30 files changed, 42 insertions, 4 deletions
diff --git a/README b/README
index 2dc6c0768..6b0f396a3 100644
--- a/README
+++ b/README
@@ -26,6 +26,7 @@ rogshdo (https://github.com/rogshdo)
 avoidr (https://github.com/avoidr)
        - whitelist fix
        - recently-used.xbel fix
+        - added parole profile
        - blacklist ncat, manpage fixes,
        - hostname support in profile file
        - Google Chrome profile rework
diff --git a/RELNOTES b/RELNOTES
index 2a98c43a6..a799b7893 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,6 @@
 firejail (0.9.35) baseline; urgency=low
-  * added  unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat
+  * added  unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
-     and rtorrent profiles
+     parole and rtorrent profiles
  * Google Chrome profile rework
  * added google-chrome-stable profile
  * added google-chrome-beta profile
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 76dc6b234..61b75f7a6 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 netfilter
+tracelog
 whitelist ${DOWNLOADS}
 whitelist ~/.config/chromium
 whitelist ~/.cache/chromium
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 7c1384523..dde756754 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -7,6 +7,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
 whitelist ~/.conkeror.mozdev.org
 whitelist ~/Downloads
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 6ca5d33a4..98c2e4fc5 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -12,5 +12,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index e0c5c93a3..8a57a8975 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -5,4 +5,5 @@ include /etc/firejail/disable-mgmt.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+tracelog
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 52be5a8be..c0b7e6342 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -11,3 +11,5 @@ caps
 seccomp
 protocol unix,inet,inet6
 noroot
+tracelog
diff --git a/etc/evince.profile b/etc/evince.profile
index 34d8162b3..977a2bd68 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -12,3 +12,4 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 noroot
+tracelog
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index f94fc28df..1a530a867 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -13,5 +13,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index ba8649067..3f20fe755 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -11,5 +11,6 @@ seccomp
 protocol unix,inet,inet6
 noroot
 netfilter
+tracelog
diff --git a/etc/firefox.profile b/etc/firefox.profile
index aa7808c37..2e8b2fa02 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -8,6 +8,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
 netfilter
+tracelog
 noroot
 whitelist ${DOWNLOADS}
 whitelist ~/.mozilla
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 6122876bf..d08a5f41d 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 netfilter
+tracelog
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 7b8b12d04..06b1399e1 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 netfilter
+tracelog
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 351490d7f..7d2580116 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 netfilter
+tracelog
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome
 whitelist ~/.cache/google-chrome
diff --git a/etc/midori.profile b/etc/midori.profile
index 77a6fb984..9722d0313 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -8,4 +8,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index c1672abce..ab8f55e28 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 netfilter
+tracelog
 whitelist ~/.config/opera-beta
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera-beta
diff --git a/etc/opera.profile b/etc/opera.profile
index a76806ed0..c307e7703 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 netfilter
+tracelog
 whitelist ~/.config/opera
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index dd50c779e..af5a6f697 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -12,5 +12,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index c2c0356d9..03aa8a71f 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -7,4 +7,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/skype.profile b/etc/skype.profile
index 4d2d042cc..f1519b0ff 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+tracelog
 noroot
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 414660857..0063564ae 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -16,5 +16,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/steam.profile b/etc/steam.profile
index 5b9244567..af49580ce 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+tracelog
 noroot
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index d234d777e..f608f5467 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -21,5 +21,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index b0dfdbfad..1245a514b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -13,4 +13,6 @@ seccomp
 protocol unix,inet,inet6
 netfilter
 noroot
+tracelog
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 7aca04fe7..1af714953 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -12,5 +12,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 79e3ae774..1a9fa02b3 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -7,4 +7,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/wine.profile b/etc/wine.profile
index 8a7f66773..6d1106993 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -8,5 +8,6 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+tracelog
 noroot
 seccomp
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index f555a6693..55a1b9c7a 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -59,8 +59,11 @@ void fs_trace(void) {
                errExit("fopen");
        if (arg_trace)
                fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
-        else if (arg_tracelog)
+        else if (arg_tracelog) {
                fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
+                if (!arg_quiet)
+                        printf("Blacklist violations are logged to syslog\n");
+        }       
        else
                assert(0);
                
