6 files changed, 33 insertions, 23 deletions

diff --git a/README b/README
index 3e0f043a6..1aa2b4260 100644
--- a/README
+++ b/README
@@ -252,6 +252,8 @@ cayday (https://github.com/caydey)
 Christian Pinedo (https://github.com/chrpinedo)
         - added nicotine profile
         - allow python3 in totem profile
+ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
+        - Landlock support
 creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
         - tor browser profile fix
diff --git a/etc/firejail.config b/etc/firejail.config
index 9d37b4d8a..e8bf45751 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -57,6 +57,11 @@
 # to the specified period of time to allow sandbox setup to finish.
 # join-timeout 5
 
+# tracelog enables auditing blacklisted files and directories. A message
+# is sent to syslog in case the file or the directory is accessed.
+# Disabled by default.
+# tracelog no
+
 # Enable or disable sandbox name change, default enabled.
 # name-change yes
 
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index e2fab1265..62b8c4dc4 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -62,6 +62,7 @@ int checkcfg(int val) {
                 cfg_val[CFG_CHROOT] = 0;
                 cfg_val[CFG_SECCOMP_LOG] = 0;
                 cfg_val[CFG_PRIVATE_LIB] = 0;
+                cfg_val[CFG_TRACELOG] = 0;
 
                 // open configuration file
                 const char *fname = SYSCONFDIR "/firejail.config";
@@ -111,6 +112,7 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_SECCOMP, "seccomp")
                         PARSE_YESNO(CFG_NETWORK, "network")
                         PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
+                        PARSE_YESNO(CFG_TRACELOG, "tracelog")
                         PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
                         PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
                         PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 9c2b53c18..a3b38b5e0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,25 +32,6 @@
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
-#ifdef HAVE_LANDLOCK
-
-extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
-
-extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
-
-extern int landlock_restrict_self(int fd,__u32 flags);
-
-extern int create_full_ruleset();
-
-extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
-
-extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
-
-extern int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
-
-extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
-
-#endif
 
 // profiles
 #define DEFAULT_USER_PROFILE    "default"
@@ -857,6 +838,7 @@ enum {
         // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
         CFG_ALLOW_TRAY,
         CFG_SECCOMP_LOG,
+        CFG_TRACELOG,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
@@ -963,4 +945,16 @@ void run_ids(int argc, char **argv);
 // oom.c
 void oom_set(const char *oom_string);
 
+// landlock.c
+#ifdef HAVE_LANDLOCK
+int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
+int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
+int landlock_restrict_self(int fd,__u32 flags);
+int create_full_ruleset();
+int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
+int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
+int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
+int add_execute_rule_by_path(int rset_fd,char *allowed_path);
+#endif
+
 #endif
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3f0dc960a..1daf0da35 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -348,7 +348,8 @@ errout:
 
 
 static void exit_err_feature(const char *feature) {
-        fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
+        fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
+                feature, SYSCONFDIR "/firejail.config");
         exit(1);
 }
 
@@ -1570,8 +1571,12 @@ int main(int argc, char **argv, char **envp) {
                                 arg_tracefile = tmp;
                         }
                 }
-                else if (strcmp(argv[i], "--tracelog") == 0)
-                        arg_tracelog = 1;
+                else if (strcmp(argv[i], "--tracelog") == 0) {
+                        if (checkcfg(CFG_TRACELOG))
+                                arg_tracelog = 1;
+                        else
+                                exit_err_feature("tracelog");
+                }
                 else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
                         check_unsigned(argv[i] + 13, "Error: invalid rlimit");
                         sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9a2f8c82c..9f677c11d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -372,7 +372,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "tracelog") == 0) {
-                arg_tracelog = 1;
+                if (checkcfg(CFG_TRACELOG))
+                        arg_tracelog = 1;
+                // no warning, we have tracelog in over 400 profiles
                 return 0;
         }
         else if (strcmp(ptr, "private") == 0) {