From fa88b858da3a412c0111185fc0576fc9ad3c4be3 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 3 Dec 2015 11:57:07 -0500
Subject: --tracelog

---
 README.md | 16 ++++++++++++++++
 etc/disable-common.inc | 10 +++++-----
 src/firejail/fs.c | 14 ++++++++++++--
 src/firejail/profile.c | 2 ++
 src/firejail/usage.c | 4 ++--
 src/man/firejail.txt | 23 ++++++++++++++++++++++-
 6 files changed, 59 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 692e689a3..477e59ee0 100644
--- a/README.md
+++ b/README.md
@@ -95,3 +95,19 @@ New profiles introduced in this version: unbound, dnscrypt-proxy
 ### --whitelist
 Whitelist command accepts files in user home, /dev, /media, /var, and /tmp directories.
+
+### --tracelog
+
+Tracelog command enables auditing blacklisted files and directories. A message
+is sent to syslog in case the file or the directory is accessed. Example:
+`````
+$ firejail --tracelog firefox
+`````
+Syslog example:
+`````
+$ sudo tail -f /var/log/syslog
+[...]
+Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe iceweasel, syscall open64, path /etc/shadow
+Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe iceweasel, syscall opendir, path /boot
+[...]
+`````
\ No newline at end of file
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index fdb3e552b..0b98a01e8 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,11 +1,11 @@
 # History files in $HOME
-blacklist ${HOME}/.history
-blacklist ${HOME}/.*_history
+blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.*_history
 # HTTP / FTP / Mail
-blacklist ${HOME}/.adobe
-blacklist ${HOME}/.macromedia
-blacklist ${HOME}/.mozilla
+blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.mozilla
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.sylpheed-2.0
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ebeaf51c7..e62e2676b 100644
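Review bot: The disable-common.inc hunk moves the `.history` / `.*_history` files and the `.adobe`, `.macromedia` and `.mozilla` directories from `blacklist` to `blacklist-nolog` without recording why, which means that with --tracelog an access to those paths from a sandboxed program no longer produces a syslog message. If the intent is to keep the audit log free of an application's routine accesses to its own data, that reasoning belongs next to the entries, e.g. `# -nolog: touched routinely by the owning application; kept out of the --tracelog audit on purpose`, so the reduced coverage is visibly deliberate. If that is not the intent, the history files in particular are the kind of path an auditor would expect to stay on the logged list.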
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -157,6 +157,7 @@ void fs_delete_cp_command(void) {
 //***********************************************
 typedef enum {
 BLACKLIST_FILE,
+ BLACKLIST_NOLOG,
 MOUNT_READONLY,
 MOUNT_TMPFS,
 OPERATION_MAX
@@ -194,7 +195,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 // modify the file
- if (op == BLACKLIST_FILE) {
+ if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
 // some distros put all executables under /usr/bin and make /bin a symbolic link
 if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) &&
 is_link(filename) &&
@@ -213,7 +214,10 @@ static void disable_file(OPERATION op, const char *filename) {
 errExit("disable file");
 }
 last_disable = SUCCESSFUL;
- fs_logger2("blacklist", fname);
+ if (op == BLACKLIST_FILE)
+ fs_logger2("blacklist", fname);
+ else
+ fs_logger2("blacklist-nolog", fname);
 }
 }
 else if (op == MOUNT_READONLY) {
@@ -282,6 +286,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
 if (okay_to_blacklist)
 disable_file(op, path);
+ else if (arg_debug)
+ printf("Not blacklist %s\n", path);
 }
 globfree(&globbuf);
 }
@@ -366,6 +372,10 @@ void fs_blacklist(void) {
 ptr = entry->data + 10;
 op = BLACKLIST_FILE;
 }
+ else if (strncmp(entry->data, "blacklist-nolog ", 16) == 0) {
+ ptr = entry->data + 16;
+ op = BLACKLIST_NOLOG;
+ }
 else if (strncmp(entry->data, "read-only ", 10) == 0) {
 ptr = entry->data + 10;
 op = MOUNT_READONLY;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a8eedcaff..50fdeda7e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -370,6 +370,8 @@ int profile_check_line(char *ptr, int lineno) {
 // rest of filesystem
 if (strncmp(ptr, "blacklist ", 10) == 0)
 ptr += 10;
+ else if (strncmp(ptr, "blacklist-nolog ", 16) == 0)
+ ptr += 16;
 else if (strncmp(ptr, "noblacklist ", 12) == 0)
 ptr += 12;
 else if (strncmp(ptr, "whitelist ", 10) == 0) {
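Review bot: BLACKLIST_NOLOG is added to the OPERATION enum without a comment, and within this patch the only thing that separates it from BLACKLIST_FILE is the tag passed to fs_logger2 in the third fs.c hunk (`"blacklist"` versus `"blacklist-nolog"`); the mount-over done by disable_file is identical for both. The code that actually honours that tag (presumably the --tracelog consumer of the fs log) is not in this diff, so a reader of fs.c cannot tell what the new value changes. A one-line comment on the enumerator would close the gap: `BLACKLIST_NOLOG, // blacklisted exactly like BLACKLIST_FILE, but logged with the "blacklist-nolog" tag so the access audit can skip it`. The enum and disable_file both continue outside their hunks.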
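Review bot: In the fs_blacklist hunk the new keyword `"blacklist-nolog "` and its length 16 are written out by hand, and the same pair is repeated in the profile.c hunk (`strncmp(ptr, "blacklist-nolog ", 16)`); the file already does this for the other keywords, but two copies of a keyword/length pair drift easily, and a wrong length here would silently accept or reject profile lines. Using `sizeof("blacklist-nolog ") - 1` in both places, or one shared `#define`, keeps the length tied to the literal. The ordering is correct as written: the earlier `"blacklist "` test cannot match a `blacklist-nolog` line because its tenth character is `-`, not a space. fs_blacklist and profile_check_line both continue outside their hunks.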
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index a64bafeb4..d060af5eb 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -263,8 +263,8 @@ void usage(void) {
 printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n");
 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
 printf("\t--trace - trace open, access and connect system calls.\n\n");
- printf("\t--tracelog - add a log message in syslog for every access to blacklisted\n");
- printf("\t\tfiles or directories.\n\n");
+ printf("\t--tracelog - add a syslog message for every access to files or\n");
+ printf("\t\tdirectoires blacklisted by the security profile.\n\n");
 printf("\t--tree - print a tree of all sandboxed processes.\n\n");
 printf("\t--version - print program version and exit.\n\n");
 printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 28f75d023..62225c407 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1297,7 +1297,28 @@ Child process initialized
 parent is shutting down, bye...
 .TP
 \fB\-\-tracelog
-Add a log message in syslog for every access to blacklisted files or directories.
+This option enables auditing blacklisted files and directories. A message
+is sent to syslog in case the file or the directory is accessed.
+.br
+
+.br
+Example:
+.br
+$ firejail --tracelog firefox
+.br
+
+.br
+Sample messages:
+.br
+$ sudo tail -f /var/log/syslog
+.br
+[...]
+.br
+Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
+.br
+Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
+.br
+[...]
 .TP
 \fB\-\-tree
 Print a tree of all sandboxed processes, see MONITORING section for more details.
-- 
cgit v1.2.3-70-g09d2
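Review bot: The rewritten second help line in the usage.c hunk misspells "directories" as "directoires" in user-visible --help output: `printf("\t\tdirectoires blacklisted by the security profile.\n\n");` should read `printf("\t\tdirectories blacklisted by the security profile.\n\n");`. The man page hunk in the same commit spells the word correctly, so only the --help text is off. usage() continues outside the hunk.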