9 files changed, 106 insertions, 4 deletions
diff --git a/RELNOTES b/RELNOTES
index d59618c7c..1f62c4d64 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * deprecated --user option, please use "sudo -u username firejail" instead
  * --read-write option rework
  * allow symlinks in home directory for --whitelist option
+  * --allow-debuggers option
  * --private-template (very simillar to the former --private-home)
  * AppImage support (--appimage)
  * AppArmor support (--apparmor)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 98ba8ee3b..8e30e929a 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -267,6 +267,7 @@ extern int arg_appimage;	// appimage
 extern int arg_audit;           // audit
 extern char *arg_audit_prog;    // audit
 extern int arg_apparmor;        // apparmor
+extern int arg_allow_debuggers; // allow debuggers
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1824765eb..bdb8e0df5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -101,8 +101,9 @@ int arg_writable_etc = 0;			// writable etc
 int arg_writable_var = 0;                       // writable var
 int arg_appimage = 0;                           // appimage
 int arg_audit = 0;                              // audit
-char *arg_audit_prog;                           // audit
+char *arg_audit_prog = NULL;                    // audit
-int arg_apparmor;                               // apparmor
+int arg_apparmor = 0;                           // apparmor
+int arg_allow_debuggers = 0;                    // allow debuggers
 int login_shell = 0;
 int parent_to_child_fds[2];
@@ -730,6 +731,24 @@ static void detect_quiet(int argc, char **argv) {
        }
 }
+static void detect_allow_debuggers(int argc, char **argv) {
+        int i;
+        
+        // detect --allow-debuggers
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--allow-debuggers") == 0) {
+                        arg_allow_debuggers = 1;
+                        break;
+                }
+                
+                // detect end of firejail params
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+        }
+}
 char *guess_shell(void) {
        char *shell = NULL;
        // shells in order of preference
@@ -766,11 +785,13 @@ int main(int argc, char **argv) {
 #endif
        detect_quiet(argc, argv);
+        detect_allow_debuggers(argc, argv);
        // drop permissions by default and rise them when required
        EUID_INIT();
        EUID_USER();
        // check argv[0] symlink wrapper if this is not a login shell
        if (*argv[0] != '-')
                run_symlink(argc, argv);
@@ -982,6 +1003,13 @@ int main(int argc, char **argv) {
        if (checkcfg(CFG_FORCE_NONEWPRIVS))
                arg_nonewprivs = 1;
        
+        if (arg_allow_debuggers) {
+                char *cmd = strdup("noblacklist ${PATH}/strace");
+                if (!cmd)
+                        errExit("strdup");
+                profile_add(cmd);
+        }
+        
        // parse arguments
        for (i = 1; i < argc; i++) {
                run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
@@ -1005,6 +1033,9 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--force") == 0)
                        ;
+                else if (strcmp(argv[i], "--allow-debuggers") == 0) {
+                        // already handled
+                }
                //*************************************
                // filtering
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 1403db704..26f434f3b 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -828,6 +828,16 @@ void profile_read(const char *fname) {
                exit(1);
        }
+        // allow debuggers
+        if (arg_allow_debuggers) {
+                char *tmp = strrchr(fname, '/');
+                if (tmp && *(tmp + 1) != '\0') {
+                        tmp++;
+                        if (strcmp(tmp, "disable-devel.inc") == 0)
+                                return;
+                }
+        }
        // open profile file:
        FILE *fp = fopen(fname, "r");
        if (fp == NULL) {
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 88620d1dd..7aaf1a5cd 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -344,6 +344,7 @@ void seccomp_filter_32(void) {
                EXAMINE_SYSCALL,
                BLACKLIST(21), // mount
                BLACKLIST(52), // umount2
+// todo: implement --allow-debuggers            
                BLACKLIST(26), // ptrace
                BLACKLIST(283), // kexec_load
                BLACKLIST(341), // name_to_handle_at
@@ -416,6 +417,7 @@ void seccomp_filter_64(void) {
                EXAMINE_SYSCALL,
                BLACKLIST(165), // mount
                BLACKLIST(166), // umount2
+// todo: implement --allow-debuggers            
                BLACKLIST(101), // ptrace
                BLACKLIST(246), // kexec_load
                BLACKLIST(304), // open_by_handle_at
@@ -501,9 +503,13 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_umount2              
                filter_add_blacklist(SYS_umount2, 0);
 #endif
+                if (!arg_allow_debuggers) {
 #ifdef SYS_ptrace               
-                filter_add_blacklist(SYS_ptrace, 0);
+                        filter_add_blacklist(SYS_ptrace, 0);
 #endif
+                }
 #ifdef SYS_kexec_load           
                filter_add_blacklist(SYS_kexec_load, 0);
 #endif
@@ -549,9 +555,12 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_syslog               
                filter_add_blacklist(SYS_syslog, 0);
 #endif
+                if (!arg_allow_debuggers) {
 #ifdef SYS_process_vm_readv             
-                filter_add_blacklist(SYS_process_vm_readv, 0);
+                        filter_add_blacklist(SYS_process_vm_readv, 0);
 #endif
+                }
+                
 #ifdef SYS_process_vm_writev            
                filter_add_blacklist(SYS_process_vm_writev, 0);
 #endif
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index ed6d22e69..ebe1c8830 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
        printf("\n");
        printf("Options:\n\n");
        printf("    -- - signal the end of options and disables further option processing.\n\n");
+        printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n\n");
        printf("    --apparmor - enable AppArmor confinement\n\n");
        printf("    --appimage - sandbox an AppImage application\n\n");
        printf("    --audit - audit the sandbox, see Audit section for more details\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d08b244f7..cc47e3dc6 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -75,6 +75,15 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow-debuggers
+Allow tools such as strace and gdb inside the sandbox.
+.br
+.br
+Example:
+.br
+$ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile --allow-debuggers strace -f firefox
+.TP
 \fB\-\-apparmor
 Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
 .TP
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp
new file mode 100755
index 000000000..dde9c4cc1
--- /dev/null
+++ b/test/environment/allow-debuggers.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "exited with 0"
+}
+after 100
+send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "exited with 0"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index a6fe07a1c..785f57d3f 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -82,4 +82,12 @@ echo "TESTING: nice (test/environment/nice.exp)"
 echo "TESTING: quiet (test/environment/quiet.exp)"
 ./quiet.exp
+which strace
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
+        ./allow-debuggers.exp
+else
+        echo "TESTING SKIP: strace not found"
+fi

