diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 9 | ||||
-rw-r--r-- | src/firejail/fs.c | 24 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 15 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 21 | ||||
-rw-r--r-- | src/firejail/fs_hostname.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 19 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 12 | ||||
-rw-r--r-- | src/firejail/main.c | 10 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 1 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 39 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 5 | ||||
-rw-r--r-- | src/firejail/usage.c | 6 | ||||
-rw-r--r-- | src/firejail/util.c | 6 | ||||
-rw-r--r-- | src/man/firejail.txt | 29 |
17 files changed, 172 insertions, 43 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e4e6f4fa4..b50b4d19e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -56,6 +56,7 @@ | |||
56 | #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" | 56 | #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" |
57 | #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" | 57 | #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" |
58 | #define RUN_GROUP_FILE "/run/firejail/mnt/group" | 58 | #define RUN_GROUP_FILE "/run/firejail/mnt/group" |
59 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" | ||
59 | 60 | ||
60 | // profiles | 61 | // profiles |
61 | #define DEFAULT_USER_PROFILE "generic" | 62 | #define DEFAULT_USER_PROFILE "generic" |
@@ -479,6 +480,14 @@ void protocol_filter_load(const char *fname); | |||
479 | // restrict_users.c | 480 | // restrict_users.c |
480 | void restrict_users(void); | 481 | void restrict_users(void); |
481 | 482 | ||
483 | // fs_logger.c | ||
484 | void fs_logger(const char *msg); | ||
485 | void fs_logger2(const char *msg1, const char *msg2); | ||
486 | void fs_logger3(const char *msg1, const char *msg2, const char *msg3); | ||
487 | void fs_logger_print(void); | ||
488 | void fs_logger_change_owner(void); | ||
489 | void fs_logger_print_log_name(const char *name); | ||
490 | void fs_logger_print_log(pid_t pid); | ||
482 | 491 | ||
483 | #endif | 492 | #endif |
484 | 493 | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e442bc705..6572f657b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -213,6 +213,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
213 | errExit("disable file"); | 213 | errExit("disable file"); |
214 | } | 214 | } |
215 | last_disable = SUCCESSFUL; | 215 | last_disable = SUCCESSFUL; |
216 | fs_logger2("blacklist", fname); | ||
216 | } | 217 | } |
217 | } | 218 | } |
218 | else if (op == MOUNT_READONLY) { | 219 | else if (op == MOUNT_READONLY) { |
@@ -232,6 +233,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
232 | if (chown(fname, s.st_uid, s.st_gid) == -1) | 233 | if (chown(fname, s.st_uid, s.st_gid) == -1) |
233 | errExit("mounting tmpfs chmod"); | 234 | errExit("mounting tmpfs chmod"); |
234 | last_disable = SUCCESSFUL; | 235 | last_disable = SUCCESSFUL; |
236 | fs_logger2("mount tmpfs on", fname); | ||
235 | } | 237 | } |
236 | else | 238 | else |
237 | printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); | 239 | printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); |
@@ -427,6 +429,7 @@ void fs_rdonly(const char *dir) { | |||
427 | // mount --bind -o remount,ro /bin | 429 | // mount --bind -o remount,ro /bin |
428 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) | 430 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) |
429 | errExit("mount read-only"); | 431 | errExit("mount read-only"); |
432 | fs_logger2("read-only", dir); | ||
430 | } | 433 | } |
431 | } | 434 | } |
432 | void fs_rdonly_noexit(const char *dir) { | 435 | void fs_rdonly_noexit(const char *dir) { |
@@ -444,6 +447,8 @@ void fs_rdonly_noexit(const char *dir) { | |||
444 | merr = 1; | 447 | merr = 1; |
445 | if (merr) | 448 | if (merr) |
446 | fprintf(stderr, "Warning: cannot mount %s read-only\n", dir); | 449 | fprintf(stderr, "Warning: cannot mount %s read-only\n", dir); |
450 | else | ||
451 | fs_logger2("read-only", dir); | ||
447 | } | 452 | } |
448 | } | 453 | } |
449 | 454 | ||
@@ -455,6 +460,7 @@ void fs_proc_sys_dev_boot(void) { | |||
455 | printf("Remounting /proc and /proc/sys filesystems\n"); | 460 | printf("Remounting /proc and /proc/sys filesystems\n"); |
456 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | 461 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) |
457 | errExit("mounting /proc"); | 462 | errExit("mounting /proc"); |
463 | fs_logger("remount /proc"); | ||
458 | 464 | ||
459 | // remount /proc/sys readonly | 465 | // remount /proc/sys readonly |
460 | if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0) | 466 | if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0) |
@@ -462,6 +468,7 @@ void fs_proc_sys_dev_boot(void) { | |||
462 | 468 | ||
463 | if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0) | 469 | if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0) |
464 | errExit("mounting /proc/sys"); | 470 | errExit("mounting /proc/sys"); |
471 | fs_logger("read-only /proc/sys"); | ||
465 | 472 | ||
466 | 473 | ||
467 | /* Mount a version of /sys that describes the network namespace */ | 474 | /* Mount a version of /sys that describes the network namespace */ |
@@ -471,28 +478,45 @@ void fs_proc_sys_dev_boot(void) { | |||
471 | fprintf(stderr, "Warning: failed to unmount /sys\n"); | 478 | fprintf(stderr, "Warning: failed to unmount /sys\n"); |
472 | if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) | 479 | if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) |
473 | fprintf(stderr, "Warning: failed to mount /sys\n"); | 480 | fprintf(stderr, "Warning: failed to mount /sys\n"); |
481 | else | ||
482 | fs_logger("remount /sys"); | ||
483 | |||
474 | 484 | ||
475 | 485 | ||
476 | if (arg_debug) | 486 | if (arg_debug) |
477 | printf("Disable /sys/firmware directory\n"); | 487 | printf("Disable /sys/firmware directory\n"); |
478 | if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 488 | if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
479 | fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n"); | 489 | fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n"); |
490 | else | ||
491 | fs_logger("mount tmpfs on /sys/firmware"); | ||
492 | |||
480 | if (arg_debug) | 493 | if (arg_debug) |
481 | printf("Disable /sys/hypervisor directory\n"); | 494 | printf("Disable /sys/hypervisor directory\n"); |
482 | if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 495 | if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
483 | fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n"); | 496 | fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n"); |
497 | else | ||
