmp/main.c
index 986091bb4..bb857c922 100644
--- a/src/fnettrace-icmp/main.c
+++ b/src/fnettrace-icmp/main.c
@@ -64,19 +64,19 @@ char *code_dest_unreachable[16] = {
        "Host unreachable for ToS",
        "Communication administratively prohibited",
        "Host Precedence Violation",
-        "Precedence cutoff in effect "
+        "Precedence cutoff in effect"
 };
 char *code_redirect_message[4] = {
        "Datagram for the Network",
        "Datagram for the Host",
        "Datagram for the ToS & network",
-        "Datagram for the ToS & host "
+        "Datagram for the ToS & host"
 };
 char *code_time_exceeded[2] = {
        "TTL expired in transit",
-        "Fragment reassembly time exceeded "
+        "Fragment reassembly time exceeded"
 };
 char *code_bad_ip_header[3] = {
@@ -115,6 +115,7 @@ static void print_icmp(uint32_t ip_dest, uint32_t ip_src, uint8_t type, uint8_t
                icmp_bytes,
                type_ptr,
                code_ptr);
+        fflush(0);
 }
 // https://www.kernel.org/doc/html/latest/networking/filter.html
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c
index 71793a560..d0f75dac9 100644
--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -77,6 +77,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
                snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
                if (strcmp(tmp, last)) {
                        printf("%s\n", tmp);
+                        fflush(0);
                        strcpy(last, tmp);
                }
        }
@@ -86,6 +87,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
 errout:
        printf("%02d:%02d:%02d  %-15s  Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+        fflush(0);
        return;
 nosni:
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map
index d3d234f5a..c630b6688 100644
--- a/src/fnettrace/static-ip-map
+++ b/src/fnettrace/static-ip-map
@@ -48,6 +48,7 @@
 4.0.0.0/9 Level 3
 6.0.0.0/8 US Army
 7.0.0.0/8 US Army
+8.0.0.0/9 Level 3
 9.0.0.0/8 IBM
 11.0.0.0/8 US Army
 17.0.0.0/8 Apple
@@ -199,7 +200,103 @@
 151.139.0.0/16 StackPath
 # Linode
+103.29.68.0/22 Linode
+104.200.16.0/21 Linode
+104.200.24.0/22 Linode
+104.200.25.0/24 Linode
+104.200.26.0/24 Linode
+104.200.27.0/24 Linode
+104.200.28.0/22 Linode
+104.237.128.0/21 Linode
+104.237.136.0/21 Linode
+104.237.144.0/21 Linode
+104.237.152.0/21 Linode
+104.237.152.0/24 Linode
+104.237.153.0/24 Linode
+104.237.154.0/24 Linode
+104.237.155.0/24 Linode
+104.237.156.0/24 Linode
+104.237.157.0/24 Linode
+104.237.158.0/24 Linode
+104.237.159.0/24 Linode
+109.237.24.0/22 Linode
+109.74.192.0/20 Linode
+139.144.0.0/20 Linode
+139.144.104.0/21 Linode
+139.144.112.0/20 Linode
+139.144.128.0/21 Linode
+139.144.136.0/21 Linode
+139.144.144.0/20 Linode
+139.144.160.0/22 Linode
+139.144.16.0/20  Linode
+139.144.164.0/22 Linode
+139.144.168.0/21 Linode
+139.144.176.0/21 Linode
+139.144.184.0/21 Linode
+139.144.192.0/19 Linode
+139.144.224.0/21 Linode
+139.144.232.0/21 Linode
+139.144.240.0/22 Linode
+139.144.32.0/21 Linode
+139.144.40.0/21 Linode
+139.144.48.0/20 Linode
+139.144.64.0/20 Linode
+139.144.80.0/21 Linode
+139.144.88.0/21 Linode
+139.144.96.0/21 Linode
+139.162.0.0/19 Linode
+139.162.128.0/19 Linode
+139.162.160.0/19 Linode
+139.162.192.0/19 Linode
+139.162.224.0/19 Linode
+139.162.32.0/19 Linode
+139.162.64.0/19 Linode
+139.162.96.0/19 Linode
+139.177.176.0/21 Linode
+139.177.184.0/21 Linode
+139.177.192.0/21 Linode
+139.177.200.0/21 Linode
+151.236.216.0/21 Linode
+162.216.16.0/22  Linode
+170.187.128.0/24 Linode
+170.187.129.0/24 Linode
+170.187.131.0/24 Linode