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 50fdeda7e..366a56e13 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -120,6 +120,10 @@ int profile_check_line(char *ptr, int lineno) {
                arg_shell_none = 1;
                return 0;
        }       
+        else if (strcmp(ptr, "tracelog") == 0) {
+                arg_tracelog = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "private") == 0) {
                arg_private = 1;
                return 0;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 90aca5130..600b82d3d 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -158,7 +158,9 @@ All modifications are discarded when the sandbox is closed.
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
 when the sandbox is closed.
+.TP
+\f\ tracelog
+Blacklist violations logged to syslog.
 .SH Filters
 \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:

diff --git a/README b/README index 2dc6c0768..6b0f396a3 100644 --- a/README +++ b/README
@@ -26,6 +26,7 @@ rogshdo (https://github.com/rogshdo)
26	avoidr (https://github.com/avoidr)	26	avoidr (https://github.com/avoidr)
27	- whitelist fix	27	- whitelist fix
28	- recently-used.xbel fix	28	- recently-used.xbel fix
		29	- added parole profile
29	- blacklist ncat, manpage fixes,	30	- blacklist ncat, manpage fixes,
30	- hostname support in profile file	31	- hostname support in profile file
31	- Google Chrome profile rework	32	- Google Chrome profile rework


diff --git a/RELNOTES b/RELNOTES index 2a98c43a6..a799b7893 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,6 +1,6 @@
1	firejail (0.9.35) baseline; urgency=low	1	firejail (0.9.35) baseline; urgency=low
2	* added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat	2	* added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
3	and rtorrent profiles	3	parole and rtorrent profiles
4	* Google Chrome profile rework	4	* Google Chrome profile rework
5	* added google-chrome-stable profile	5	* added google-chrome-stable profile
6	* added google-chrome-beta profile	6	* added google-chrome-beta profile


diff --git a/etc/chromium.profile b/etc/chromium.profile index 76dc6b234..61b75f7a6 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
9	#	9	#
10		10
11	netfilter	11	netfilter
		12	tracelog
12	whitelist ${DOWNLOADS}	13	whitelist ${DOWNLOADS}
13	whitelist ~/.config/chromium	14	whitelist ~/.config/chromium
14	whitelist ~/.cache/chromium	15	whitelist ~/.cache/chromium


diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 7c1384523..dde756754 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile
@@ -7,6 +7,7 @@ caps.drop all
7	seccomp	7	seccomp
8	protocol unix,inet,inet6	8	protocol unix,inet,inet6
9	netfilter	9	netfilter
		10	tracelog
10	noroot	11	noroot
11	whitelist ~/.conkeror.mozdev.org	12	whitelist ~/.conkeror.mozdev.org
12	whitelist ~/Downloads	13	whitelist ~/Downloads


diff --git a/etc/deluge.profile b/etc/deluge.profile index 6ca5d33a4..98c2e4fc5 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile
@@ -12,5 +12,7 @@ caps.drop all
12	seccomp	12	seccomp
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	netfilter	14	netfilter
		15	tracelog
15	noroot	16	noroot
16		17
		18


diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index e0c5c93a3..8a57a8975 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile
@@ -5,4 +5,5 @@ include /etc/firejail/disable-mgmt.inc
5	private	5	private
6	private-dev	6	private-dev
7	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open	7	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
		8	tracelog
8		9


diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 52be5a8be..c0b7e6342 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile
@@ -11,3 +11,5 @@ caps
11	seccomp	11	seccomp
12	protocol unix,inet,inet6	12	protocol unix,inet,inet6
13	noroot	13	noroot
		14	tracelog
		15


diff --git a/etc/evince.profile b/etc/evince.profile index 34d8162b3..977a2bd68 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -12,3 +12,4 @@ caps.drop all
12	seccomp	12	seccomp
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	noroot	14	noroot
		15	tracelog


diff --git a/etc/fbreader.profile b/etc/fbreader.profile index f94fc28df..1a530a867 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile
@@ -13,5 +13,6 @@ caps.drop all
13	seccomp	13	seccomp
14	protocol unix,inet,inet6	14	protocol unix,inet,inet6
15	netfilter	15	netfilter
		16	tracelog
16	noroot	17	noroot
17		18


diff --git a/etc/filezilla.profile b/etc/filezilla.profile index ba8649067..3f20fe755 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile
@@ -11,5 +11,6 @@ seccomp
11	protocol unix,inet,inet6	11	protocol unix,inet,inet6
12	noroot	12	noroot
13	netfilter	13	netfilter
		14	tracelog
14		15
15		16