498 | fs_logger("mount tmpfs on /sys/hypervisor"); | ||
499 | |||
484 | if (arg_debug) | 500 | if (arg_debug) |
485 | printf("Disable /sys/fs directory\n"); | 501 | printf("Disable /sys/fs directory\n"); |
486 | if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 502 | if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
487 | fprintf(stderr, "Warning: cannot disable /sys/fs directory\n"); | 503 | fprintf(stderr, "Warning: cannot disable /sys/fs directory\n"); |
504 | else | ||
505 | fs_logger("mount tmpfs on /sys/fs"); | ||
506 | |||
488 | if (arg_debug) | 507 | if (arg_debug) |
489 | printf("Disable /sys/module directory\n"); | 508 | printf("Disable /sys/module directory\n"); |
490 | if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 509 | if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
491 | fprintf(stderr, "Warning: cannot disable /sys/module directory\n"); | 510 | fprintf(stderr, "Warning: cannot disable /sys/module directory\n"); |
511 | else | ||
512 | fs_logger("mount tmpfs on /sys/module"); | ||
513 | |||
492 | if (arg_debug) | 514 | if (arg_debug) |
493 | printf("Disable /sys/power directory\n"); | 515 | printf("Disable /sys/power directory\n"); |
494 | if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 516 | if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
495 | fprintf(stderr, "Warning: cannot disable /sys/power directory\n"); | 517 | fprintf(stderr, "Warning: cannot disable /sys/power directory\n"); |
518 | else | ||
519 | fs_logger("mount tmpfs on /sys/power"); | ||
496 | 520 | ||
497 | 521 | ||
498 | 522 | ||
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 946c75d30..a990d9d79 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -143,6 +143,7 @@ static void duplicate(char *fname) { | |||
143 | printf("%s\n", cmd); | 143 | printf("%s\n", cmd); |
144 | if (system(cmd)) | 144 | if (system(cmd)) |
145 | errExit("system cp -a"); | 145 | errExit("system cp -a"); |
146 | fs_logger2("clone", fname); | ||
146 | free(cmd); | 147 | free(cmd); |
147 | free(actual_path); | 148 | free(actual_path); |
148 | } | 149 | } |
@@ -176,8 +177,10 @@ void fs_private_bin_list(void) { | |||
176 | if (chmod(RUN_BIN_DIR, 0755) < 0) | 177 | if (chmod(RUN_BIN_DIR, 0755) < 0) |
177 | errExit("chmod"); | 178 | errExit("chmod"); |
178 | 179 | ||
180 | |||
179 | // copy the list of files in the new etc directory | 181 | // copy the list of files in the new etc directory |
180 | // using a new child process without root privileges | 182 | // using a new child process without root privileges |
183 | fs_logger_print(); // save the current log | ||
181 | pid_t child = fork(); | 184 | pid_t child = fork(); |
182 | if (child < 0) | 185 | if (child < 0) |
183 | errExit("fork"); | 186 | errExit("fork"); |
@@ -196,12 +199,14 @@ void fs_private_bin_list(void) { | |||
196 | if (!dlist) | 199 | if (!dlist) |
197 | errExit("strdup"); | 200 | errExit("strdup"); |
198 | 201 | ||
202 | |||
199 | char *ptr = strtok(dlist, ","); | 203 | char *ptr = strtok(dlist, ","); |
200 | duplicate(ptr); | 204 | duplicate(ptr); |
201 | 205 | ||
202 | while ((ptr = strtok(NULL, ",")) != NULL) | 206 | while ((ptr = strtok(NULL, ",")) != NULL) |
203 | duplicate(ptr); | 207 | duplicate(ptr); |
204 | free(dlist); | 208 | free(dlist); |
209 | fs_logger_print(); | ||
205 | exit(0); | 210 | exit(0); |
206 | } | 211 | } |
207 | // wait for the child to finish | 212 | // wait for the child to finish |
@@ -214,6 +219,7 @@ void fs_private_bin_list(void) { | |||
214 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); | 219 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); |
215 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) | 220 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) |
216 | errExit("mount bind"); | 221 | errExit("mount bind"); |
222 | fs_logger2("mount", paths[i]); | ||
217 | i++; | 223 | i++; |
218 | } | 224 | } |
219 | } | 225 | } |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 86e0918e1..c0cb49db7 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -107,6 +107,7 @@ void fs_private_dev(void){ | |||
107 | // mount tmpfs on top of /dev | 107 | // mount tmpfs on top of /dev |
108 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 108 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
109 | errExit("mounting /dev"); | 109 | errExit("mounting /dev"); |
110 | fs_logger("mount tmpfs on /dev"); | ||
110 | 111 | ||
111 | // bring back /dev/log | 112 | // bring back /dev/log |
112 | if (have_devlog) { | 113 | if (have_devlog) { |
@@ -116,6 +117,7 @@ void fs_private_dev(void){ | |||
116 | fclose(fp); | 117 | fclose(fp); |
117 | if (mount(RUN_DEVLOG_FILE, "/dev/log", NULL, MS_BIND|MS_REC, NULL) < 0) | 118 | if (mount(RUN_DEVLOG_FILE, "/dev/log", NULL, MS_BIND|MS_REC, NULL) < 0) |
118 | errExit("mounting /dev/log"); | 119 | errExit("mounting /dev/log"); |
120 | fs_logger("clone /dev/log"); | ||
119 | } | 121 | } |
120 | } | 122 | } |
121 | 123 | ||
@@ -131,6 +133,7 @@ void fs_private_dev(void){ | |||
131 | errExit("chmod"); | 133 | errExit("chmod"); |
132 | if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0) | 134 | if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0) |
133 | errExit("mounting /dev/dri"); | 135 | errExit("mounting /dev/dri"); |
136 | fs_logger("clone /dev/dri"); | ||
134 | } | 137 | } |
135 | 138 | ||
136 | // create /dev/shm | 139 | // create /dev/shm |
@@ -143,14 +146,21 @@ void fs_private_dev(void){ | |||
143 | errExit("chown"); | 146 | errExit("chown"); |
144 | if (chmod("/dev/shm", 0777) < 0) | 147 | if (chmod("/dev/shm", 0777) < 0) |
145 | errExit("chmod"); | 148 | errExit("chmod"); |
149 | fs_logger("mkdir /dev/shm"); | ||
146 | 150 | ||
147 | // create devices | 151 | // create devices |
148 | create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 | 152 | create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 |
153 | fs_logger("mknod /dev/zero"); | ||
149 | create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3 | 154 | create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3 |
155 | fs_logger("mknod /dev/null"); | ||
150 | create_char_dev("/dev/full", 0666, 1, 7); // mknod -m 666 /dev/full c 1 7 | 156 | create_char_dev("/dev/full", 0666, 1, 7); // mknod -m 666 /dev/full c 1 7 |
157 | fs_logger("mknod /dev/full"); | ||
151 | create_char_dev("/dev/random", 0666, 1, 8); // Mknod -m 666 /dev/random c 1 8 | 158 | create_char_dev("/dev/random", 0666, 1, 8); // Mknod -m 666 /dev/random c 1 8 |
159 | fs_logger("mknod /dev/random"); | ||
152 | create_char_dev("/dev/urandom", 0666, 1, 9); // mknod -m 666 /dev/urandom c 1 9 | 160 | create_char_dev("/dev/urandom", 0666, 1, 9); // mknod -m 666 /dev/urandom c 1 9 |
161 | fs_logger("mknod /dev/urandom"); | ||