+170.187.132.0/24 Linode
+170.187.134.0/23 Linode
+170.187.136.0/21 Linode
+170.187.144.0/20 Linode
+170.187.160.0/21 Linode
+170.187.168.0/21 Linode
+170.187.176.0/21 Linode
+170.187.184.0/21 Linode
+170.187.192.0/22 Linode
+170.187.196.0/22 Linode
+170.187.200.0/21 Linode
+170.187.208.0/20 Linode
+170.187.224.0/21 Linode
+170.187.232.0/21 Linode
+170.187.240.0/21 Linode
+170.187.248.0/21 Linode
 172.104.0.0/15 Linode
+172.104.128.0/19 Linode
+172.104.160.0/19 Linode
+172.104.192.0/21 Linode
+172.104.200.0/23 Linode
+172.104.202.0/23 Linode
+172.104.205.0/24 Linode
+172.104.206.0/24 Linode
+172.104.207.0/24 Linode
+172.104.208.0/20 Linode
+172.104.220.0/24 Linode
+172.104.224.0/19 Linode
+172.104.32.0/19 Linode
+172.104.4.0/22 Linode
+172.104.64.0/19 Linode
+172.104.8.0/21 Linode
+172.104.96.0/19 Linode
+172.105.0.0/19 Linode
+172.105.112.0/20 Linode
+172.105.128.0/23 Linode
 # Akamai
 23.0.0.0/12 Akamai

diff --git a/README b/README index 03a68e95c..56c78e34a 100644 --- a/README +++ b/README
@@ -615,6 +615,8 @@ juan (https://github.com/nyancat18)
615	- fixed Kdenlive, Shotcut profiles	615	- fixed Kdenlive, Shotcut profiles
616	- new profiles for Cinelerra, Cliqz, Bluefish	616	- new profiles for Cinelerra, Cliqz, Bluefish
617	- profile hardening	617	- profile hardening
		618	k4leg (https://github.com/k4leg)
		619	- fix PyCharm profiles
618	Kaan Genç (https://github.com/SeriousBug)	620	Kaan Genç (https://github.com/SeriousBug)
619	- dynamic allocation of noblacklist buffer	621	- dynamic allocation of noblacklist buffer
620	Karoshi42 (https://github.com/karoshi42)	622	Karoshi42 (https://github.com/karoshi42)


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 17f5af434..04c586f79 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -91,6 +91,9 @@ static char *usage_str =
91	" --deterministic-shutdown - terminate orphan processes.\n"	91	" --deterministic-shutdown - terminate orphan processes.\n"
92	" --dns=address - set DNS server.\n"	92	" --dns=address - set DNS server.\n"
93	" --dns.print=name\|pid - print DNS configuration.\n"	93	" --dns.print=name\|pid - print DNS configuration.\n"
		94	#ifdef HAVE_NETWORK
		95	" --dnstrace - monitor DNS queries.\n"
		96	#endif
94	" --env=name=value - set environment variable.\n"	97	" --env=name=value - set environment variable.\n"
95	" --fs.print=name\|pid - print the filesystem log.\n"	98	" --fs.print=name\|pid - print the filesystem log.\n"
96	#ifdef HAVE_FILE_TRANSFER	99	#ifdef HAVE_FILE_TRANSFER
@@ -99,6 +102,9 @@ static char *usage_str =
99	" --help, -? - this help screen.\n"	102	" --help, -? - this help screen.\n"
100	" --hostname=name - set sandbox hostname.\n"	103	" --hostname=name - set sandbox hostname.\n"
101	" --hosts-file=file - use file as /etc/hosts.\n"	104	" --hosts-file=file - use file as /etc/hosts.\n"
		105	#ifdef HAVE_NETWORK
		106	" --icmptrace - monitor Server Name Indiication (TLS/SNI).\n"
		107	#endif
102	" --ids-check - verify file system.\n"	108	" --ids-check - verify file system.\n"
103	" --ids-init - initialize IDS database.\n"	109	" --ids-init - initialize IDS database.\n"
104	" --ignore=command - ignore command in profile files.\n"	110	" --ignore=command - ignore command in profile files.\n"
@@ -154,8 +160,6 @@ static char *usage_str =
154	" --netns=name - Run the program in a named, persistent network namespace.\n"	160	" --netns=name - Run the program in a named, persistent network namespace.\n"
155	" --netstats - monitor network statistics.\n"	161	" --netstats - monitor network statistics.\n"
156	" --nettrace - monitor received TCP, UDP and ICMP traffic.\n"	162	" --nettrace - monitor received TCP, UDP and ICMP traffic.\n"