diff --git a/RELNOTES b/RELNOTES index d59618c7c..1f62c4d64 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
6	* deprecated --user option, please use "sudo -u username firejail" instead	6	* deprecated --user option, please use "sudo -u username firejail" instead
7	* --read-write option rework	7	* --read-write option rework
8	* allow symlinks in home directory for --whitelist option	8	* allow symlinks in home directory for --whitelist option
		9	* --allow-debuggers option
9	* --private-template (very simillar to the former --private-home)	10	* --private-template (very simillar to the former --private-home)
10	* AppImage support (--appimage)	11	* AppImage support (--appimage)
11	* AppArmor support (--apparmor)	12	* AppArmor support (--apparmor)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 98ba8ee3b..8e30e929a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -267,6 +267,7 @@ extern int arg_appimage; // appimage
267	extern int arg_audit; // audit	267	extern int arg_audit; // audit
268	extern char *arg_audit_prog; // audit	268	extern char *arg_audit_prog; // audit
269	extern int arg_apparmor; // apparmor	269	extern int arg_apparmor; // apparmor
		270	extern int arg_allow_debuggers; // allow debuggers
270		271
271	extern int login_shell;	272	extern int login_shell;
272	extern int parent_to_child_fds[2];	273	extern int parent_to_child_fds[2];