153 | create_char_dev("/dev/tty", 0666, 5, 0); // mknod -m 666 /dev/tty c 5 0 | 162 | create_char_dev("/dev/tty", 0666, 5, 0); // mknod -m 666 /dev/tty c 5 0 |
163 | fs_logger("mknod /dev/tty"); | ||
154 | #if 0 | 164 | #if 0 |
155 | create_dev("/dev/tty0", "mknod -m 666 /dev/tty0 c 4 0"); | 165 | create_dev("/dev/tty0", "mknod -m 666 /dev/tty0 c 4 0"); |
156 | create_dev("/dev/console", "mknod -m 622 /dev/console c 5 1"); | 166 | create_dev("/dev/console", "mknod -m 622 /dev/console c 5 1"); |
@@ -164,11 +174,14 @@ void fs_private_dev(void){ | |||
164 | errExit("chown"); | 174 | errExit("chown"); |
165 | if (chmod("/dev/pts", 0755) < 0) | 175 | if (chmod("/dev/pts", 0755) < 0) |
166 | errExit("chmod"); | 176 | errExit("chmod"); |
177 | fs_logger("mkdir /dev/pts"); | ||
167 | create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); | 178 | create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); |
179 | fs_logger("mknod /dev/pts/ptmx"); | ||
168 | create_link("/dev/pts/ptmx", "/dev/ptmx"); | 180 | create_link("/dev/pts/ptmx", "/dev/ptmx"); |
169 | // mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts | 181 | // mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts |
170 | if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666") < 0) | 182 | if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666") < 0) |
171 | errExit("mounting /dev/pts"); | 183 | errExit("mounting /dev/pts"); |
184 | fs_logger("mount devpts"); | ||
172 | 185 | ||
173 | #if 0 | 186 | #if 0 |
174 | // stdin, stdout, stderr | 187 | // stdin, stdout, stderr |
@@ -190,6 +203,7 @@ void fs_dev_shm(void) { | |||
190 | printf("Mounting tmpfs on /dev/shm\n"); | 203 | printf("Mounting tmpfs on /dev/shm\n"); |
191 | if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 204 | if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
192 | errExit("mounting /dev/shm"); | 205 | errExit("mounting /dev/shm"); |
206 | fs_logger("mount tmpfs on /dev/shm"); | ||
193 | } | 207 | } |
194 | else { | 208 | else { |
195 | char *lnk = realpath("/dev/shm", NULL); | 209 | char *lnk = realpath("/dev/shm", NULL); |
@@ -207,6 +221,7 @@ void fs_dev_shm(void) { | |||
207 | printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); | 221 | printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); |
208 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 222 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
209 | errExit("mounting /var/tmp"); | 223 | errExit("mounting /var/tmp"); |
224 | fs_logger3("mount tmpfs on", lnk, "on behalf of /dev/shm"); | ||
210 | free(lnk); | 225 | free(lnk); |
211 | } | 226 | } |
212 | else { | 227 | else { |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 28e337abc..df0e92203 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -83,6 +83,7 @@ static void duplicate(char *fname) { | |||
83 | if (system(cmd)) | 83 | if (system(cmd)) |
84 | errExit("system cp -a --parents"); | 84 | errExit("system cp -a --parents"); |
85 | free(cmd); | 85 | free(cmd); |
86 | fs_logger2("clone", fname); | ||
86 | } | 87 | } |
87 | 88 | ||
88 | 89 | ||
@@ -108,6 +109,7 @@ void fs_private_etc_list(void) { | |||
108 | 109 | ||
109 | // copy the list of files in the new etc directory | 110 | // copy the list of files in the new etc directory |
110 | // using a new child process without root privileges | 111 | // using a new child process without root privileges |
112 | fs_logger_print(); // save the current log | ||
111 | pid_t child = fork(); | 113 | pid_t child = fork(); |
112 | if (child < 0) | 114 | if (child < 0) |
113 | errExit("fork"); | 115 | errExit("fork"); |
@@ -126,12 +128,14 @@ void fs_private_etc_list(void) { | |||
126 | if (!dlist) | 128 | if (!dlist) |
127 | errExit("strdup"); | 129 | errExit("strdup"); |
128 | 130 | ||
131 | |||
129 | char *ptr = strtok(dlist, ","); | 132 | char *ptr = strtok(dlist, ","); |
130 | duplicate(ptr); | 133 | duplicate(ptr); |
131 | 134 | ||
132 | while ((ptr = strtok(NULL, ",")) != NULL) | 135 | while ((ptr = strtok(NULL, ",")) != NULL) |
133 | duplicate(ptr); | 136 | duplicate(ptr); |
134 | free(dlist); | 137 | free(dlist); |
138 | fs_logger_print(); | ||
135 | exit(0); | 139 | exit(0); |
136 | } | 140 | } |
137 | // wait for the child to finish | 141 | // wait for the child to finish |
@@ -141,6 +145,6 @@ void fs_private_etc_list(void) { | |||
141 | printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); | 145 | printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); |
142 | if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) | 146 | if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) |
143 | errExit("mount bind"); | 147 | errExit("mount bind"); |
144 | 148 | fs_logger("mount /etc"); | |
145 | } | 149 | } |
146 | 150 | ||
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index ca9f7b472..f9e8d62f9 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -44,6 +44,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
44 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { | 44 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { |
45 | if (chown(fname, u, g) == -1) | 45 | if (chown(fname, u, g) == -1) |
46 | errExit("chown"); | 46 | errExit("chown"); |
47 | fs_logger("clone /etc/skel/.zshrc"); | ||
47 | } | 48 | } |
48 | } | 49 | } |
49 | else { // | 50 | else { // |
@@ -55,6 +56,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
55 | errExit("chown"); | 56 | errExit("chown"); |
56 | if (chmod(fname, S_IRUSR | S_IWUSR) < 0) | 57 | if (chmod(fname, S_IRUSR | S_IWUSR) < 0) |
57 | errExit("chown"); | 58 | errExit("chown"); |
59 | fs_logger2("touch", fname); | ||
58 | } | 60 | } |
59 | } | 61 | } |
60 | free(fname); | 62 | free(fname); |
@@ -72,6 +74,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
72 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { | 74 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { |
73 | if (chown(fname, u, g) == -1) | 75 | if (chown(fname, u, g) == -1) |
74 | errExit("chown"); | 76 | errExit("chown"); |
77 | fs_logger("clone /etc/skel/.cshrc"); | ||
75 | } | 78 | } |
76 | } | 79 | } |
77 | else { // | 80 | else { // |
@@ -84,6 +87,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
84 | errExit("chown"); | 87 | errExit("chown"); |
85 | if (chmod(fname, S_IRUSR | S_IWUSR) < 0) | 88 | if (chmod(fname, S_IRUSR | S_IWUSR) < 0) |
86 | errExit("chown"); | 89 | errExit("chown"); |
90 | fs_logger2("touch", fname); | ||
87 | } | 91 | } |
88 | } | 92 | } |
89 | free(fname); | 93 | free(fname); |
@@ -102,6 +106,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
102 | /* coverity[toctou] */ | 106 | /* coverity[toctou] */ |
103 | if (chown(fname, u, g) == -1) | 107 | if (chown(fname, u, g) == -1) |
104 | errExit("chown"); | 108 | errExit("chown"); |
