github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1

tracelog disabled by default in /etc/firejail/firejail.config file

Browse source
This commit is contained in:
netblue30 2022-08-29 12:30:05 -04:00
parent 836ffe37ff
commit 6e687c3011
6 changed files with 33 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README
View file

@ -252,6 +252,8 @@ cayday (https://github.com/caydey)
Christian Pinedo (https://github.com/chrpinedo) Christian Pinedo (https://github.com/chrpinedo)
- added nicotine profile - added nicotine profile
- allow python3 in totem profile - allow python3 in totem profile
ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- Landlock support
creideiki (https://github.com/creideiki) creideiki (https://github.com/creideiki)
- make the sandbox process reap all children - make the sandbox process reap all children
- tor browser profile fix - tor browser profile fix

5
etc/firejail.config
View file

@ -57,6 +57,11 @@
# to the specified period of time to allow sandbox setup to finish. # to the specified period of time to allow sandbox setup to finish.
# join-timeout 5 # join-timeout 5
# tracelog enables auditing blacklisted files and directories. A message
# is sent to syslog in case the file or the directory is accessed.
# Disabled by default.
# tracelog no
# Enable or disable sandbox name change, default enabled. # Enable or disable sandbox name change, default enabled.
# name-change yes # name-change yes

2
src/firejail/checkcfg.c
View file

@ -62,6 +62,7 @@ int checkcfg(int val) {
cfg_val[CFG_CHROOT] = 0; cfg_val[CFG_CHROOT] = 0;
cfg_val[CFG_SECCOMP_LOG] = 0; cfg_val[CFG_SECCOMP_LOG] = 0;
cfg_val[CFG_PRIVATE_LIB] = 0; cfg_val[CFG_PRIVATE_LIB] = 0;
cfg_val[CFG_TRACELOG] = 0;
// open configuration file // open configuration file
const char *fname = SYSCONFDIR "/firejail.config"; const char *fname = SYSCONFDIR "/firejail.config";
@ -111,6 +112,7 @@ int checkcfg(int val) {
PARSE_YESNO(CFG_SECCOMP, "seccomp") PARSE_YESNO(CFG_SECCOMP, "seccomp")
PARSE_YESNO(CFG_NETWORK, "network") PARSE_YESNO(CFG_NETWORK, "network")
PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
PARSE_YESNO(CFG_TRACELOG, "tracelog")
PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")

32
src/firejail/firejail.h
View file

@ -32,25 +32,6 @@
// debug restricted shell // debug restricted shell
//#define DEBUG_RESTRICTED_SHELL //#define DEBUG_RESTRICTED_SHELL
#ifdef HAVE_LANDLOCK
extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
extern int landlock_restrict_self(int fd,__u32 flags);
extern int create_full_ruleset();
extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
extern int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
#endif
// profiles // profiles
#define DEFAULT_USER_PROFILE "default" #define DEFAULT_USER_PROFILE "default"
@ -857,6 +838,7 @@ enum {
// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
CFG_ALLOW_TRAY, CFG_ALLOW_TRAY,
CFG_SECCOMP_LOG, CFG_SECCOMP_LOG,
CFG_TRACELOG,
CFG_MAX // this should always be the last entry CFG_MAX // this should always be the last entry
}; };
extern char *xephyr_screen; extern char *xephyr_screen;
@ -963,4 +945,16 @@ void run_ids(int argc, char **argv);
// oom.c // oom.c
void oom_set(const char *oom_string); void oom_set(const char *oom_string);
// landlock.c
#ifdef HAVE_LANDLOCK
int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
int landlock_restrict_self(int fd,__u32 flags);
int create_full_ruleset();
int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
int add_execute_rule_by_path(int rset_fd,char *allowed_path);
#endif
#endif #endif

9
src/firejail/main.c
View file

@ -348,7 +348,8 @@ errout:
static void exit_err_feature(const char *feature) { static void exit_err_feature(const char *feature) {
fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature); fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
feature, SYSCONFDIR "/firejail.config");
exit(1); exit(1);
} }
@ -1570,8 +1571,12 @@ int main(int argc, char **argv, char **envp) {
arg_tracefile = tmp; arg_tracefile = tmp;
} }
} }
else if (strcmp(argv[i], "--tracelog") == 0) else if (strcmp(argv[i], "--tracelog") == 0) {
if (checkcfg(CFG_TRACELOG))
arg_tracelog = 1; arg_tracelog = 1;
else
exit_err_feature("tracelog");
}
else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
check_unsigned(argv[i] + 13, "Error: invalid rlimit"); check_unsigned(argv[i] + 13, "Error: invalid rlimit");
sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu); sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);

2
src/firejail/profile.c
View file

@ -372,7 +372,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0; return 0;
} }
else if (strcmp(ptr, "tracelog") == 0) { else if (strcmp(ptr, "tracelog") == 0) {
if (checkcfg(CFG_TRACELOG))
arg_tracelog = 1; arg_tracelog = 1;
// no warning, we have tracelog in over 400 profiles
return 0; return 0;
} }
else if (strcmp(ptr, "private") == 0) { else if (strcmp(ptr, "private") == 0) {