From fabe7c1fa2409ed9d909efc093c37af346104869 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 11 Dec 2015 09:27:40 -0500
Subject: debug enhancements

---
 src/firejail/firejail.h | 4 +++-
 src/firejail/fs.c | 7 +++++++
 src/firejail/fs_whitelist.c | 28 ++++++++++++++--------------
 src/firejail/main.c | 12 ++++++++----
 src/firejail/usage.c | 7 +++++++
 src/man/firejail.txt | 30 ++++++++++++++++++++++++++++++
 6 files changed, 69 insertions(+), 19 deletions(-)
(limited to 'src')

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 967eb7e45..5590e9f54 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -187,7 +187,9 @@ static inline int any_interface_configured(void) {
 
 extern int arg_private; // mount private /home
 extern int arg_debug; // print debug messages
-extern int arg_debug_check_filename; // print debug messages for invalid_filename()
+extern int arg_debug_check_filename; // print debug messages for filename checking
+extern int arg_debug_blacklists; // print debug messages for blacklists
+extern int arg_debug_whitelists; // print debug messages for whitelists
 extern int arg_nonetwork; // --net=none
 extern int arg_command; // -c
 extern int arg_overlay; // overlay option
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index e62e2676b..1d2dc8e1e 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -205,6 +205,13 @@ static void disable_file(OPERATION op, const char *filename) {
 else {
 if (arg_debug)
 printf("Disable %s\n", fname);
+ else if (arg_debug_blacklists) {
+ printf("Disable %s", fname);
+ if (op == BLACKLIST_FILE)
+ printf("\n");
+ else
+ printf(" - no logging\n");
+ }
 if (S_ISDIR(s.st_mode)) {
 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("disable file");
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 37894fee1..465eaa7c8 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
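Review bot: In the disable_file() hunk of fs.c the new `else if (arg_debug_blacklists)` branch is skipped whenever `arg_debug` is also set, so the op-specific suffix on the `printf(" - no logging\n");` line is lost in exactly the run where full debug output is being collected, and the two flags report the same event differently. The fs_whitelist.c hunks in this commit use the combined form `if (arg_debug || arg_debug_whitelists)`; the blacklist site should follow suit, e.g. `if (arg_debug || arg_debug_blacklists) {` with a single printf that always appends the op-specific tail, dropping the separate `printf("Disable %s\n", fname);`. disable_file() starts and ends outside the hunk, and what the non-BLACKLIST_FILE operation means cannot be seen here.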
@@ -46,7 +46,7 @@ static char *resolve_downloads(void) {
 
 errExit("asprintf");
 if (stat(fname, &s) == 0) {
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Downloads directory resolved as \"%s\"\n", fname);
 
 char *rv;
@@ -86,10 +86,10 @@ static char *resolve_downloads(void) {
 if (ptr2) {
 fclose(fp);
 *ptr2 = '\0';
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("extracted %s from ~/.config/user-dirs.dirs\n", ptr1);
 if (strlen(ptr1) != 0) {
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Downloads directory resolved as \"%s\"\n", ptr1);
 
 if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
@@ -244,11 +244,11 @@ static void whitelist_path(ProfileEntry *entry) {
 // check if the file exists
 struct stat s;
 if (wfile && stat(wfile, &s) == 0) {
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Whitelisting %s\n", path);
 }
 else {
- if (arg_debug) {
+ if (arg_debug || arg_debug_whitelists) {
 fprintf(stderr, "Warning: %s is an invalid file, skipping...\n", path);
 }
 return;
@@ -341,7 +341,7 @@ void fs_whitelist(void) {
 char *fname = realpath(new_name, NULL);
 if (!fname) {
 // file not found, blank the entry in the list and continue
- if (arg_debug) {
+ if (arg_debug || arg_debug_whitelists) {
 printf("Removed whitelist path: %s\n", entry->data);
 printf("\texpanded: %s\n", new_name);
 printf("\treal path: (null)\n");
@@ -360,7 +360,7 @@ void fs_whitelist(void) {
 if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
 // whitelisting home directory is disabled if --private or --private-home option is present
 if (arg_private) {
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Removed whitelist path %s, --private option is present\n", entry->data);
 *entry->data = '\0';
 
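Review bot: The condition `arg_debug || arg_debug_whitelists` is spelled out at every debug site in fs_whitelist.c — the five hunks on this line plus the @@ -425 through @@ -557 hunks and the @@ -588 hunk that follow — so a third debug flag or a rename means editing sixteen lines again; a file-scope `static int debug_whitelists(void) { return arg_debug || arg_debug_whitelists; }` used at each site would keep the policy in one place. In the @@ -244 hunk of whitelist_path(), the `fprintf(stderr, "Warning: %s is an invalid file, skipping...\n", path);` remains inside the debug-gated branch, so a profile whitelist entry that points at a missing path is dropped silently in a normal run, which is precisely when the user needs to learn that their rule had no effect; since the branch is being edited anyway, consider issuing that warning unconditionally (or under `!arg_quiet`). resolve_downloads(), whitelist_path() and fs_whitelist() all extend beyond these hunks.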
@@ -425,7 +425,7 @@ void fs_whitelist(void) {
 if (asprintf(&newdata, "whitelist %s", fname) == -1)
 errExit("asprintf");
 entry->data = newdata;
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Replaced whitelist path: %s\n", entry->data);
 }
 free(fname);
@@ -469,7 +469,7 @@ void fs_whitelist(void) {
 errExit("mount bind");
 
 // mount tmpfs on /tmp
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /tmp directory\n");
 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
 errExit("mounting tmpfs on /tmp");
@@ -491,7 +491,7 @@ void fs_whitelist(void) {
 errExit("mount bind");
 
 // mount tmpfs on /media
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /media directory\n");
 if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /media");
@@ -513,7 +513,7 @@ void fs_whitelist(void) {
 errExit("mount bind");
 
 // mount tmpfs on /var
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /var directory\n");
 if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /var");
@@ -535,7 +535,7 @@ void fs_whitelist(void) {
 errExit("mount bind");
 
 // mount tmpfs on /dev
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /dev directory\n");
 if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /dev");
@@ -557,7 +557,7 @@ void fs_whitelist(void) {
 errExit("mount bind");
 
 // mount tmpfs on /opt
- if (arg_debug)
+ if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /opt directory\n");
 if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /opt");
@@ -588,7 +588,7 @@ void fs_whitelist(void) {
 int rv = symlink(entry->data + 10, entry->link);
 if (rv)
 fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
- else if (arg_debug)
+ else if (arg_debug || arg_debug_whitelists)
 printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
 }
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 75b90ae81..17a7286f7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -50,7 +50,9 @@ static char child_stack[STACK_SIZE]; // space for child's stack
 Config cfg; // configuration
 int arg_private = 0; // mount private /home and /tmp directoryu
 int arg_debug = 0; // print debug messages
-int arg_debug_check_filename; // print debug messages for invalid_filename()
+int arg_debug_check_filename; // print debug messages for filename checking
+int arg_debug_blacklists; // print debug messages for blacklists
+int arg_debug_whitelists; // print debug messages for whitelists
 int arg_nonetwork = 0; // --net=none
 int arg_command = 0; // -c
 int arg_overlay = 0; // overlay option
@@ -468,10 +470,12 @@ int main(int argc, char **argv) {
 
 if (strcmp(argv[i], "--debug") == 0)
 arg_debug = 1;
- else if (strcmp(argv[i], "--debug-check-filename") == 0) {
- arg_debug = 1;
+ else if (strcmp(argv[i], "--debug-check-filename") == 0)
 arg_debug_check_filename = 1;
- }
+ else if (strcmp(argv[i], "--debug-blacklists") == 0)
+ arg_debug_blacklists = 1;
+ else if (strcmp(argv[i], "--debug-whitelists") == 0)
+ arg_debug_whitelists = 1;
 else if (strcmp(argv[i], "--quiet") == 0)
 arg_quiet = 1;
 
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 9d5549a77..3d9d745b3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
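Review bot: The two new globals in the @@ -50 hunk of main.c, `int arg_debug_blacklists;` and `int arg_debug_whitelists;`, are defined without an initializer while every neighbouring flag is written `= 0`; file-scope objects are zero-initialized so this is not a bug, but the inconsistency invites a reader to wonder whether they are assigned somewhere else. Writing `int arg_debug_blacklists = 0;` and `int arg_debug_whitelists = 0;` (and the same for the pre-existing `arg_debug_check_filename`) keeps the block uniform and matches the `arg_debug = 0;` line just above. In the @@ -468 hunk `--debug-check-filename` no longer sets `arg_debug`; if any filename-checking message elsewhere is still gated on `arg_debug` alone, it would now stay silent under that flag — worth confirming, since those sites are not in this diff. main() continues outside the hunk.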
@@ -65,15 +65,22 @@ void usage(void) {
 printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n");
 printf("\t\tExample: cpu=0,1,2\n\n");
 printf("\t--csh - use /bin/csh as default shell.\n\n");
+ printf("\t--debug - print sandbox debug messages.\n\n");
+ printf("\t--debug-blacklists - debug blacklisting.\n\n");
 printf("\t--debug-caps - print all recognized capabilities in the current\n");
 printf("\t\tFirejail software build and exit.\n\n");
+ printf("\t--debug-check-filename - debug filename checking.\n\n");
 printf("\t--debug-errnos - print all recognized error numbres in the current\n");
 printf("\t\tFirejail software build and exit.\n\n");
 printf("\t--debug-protocols - print all recognized protocols in the current\n");
 printf("\t\tFirejail software build and exit.\n\n");
 printf("\t--debug-syscalls - print all recognized system calls in the current\n");
 printf("\t\tFirejail software build and exit.\n\n");
+ printf("\t--debug-whitelists - debug whitelisting.\n\n");
+
+
+
 printf("\t--defaultgw=address - use this address as default gateway in the new\n");
 printf("\t\tnetwork namespace.\n\n");
 printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e2382eb9f..57b169e89 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -242,6 +242,16 @@ Example:
 .br
 $ firejail \-\-debug firefox
+.TP
+\fB\-\-debug-blackilsts\fR
+Debug blacklisting.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-blacklists firefox
+
 .TP
 \fB\-\-debug-caps
 Print all recognized capabilities in the current Firejail software build and exit.
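Review bot: The @@ -65 hunk of usage() adds three empty lines after the `--debug-whitelists` entry and before `--defaultgw`; every other entry is separated only by the `\n\n` inside its own string, so these look like leftover editing and should be dropped. The new one-line descriptions `debug blacklisting.` and `debug whitelisting.` say less than the comments this commit adds to firejail.h; `print debug messages for blacklisting.` (and likewise for whitelisting and filename checking) would tell the user what the flag actually produces. The option names here agree with the parser in main.c, whereas the man page hunks in this commit head their new entries `\-\-debug-blackilsts` and `\-\-debug-whitelsts`, which a reader searching the manual for the real option name will not find. usage() continues outside the hunk.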
@@ -251,6 +261,16 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
+.TP
+\fB\-\-debug-check-filename\fR
+Debug filename checking.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-check-filename firefox
+
 .TP
 \fB\-\-debug-errnos
 Print all recognized error numbers in the current Firejail software build and exit.
@@ -278,6 +298,16 @@ Print all recognized system calls in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-syscalls
+.TP
+\fB\-\-debug-whitelsts\fR
+Debug whitelisting.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-whitelists firefox
+
 .TP
 \fB\-\-defaultgw=address
 Use this address as default gateway in the new network namespace.
-- 
cgit v1.2.3-54-g00ecf