109 | fs_logger("clone /etc/skel/.bashrc"); | ||
105 | } | 110 | } |
106 | } | 111 | } |
107 | free(fname); | 112 | free(fname); |
@@ -139,6 +144,7 @@ static void copy_xauthority(void) { | |||
139 | int rv = copy_file(src, dest); | 144 | int rv = copy_file(src, dest); |
140 | if (rv) | 145 | if (rv) |
141 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); | 146 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); |
147 | fs_logger2("clone", dest); | ||
142 | 148 | ||
143 | // set permissions and ownership | 149 | // set permissions and ownership |
144 | if (chown(dest, getuid(), getgid()) < 0) | 150 | if (chown(dest, getuid(), getgid()) < 0) |
@@ -177,6 +183,7 @@ void fs_private_homedir(void) { | |||
177 | printf("Mount-bind %s on top of %s\n", private_homedir, homedir); | 183 | printf("Mount-bind %s on top of %s\n", private_homedir, homedir); |
178 | if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 184 | if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) |
179 | errExit("mount bind"); | 185 | errExit("mount bind"); |
186 | fs_logger3("mount-bind", private_homedir, cfg.homedir); | ||
180 | // preserve mode and ownership | 187 | // preserve mode and ownership |
181 | // if (chown(homedir, s.st_uid, s.st_gid) == -1) | 188 | // if (chown(homedir, s.st_uid, s.st_gid) == -1) |
182 | // errExit("mount-bind chown"); | 189 | // errExit("mount-bind chown"); |
@@ -189,6 +196,7 @@ void fs_private_homedir(void) { | |||
189 | printf("Mounting a new /root directory\n"); | 196 | printf("Mounting a new /root directory\n"); |
190 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 197 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
191 | errExit("mounting home directory"); | 198 | errExit("mounting home directory"); |
199 | fs_logger("mount tmpfs on /root"); | ||
192 | } | 200 | } |
193 | else { | 201 | else { |
194 | // mask /home | 202 | // mask /home |
@@ -196,6 +204,7 @@ void fs_private_homedir(void) { | |||
196 | printf("Mounting a new /home directory\n"); | 204 | printf("Mounting a new /home directory\n"); |
197 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 205 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
198 | errExit("mounting home directory"); | 206 | errExit("mounting home directory"); |
207 | fs_logger("mount tmpfs on /home"); | ||
199 | } | 208 | } |
200 | 209 | ||
201 | 210 | ||
@@ -222,12 +231,14 @@ void fs_private(void) { | |||
222 | printf("Mounting a new /home directory\n"); | 231 | printf("Mounting a new /home directory\n"); |
223 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 232 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
224 | errExit("mounting home directory"); | 233 | errExit("mounting home directory"); |
234 | fs_logger("mount tmpfs on /home"); | ||
225 | 235 | ||
226 | // mask /root | 236 | // mask /root |
227 | if (arg_debug) | 237 | if (arg_debug) |
228 | printf("Mounting a new /root directory\n"); | 238 | printf("Mounting a new /root directory\n"); |
229 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 239 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
230 | errExit("mounting home directory"); | 240 | errExit("mounting home directory"); |
241 | fs_logger("mount tmpfs on /root"); | ||
231 | 242 | ||
232 | if (u != 0) { | 243 | if (u != 0) { |
233 | // create /home/user | 244 | // create /home/user |
@@ -241,6 +252,7 @@ void fs_private(void) { | |||
241 | } | 252 | } |
242 | if (chown(homedir, u, g) < 0) | 253 | if (chown(homedir, u, g) < 0) |
243 | errExit("chown"); | 254 | errExit("chown"); |
255 | fs_logger2("mkdir", homedir); | ||
244 | } | 256 | } |
245 | 257 | ||
246 | skel(homedir, u, g); | 258 | skel(homedir, u, g); |
@@ -379,6 +391,7 @@ static void duplicate(char *name) { | |||
379 | printf("%s\n", cmd); | 391 | printf("%s\n", cmd); |
380 | if (system(cmd)) | 392 | if (system(cmd)) |
381 | errExit("system cp -a --parents"); | 393 | errExit("system cp -a --parents"); |
394 | fs_logger2("clone", fname); | ||
382 | free(cmd); | 395 | free(cmd); |
383 | free(fname); | 396 | free(fname); |
384 | } | 397 | } |
@@ -415,9 +428,11 @@ void fs_private_home_list(void) { | |||
415 | errExit("chown"); | 428 | errExit("chown"); |
416 | if (chmod(RUN_HOME_DIR, 0755) < 0) | 429 | if (chmod(RUN_HOME_DIR, 0755) < 0) |
417 | errExit("chmod"); | 430 | errExit("chmod"); |
431 | |||
418 | 432 | ||
419 | // copy the list of files in the new home directory | 433 | // copy the list of files in the new home directory |
420 | // using a new child process without root privileges | 434 | // using a new child process without root privileges |
435 | fs_logger_print(); // save the current log | ||
421 | pid_t child = fork(); | 436 | pid_t child = fork(); |
422 | if (child < 0) | 437 | if (child < 0) |
423 | errExit("fork"); | 438 | errExit("fork"); |
@@ -437,13 +452,14 @@ void fs_private_home_list(void) { | |||
437 | char *dlist = strdup(cfg.home_private_keep); | 452 | char *dlist = strdup(cfg.home_private_keep); |
438 | if (!dlist) | 453 | if (!dlist) |
439 | errExit("strdup"); | 454 | errExit("strdup"); |
440 | 455 | ||
441 | char *ptr = strtok(dlist, ","); | 456 | char *ptr = strtok(dlist, ","); |
442 | duplicate(ptr); | 457 | duplicate(ptr); |
443 | 458 | ||
444 | while ((ptr = strtok(NULL, ",")) != NULL) | 459 | while ((ptr = strtok(NULL, ",")) != NULL) |
445 | duplicate(ptr); | 460 | duplicate(ptr); |
446 | free(dlist); | 461 | free(dlist); |
462 | fs_logger_print(); | ||
447 | exit(0); | 463 | exit(0); |
448 | } | 464 | } |
449 | // wait for the child to finish | 465 | // wait for the child to finish |
@@ -458,6 +474,7 @@ void fs_private_home_list(void) { | |||
458 | printf("Mount-bind %s on top of %s\n", newhome, homedir); | 474 | printf("Mount-bind %s on top of %s\n", newhome, homedir); |
459 | if (mount(newhome, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 475 | if (mount(newhome, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) |
460 | errExit("mount bind"); | 476 | errExit("mount bind"); |
477 | fs_logger2("mount", homedir); | ||
461 | // preserve mode and ownership | 478 | // preserve mode and ownership |
462 | // if (chown(homedir, s.st_uid, s.st_gid) == -1) | 479 | // if (chown(homedir, s.st_uid, s.st_gid) == -1) |
463 | // errExit("mount-bind chown"); | 480 | // errExit("mount-bind chown"); |
@@ -470,6 +487,7 @@ void fs_private_home_list(void) { | |||
470 | printf("Mounting a new /root directory\n"); | 487 | printf("Mounting a new /root directory\n"); |
471 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 488 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
472 | errExit("mounting home directory"); | 489 | errExit("mounting home directory"); |
490 | fs_logger("mount tmpfs on /root"); | ||
473 | } | 491 | } |
474 | else { | 492 | else { |
