From 4579993d9b756d0821fa77a8fff409e764f2107a Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 30 Jan 2017 11:01:32 -0500
Subject: --writable-var-log
---
 src/firejail/firejail.h | 1 +
 src/firejail/fs.c | 21 ++++++++++++++++-----
 src/firejail/main.c | 6 +++++-
 src/firejail/profile.c | 4 ++++
 src/firejail/usage.c | 1 +
 src/man/firejail-profile.txt | 5 +++++
 src/man/firejail.txt | 11 +++++++++++
 7 files changed, 43 insertions(+), 6 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7d6e16094..7e5412630 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_writable_var; // writable var
+extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_audit; // audit
 extern char *arg_audit_prog; // audit
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index a4d4db7fe..3cda68f1b 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -445,6 +445,7 @@ static void fs_rdwr(const char *dir) {
 mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
 errExit("mount read-write");
 fs_logger2("read-write", dir);
+printf("readwrite %s\n", dir);
 }
 }
@@ -682,11 +683,13 @@ void fs_basic_fs(void) {
 fs_rdonly("/usr");
 // update /var directory in order to support multiple sandboxes running on the same root directory
-// if (!arg_private_dev)
-// fs_dev_shm();
 fs_var_lock();
 fs_var_tmp();
- fs_var_log();
+ if (!arg_writable_var_log)
+ fs_var_log();
+ else
+ fs_rdwr("/var/log");
+
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
@@ -996,7 +999,11 @@ void fs_overlayfs(void) {
 // fs_dev_shm();
 fs_var_lock();
 fs_var_tmp();
- fs_var_log();
+ if (!arg_writable_var_log)
+ fs_var_log();
+ else
+ fs_rdwr("/var/log");
+
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
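Review bot: The `printf("readwrite %s\n", dir);` added after the fs_logger2() call in fs_rdwr looks like a leftover debug statement: it is unconditional, sits at column 0 unlike the surrounding code, and fs_rdwr is the helper shared by the existing --writable-etc and --writable-var paths, so every read-write remount now also writes to the launched program's stdout. The fs_logger2() call on the previous line already records the remount, so the line should be dropped, or, if the output is wanted for troubleshooting, gated on the existing debug flag: `if (arg_debug) printf("readwrite %s\n", dir);`. fs_rdwr's body begins outside the hunk.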
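Review bot: The `if (!arg_writable_var_log) fs_var_log(); else fs_rdwr("/var/log");` block is pasted verbatim into fs_basic_fs here and again into fs_overlayfs and fs_chroot in the next two hunks; a single static helper called from the three sites would keep the /var/log policy in one place, so that any later tightening of the writable path (or an ownership check) is not repeated three times. This hunk also deletes the commented-out `// if (!arg_private_dev)` / `// fs_dev_shm();` lines from fs_basic_fs while the same dead comment remains as context in fs_overlayfs and fs_chroot, so the cleanup is inconsistent across the three functions. Note that with the flag set nothing in the new code itself restricts who may bind the host's real /var/log read-write into the sandbox; whatever check fs_rdwr performs is outside this hunk and should be confirmed before the option is documented as safe for unprivileged users. The enclosing functions start and end outside the hunks.
```c
// One place for the /var/log decision shared by fs_basic_fs, fs_overlayfs and fs_chroot:
// either the tmpfs skeleton (default) or the real directory remounted read-write.
static void fs_var_log_setup(void) {
	if (arg_writable_var_log)
		fs_rdwr("/var/log");
	else
		fs_var_log();
}
// … unchanged: callers replace the four-line if/else with fs_var_log_setup(); …
```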
@@ -1226,7 +1233,11 @@ void fs_chroot(const char *rootdir) {
 // fs_dev_shm();
 fs_var_lock();
 fs_var_tmp();
- fs_var_log();
+ if (!arg_writable_var_log)
+ fs_var_log();
+ else
+ fs_rdwr("/var/log");
+
 fs_var_lib();
 fs_var_cache();
 fs_var_utmp();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8fea98950..7c6568903 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -114,7 +114,8 @@ int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 int arg_machineid = 0; // preserve /etc/machine-id
-int arg_allow_private_blacklist = 0; // blacklist things in private directories
+int arg_allow_private_blacklist = 0; // blacklist things in private directories
+int arg_writable_var_log; // writable /var/log
 int login_shell = 0;
@@ -1488,6 +1489,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
+ else if (strcmp(argv[i], "--writable-var-log") == 0) {
+ arg_writable_var_log = 1;
+ }
 else if (strcmp(argv[i], "--machine-id") == 0) {
 arg_machineid = 1;
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d188f97a8..4856b31ae 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -673,6 +673,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_writable_var = 1;
 return 0;
 }
+ if (strcmp(ptr, "writable-var-log") == 0) {
+ arg_writable_var_log = 1;
+ return 0;
+ }
 // private directory
 if (strncmp(ptr, "private ", 8) == 0) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 6f16a5868..15ba22d4d 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
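Review bot: `int arg_writable_var_log;` is the only declaration in this block of main.c without an explicit initializer; as a file-scope object it still starts at zero, but every neighbouring flag is written `= 0`, so `int arg_writable_var_log = 0; // writable /var/log` would keep the block uniform and make the default obvious to a reader. The `-`/`+` pair for arg_allow_private_blacklist shows identical text on both sides here, so it appears to be a whitespace-only change that is unrelated noise in a feature commit.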
@@ -192,6 +192,7 @@ void usage(void) {
 #endif
 printf(" --writable-etc - /etc directory is mounted read-write.\n");
 printf(" --writable-var - /var directory is mounted read-write.\n");
+ printf(" --writable-var-log - use the real /var/log directory, not a clone.\n");
 printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
 printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
 printf("\tattempt to use X11 security extension.\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 034f1beac..90dca19bf 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -244,6 +244,11 @@ Mount /etc directory read-write.
 .TP
 \fBwritable-var
 Mount /var directory read-write.
+.TP
+\fBwritable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+
 .SH Security filters
 The following security filters are currently implemented:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b836fd738..993186476 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1725,6 +1725,17 @@ Example:
 .br
 $ sudo firejail --writable-var
+.TP
+\fB\-\-writable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-var-log
+
 .TP
 \fB\-\-x11
-- cgit v1.2.3-70-g09d2
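Review bot: The new usage line says only "use the real /var/log directory, not a clone", while the two sibling lines above it state the actual effect ("directory is mounted read-write"); since fs.c implements this option as `fs_rdwr("/var/log")`, the help text should say so as well so the user sees that the sandbox gets write access to the host's real log directory. Suggested wording: `printf(" --writable-var-log - /var/log directory is mounted read-write instead of a tmpfs clone.\n");`. usage() begins outside the hunk.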