From 159f33e886fa5fc150972dc3a5071c59b8691e1e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 7 Mar 2016 15:34:25 -0500 Subject: logging fixes --- src/firejail/fs.c | 4 +++- src/firejail/fs_bin.c | 22 +++++++++++++++++++++- src/firejail/fs_dev.c | 6 +++--- src/firejail/fs_home.c | 11 ++++++----- src/firejail/fs_var.c | 20 ++++++++++---------- src/firejail/fs_whitelist.c | 16 +++++++++++----- src/firejail/restrict_users.c | 8 ++++++-- src/firejail/x11.c | 2 +- 8 files changed, 61 insertions(+), 28 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d9a860722..5efdd4d87 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -178,6 +178,7 @@ void fs_build_mnt_dir(void) { if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /tmp/firejail/mnt"); tmpfs_mounted = 1; + fs_logger2("tmpfs", RUN_MNT_DIR); } } @@ -342,7 +343,7 @@ static void disable_file(OPERATION op, const char *filename) { if (chown(fname, s.st_uid, s.st_gid) == -1) errExit("mounting tmpfs chmod"); last_disable = SUCCESSFUL; - fs_logger2("mount tmpfs on", fname); + fs_logger2("tmpfs", fname); } else printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); @@ -1030,5 +1031,6 @@ void fs_private_tmp(void) { printf("Mounting tmpfs on /tmp directory\n"); if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /tmp/firejail/mnt"); + fs_logger2("tmpfs", "/tmp"); } diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 447ef7f8f..228ed347a 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -144,7 +144,6 @@ static void duplicate(char *fname) { printf("%s\n", cmd); if (system(cmd)) errExit("system cp -a"); - fs_logger2("clone", fname); free(cmd); free(actual_path); } @@ -220,8 +219,29 @@ void fs_private_bin_list(void) { printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); + fs_logger2("tmpfs", paths[i]); fs_logger2("mount", paths[i]); i++; } + + // log cloned files + char *dlist = strdup(private_list); + if (!dlist) + errExit("strdup"); + + + char *ptr = strtok(dlist, ","); + while (ptr) { + i = 0; + while (paths[i]) { + char *fname; + if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1) + errExit("asprintf"); + fs_logger2("clone", fname); + free(fname); + i++; + } + ptr = strtok(NULL, ","); + } } diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 97ee9de55..2525dab24 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -107,7 +107,7 @@ void fs_private_dev(void){ // mount tmpfs on top of /dev if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /dev"); - fs_logger("mount tmpfs on /dev"); + fs_logger("tmpfs /dev"); // bring back /dev/log if (have_devlog) { @@ -203,7 +203,7 @@ void fs_dev_shm(void) { printf("Mounting tmpfs on /dev/shm\n"); if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /dev/shm"); - fs_logger("mount tmpfs on /dev/shm"); + fs_logger("tmpfs /dev/shm"); } else { char *lnk = realpath("/dev/shm", NULL); @@ -221,7 +221,7 @@ void fs_dev_shm(void) { printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /var/tmp"); - fs_logger3("mount tmpfs on", lnk, "on behalf of /dev/shm"); + fs_logger2("tmpfs", lnk); free(lnk); } else { diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 2b6142c6c..8a3484b06 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -107,7 +107,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { errExit("asprintf"); struct stat s; // don't copy it if we already have the file - if (stat(fname, &s) == 0) + if (stat(fname, &s) == 0) return; if (stat("/etc/skel/.bashrc", &s) == 0) { if (is_link("/etc/skel/.bashrc")) { @@ -254,6 +254,7 @@ void fs_private_homedir(void) { if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); fs_logger3("mount-bind", private_homedir, cfg.homedir); + fs_logger2("whitelist", cfg.homedir); // preserve mode and ownership // if (chown(homedir, s.st_uid, s.st_gid) == -1) // errExit("mount-bind chown"); @@ -266,7 +267,7 @@ void fs_private_homedir(void) { printf("Mounting a new /root directory\n"); if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) errExit("mounting home directory"); - fs_logger("mount tmpfs on /root"); + fs_logger("tmpfs /root"); } else { // mask /home @@ -274,7 +275,7 @@ void fs_private_homedir(void) { printf("Mounting a new /home directory\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting home directory"); - fs_logger("mount tmpfs on /home"); + fs_logger("tmpfs /home"); } @@ -304,14 +305,14 @@ void fs_private(void) { printf("Mounting a new /home directory\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting home directory"); - fs_logger("mount tmpfs on /home"); + fs_logger("tmpfs /home"); // mask /root if (arg_debug) printf("Mounting a new /root directory\n"); if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) errExit("mounting root directory"); - fs_logger("mount tmpfs on /root"); + fs_logger("tmpfs /root"); if (u != 0) { // create /home/user diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 82d453308..f904fa5d9 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -123,7 +123,7 @@ void fs_var_log(void) { printf("Mounting tmpfs on /var/log\n"); if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/log"); - fs_logger("mount tmpfs on /var/log"); + fs_logger("tmpfs /var/log"); build_dirs(); release_all(); @@ -162,7 +162,7 @@ void fs_var_lib(void) { printf("Mounting tmpfs on /var/lib/dhcp\n"); if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/lib/dhcp"); - fs_logger("mount tmpfs on /var/lib/dhcp"); + fs_logger("tmpfs /var/lib/dhcp"); // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); @@ -184,7 +184,7 @@ void fs_var_lib(void) { printf("Mounting tmpfs on /var/lib/nginx\n"); if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/lib/nginx"); - fs_logger("mount