475 | // mask /home | 493 | // mask /home |
@@ -477,6 +495,7 @@ void fs_private_home_list(void) { | |||
477 | printf("Mounting a new /home directory\n"); | 495 | printf("Mounting a new /home directory\n"); |
478 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 496 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
479 | errExit("mounting home directory"); | 497 | errExit("mounting home directory"); |
498 | fs_logger("mount tmpfs on /home"); | ||
480 | } | 499 | } |
481 | 500 | ||
482 | skel(homedir, u, g); | 501 | skel(homedir, u, g); |
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index eb3861d1b..860d0cc14 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -51,6 +51,7 @@ void fs_hostname(const char *hostname) { | |||
51 | // bind-mount the file on top of /etc/hostname | 51 | // bind-mount the file on top of /etc/hostname |
52 | if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0) | 52 | if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0) |
53 | errExit("mount bind /etc/hostname"); | 53 | errExit("mount bind /etc/hostname"); |
54 | fs_logger("create /etc/hostname"); | ||
54 | } | 55 | } |
55 | 56 | ||
56 | // create a new /etc/hosts | 57 | // create a new /etc/hosts |
@@ -98,13 +99,14 @@ void fs_hostname(const char *hostname) { | |||
98 | // bind-mount the file on top of /etc/hostname | 99 | // bind-mount the file on top of /etc/hostname |
99 | if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) | 100 | if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) |
100 | errExit("mount bind /etc/hosts"); | 101 | errExit("mount bind /etc/hosts"); |
102 | fs_logger("create /etc/hosts"); | ||
101 | } | 103 | } |
102 | } | 104 | } |
103 | 105 | ||
104 | void fs_resolvconf(void) { | 106 | void fs_resolvconf(void) { |
105 | if (cfg.dns1 == 0) | 107 | if (cfg.dns1 == 0) |
106 | return; | 108 | return; |
107 | 109 | ||
108 | struct stat s; | 110 | struct stat s; |
109 | fs_build_mnt_dir(); | 111 | fs_build_mnt_dir(); |
110 | 112 | ||
@@ -135,6 +137,7 @@ void fs_resolvconf(void) { | |||
135 | // bind-mount the file on top of /etc/hostname | 137 | // bind-mount the file on top of /etc/hostname |
136 | if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0) | 138 | if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0) |
137 | errExit("mount bind /etc/resolv.conf"); | 139 | errExit("mount bind /etc/resolv.conf"); |
140 | fs_logger("create /etc/resolv.conf"); | ||
138 | } | 141 | } |
139 | else { | 142 | else { |
140 | fprintf(stderr, "Error: cannot set DNS servers, /etc/resolv.conf file is missing\n"); | 143 | fprintf(stderr, "Error: cannot set DNS servers, /etc/resolv.conf file is missing\n"); |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index f4f5d3e81..92e4daed2 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -42,6 +42,7 @@ void fs_trace_preload(void) { | |||
42 | errExit("chown"); | 42 | errExit("chown"); |
43 | if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) | 43 | if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) |
44 | errExit("chmod"); | 44 | errExit("chmod"); |
45 | fs_logger("touch /etc/ls.so.preload"); | ||
45 | } | 46 | } |
46 | } | 47 | } |
47 | 48 | ||
@@ -68,6 +69,7 @@ void fs_trace(void) { | |||
68 | printf("Mount the new ld.so.preload file\n"); | 69 | printf("Mount the new ld.so.preload file\n"); |
69 | if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) | 70 | if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) |
70 | errExit("mount bind ls.so.preload"); | 71 | errExit("mount bind ls.so.preload"); |
72 | fs_logger("create /etc/ls.so.preload"); | ||
71 | } | 73 | } |
72 | 74 | ||
73 | 75 | ||
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index c6f989266..a53c22093 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -102,6 +102,7 @@ static void build_dirs(void) { | |||
102 | errExit("mkdir"); | 102 | errExit("mkdir"); |
103 | if (chown(ptr->name, ptr->st_uid, ptr->st_gid)) | 103 | if (chown(ptr->name, ptr->st_uid, ptr->st_gid)) |
104 | errExit("chown"); | 104 | errExit("chown"); |
105 | fs_logger2("mkdir", ptr->name); | ||
105 | ptr = ptr->next; | 106 | ptr = ptr->next; |
106 | } | 107 | } |
107 | } | 108 | } |
@@ -122,6 +123,7 @@ void fs_var_log(void) { | |||
122 | printf("Mounting tmpfs on /var/log\n"); | 123 | printf("Mounting tmpfs on /var/log\n"); |
123 | if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 124 | if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
124 | errExit("mounting /var/log"); | 125 | errExit("mounting /var/log"); |
126 | fs_logger("mount tmpfs on /var/log"); | ||
125 | 127 | ||
126 | build_dirs(); | 128 | build_dirs(); |
127 | release_all(); | 129 | release_all(); |
@@ -135,6 +137,7 @@ void fs_var_log(void) { | |||
135 | errExit("chown"); | 137 | errExit("chown"); |
136 | if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0) | 138 | if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0) |
137 | errExit("chmod"); | 139 | errExit("chmod"); |
140 | fs_logger("touch /var/log/wtmp"); | ||
138 | 141 | ||
139 | // create an empty /var/log/btmp file | 142 | // create an empty /var/log/btmp file |
140 | fp = fopen("/var/log/btmp", "w"); | 143 | fp = fopen("/var/log/btmp", "w"); |
@@ -144,6 +147,7 @@ void fs_var_log(void) { | |||
144 | errExit("chown"); | 147 | errExit("chown"); |
145 | if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0) | 148 | if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0) |
146 | errExit("chmod"); | 149 | errExit("chmod"); |
150 | fs_logger("touch /var/log/btmp"); | ||
147 | } | 151 | } |
148 | else | 152 | else |
149 | fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n"); | 153 | fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n"); |
@@ -158,6 +162,7 @@ void fs_var_lib(void) { | |||
158 | printf("Mounting tmpfs on /var/lib/dhcp\n"); | 162 | printf("Mounting tmpfs on /var/lib/dhcp\n"); |
159 | if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 163 | if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
160 | errExit("mounting /var/lib/dhcp"); | 164 | errExit("mounting /var/lib/dhcp"); |
165 | fs_logger("mount tmpfs on /var/lib/dhcp"); | ||
161 | 166 | ||
162 | // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file | 167 | // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file |
163 | FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); | 168 | FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); |
@@ -169,6 +174,7 @@ void fs_var_lib(void) { | |||
169 | errExit("chown"); | 174 | errExit("chown"); |
170 | if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) | 175 | if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) |
171 | errExit("chmod"); | 176 | errExit("chmod"); |
177 | fs_logger("touch /var/lib/dhcp/dhcpd.leases"); | ||
