From fa88b858da3a412c0111185fc0576fc9ad3c4be3 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 3 Dec 2015 11:57:07 -0500
Subject: --tracelog

---
 src/firejail/fs.c | 14 ++++++++++++--
 src/firejail/profile.c | 2 ++
 src/firejail/usage.c | 4 ++--
 src/man/firejail.txt | 23 ++++++++++++++++++++++-
 4 files changed, 38 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ebeaf51c7..e62e2676b 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -157,6 +157,7 @@ void fs_delete_cp_command(void) {
 //***********************************************
 typedef enum {
 BLACKLIST_FILE,
+ BLACKLIST_NOLOG,
 MOUNT_READONLY,
 MOUNT_TMPFS,
 OPERATION_MAX
@@ -194,7 +195,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 // modify the file
- if (op == BLACKLIST_FILE) {
+ if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
 // some distros put all executables under /usr/bin and make /bin a symbolic link
 if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) &&
 is_link(filename) &&
@@ -213,7 +214,10 @@ static void disable_file(OPERATION op, const char *filename) {
 errExit("disable file");
 }
 last_disable = SUCCESSFUL;
- fs_logger2("blacklist", fname);
+ if (op == BLACKLIST_FILE)
+ fs_logger2("blacklist", fname);
+ else
+ fs_logger2("blacklist-nolog", fname);
 }
 }
 else if (op == MOUNT_READONLY) {
@@ -282,6 +286,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
 if (okay_to_blacklist)
 disable_file(op, path);
+ else if (arg_debug)
+ printf("Not blacklist %s\n", path);
 }
 globfree(&globbuf);
 }
@@ -366,6 +372,10 @@ void fs_blacklist(void) {
 ptr = entry->data + 10;
 op = BLACKLIST_FILE;
 }
+ else if (strncmp(entry->data, "blacklist-nolog ", 16) == 0) {
+ ptr = entry->data + 16;
+ op = BLACKLIST_NOLOG;
+ }
 else if (strncmp(entry->data, "read-only ", 10) == 0) {
 ptr = entry->data + 10;
 op = MOUNT_READONLY;
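Review bot: The new BLACKLIST_NOLOG enumerator carries no comment saying how it differs from BLACKLIST_FILE, and elsewhere in this diff the two are handled identically except for the tag string passed to fs_logger2 in disable_file. A reader of the enum alone cannot tell whether "nolog" means the file is not logged at all or only that --tracelog is meant to skip it; a one-line comment would settle that, e.g. `BLACKLIST_NOLOG, // as BLACKLIST_FILE, but recorded under the "blacklist-nolog" tag (presumably so --tracelog does not report accesses to it)`. The "presumably" should be resolved by whoever knows the consumer of the fs-logger tags, since that consumer is not in this diff. The enum's closing brace and typedef name fall outside the hunk.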
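Review bot: The `else` branch of the new `if (op == BLACKLIST_FILE)` in disable_file makes the tag handed to fs_logger2 the only behavioral difference between the two blacklist operations, yet nothing here states who reads that tag or why "blacklist-nolog" must stay distinct from "blacklist". If, as the option name suggests, the --tracelog side filters fs-logger lines on an exact "blacklist " prefix, that contract should be written down next to the call so a later cleanup does not merge the branches or rename the tag: `// tag is consumed by the --tracelog loader; "blacklist-nolog" entries are meant to be skipped there — confirm against the loader before changing either string`. As written this is inferred from the option name, not from the diff. disable_file begins and ends outside this hunk.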
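Review bot: The hand-counted keyword length in `strncmp(entry->data, "blacklist-nolog ", 16)` and `ptr = entry->data + 16` in fs_blacklist is duplicated, literal for literal, in profile_check_line in profile.c, so the two parsers can silently drift if either keyword is edited. Deriving the length from the string removes the count: `else if (strncmp(entry->data, "blacklist-nolog ", sizeof("blacklist-nolog ") - 1) == 0) {` and `ptr = entry->data + sizeof("blacklist-nolog ") - 1;`. The placement after the `"blacklist "` test is safe as far as the hunk shows, because the tenth character of the new keyword is '-' rather than ' ', but that ordering dependency is worth a short comment too. fs_blacklist continues past the end of the hunk.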
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a8eedcaff..50fdeda7e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -370,6 +370,8 @@ int profile_check_line(char *ptr, int lineno) {
 // rest of filesystem
 if (strncmp(ptr, "blacklist ", 10) == 0)
 ptr += 10;
+ else if (strncmp(ptr, "blacklist-nolog ", 16) == 0)
+ ptr += 16;
 else if (strncmp(ptr, "noblacklist ", 12) == 0)
 ptr += 12;
 else if (strncmp(ptr, "whitelist ", 10) == 0) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index a64bafeb4..d060af5eb 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -263,8 +263,8 @@ void usage(void) {
 printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n");
 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
 printf("\t--trace - trace open, access and connect system calls.\n\n");
- printf("\t--tracelog - add a log message in syslog for every access to blacklisted\n");
- printf("\t\tfiles or directories.\n\n");
+ printf("\t--tracelog - add a syslog message for every access to files or\n");
+ printf("\t\tdirectoires blacklisted by the security profile.\n\n");
 printf("\t--tree - print a tree of all sandboxed processes.\n\n");
 printf("\t--version - print program version and exit.\n\n");
 printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 28f75d023..62225c407 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
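Review bot: profile_check_line now accepts a new profile keyword, `blacklist-nolog`, but the commit's diffstat touches only src/man/firejail.txt for the --tracelog option, so wherever profile commands are documented the keyword stays undescribed and users have no way to learn that it exists or when to prefer it over `blacklist`. A short comment on the new branch would at least document it for maintainers: `// blacklist-nolog: same filesystem effect as blacklist; the distinct tag is meant to keep --tracelog quiet about the path`, with the man-page entry for profile commands updated to say the same. The second sentence of that comment is inferred from the option name rather than shown by the diff and should be confirmed. profile_check_line begins and ends outside the hunk.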
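Review bot: The new help string in usage() misspells "directories" as "directoires", and this line is what every user sees from `firejail --help`. The fix is the one line `printf("\t\tdirectoires blacklisted by the security profile.\n\n");` becoming `printf("\t\tdirectories blacklisted by the security profile.\n\n");`. usage() continues outside the hunk.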
@@ -1297,7 +1297,28 @@ Child process initialized parent is shutting down, bye... .TP \fB\-\-tracelog -Add a log message in syslog for every access to blacklisted files or directories. +This option enables auditing blacklisted files and directories. A message +is sent to syslog in case the file or the directory is accessed. +.br + +.br +Example: +.br +$ firejail --tracelog firefox +.br + +.br +Sample messages: +.br +$ sudo tail -f /var/log/syslog +.br +[...] +.br +Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow +.br +Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot +.br +[...] .TP \fB\-\-tree Print a tree of all sandboxed processes, see MONITORING section for more details. -- cgit v1.2.3-70-g09d2