diff --git a/etc/firefox.profile b/etc/firefox.profile index aa7808c37..2e8b2fa02 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -8,6 +8,7 @@ caps.drop all
8	seccomp	8	seccomp
9	protocol unix,inet,inet6,netlink	9	protocol unix,inet,inet6,netlink
10	netfilter	10	netfilter
		11	tracelog
11	noroot	12	noroot
12	whitelist ${DOWNLOADS}	13	whitelist ${DOWNLOADS}
13	whitelist ~/.mozilla	14	whitelist ~/.mozilla


diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 6122876bf..d08a5f41d 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
9	#	9	#
10		10
11	netfilter	11	netfilter
		12	tracelog
12	whitelist ${DOWNLOADS}	13	whitelist ${DOWNLOADS}
13	whitelist ~/.config/google-chrome-beta	14	whitelist ~/.config/google-chrome-beta
14	whitelist ~/.cache/google-chrome-beta	15	whitelist ~/.cache/google-chrome-beta


diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 7b8b12d04..06b1399e1 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
9	#	9	#
10		10
11	netfilter	11	netfilter
		12	tracelog
12	whitelist ${DOWNLOADS}	13	whitelist ${DOWNLOADS}
13	whitelist ~/.config/google-chrome-unstable	14	whitelist ~/.config/google-chrome-unstable
14	whitelist ~/.cache/google-chrome-unstable	15	whitelist ~/.cache/google-chrome-unstable


diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 351490d7f..7d2580116 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
9	#	9	#
10		10
11	netfilter	11	netfilter
		12	tracelog
12	whitelist ${DOWNLOADS}	13	whitelist ${DOWNLOADS}
13	whitelist ~/.config/google-chrome	14	whitelist ~/.config/google-chrome
14	whitelist ~/.cache/google-chrome	15	whitelist ~/.cache/google-chrome


diff --git a/etc/midori.profile b/etc/midori.profile index 77a6fb984..9722d0313 100644 --- a/etc/midori.profile +++ b/etc/midori.profile
@@ -8,4 +8,5 @@ caps.drop all
8	seccomp	8	seccomp
9	protocol unix,inet,inet6	9	protocol unix,inet,inet6
10	netfilter	10	netfilter
		11	tracelog
11		12


diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index c1672abce..ab8f55e28 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc
5	include /etc/firejail/disable-common.inc	5	include /etc/firejail/disable-common.inc
6	include /etc/firejail/disable-devel.inc	6	include /etc/firejail/disable-devel.inc
7	netfilter	7	netfilter
		8	tracelog
8	whitelist ~/.config/opera-beta	9	whitelist ~/.config/opera-beta
9	whitelist ${DOWNLOADS}	10	whitelist ${DOWNLOADS}
10	whitelist ~/.cache/opera-beta	11	whitelist ~/.cache/opera-beta


diff --git a/etc/opera.profile b/etc/opera.profile index a76806ed0..c307e7703 100644 --- a/etc/opera.profile +++ b/etc/opera.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc
5	include /etc/firejail/disable-common.inc	5	include /etc/firejail/disable-common.inc
6	include /etc/firejail/disable-devel.inc	6	include /etc/firejail/disable-devel.inc
7	netfilter	7	netfilter
		8	tracelog
8	whitelist ~/.config/opera	9	whitelist ~/.config/opera
9	whitelist ${DOWNLOADS}	10	whitelist ${DOWNLOADS}
10	whitelist ~/.cache/opera	11	whitelist ~/.cache/opera


diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index dd50c779e..af5a6f697 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile
@@ -12,5 +12,6 @@ caps.drop all
12	seccomp	12	seccomp
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	netfilter	14	netfilter
		15	tracelog
15	noroot	16	noroot
16		17


diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index c2c0356d9..03aa8a71f 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile
@@ -7,4 +7,5 @@ caps.drop all
7	seccomp	7	seccomp
8	protocol unix,inet,inet6	8	protocol unix,inet,inet6
9	netfilter	9	netfilter
		10	tracelog
10	noroot	11	noroot


diff --git a/etc/skype.profile b/etc/skype.profile index 4d2d042cc..f1519b0ff 100644 --- a/etc/skype.profile +++ b/etc/skype.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-common.inc
6	include /etc/firejail/disable-devel.inc	6	include /etc/firejail/disable-devel.inc
7	caps.drop all	7	caps.drop all
8	netfilter	8	netfilter
		9	tracelog
9	noroot	10	noroot
10	seccomp	11	seccomp
11	protocol unix,inet,inet6	12	protocol unix,inet,inet6