172 | } | 178 | } |
173 | } | 179 | } |
174 | 180 | ||
@@ -178,6 +184,7 @@ void fs_var_lib(void) { | |||
178 | printf("Mounting tmpfs on /var/lib/nginx\n"); | 184 | printf("Mounting tmpfs on /var/lib/nginx\n"); |
179 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 185 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
180 | errExit("mounting /var/lib/nginx"); | 186 | errExit("mounting /var/lib/nginx"); |
187 | fs_logger("mount tmpfs on /var/lib/nignx"); | ||
181 | } | 188 | } |
182 | 189 | ||
183 | // net-snmp multiserver | 190 | // net-snmp multiserver |
@@ -186,6 +193,7 @@ void fs_var_lib(void) { | |||
186 | printf("Mounting tmpfs on /var/lib/snmp\n"); | 193 | printf("Mounting tmpfs on /var/lib/snmp\n"); |
187 | if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 194 | if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
188 | errExit("mounting /var/lib/snmp"); | 195 | errExit("mounting /var/lib/snmp"); |
196 | fs_logger("mount tmpfs on /var/lib/snmp"); | ||
189 | } | 197 | } |
190 | 198 | ||
191 | // this is where sudo remembers its state | 199 | // this is where sudo remembers its state |
@@ -194,6 +202,7 @@ void fs_var_lib(void) { | |||
194 | printf("Mounting tmpfs on /var/lib/sudo\n"); | 202 | printf("Mounting tmpfs on /var/lib/sudo\n"); |
195 | if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 203 | if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
196 | errExit("mounting /var/lib/sudo"); | 204 | errExit("mounting /var/lib/sudo"); |
205 | fs_logger("mount tmpfs on /var/lib/sudo"); | ||
197 | } | 206 | } |
198 | } | 207 | } |
199 | 208 | ||
@@ -204,7 +213,8 @@ void fs_var_cache(void) { | |||
204 | if (arg_debug) | 213 | if (arg_debug) |
205 | printf("Mounting tmpfs on /var/cache/apache2\n"); | 214 | printf("Mounting tmpfs on /var/cache/apache2\n"); |
206 | if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 215 | if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
207 | errExit("mounting /var/cahce/apache2"); | 216 | errExit("mounting /var/cache/apache2"); |
217 | fs_logger("mount tmpfs on /var/cache/apache2"); | ||
208 | } | 218 | } |
209 | 219 | ||
210 | if (stat("/var/cache/lighttpd", &s) == 0) { | 220 | if (stat("/var/cache/lighttpd", &s) == 0) { |
@@ -212,6 +222,7 @@ void fs_var_cache(void) { | |||
212 | printf("Mounting tmpfs on /var/cache/lighttpd\n"); | 222 | printf("Mounting tmpfs on /var/cache/lighttpd\n"); |
213 | if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 223 | if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
214 | errExit("mounting /var/cache/lighttpd"); | 224 | errExit("mounting /var/cache/lighttpd"); |
225 | fs_logger("mount tmpfs on /var/cache/lighttpd"); | ||
215 | 226 | ||
216 | struct passwd *p = getpwnam("www-data"); | 227 | struct passwd *p = getpwnam("www-data"); |
217 | uid_t uid = 0; | 228 | uid_t uid = 0; |
@@ -226,12 +237,14 @@ void fs_var_cache(void) { | |||
226 | errExit("mkdir"); | 237 | errExit("mkdir"); |
227 | if (chown("/var/cache/lighttpd/compress", uid, gid) < 0) | 238 | if (chown("/var/cache/lighttpd/compress", uid, gid) < 0) |
228 | errExit("chown"); | 239 | errExit("chown"); |
240 | fs_logger("mkdir /var/cache/lighttpd/compress"); | ||
229 | 241 | ||
230 | rv = mkdir("/var/cache/lighttpd/uploads", S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); | 242 | rv = mkdir("/var/cache/lighttpd/uploads", S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); |
231 | if (rv == -1) | 243 | if (rv == -1) |
232 | errExit("mkdir"); | 244 | errExit("mkdir"); |
233 | if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0) | 245 | if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0) |
234 | errExit("chown"); | 246 | errExit("chown"); |
247 | fs_logger("/var/cache/lighttpd/uploads"); | ||
235 | } | 248 | } |
236 | } | 249 | } |
237 | 250 | ||
@@ -257,6 +270,7 @@ void fs_var_lock(void) { | |||
257 | printf("Mounting tmpfs on /var/lock\n"); | 270 | printf("Mounting tmpfs on /var/lock\n"); |
258 | if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 271 | if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
259 | errExit("mounting /lock"); | 272 | errExit("mounting /lock"); |
273 | fs_logger("mount tmpfs on /var/lock"); | ||
260 | } | 274 | } |
261 | else { | 275 | else { |
262 | char *lnk = realpath("/var/lock", NULL); | 276 | char *lnk = realpath("/var/lock", NULL); |
@@ -275,6 +289,7 @@ void fs_var_lock(void) { | |||
275 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 289 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
276 | errExit("mounting /var/lock"); | 290 | errExit("mounting /var/lock"); |
277 | free(lnk); | 291 | free(lnk); |
292 | fs_logger("mount tmpfs on /var/lock"); | ||
278 | } | 293 | } |
279 | else { | 294 | else { |
280 | fprintf(stderr, "Warning: /var/lock not mounted\n"); | 295 | fprintf(stderr, "Warning: /var/lock not mounted\n"); |
@@ -291,6 +306,7 @@ void fs_var_tmp(void) { | |||
291 | printf("Mounting tmpfs on /var/tmp\n"); | 306 | printf("Mounting tmpfs on /var/tmp\n"); |
292 | if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 307 | if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
293 | errExit("mounting /var/tmp"); | 308 | errExit("mounting /var/tmp"); |
309 | fs_logger("mount tmpfs on /var/tmp"); | ||
294 | } | 310 | } |
295 | } | 311 | } |
296 | else { | 312 | else { |
@@ -348,6 +364,7 @@ void fs_var_utmp(void) { | |||
348 | printf("Mount the new utmp file\n"); | 364 | printf("Mount the new utmp file\n"); |
349 | if (mount(UTMP_FILE, "/var/run/utmp", NULL, MS_BIND|MS_REC, NULL) < 0) | 365 | if (mount(UTMP_FILE, "/var/run/utmp", NULL, MS_BIND|MS_REC, NULL) < 0) |
350 | errExit("mount bind utmp"); | 366 | errExit("mount bind utmp"); |
367 | fs_logger("create /var/run/utmp"); | ||
351 | } | 368 | } |
352 | 369 | ||
353 | 370 | ||
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 95238a956..f8cce219e 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -119,6 +119,7 @@ static int mkpath(const char* path, mode_t mode) { | |||
119 | errExit("strdup"); | 119 | errExit("strdup"); |
120 | 120 | ||
121 | char* p; | 121 | char* p; |
122 | int done = 0; | ||
122 | for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) { | 123 | for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) { |
123 | *p='\0'; | 124 | *p='\0'; |
124 | if (mkdir(file_path, mode)==-1) { | 125 | if (mkdir(file_path, mode)==-1) { |
@@ -133,10 +134,13 @@ static int mkpath(const char* path, mode_t mode) { | |||
133 | errExit("chmod"); | 134 | errExit("chmod"); |
134 | if (chown(file_path, uid, gid) == -1) | 135 | if (chown(file_path, uid, gid) == -1) |
135 | errExit("chown"); | 136 | errExit("chown"); |
137 | done = 1; | ||
136 | } | 138 | } |
137 | 139 | ||
138 | *p='/'; | 140 | *p='/'; |
