tracelog disabled by default in /etc/firejail/firejail.config file
Committer note: This is the same as commit 6e687c301 ("tracelog disabled
by default in /etc/firejail/firejail.config file", 2022-08-29) but
without the Landlock-related changes.
parent
97874c3bf9
commit
7bd03a67ba
5 changed files with 19 additions and 4 deletions
|
|
@ -57,6 +57,11 @@
|
|||
# to the specified period of time to allow sandbox setup to finish.
|
||||
# join-timeout 5
|
||||
|
||||
# tracelog enables auditing blacklisted files and directories. A message
|
||||
# is sent to syslog in case the file or the directory is accessed.
|
||||
# Disabled by default.
|
||||
# tracelog no
|
||||
|
||||
# Enable or disable sandbox name change, default enabled.
|
||||
# name-change yes
|
||||
|
||||
|
|
|
|||
|
|
@ -62,6 +62,7 @@ int checkcfg(int val) {
|
|||
cfg_val[CFG_CHROOT] = 0;
|
||||
cfg_val[CFG_SECCOMP_LOG] = 0;
|
||||
cfg_val[CFG_PRIVATE_LIB] = 0;
|
||||
cfg_val[CFG_TRACELOG] = 0;
|
||||
|
||||
// open configuration file
|
||||
const char *fname = SYSCONFDIR "/firejail.config";
|
||||
|
|
@ -111,6 +112,7 @@ int checkcfg(int val) {
|
|||
PARSE_YESNO(CFG_SECCOMP, "seccomp")
|
||||
PARSE_YESNO(CFG_NETWORK, "network")
|
||||
PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
|
||||
PARSE_YESNO(CFG_TRACELOG, "tracelog")
|
||||
PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
|
||||
PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
|
||||
PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
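Review bot: The new default `cfg_val[CFG_TRACELOG] = 0;` switches off syslog auditing of blacklisted-path access on every existing install unless the administrator sets `tracelog yes`, and nothing at that line says so. I would add a comment next to it such as `// tracelog is opt-in: no syslog audit of blacklist hits unless firejail.config says "tracelog yes"`, so the decision is visible alongside the other defaults. Sites that alert on those syslog messages will stop receiving them after upgrading, which also deserves a line in the release notes. checkcfg's body starts and ends outside both hunks.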
|
||||
|
|
|
|||
|
|
@ -831,6 +831,7 @@ enum {
|
|||
// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
|
||||
CFG_ALLOW_TRAY,
|
||||
CFG_SECCOMP_LOG,
|
||||
CFG_TRACELOG,
|
||||
CFG_MAX // this should always be the last entry
|
||||
};
|
||||
extern char *xephyr_screen;
|
||||
|
|
|
|||
|
|
@ -343,7 +343,8 @@ errout:
|
|||
|
||||
|
||||
static void exit_err_feature(const char *feature) {
|
||||
fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
|
||||
fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
|
||||
feature, SYSCONFDIR "/firejail.config");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
|
@ -1489,8 +1490,12 @@ int main(int argc, char **argv, char **envp) {
|
|||
arg_tracefile = tmp;
|
||||
}
|
||||
}
|
||||
else if (strcmp(argv[i], "--tracelog") == 0)
|
||||
arg_tracelog = 1;
|
||||
else if (strcmp(argv[i], "--tracelog") == 0) {
|
||||
if (checkcfg(CFG_TRACELOG))
|
||||
arg_tracelog = 1;
|
||||
else
|
||||
exit_err_feature("tracelog");
|
||||
}
|
||||
else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
|
||||
check_unsigned(argv[i] + 13, "Error: invalid rlimit");
|
||||
sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);
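Review bot: In `exit_err_feature` the path is spelled out again as `SYSCONFDIR "/firejail.config"`, the same literal that checkcfg() assigns to `fname`. If one of the two is ever changed, the error text will point users at a file other than the one actually parsed. A single shared definition used in both places, for example `#define FIREJAIL_CONFIG_FILE SYSCONFDIR "/firejail.config"` (the name is only a suggestion), would keep them in step.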
|
||||
|
|
|
|||
|
|
@ -372,7 +372,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
|
|||
return 0;
|
||||
}
|
||||
else if (strcmp(ptr, "tracelog") == 0) {
|
||||
arg_tracelog = 1;
|
||||
if (checkcfg(CFG_TRACELOG))
|
||||
arg_tracelog = 1;
|
||||
// no warning, we have tracelog in over 400 profiles
|
||||
return 0;
|
||||
}
|
||||
else if (strcmp(ptr, "private") == 0) {
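Review bot: When `checkcfg(CFG_TRACELOG)` is false, the profile's `tracelog` line is dropped with no output at all, so someone who expects blacklist accesses to be audited cannot tell from a run that they are not. The comment explains why a regular warning would be too noisy, but a message printed only in debug mode costs nothing in normal use, for example `else if (arg_debug) printf("tracelog ignored: disabled in firejail.config\n");` (assuming the `arg_debug` flag is visible in this file). The `// no warning, ...` comment would also read more clearly on the else path it describes. profile_check_line continues outside the hunk.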
|
||||
|
|
|
|||