diff --git a/src/firejail/main.c b/src/firejail/main.c index 1824765eb..bdb8e0df5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -101,8 +101,9 @@ int arg_writable_etc = 0; // writable etc
101	int arg_writable_var = 0; // writable var	101	int arg_writable_var = 0; // writable var
102	int arg_appimage = 0; // appimage	102	int arg_appimage = 0; // appimage
103	int arg_audit = 0; // audit	103	int arg_audit = 0; // audit
104	char *arg_audit_prog; // audit	104	char *arg_audit_prog = NULL; // audit
105	int arg_apparmor; // apparmor	105	int arg_apparmor = 0; // apparmor
		106	int arg_allow_debuggers = 0; // allow debuggers
106	int login_shell = 0;	107	int login_shell = 0;
107		108
108	int parent_to_child_fds[2];	109	int parent_to_child_fds[2];
@@ -730,6 +731,24 @@ static void detect_quiet(int argc, char **argv) {
730	}	731	}
731	}	732	}
732		733
		734	static void detect_allow_debuggers(int argc, char **argv) {
		735	int i;
		736
		737	// detect --allow-debuggers
		738	for (i = 1; i < argc; i++) {
		739	if (strcmp(argv[i], "--allow-debuggers") == 0) {
		740	arg_allow_debuggers = 1;
		741	break;
		742	}
		743
		744	// detect end of firejail params
		745	if (strcmp(argv[i], "--") == 0)
		746	break;
		747	if (strncmp(argv[i], "--", 2) != 0)
		748	break;
		749	}
		750	}
		751
733	char *guess_shell(void) {	752	char *guess_shell(void) {
734	char *shell = NULL;	753	char *shell = NULL;
735	// shells in order of preference	754	// shells in order of preference
@@ -766,11 +785,13 @@ int main(int argc, char **argv) {
766	#endif	785	#endif
767		786
768	detect_quiet(argc, argv);	787	detect_quiet(argc, argv);
		788	detect_allow_debuggers(argc, argv);
769		789
770	// drop permissions by default and rise them when required	790	// drop permissions by default and rise them when required
771	EUID_INIT();	791	EUID_INIT();
772	EUID_USER();	792	EUID_USER();
773		793
		794
774	// check argv[0] symlink wrapper if this is not a login shell	795	// check argv[0] symlink wrapper if this is not a login shell
775	if (*argv[0] != '-')	796	if (*argv[0] != '-')
776	run_symlink(argc, argv);	797	run_symlink(argc, argv);
@@ -982,6 +1003,13 @@ int main(int argc, char **argv) {
982	if (checkcfg(CFG_FORCE_NONEWPRIVS))	1003	if (checkcfg(CFG_FORCE_NONEWPRIVS))
983	arg_nonewprivs = 1;	1004	arg_nonewprivs = 1;
984		1005
		1006	if (arg_allow_debuggers) {
		1007	char *cmd = strdup("noblacklist ${PATH}/strace");
		1008	if (!cmd)
		1009	errExit("strdup");
		1010	profile_add(cmd);
		1011	}
		1012
985	// parse arguments	1013	// parse arguments
986	for (i = 1; i < argc; i++) {	1014	for (i = 1; i < argc; i++) {
987	run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized	1015	run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
@@ -1005,6 +1033,9 @@ int main(int argc, char **argv) {
1005	}	1033	}
1006	else if (strcmp(argv[i], "--force") == 0)	1034	else if (strcmp(argv[i], "--force") == 0)
1007	;	1035	;
		1036	else if (strcmp(argv[i], "--allow-debuggers") == 0) {
		1037	// already handled
		1038	}
1008		1039
1009	//*************************************	1040	//*************************************
1010	// filtering	1041	// filtering


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 1403db704..26f434f3b 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -828,6 +828,16 @@ void profile_read(const char *fname) {
828	exit(1);	828	exit(1);
829	}	829	}
830		830
		831	// allow debuggers
		832	if (arg_allow_debuggers) {
		833	char *tmp = strrchr(fname, '/');
		834	if (tmp && *(tmp + 1) != '\0') {
		835	tmp++;
		836	if (strcmp(tmp, "disable-devel.inc") == 0)
		837	return;
		838	}
		839	}
		840
831	// open profile file:	841	// open profile file:
832	FILE *fp = fopen(fname, "r");	842	FILE *fp = fopen(fname, "r");
833	if (fp == NULL) {	843	if (fp == NULL) {


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 88620d1dd..7aaf1a5cd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -344,6 +344,7 @@ void seccomp_filter_32(void) {
344	EXAMINE_SYSCALL,	344	EXAMINE_SYSCALL,
345	BLACKLIST(21), // mount	345	BLACKLIST(21), // mount
346	BLACKLIST(52), // umount2	346	BLACKLIST(52), // umount2
		347	// todo: implement --allow-debuggers
347	BLACKLIST(26), // ptrace	348	BLACKLIST(26), // ptrace
348	BLACKLIST(283), // kexec_load	349	BLACKLIST(283), // kexec_load
349	BLACKLIST(341), // name_to_handle_at	350	BLACKLIST(341), // name_to_handle_at
@@ -416,6 +417,7 @@ void seccomp_filter_64(void) {
416	EXAMINE_SYSCALL,	417	EXAMINE_SYSCALL,
417	BLACKLIST(165), // mount	418	BLACKLIST(165), // mount
418	BLACKLIST(166), // umount2	419	BLACKLIST(166), // umount2
		420	// todo: implement --allow-debuggers
419	BLACKLIST(101), // ptrace	421	BLACKLIST(101), // ptrace
420	BLACKLIST(246), // kexec_load	422	BLACKLIST(246), // kexec_load
421	BLACKLIST(304), // open_by_handle_at	423	BLACKLIST(304), // open_by_handle_at
@@ -501,9 +503,13 @@ int seccomp_filter_drop(int enforce_seccomp) {
501	#ifdef SYS_umount2	503	#ifdef SYS_umount2
502	filter_add_blacklist(SYS_umount2, 0);	504	filter_add_blacklist(SYS_umount2, 0);
503	#endif	505	#endif
		506
		507	if (!arg_allow_debuggers) {
504	#ifdef SYS_ptrace	508	#ifdef SYS_ptrace
505	filter_add_blacklist(SYS_ptrace, 0);	509	filter_add_blacklist(SYS_ptrace, 0);
506	#endif	510	#endif
		511	}
		512
507	#ifdef SYS_kexec_load	513	#ifdef SYS_kexec_load
508	filter_add_blacklist(SYS_kexec_load, 0);	514	filter_add_blacklist(SYS_kexec_load, 0);
509	#endif	515	#endif
@@ -549,9 +555,12 @@ int seccomp_filter_drop(int enforce_seccomp) {
549	#ifdef SYS_syslog	555	#ifdef SYS_syslog
550	filter_add_blacklist(SYS_syslog, 0);	556	filter_add_blacklist(SYS_syslog, 0);
551	#endif	557	#endif
		558	if (!arg_allow_debuggers) {
552	#ifdef SYS_process_vm_readv	559	#ifdef SYS_process_vm_readv
553	filter_add_blacklist(SYS_process_vm_readv, 0);	560	filter_add_blacklist(SYS_process_vm_readv, 0);
554	#endif	561	#endif
		562	}
		563
555	#ifdef SYS_process_vm_writev	564	#ifdef SYS_process_vm_writev
556	filter_add_blacklist(SYS_process_vm_writev, 0);	565	filter_add_blacklist(SYS_process_vm_writev, 0);
557	#endif	566	#endif