157	" --nettrace - monitor DNS queries.\n"
158	" --nettrace - monitor Server Name Indiication (TLS/SNI).\n"
159	#endif	163	#endif
160	" --nice=value - set nice value.\n"	164	" --nice=value - set nice value.\n"
161	" --no3d - disable 3D hardware acceleration.\n"	165	" --no3d - disable 3D hardware acceleration.\n"


diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c index 32122754f..48bf14710 100644 --- a/src/fnettrace-dns/main.c +++ b/src/fnettrace-dns/main.c
@@ -70,6 +70,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
70	type, (nxdomain)? " NXDOMAIN": "");	70	type, (nxdomain)? " NXDOMAIN": "");
71	if (strcmp(tmp, last)) {	71	if (strcmp(tmp, last)) {
72	printf("%s\n", tmp);	72	printf("%s\n", tmp);
		73	fflush(0);
73	strcpy(last, tmp);	74	strcpy(last, tmp);
74	}	75	}
75		76
@@ -77,6 +78,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
77		78
78	errout:	79	errout:
79	printf("%02d:%02d:%02d %15s Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);	80	printf("%02d:%02d:%02d %15s Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
		81	fflush(0);
80	}	82	}
81		83
82	// https://www.kernel.org/doc/html/latest/networking/filter.html	84	// https://www.kernel.org/doc/html/latest/networking/filter.html


diff --git a/src/fnettrace-icmp/main.c b/src/fnettrace-icmp/main.c index 986091bb4..bb857c922 100644 --- a/src/fnettrace-icmp/main.c +++ b/src/fnettrace-icmp/main.c
@@ -64,19 +64,19 @@ char *code_dest_unreachable[16] = {
64	"Host unreachable for ToS",	64	"Host unreachable for ToS",
65	"Communication administratively prohibited",	65	"Communication administratively prohibited",
66	"Host Precedence Violation",	66	"Host Precedence Violation",
67	"Precedence cutoff in effect "	67	"Precedence cutoff in effect"
68	};	68	};
69		69
70	char *code_redirect_message[4] = {	70	char *code_redirect_message[4] = {
71	"Datagram for the Network",	71	"Datagram for the Network",
72	"Datagram for the Host",	72	"Datagram for the Host",
73	"Datagram for the ToS & network",	73	"Datagram for the ToS & network",
74	"Datagram for the ToS & host "	74	"Datagram for the ToS & host"
75	};	75	};
76		76
77	char *code_time_exceeded[2] = {	77	char *code_time_exceeded[2] = {
78	"TTL expired in transit",	78	"TTL expired in transit",
79	"Fragment reassembly time exceeded "	79	"Fragment reassembly time exceeded"
80	};	80	};
81		81
82	char *code_bad_ip_header[3] = {	82	char *code_bad_ip_header[3] = {
@@ -115,6 +115,7 @@ static void print_icmp(uint32_t ip_dest, uint32_t ip_src, uint8_t type, uint8_t
115	icmp_bytes,	115	icmp_bytes,
116	type_ptr,	116	type_ptr,
117	code_ptr);	117	code_ptr);
		118	fflush(0);
118	}	119	}
119		120
120	// https://www.kernel.org/doc/html/latest/networking/filter.html	121	// https://www.kernel.org/doc/html/latest/networking/filter.html


diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c index 71793a560..d0f75dac9 100644 --- a/src/fnettrace-sni/main.c +++ b/src/fnettrace-sni/main.c
@@ -77,6 +77,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
77	snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);	77	snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
78	if (strcmp(tmp, last)) {	78	if (strcmp(tmp, last)) {
79	printf("%s\n", tmp);	79	printf("%s\n", tmp);
		80	fflush(0);
80	strcpy(last, tmp);	81	strcpy(last, tmp);
81	}	82	}
82	}	83	}
@@ -86,6 +87,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
86		87
87	errout:	88	errout:
88	printf("%02d:%02d:%02d %-15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);	89	printf("%02d:%02d:%02d %-15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
