From 873b9d161f4d87a87af78d5074016a5749588513 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 6 Dec 2015 13:11:00 -0500 Subject: traclog added to various profiles --- README | 1 + RELNOTES | 4 ++-- etc/chromium.profile | 1 + etc/conkeror.profile | 1 + etc/deluge.profile | 2 ++ etc/dnscrypt-proxy.profile | 1 + etc/dropbox.profile | 2 ++ etc/evince.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 1 + etc/firefox.profile | 1 + etc/google-chrome-beta.profile | 1 + etc/google-chrome-unstable.profile | 1 + etc/google-chrome.profile | 1 + etc/midori.profile | 1 + etc/opera-beta.profile | 1 + etc/opera.profile | 1 + etc/qbittorrent.profile | 1 + etc/rtorrent.profile | 1 + etc/skype.profile | 1 + etc/spotify.profile | 1 + etc/steam.profile | 1 + etc/thunderbird.profile | 1 + etc/transmission-gtk.profile | 2 ++ etc/transmission-qt.profile | 1 + etc/weechat.profile | 1 + etc/wine.profile | 1 + src/firejail/fs_trace.c | 5 ++++- src/firejail/profile.c | 4 ++++ src/man/firejail-profile.txt | 4 +++- 30 files changed, 42 insertions(+), 4 deletions(-) diff --git a/README b/README index 2dc6c0768..6b0f396a3 100644 --- a/README +++ b/README @@ -26,6 +26,7 @@ rogshdo (https://github.com/rogshdo) avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix + - added parole profile - blacklist ncat, manpage fixes, - hostname support in profile file - Google Chrome profile rework diff --git a/RELNOTES b/RELNOTES index 2a98c43a6..a799b7893 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,6 @@ firejail (0.9.35) baseline; urgency=low - * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat - and rtorrent profiles + * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, + parole and rtorrent profiles * Google Chrome profile rework * added google-chrome-stable profile * added google-chrome-beta profile diff --git a/etc/chromium.profile b/etc/chromium.profile index 76dc6b234..61b75f7a6 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile 
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc # netfilter +tracelog whitelist ${DOWNLOADS} whitelist ~/.config/chromium whitelist ~/.cache/chromium diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 7c1384523..dde756754 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile @@ -7,6 +7,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +tracelog noroot whitelist ~/.conkeror.mozdev.org whitelist ~/Downloads diff --git a/etc/deluge.profile b/etc/deluge.profile index 6ca5d33a4..98c2e4fc5 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -12,5 +12,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +tracelog noroot + diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index e0c5c93a3..8a57a8975 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -5,4 +5,5 @@ include /etc/firejail/disable-mgmt.inc private private-dev seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open +tracelog diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 52be5a8be..c0b7e6342 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -11,3 +11,5 @@ caps seccomp protocol unix,inet,inet6 noroot +tracelog + diff --git a/etc/evince.profile b/etc/evince.profile index 34d8162b3..977a2bd68 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -12,3 +12,4 @@ caps.drop all seccomp protocol unix,inet,inet6 noroot +tracelog diff --git a/etc/fbreader.profile b/etc/fbreader.profile index f94fc28df..1a530a867 100644 --- a/etc/fbreader.profile 
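Review bot: The deluge hunk ends with a bare `+` line, i.e. an added empty line after `noroot`, and the dropbox hunk on this same physical line and the transmission-gtk hunk later in the patch do the same, which leaves those three profiles ending in a trailing blank line while every other profile touched here ends on its last directive. Dropping the empty `+` line in each keeps the profile endings consistent; the diffstat (`2 ++` for exactly those three files) confirms the extra line is the only difference.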
+++ b/etc/fbreader.profile @@ -13,5 +13,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +tracelog noroot diff --git a/etc/filezilla.profile b/etc/filezilla.profile index ba8649067..3f20fe755 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -11,5 +11,6 @@ seccomp protocol unix,inet,inet6 noroot netfilter +tracelog diff --git a/etc/firefox.profile b/etc/firefox.profile index aa7808c37..2e8b2fa02 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -8,6 +8,7 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter +tracelog noroot whitelist ${DOWNLOADS} whitelist ~/.mozilla diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 6122876bf..d08a5f41d 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc # netfilter +tracelog whitelist ${DOWNLOADS} whitelist ~/.config/google-chrome-beta whitelist ~/.cache/google-chrome-beta diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 7b8b12d04..06b1399e1 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc # netfilter +tracelog whitelist ${DOWNLOADS} whitelist ~/.config/google-chrome-unstable whitelist ~/.cache/google-chrome-unstable diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 351490d7f..7d2580116 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc # netfilter +tracelog whitelist ${DOWNLOADS} whitelist ~/.config/google-chrome whitelist ~/.cache/google-chrome diff --git a/etc/midori.profile b/etc/midori.profile index 77a6fb984..9722d0313 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -8,4 +8,5 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +tracelog 
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index c1672abce..ab8f55e28 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile @@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc netfilter +tracelog whitelist ~/.config/opera-beta whitelist ${DOWNLOADS} whitelist ~/.cache/opera-beta diff --git a/etc/opera.profile b/etc/opera.profile index a76806ed0..c307e7703 100644 --- a/etc/opera.profile +++ b/etc/opera.profile @@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc netfilter +tracelog whitelist ~/.config/opera whitelist ${DOWNLOADS} whitelist ~/.cache/opera diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index dd50c779e..af5a6f697 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -12,5 +12,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +tracelog noroot diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index c2c0356d9..03aa8a71f 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -7,4 +7,5 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +tracelog noroot diff --git a/etc/skype.profile b/etc/skype.profile index 4d2d042cc..f1519b0ff 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -6,6 +6,7 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc caps.drop all netfilter +tracelog noroot seccomp protocol unix,inet,inet6 diff --git a/etc/spotify.profile b/etc/spotify.profile index 414660857..0063564ae 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -16,5 +16,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +tracelog noroot diff --git a/etc/steam.profile b/etc/steam.profile index 5b9244567..af49580ce 100644 --- a/etc/steam.profile +++ b/etc/steam.profile 
@@ -7,6 +7,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+tracelog
 noroot
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index d234d777e..f608f5467 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -21,5 +21,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index b0dfdbfad..1245a514b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -13,4 +13,6 @@ seccomp
 protocol unix,inet,inet6
 netfilter
 noroot
+tracelog
+
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 7aca04fe7..1af714953 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -12,5 +12,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 79e3ae774..1a9fa02b3 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -7,4 +7,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
diff --git a/etc/wine.profile b/etc/wine.profile
index 8a7f66773..6d1106993 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -8,5 +8,6 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+tracelog
 noroot
 seccomp
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index f555a6693..55a1b9c7a 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -59,8 +59,11 @@ void fs_trace(void) {
 errExit("fopen");
 if (arg_trace)
 fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
- else if (arg_tracelog)
+ else if (arg_tracelog) {
 fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
+ if (!arg_quiet) printf("Blacklist violations are logged to syslog\n");
+ }
 else
 assert(0);
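Review bot: The new `printf("Blacklist violations are logged to syslog\n")` is issued right after the `fprintf` into `fp`, before the preload file has been closed, so the user is told that logging is active even if that write or the later `fclose` fails; the notice should follow a successful close (fs_trace's body continues outside the hunk), or be printed by the caller once the setup is known to have succeeded. The added braces make the `else if` chain's structure explicit, but the trailing `else assert(0);` that follows the new block is compiled out under `NDEBUG`, leaving an empty preload file on an unexpected state; `else { fprintf(stderr, "Error: no trace library selected\n"); exit(1); }` would fail loudly in release builds as well.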
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 50fdeda7e..366a56e13 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -120,6 +120,10 @@ int profile_check_line(char *ptr, int lineno) {
 arg_shell_none = 1;
 return 0;
 }
+ else if (strcmp(ptr, "tracelog") == 0) {
+ arg_tracelog = 1;
+ return 0;
+ }
 else if (strcmp(ptr, "private") == 0) {
 arg_private = 1;
 return 0;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 90aca5130..600b82d3d 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -158,7 +158,9 @@ All modifications are discarded when the sandbox is closed.
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory. The modifications to file_or_directory are persistent, everything else is discarded when the sandbox is closed.
-
+.TP
+\f\ tracelog
+Blacklist violations logged to syslog.
 .SH Filters
 \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:
-- 
cgit v1.2.3-54-g00ecf
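Review bot: The new `tracelog` branch sets `arg_tracelog = 1` without noting that the flag is silently ignored when `--trace` is also in effect: the fs_trace.c hunk in this same patch tests `arg_trace` first and only falls through to `arg_tracelog`, so a profile author who enables tracelog under a traced sandbox gets neither the syslog entries nor the "logged to syslog" notice. A short comment on the branch would prevent that surprise, e.g. `// ignored when --trace is active: fs_trace() checks arg_trace first`, and a warning printed when both flags end up set would be better still. profile_check_line() starts and continues outside the hunk.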