139 | } | 141 | } |
142 | if (done) | ||
143 | fs_logger2("mkpath", path); | ||
140 | 144 | ||
141 | free(file_path); | 145 | free(file_path); |
142 | return 0; | 146 | return 0; |
@@ -225,6 +229,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
225 | 229 | ||
226 | // create the path if necessary | 230 | // create the path if necessary |
227 | mkpath(path, s.st_mode); | 231 | mkpath(path, s.st_mode); |
232 | fs_logger2("whitelist", path); | ||
228 | 233 | ||
229 | // process directory | 234 | // process directory |
230 | if (S_ISDIR(s.st_mode)) { | 235 | if (S_ISDIR(s.st_mode)) { |
@@ -442,6 +447,7 @@ void fs_whitelist(void) { | |||
442 | printf("Mounting tmpfs on /tmp directory\n"); | 447 | printf("Mounting tmpfs on /tmp directory\n"); |
443 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | 448 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) |
444 | errExit("mounting tmpfs on /tmp"); | 449 | errExit("mounting tmpfs on /tmp"); |
450 | fs_logger("mount tmpfs on /tmp"); | ||
445 | } | 451 | } |
446 | 452 | ||
447 | // /media mountpoint | 453 | // /media mountpoint |
@@ -463,9 +469,10 @@ void fs_whitelist(void) { | |||
463 | printf("Mounting tmpfs on /media directory\n"); | 469 | printf("Mounting tmpfs on /media directory\n"); |
464 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 470 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
465 | errExit("mounting tmpfs on /media"); | 471 | errExit("mounting tmpfs on /media"); |
472 | fs_logger("mount tmpfs on /media"); | ||
466 | } | 473 | } |
467 | 474 | ||
468 | // /media mountpoint | 475 | // /var mountpoint |
469 | if (var_dir) { | 476 | if (var_dir) { |
470 | // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR | 477 | // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR |
471 | int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 478 | int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
@@ -484,6 +491,7 @@ void fs_whitelist(void) { | |||
484 | printf("Mounting tmpfs on /var directory\n"); | 491 | printf("Mounting tmpfs on /var directory\n"); |
485 | if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 492 | if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
486 | errExit("mounting tmpfs on /var"); | 493 | errExit("mounting tmpfs on /var"); |
494 | fs_logger("mount tmpfs on /var"); | ||
487 | } | 495 | } |
488 | 496 | ||
489 | // /dev mountpoint | 497 | // /dev mountpoint |
@@ -505,6 +513,7 @@ void fs_whitelist(void) { | |||
505 | printf("Mounting tmpfs on /dev directory\n"); | 513 | printf("Mounting tmpfs on /dev directory\n"); |
506 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 514 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
507 | errExit("mounting tmpfs on /dev"); | 515 | errExit("mounting tmpfs on /dev"); |
516 | fs_logger("mount tmpfs on /dev"); | ||
508 | } | 517 | } |
509 | 518 | ||
510 | // /opt mountpoint | 519 | // /opt mountpoint |
@@ -526,6 +535,7 @@ void fs_whitelist(void) { | |||
526 | printf("Mounting tmpfs on /opt directory\n"); | 535 | printf("Mounting tmpfs on /opt directory\n"); |
527 | if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 536 | if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
528 | errExit("mounting tmpfs on /opt"); | 537 | errExit("mounting tmpfs on /opt"); |
538 | fs_logger("mount tmpfs on /opt"); | ||
529 | } | 539 | } |
530 | 540 | ||
531 | // go through profile rules again, and interpret whitelist commands | 541 | // go through profile rules again, and interpret whitelist commands |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 2981683aa..a6e95e963 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -340,7 +340,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
340 | caps_print_filter_name(argv[i] + 13); | 340 | caps_print_filter_name(argv[i] + 13); |
341 | exit(0); | 341 | exit(0); |
342 | } | 342 | } |
343 | 343 | else if (strncmp(argv[i], "--fs.print=", 11) == 0) { | |
344 | // join sandbox by pid or by name | ||
345 | pid_t pid; | ||
346 | if (read_pid(argv[i] + 11, &pid) == 0) | ||
347 | fs_logger_print_log(pid); | ||
348 | else | ||
349 | fs_logger_print_log_name(argv[i] + 11); | ||
350 | exit(0); | ||
351 | } | ||
344 | else if (strncmp(argv[i], "--dns.print=", 12) == 0) { | 352 | else if (strncmp(argv[i], "--dns.print=", 12) == 0) { |
345 | // join sandbox by pid or by name | 353 | // join sandbox by pid or by name |
346 | pid_t pid; | 354 | pid_t pid; |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 6ead5799c..3d54751c7 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -45,6 +45,7 @@ static void disable_file(const char *path, const char *file) { | |||
45 | if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 45 | if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
46 | errExit("disable file"); | 46 | errExit("disable file"); |
47 | } | 47 | } |
48 | fs_logger2("blacklist", fname); | ||
48 | 49 | ||
49 | doexit: | 50 | doexit: |
50 | free(fname); | 51 | free(fname); |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 50a9a9b89..ec65005ba 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -59,40 +59,6 @@ static USER_LIST *ulist_find(const char *user) { | |||
59 | return NULL; | 59 | return NULL; |
60 | } | 60 | } |
61 | 61 | ||
62 | static int mkpath(const char* path) { | ||
63 | assert(path && *path); | ||
64 | |||
65 | // work on a copy of the path | ||
66 | char *file_path = strdup(path); | ||
67 | if (!file_path) | ||
68 | errExit("strdup"); | ||
69 | |||
70 | char* p; | ||
71 | for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) { | ||
72 | *p='\0'; | ||
73 | if (mkdir(file_path, 0755)==-1) { | ||
74 | if (errno != EEXIST) { | ||
75 | *p='/'; | ||
76 | free(file_path); | ||
77 | return -1; | ||
78 | } | ||
79 | } | ||
80 | else { | ||
81 | if (chmod(file_path, 0755) == -1) | ||
82 | errExit("chmod"); | ||
83 | if (chown(file_path, 0, 0) == -1) | ||
84 | errExit("chown"); | ||
85 | } | ||
86 | |||
87 | *p='/'; | ||
88 | } | ||
89 | |||
90 | free(file_path); | ||
91 | return 0; | ||
92 | } | ||
93 | |||
94 | |||
95 | |||
96 | static void sanitize_home(void) { | 62 | static void sanitize_home(void) { |
97 | assert(getuid() != 0); // this code works only for regular users | 63 | assert(getuid() != 0); // this code works only for regular users |
98 | 64 | ||
@@ -117,6 +83,7 @@ static void sanitize_home(void) { | |||
117 | // mount tmpfs in the new home | 83 | // mount tmpfs in the new home |
118 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 84 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
119 | errExit("mount tmpfs"); | 85 | errExit("mount tmpfs"); |
86 | fs_logger("mount tmpfs on /home"); | ||
120 | 87 | ||
121 | // create user home directory | 88 | // create user home directory |