tmpfs on /var/lib/nginx"); + fs_logger("tmpfs /var/lib/nginx"); } // net-snmp multiserver @@ -193,7 +193,7 @@ void fs_var_lib(void) { printf("Mounting tmpfs on /var/lib/snmp\n"); if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/lib/snmp"); - fs_logger("mount tmpfs on /var/lib/snmp"); + fs_logger("tmpfs /var/lib/snmp"); } // this is where sudo remembers its state @@ -202,7 +202,7 @@ void fs_var_lib(void) { printf("Mounting tmpfs on /var/lib/sudo\n"); if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/lib/sudo"); - fs_logger("mount tmpfs on /var/lib/sudo"); + fs_logger("tmpfs /var/lib/sudo"); } } @@ -214,7 +214,7 @@ void fs_var_cache(void) { printf("Mounting tmpfs on /var/cache/apache2\n"); if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/cache/apache2"); - fs_logger("mount tmpfs on /var/cache/apache2"); + fs_logger("tmpfs /var/cache/apache2"); } if (stat("/var/cache/lighttpd", &s) == 0) { @@ -222,7 +222,7 @@ void fs_var_cache(void) { printf("Mounting tmpfs on /var/cache/lighttpd\n"); if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/cache/lighttpd"); - fs_logger("mount tmpfs on /var/cache/lighttpd"); + fs_logger("tmpfs /var/cache/lighttpd"); struct passwd *p = getpwnam("www-data"); uid_t uid = 0; @@ -270,7 +270,7 @@ void fs_var_lock(void) { printf("Mounting tmpfs on /var/lock\n"); if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /lock"); - fs_logger("mount tmpfs on /var/lock"); + fs_logger("tmpfs /var/lock"); } else { char *lnk = realpath("/var/lock", NULL); @@ -289,7 +289,7 @@ void fs_var_lock(void) { if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /var/lock"); free(lnk); - fs_logger("mount tmpfs on /var/lock"); + fs_logger("tmpfs /var/lock"); } else { fprintf(stderr, "Warning: /var/lock not mounted\n"); @@ -306,7 +306,7 @@ void fs_var_tmp(void) { printf("Mounting tmpfs on /var/tmp\n"); if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /var/tmp"); - fs_logger("mount tmpfs on /var/tmp"); + fs_logger("tmpfs /var/tmp"); } } else { diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index dce044cb7..7e61bfde5 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -516,7 +516,7 @@ void fs_whitelist(void) { printf("Mounting tmpfs on /tmp directory\n"); if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting tmpfs on /tmp"); - fs_logger("mount tmpfs on /tmp"); + fs_logger("tmpfs /tmp"); } // /media mountpoint @@ -538,7 +538,7 @@ void fs_whitelist(void) { printf("Mounting tmpfs on /media directory\n"); if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /media"); - fs_logger("mount tmpfs on /media"); + fs_logger("tmpfs /media"); } // /var mountpoint @@ -560,7 +560,7 @@ void fs_whitelist(void) { printf("Mounting tmpfs on /var directory\n"); if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /var"); - fs_logger("mount tmpfs on /var"); + fs_logger("tmpfs /var"); } // /dev mountpoint @@ -582,7 +582,7 @@ void fs_whitelist(void) { printf("Mounting tmpfs on /dev directory\n"); if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /dev"); - fs_logger("mount tmpfs on /dev"); + fs_logger("tmpfs /dev"); } // /opt mountpoint @@ -604,7 +604,7 @@ void fs_whitelist(void) { printf("Mounting tmpfs on /opt directory\n"); if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting tmpfs on /opt"); - fs_logger("mount tmpfs on /opt"); + fs_logger("tmpfs /opt"); } // go through profile rules again, and interpret whitelist commands @@ -643,36 +643,42 @@ void fs_whitelist(void) { if (home_dir) { if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR); } // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR if (tmp_dir) { if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR); } // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR if (var_dir) { if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR); } // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR if (opt_dir) { if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR); } // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR if (dev_dir) { if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR); } // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR if (media_dir) { if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR); } if (new_name) diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 88dd38021..5a41c441b 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -83,7 +83,7 @@ static void sanitize_home(void) { // mount tmpfs in the new home if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); - fs_logger("mount tmpfs on /home"); + fs_logger("tmpfs /home"); // create user home directory if (mkdir(cfg.homedir, 0755) == -1) { @@ -107,6 +107,10 @@ static void sanitize_home(void) { // mask home dir under /run if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); + if (!arg_private) + fs_logger2("whitelist", cfg.homedir); + } static void sanitize_passwd(void) { @@ -347,7 +351,7 @@ void restrict_users(void) { // mount tmpfs on top of /home in order to hide it if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); - fs_logger("mount tmpfs on /home"); + fs_logger("tmpfs /home"); } sanitize_passwd(); sanitize_group(); diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 7769503b1..8c781c67a 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -84,7 +84,7 @@ void fs_x11(void) { printf("Mounting tmpfs on /tmp/.X11-unix directory\n"); if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting tmpfs on /tmp"); - fs_logger("mount tmpfs on /tmp/.X11-unix"); + fs_logger("tmpfs /tmp/.X11-unix"); // create an empty file FILE *fp = fopen(x11file, "w"); -- cgit v1.2.3-70-g09d2