		90	fflush(0);
89	return;	91	return;
90		92
91	nosni:	93	nosni:


diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map index d3d234f5a..c630b6688 100644 --- a/src/fnettrace/static-ip-map +++ b/src/fnettrace/static-ip-map
@@ -48,6 +48,7 @@
48	4.0.0.0/9 Level 3	48	4.0.0.0/9 Level 3
49	6.0.0.0/8 US Army	49	6.0.0.0/8 US Army
50	7.0.0.0/8 US Army	50	7.0.0.0/8 US Army
		51	8.0.0.0/9 Level 3
51	9.0.0.0/8 IBM	52	9.0.0.0/8 IBM
52	11.0.0.0/8 US Army	53	11.0.0.0/8 US Army
53	17.0.0.0/8 Apple	54	17.0.0.0/8 Apple
@@ -199,7 +200,103 @@
199	151.139.0.0/16 StackPath	200	151.139.0.0/16 StackPath
200		201
201	# Linode	202	# Linode
		203	103.29.68.0/22 Linode
		204	104.200.16.0/21 Linode
		205	104.200.24.0/22 Linode
		206	104.200.25.0/24 Linode
		207	104.200.26.0/24 Linode
		208	104.200.27.0/24 Linode
		209	104.200.28.0/22 Linode
		210	104.237.128.0/21 Linode
		211	104.237.136.0/21 Linode
		212	104.237.144.0/21 Linode
		213	104.237.152.0/21 Linode
		214	104.237.152.0/24 Linode
		215	104.237.153.0/24 Linode
		216	104.237.154.0/24 Linode
		217	104.237.155.0/24 Linode
		218	104.237.156.0/24 Linode
		219	104.237.157.0/24 Linode
		220	104.237.158.0/24 Linode
		221	104.237.159.0/24 Linode
		222	109.237.24.0/22 Linode
		223	109.74.192.0/20 Linode
		224	139.144.0.0/20 Linode
		225	139.144.104.0/21 Linode
		226	139.144.112.0/20 Linode
		227	139.144.128.0/21 Linode
		228	139.144.136.0/21 Linode
		229	139.144.144.0/20 Linode
		230	139.144.160.0/22 Linode
		231	139.144.16.0/20 Linode
		232	139.144.164.0/22 Linode
		233	139.144.168.0/21 Linode
		234	139.144.176.0/21 Linode
		235	139.144.184.0/21 Linode
		236	139.144.192.0/19 Linode
		237	139.144.224.0/21 Linode
		238	139.144.232.0/21 Linode
		239	139.144.240.0/22 Linode
		240	139.144.32.0/21 Linode
		241	139.144.40.0/21 Linode
		242	139.144.48.0/20 Linode
		243	139.144.64.0/20 Linode
		244	139.144.80.0/21 Linode
		245	139.144.88.0/21 Linode
		246	139.144.96.0/21 Linode
		247	139.162.0.0/19 Linode
		248	139.162.128.0/19 Linode
		249	139.162.160.0/19 Linode
		250	139.162.192.0/19 Linode
		251	139.162.224.0/19 Linode
		252	139.162.32.0/19 Linode
		253	139.162.64.0/19 Linode
		254	139.162.96.0/19 Linode
		255	139.177.176.0/21 Linode
		256	139.177.184.0/21 Linode
		257	139.177.192.0/21 Linode
		258	139.177.200.0/21 Linode
		259	151.236.216.0/21 Linode
		260	162.216.16.0/22 Linode
		261	170.187.128.0/24 Linode
		262	170.187.129.0/24 Linode
		263	170.187.131.0/24 Linode
		264	170.187.132.0/24 Linode
		265	170.187.134.0/23 Linode
		266	170.187.136.0/21 Linode
		267	170.187.144.0/20 Linode
		268	170.187.160.0/21 Linode
		269	170.187.168.0/21 Linode
		270	170.187.176.0/21 Linode
		271	170.187.184.0/21 Linode
		272	170.187.192.0/22 Linode
		273	170.187.196.0/22 Linode
		274	170.187.200.0/21 Linode
		275	170.187.208.0/20 Linode
		276	170.187.224.0/21 Linode
		277	170.187.232.0/21 Linode
		278	170.187.240.0/21 Linode
		279	170.187.248.0/21 Linode
202	172.104.0.0/15 Linode	280	172.104.0.0/15 Linode
		281	172.104.128.0/19 Linode
		282	172.104.160.0/19 Linode
		283	172.104.192.0/21 Linode
		284	172.104.200.0/23 Linode
		285	172.104.202.0/23 Linode
		286	172.104.205.0/24 Linode
		287	172.104.206.0/24 Linode
		288	172.104.207.0/24 Linode
		289	172.104.208.0/20 Linode
		290	172.104.220.0/24 Linode
		291	172.104.224.0/19 Linode
		292	172.104.32.0/19 Linode
		293	172.104.4.0/22 Linode
		294	172.104.64.0/19 Linode
		295	172.104.8.0/21 Linode
		296	172.104.96.0/19 Linode
		297	172.105.0.0/19 Linode
		298	172.105.112.0/20 Linode
		299	172.105.128.0/23 Linode
203		300
204	# Akamai	301	# Akamai
205	23.0.0.0/12 Akamai	302	23.0.0.0/12 Akamai