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index ed6d22e69..ebe1c8830 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
34	printf("\n");	34	printf("\n");
35	printf("Options:\n\n");	35	printf("Options:\n\n");
36	printf(" -- - signal the end of options and disables further option processing.\n\n");	36	printf(" -- - signal the end of options and disables further option processing.\n\n");
		37	printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n\n");
37	printf(" --apparmor - enable AppArmor confinement\n\n");	38	printf(" --apparmor - enable AppArmor confinement\n\n");
38	printf(" --appimage - sandbox an AppImage application\n\n");	39	printf(" --appimage - sandbox an AppImage application\n\n");
39	printf(" --audit - audit the sandbox, see Audit section for more details\n\n");	40	printf(" --audit - audit the sandbox, see Audit section for more details\n\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d08b244f7..cc47e3dc6 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -75,6 +75,15 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
75	\fB\-\-	75	\fB\-\-
76	Signal the end of options and disables further option processing.	76	Signal the end of options and disables further option processing.
77	.TP	77	.TP
		78	\fB\-\-allow-debuggers
		79	Allow tools such as strace and gdb inside the sandbox.
		80	.br
		81
		82	.br
		83	Example:
		84	.br
		85	$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile --allow-debuggers strace -f firefox
		86	.TP
78	\fB\-\-apparmor	87	\fB\-\-apparmor
79	Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.	88	Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
80	.TP	89	.TP


diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp new file mode 100755 index 000000000..dde9c4cc1 --- /dev/null +++ b/test/environment/allow-debuggers.exp
@@ -0,0 +1,32 @@
		1	#!/usr/bin/expect -f
		2
		3	set timeout 10
		4	cd /home
		5	spawn $env(SHELL)
		6	match_max 100000
		7
		8	send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r"
		9	expect {
		10	timeout {puts "TESTING ERROR 0\n";exit}
		11	"Child process initialized"
		12	}
		13	expect {
		14	timeout {puts "TESTING ERROR 1\n";exit}
		15	"exited with 0"
		16	}
		17	after 100
		18
		19	send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
		20	expect {
		21	timeout {puts "TESTING ERROR 2\n";exit}
		22	"Child process initialized"
		23	}
		24	expect {
		25	timeout {puts "TESTING ERROR 3\n";exit}
		26	"exited with 0"
		27	}
		28	after 100
		29
		30
		31	puts "\nall done\n"
		32


diff --git a/test/environment/environment.sh b/test/environment/environment.sh index a6fe07a1c..785f57d3f 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh
@@ -82,4 +82,12 @@ echo "TESTING: nice (test/environment/nice.exp)"
82	echo "TESTING: quiet (test/environment/quiet.exp)"	82	echo "TESTING: quiet (test/environment/quiet.exp)"
83	./quiet.exp	83	./quiet.exp
84		84
		85	which strace
		86	if [ "$?" -eq 0 ];
		87	then
		88	echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
		89	./allow-debuggers.exp
		90	else
		91	echo "TESTING SKIP: strace not found"
		92	fi
85		93