-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 8 | ||||
-rw-r--r-- | src/fnettrace-dns/main.c | 2 | ||||
-rw-r--r-- | src/fnettrace-icmp/main.c | 7 | ||||
-rw-r--r-- | src/fnettrace-sni/main.c | 2 | ||||
-rw-r--r-- | src/fnettrace/static-ip-map | 97 |
6 files changed, 113 insertions, 5 deletions
@@ -615,6 +615,8 @@ juan (https://github.com/nyancat18) | |||
615 | - fixed Kdenlive, Shotcut profiles | 615 | - fixed Kdenlive, Shotcut profiles |
616 | - new profiles for Cinelerra, Cliqz, Bluefish | 616 | - new profiles for Cinelerra, Cliqz, Bluefish |
617 | - profile hardening | 617 | - profile hardening |
618 | k4leg (https://github.com/k4leg) | ||
619 | - fix PyCharm profiles | ||
618 | Kaan Genç (https://github.com/SeriousBug) | 620 | Kaan Genç (https://github.com/SeriousBug) |
619 | - dynamic allocation of noblacklist buffer | 621 | - dynamic allocation of noblacklist buffer |
620 | Karoshi42 (https://github.com/karoshi42) | 622 | Karoshi42 (https://github.com/karoshi42) |
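--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -91,6 +91,9 @@ static char *usage_str =
 " --deterministic-shutdown - terminate orphan processes.\n"
 " --dns=address - set DNS server.\n"
 " --dns.print=name|pid - print DNS configuration.\n"
+#ifdef HAVE_NETWORK
+" --dnstrace - monitor DNS queries.\n"
+#endif
 " --env=name=value - set environment variable.\n"
 " --fs.print=name|pid - print the filesystem log.\n"
 #ifdef HAVE_FILE_TRANSFER
@@ -99,6 +102,9 @@ static char *usage_str =
 " --help, -? - this help screen.\n"
 " --hostname=name - set sandbox hostname.\n"
 " --hosts-file=file - use file as /etc/hosts.\n"
+#ifdef HAVE_NETWORK
+" --icmptrace - monitor Server Name Indiication (TLS/SNI).\n"
+#endif
 " --ids-check - verify file system.\n"
 " --ids-init - initialize IDS database.\n"
 " --ignore=command - ignore command in profile files.\n"
@@ -154,8 +160,6 @@ static char *usage_str =
 " --netns=name - Run the program in a named, persistent network namespace.\n"
 " --netstats - monitor network statistics.\n"
 " --nettrace - monitor received TCP, UDP and ICMP traffic.\n"
-" --nettrace - monitor DNS queries.\n"
-" --nettrace - monitor Server Name Indiication (TLS/SNI).\n"
 #endif
 " --nice=value - set nice value.\n"
 " --no3d - disable 3D hardware acceleration.\n"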
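Review bot: The help line added in the second hunk, `" --icmptrace - monitor Server Name Indiication (TLS/SNI).\n"`, describes the SNI monitor rather than ICMP and carries along the "Indiication" typo from the line it was presumably copied from; the entry should read something like `" --icmptrace - monitor ICMP traffic.\n"`. The removed `--nettrace ... (TLS/SNI)` line in the third hunk has no corrected replacement anywhere in this diff, so if a separate SNI-tracing option exists its help entry is now missing — worth confirming against the option parser. The usage_str definition starts before the first hunk and ends after the last one.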
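--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -70,6 +70,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
 type, (nxdomain)? " NXDOMAIN": "");
 if (strcmp(tmp, last)) {
 printf("%s\n", tmp);
+fflush(0);
 strcpy(last, tmp);
 }
 
@@ -77,6 +78,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
 
 errout:
 printf("%02d:%02d:%02d %15s Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+fflush(0);
 }
 
 // https://www.kernel.org/doc/html/latest/networking/filter.html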
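Review bot: `fflush(0)` in both hunks passes a bare integer literal where a stream pointer is expected; it is a valid null-pointer constant, but a null argument makes fflush flush every open output stream, which is broader than the stdout the preceding printf wrote to. Prefer `fflush(stdout);` so the intent is explicit and unrelated streams are left alone; the same pattern is added in src/fnettrace-icmp/main.c and src/fnettrace-sni/main.c in this commit. If the goal is timely output when stdout is a pipe, a single `setvbuf(stdout, NULL, _IOLBF, 0);` at startup would remove the need for a flush after every line. print_dns begins before the first hunk.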
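--- a/src/fnettrace-icmp/main.c
+++ b/src/fnettrace-icmp/main.c
@@ -64,19 +64,19 @@ char *code_dest_unreachable[16] = {
 "Host unreachable for ToS",
 "Communication administratively prohibited",
 "Host Precedence Violation",
-"Precedence cutoff in effect "
+"Precedence cutoff in effect"
 };
 
 char *code_redirect_message[4] = {
 "Datagram for the Network",
 "Datagram for the Host",
 "Datagram for the ToS & network",
-"Datagram for the ToS & host "
+"Datagram for the ToS & host"
 };
 
 char *code_time_exceeded[2] = {
 "TTL expired in transit",
-"Fragment reassembly time exceeded "
+"Fragment reassembly time exceeded"
 };
 
 char *code_bad_ip_header[3] = {
@@ -115,6 +115,7 @@ static void print_icmp(uint32_t ip_dest, uint32_t ip_src, uint8_t type, uint8_t
 icmp_bytes,
 type_ptr,
 code_ptr);
+fflush(0);
 }
 
 // https://www.kernel.org/doc/html/latest/networking/filter.html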
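--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -77,6 +77,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
 snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
 if (strcmp(tmp, last)) {
 printf("%s\n", tmp);
+fflush(0);
 strcpy(last, tmp);
 }
 }
@@ -86,6 +87,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
 
 errout:
 printf("%02d:%02d:%02d %-15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+fflush(0);
 return;
 
 nosni: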
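Review bot: The context line `snprintf(tmp, sizeof(last), ...)` in the first hunk bounds the write into `tmp` by the size of a different buffer, `last`; that is only safe if both are arrays of the same size, and their declarations are outside this hunk. Since the new `fflush(0)` now sits between that snprintf and the unbounded `strcpy(last, tmp)`, this is a good moment to make each write bounded by its own destination: `snprintf(tmp, sizeof(tmp), ...)` (assuming tmp is an array, not a pointer) and `snprintf(last, sizeof(last), "%s", tmp);` in place of the strcpy. print_tls starts before the first hunk and its body continues past the second.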
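--- a/src/fnettrace/static-ip-map
+++ b/src/fnettrace/static-ip-map
@@ -48,6 +48,7 @@
 4.0.0.0/9 Level 3
 6.0.0.0/8 US Army
 7.0.0.0/8 US Army
+8.0.0.0/9 Level 3
 9.0.0.0/8 IBM
 11.0.0.0/8 US Army
 17.0.0.0/8 Apple
@@ -199,7 +200,103 @@
 151.139.0.0/16 StackPath
 
 # Linode
+103.29.68.0/22 Linode
+104.200.16.0/21 Linode
+104.200.24.0/22 Linode
+104.200.25.0/24 Linode
+104.200.26.0/24 Linode
+104.200.27.0/24 Linode
+104.200.28.0/22 Linode
+104.237.128.0/21 Linode
+104.237.136.0/21 Linode
+104.237.144.0/21 Linode
+104.237.152.0/21 Linode
+104.237.152.0/24 Linode
+104.237.153.0/24 Linode
+104.237.154.0/24 Linode
+104.237.155.0/24 Linode
+104.237.156.0/24 Linode
+104.237.157.0/24 Linode
+104.237.158.0/24 Linode
+104.237.159.0/24 Linode
+109.237.24.0/22 Linode
+109.74.192.0/20 Linode
+139.144.0.0/20 Linode
+139.144.104.0/21 Linode
+139.144.112.0/20 Linode
+139.144.128.0/21 Linode
+139.144.136.0/21 Linode
+139.144.144.0/20 Linode
+139.144.160.0/22 Linode
+139.144.16.0/20 Linode
+139.144.164.0/22 Linode
+139.144.168.0/21 Linode
+139.144.176.0/21 Linode
+139.144.184.0/21 Linode
+139.144.192.0/19 Linode
+139.144.224.0/21 Linode
+139.144.232.0/21 Linode
+139.144.240.0/22 Linode
+139.144.32.0/21 Linode
+139.144.40.0/21 Linode
+139.144.48.0/20 Linode
+139.144.64.0/20 Linode
+139.144.80.0/21 Linode
+139.144.88.0/21 Linode
+139.144.96.0/21 Linode
+139.162.0.0/19 Linode
+139.162.128.0/19 Linode
+139.162.160.0/19 Linode
+139.162.192.0/19 Linode
+139.162.224.0/19 Linode
+139.162.32.0/19 Linode
+139.162.64.0/19 Linode
+139.162.96.0/19 Linode
+139.177.176.0/21 Linode
+139.177.184.0/21 Linode
+139.177.192.0/21 Linode
+139.177.200.0/21 Linode
+151.236.216.0/21 Linode
+162.216.16.0/22 Linode
+170.187.128.0/24 Linode
+170.187.129.0/24 Linode
+170.187.131.0/24 Linode
+170.187.132.0/24 Linode
+170.187.134.0/23 Linode
+170.187.136.0/21 Linode
+170.187.144.0/20 Linode
+170.187.160.0/21 Linode
+170.187.168.0/21 Linode
+170.187.176.0/21 Linode
+170.187.184.0/21 Linode
+170.187.192.0/22 Linode
+170.187.196.0/22 Linode
+170.187.200.0/21 Linode
+170.187.208.0/20 Linode
+170.187.224.0/21 Linode
+170.187.232.0/21 Linode
+170.187.240.0/21 Linode
+170.187.248.0/21 Linode
 172.104.0.0/15 Linode
+172.104.128.0/19 Linode
+172.104.160.0/19 Linode
+172.104.192.0/21 Linode
+172.104.200.0/23 Linode
+172.104.202.0/23 Linode
+172.104.205.0/24 Linode
+172.104.206.0/24 Linode
+172.104.207.0/24 Linode
+172.104.208.0/20 Linode
+172.104.220.0/24 Linode
+172.104.224.0/19 Linode
+172.104.32.0/19 Linode
+172.104.4.0/22 Linode
+172.104.64.0/19 Linode
+172.104.8.0/21 Linode
+172.104.96.0/19 Linode
+172.105.0.0/19 Linode
+172.105.112.0/20 Linode
+172.105.128.0/23 Linode
 
 # Akamai
 23.0.0.0/12 Akamai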
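Review bot: Many of the added Linode prefixes are fully contained in another entry of the same section: the unchanged `172.104.0.0/15 Linode` already spans every 172.104.x and 172.105.x prefix added beneath it, and `104.237.152.0/21 Linode` covers the eight /24 rows that follow it (likewise `104.200.24.0/22` and the /24s after it). Whether the shadowed rows are ever consulted depends on how the map is searched (first match or longest prefix), which is not visible here; because every one of them resolves to the same name the output is unchanged either way, but the redundant rows make the table longer to scan and to maintain. Either drop the covered rows or mark them with a comment such as `# sub-allocations of 172.104.0.0/15, kept for readability` so the next editor knows the overlap is intentional.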