122 | if (mkdir(cfg.homedir, 0755) == -1) { | 89 | if (mkdir(cfg.homedir, 0755) == -1) { |
@@ -125,6 +92,7 @@ static void sanitize_home(void) { | |||
125 | if (mkdir(cfg.homedir, 0755) == -1) | 92 | if (mkdir(cfg.homedir, 0755) == -1) |
126 | errExit("mkdir"); | 93 | errExit("mkdir"); |
127 | } | 94 | } |
95 | fs_logger2("mkdir", cfg.homedir); | ||
128 | 96 | ||
129 | // set mode and ownership | 97 | // set mode and ownership |
130 | if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) | 98 | if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) |
@@ -218,6 +186,7 @@ static void sanitize_passwd(void) { | |||
218 | // mount-bind tne new password file | 186 | // mount-bind tne new password file |
219 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) | 187 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) |
220 | errExit("mount"); | 188 | errExit("mount"); |
189 | fs_logger("create /etc/passwd"); | ||
221 | 190 | ||
222 | return; | 191 | return; |
223 | 192 | ||
@@ -344,6 +313,7 @@ static void sanitize_group(void) { | |||
344 | // mount-bind tne new group file | 313 | // mount-bind tne new group file |
345 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) | 314 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) |
346 | errExit("mount"); | 315 | errExit("mount"); |
316 | fs_logger("create /etc/group"); | ||
347 | 317 | ||
348 | return; | 318 | return; |
349 | 319 | ||
@@ -367,6 +337,7 @@ void restrict_users(void) { | |||
367 | // mount tmpfs on top of /home in order to hide it | 337 | // mount tmpfs on top of /home in order to hide it |
368 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 338 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
369 | errExit("mount tmpfs"); | 339 | errExit("mount tmpfs"); |
340 | fs_logger("mount tmpfs on /home"); | ||
370 | } | 341 | } |
371 | sanitize_passwd(); | 342 | sanitize_passwd(); |
372 | sanitize_group(); | 343 | sanitize_group(); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 2827ca9d3..5ae43dbd1 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -271,6 +271,7 @@ int sandbox(void* sandbox_arg) { | |||
271 | if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { | 271 | if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { |
272 | chk_chroot(); | 272 | chk_chroot(); |
273 | } | 273 | } |
274 | fs_logger("install mount namespace"); | ||
274 | 275 | ||
275 | //**************************** | 276 | //**************************** |
276 | // netfilter etc. | 277 | // netfilter etc. |
@@ -400,7 +401,7 @@ int sandbox(void* sandbox_arg) { | |||
400 | pulseaudio_disable(); | 401 | pulseaudio_disable(); |
401 | else | 402 | else |
402 | pulseaudio_init(); | 403 | pulseaudio_init(); |
403 | 404 | ||
404 | //**************************** | 405 | //**************************** |
405 | // networking | 406 | // networking |
406 | //**************************** | 407 | //**************************** |
@@ -468,6 +469,8 @@ int sandbox(void* sandbox_arg) { | |||
468 | 469 | ||
469 | // if any dns server is configured, it is time to set it now | 470 | // if any dns server is configured, it is time to set it now |
470 | fs_resolvconf(); | 471 | fs_resolvconf(); |
472 | fs_logger_print(); | ||
473 | fs_logger_change_owner(); | ||
471 | 474 | ||
472 | // print network configuration | 475 | // print network configuration |
473 | if (!arg_quiet) { | 476 | if (!arg_quiet) { |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d8f6d6849..70b9cf24e 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -83,7 +83,11 @@ void usage(void) { | |||
83 | printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n"); | 83 | printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n"); |
84 | printf("\t\tby PID.\n\n"); | 84 | printf("\t\tby PID.\n\n"); |
85 | 85 | ||
86 | printf("\t--env=name=value - set environment variable in the new sandbox\n"); | 86 | printf("\t--env=name=value - set environment variable in the new sandbox\n\n"); |
87 | printf("\t--fs.print=name - print the filesystem log for the sandbox identified\n"); | ||
88 | printf("\t\tby name.\n\n"); | ||
89 | printf("\t--fs.print=pid - print the filesystem log for the sandbox identified\n"); | ||
90 | printf("\t\tby PID.\n\n"); | ||
87 | 91 | ||
88 | printf("\t--help, -? - this help screen.\n\n"); | 92 | printf("\t--help, -? - this help screen.\n\n"); |
89 | printf("\t--hostname=name - set sandbox hostname.\n\n"); | 93 | printf("\t--hostname=name - set sandbox hostname.\n\n"); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 45f7ec364..6c7476be6 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -84,6 +84,7 @@ int mkpath_as_root(const char* path) { | |||
84 | errExit("strdup"); | 84 | errExit("strdup"); |
85 | 85 | ||
86 | char* p; | 86 | char* p; |
87 | int done = 0; | ||
87 | for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) { | 88 | for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) { |
88 | *p='\0'; | 89 | *p='\0'; |
89 | if (mkdir(file_path, 0755)==-1) { | 90 | if (mkdir(file_path, 0755)==-1) { |
@@ -98,11 +99,14 @@ int mkpath_as_root(const char* path) { | |||
98 | errExit("chmod"); | 99 | errExit("chmod"); |
99 | if (chown(file_path, 0, 0) == -1) | 100 | if (chown(file_path, 0, 0) == -1) |
100 | errExit("chown"); | 101 | errExit("chown"); |
102 | done = 1; | ||
101 | } | 103 | } |
102 | 104 | ||
103 | *p='/'; | 105 | *p='/'; |
104 | } | 106 | } |
105 | 107 | if (done) | |
108 | fs_logger2("mkpath", path); | ||
109 | |||
106 | free(file_path); | 110 | free(file_path); |
107 | return 0; | 111 | return 0; |
108 | } | 112 | } |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4f9f0cba9..de03af56c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -338,6 +338,35 @@ Example: | |||
338 | $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib | 338 | $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib |
339 | 339 | ||
340 | .TP | 340 | .TP |
341 | \fB\-\-fs.print=name | ||
342 | Print the filesystem log for the sandbox identified by name. | ||
343 | .br | ||
344 | |||
345 | .br | ||
346 | Example: | ||
347 | .br | ||
348 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | ||
349 | .br | ||
350 | [...] | ||
351 | .br | ||
352 | $ firejail \-\-fs.print=mygame | ||
353 | |||
354 | .TP | ||
355 | \fB\-\-fs.print=pid | ||
356 | Print the filesystem log for a sandbox identified by PID. | ||
357 | .br | ||
358 | |||
359 | .br | ||
360 | Example: | ||
361 | .br | ||
362 | $ firejail \-\-list | ||
363 | .br | ||
364 | 3272:netblue:firejail \-\-private firefox | ||
365 | .br | ||
366 | $ firejail \-\-fs.print=3272 | ||
367 | |||
368 | |||
369 | .TP | ||
341 | \fB\-?\fR, \fB\-\-help\fR | 370 | \fB\-?\fR, \fB\-\-help\fR |
342 | Print options end exit. | 371 | Print options end exit. |
343 | 372 | ||