diff --git a/etc/spotify.profile b/etc/spotify.profile index 414660857..0063564ae 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile
@@ -16,5 +16,6 @@ caps.drop all
16	seccomp	16	seccomp
17	protocol unix,inet,inet6	17	protocol unix,inet,inet6
18	netfilter	18	netfilter
		19	tracelog
19	noroot	20	noroot
20		21


diff --git a/etc/steam.profile b/etc/steam.profile index 5b9244567..af49580ce 100644 --- a/etc/steam.profile +++ b/etc/steam.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-common.inc
7	include /etc/firejail/disable-devel.inc	7	include /etc/firejail/disable-devel.inc
8	caps.drop all	8	caps.drop all
9	netfilter	9	netfilter
		10	tracelog
10	noroot	11	noroot
11	seccomp	12	seccomp
12	protocol unix,inet,inet6	13	protocol unix,inet,inet6


diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index d234d777e..f608f5467 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile
@@ -21,5 +21,6 @@ caps.drop all
21	seccomp	21	seccomp
22	protocol unix,inet,inet6	22	protocol unix,inet,inet6
23	netfilter	23	netfilter
		24	tracelog
24	noroot	25	noroot
25		26


diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index b0dfdbfad..1245a514b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile
@@ -13,4 +13,6 @@ seccomp
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	netfilter	14	netfilter
15	noroot	15	noroot
		16	tracelog
		17
16		18


diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 7aca04fe7..1af714953 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile
@@ -12,5 +12,6 @@ caps.drop all
12	seccomp	12	seccomp
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	netfilter	14	netfilter
		15	tracelog
15	noroot	16	noroot
16		17


diff --git a/etc/weechat.profile b/etc/weechat.profile index 79e3ae774..1a9fa02b3 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile
@@ -7,4 +7,5 @@ caps.drop all
7	seccomp	7	seccomp
8	protocol unix,inet,inet6	8	protocol unix,inet,inet6
9	netfilter	9	netfilter
		10	tracelog
10	noroot	11	noroot


diff --git a/etc/wine.profile b/etc/wine.profile index 8a7f66773..6d1106993 100644 --- a/etc/wine.profile +++ b/etc/wine.profile
@@ -8,5 +8,6 @@ include /etc/firejail/disable-common.inc
8	include /etc/firejail/disable-devel.inc	8	include /etc/firejail/disable-devel.inc
9	caps.drop all	9	caps.drop all
10	netfilter	10	netfilter
		11	tracelog
11	noroot	12	noroot
12	seccomp	13	seccomp


diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index f555a6693..55a1b9c7a 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c
@@ -59,8 +59,11 @@ void fs_trace(void) {
59	errExit("fopen");	59	errExit("fopen");
60	if (arg_trace)	60	if (arg_trace)
61	fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);	61	fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
62	else if (arg_tracelog)	62	else if (arg_tracelog) {
63	fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);	63	fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
		64	if (!arg_quiet)
		65	printf("Blacklist violations are logged to syslog\n");
		66	}
64	else	67	else
65	assert(0);	68	assert(0);
66		69


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 50fdeda7e..366a56e13 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -120,6 +120,10 @@ int profile_check_line(char *ptr, int lineno) {
120	arg_shell_none = 1;	120	arg_shell_none = 1;
121	return 0;	121	return 0;
122	}	122	}
		123	else if (strcmp(ptr, "tracelog") == 0) {
		124	arg_tracelog = 1;
		125	return 0;
		126	}
123	else if (strcmp(ptr, "private") == 0) {	127	else if (strcmp(ptr, "private") == 0) {
124	arg_private = 1;	128	arg_private = 1;
125	return 0;	129	return 0;


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 90aca5130..600b82d3d 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -158,7 +158,9 @@ All modifications are discarded when the sandbox is closed.
158	Build a new user home in a temporary filesystem, and mount-bind file_or_directory.	158	Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
159	The modifications to file_or_directory are persistent, everything else is discarded	159	The modifications to file_or_directory are persistent, everything else is discarded
160	when the sandbox is closed.	160	when the sandbox is closed.
161		161	.TP
		162	\f\ tracelog
		163	Blacklist violations logged to syslog.
162	.SH Filters	164	.SH Filters
163	\fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:	165	\fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:
164		166