mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
Revert "tracelog disabled by default in /etc/firejail/firejail.config file"
This reverts commit 6e687c3011.
Part of reverting commits with Landlock-related changes.
parent
2a79f3a268
commit
bfcacff665
6 changed files with 23 additions and 33 deletions
2
README
2
README
|
|
@ -252,8 +252,6 @@ cayday (https://github.com/caydey)
|
|||
Christian Pinedo (https://github.com/chrpinedo)
|
||||
- added nicotine profile
|
||||
- allow python3 in totem profile
|
||||
ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
|
||||
- Landlock support
|
||||
creideiki (https://github.com/creideiki)
|
||||
- make the sandbox process reap all children
|
||||
- tor browser profile fix
|
||||
|
|
|
|||
|
|
@ -57,11 +57,6 @@
|
|||
# to the specified period of time to allow sandbox setup to finish.
|
||||
# join-timeout 5
|
||||
|
||||
# tracelog enables auditing blacklisted files and directories. A message
|
||||
# is sent to syslog in case the file or the directory is accessed.
|
||||
# Disabled by default.
|
||||
# tracelog no
|
||||
|
||||
# Enable or disable sandbox name change, default enabled.
|
||||
# name-change yes
|
||||
|
||||
|
|
|
|||
|
|
@ -62,7 +62,6 @@ int checkcfg(int val) {
|
|||
cfg_val[CFG_CHROOT] = 0;
|
||||
cfg_val[CFG_SECCOMP_LOG] = 0;
|
||||
cfg_val[CFG_PRIVATE_LIB] = 0;
|
||||
cfg_val[CFG_TRACELOG] = 0;
|
||||
|
||||
// open configuration file
|
||||
const char *fname = SYSCONFDIR "/firejail.config";
|
||||
|
|
@ -112,7 +111,6 @@ int checkcfg(int val) {
|
|||
PARSE_YESNO(CFG_SECCOMP, "seccomp")
|
||||
PARSE_YESNO(CFG_NETWORK, "network")
|
||||
PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
|
||||
PARSE_YESNO(CFG_TRACELOG, "tracelog")
|
||||
PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
|
||||
PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
|
||||
PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
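Review bot: With `PARSE_YESNO(CFG_TRACELOG, "tracelog")` dropped from the parser in checkcfg(), a firejail.config that still carries a `tracelog yes` or `tracelog no` line from the reverted commit is no longer recognised. How unrecognised keys are handled is outside these hunks; if that path is a fatal configuration error, a system whose administrator edited the option would fail to start sandboxes after upgrading. Worth confirming that path, or accepting and ignoring the key for one release with a comment such as `// "tracelog" accepted for compatibility, has no effect`. checkcfg's body starts and ends outside the hunks shown.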
|
||||
|
|
|
|||
|
|
@ -32,6 +32,25 @@
|
|||
// debug restricted shell
|
||||
//#define DEBUG_RESTRICTED_SHELL
|
||||
|
||||
#ifdef HAVE_LANDLOCK
|
||||
|
||||
extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
|
||||
|
||||
extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
|
||||
|
||||
extern int landlock_restrict_self(int fd,__u32 flags);
|
||||
|
||||
extern int create_full_ruleset();
|
||||
|
||||
extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
|
||||
|
||||
extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
|
||||
|
||||
extern int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
|
||||
|
||||
extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
|
||||
|
||||
#endif
|
||||
|
||||
// profiles
|
||||
#define DEFAULT_USER_PROFILE "default"
|
||||
|
|
@ -838,7 +857,6 @@ enum {
|
|||
// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
|
||||
CFG_ALLOW_TRAY,
|
||||
CFG_SECCOMP_LOG,
|
||||
CFG_TRACELOG,
|
||||
CFG_MAX // this should always be the last entry
|
||||
};
|
||||
extern char *xephyr_screen;
|
||||
|
|
@ -945,16 +963,4 @@ void run_ids(int argc, char **argv);
|
|||
// oom.c
|
||||
void oom_set(const char *oom_string);
|
||||
|
||||
// landlock.c
|
||||
#ifdef HAVE_LANDLOCK
|
||||
int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
|
||||
int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
|
||||
int landlock_restrict_self(int fd,__u32 flags);
|
||||
int create_full_ruleset();
|
||||
int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
|
||||
int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
|
||||
int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
|
||||
int add_execute_rule_by_path(int rset_fd,char *allowed_path);
|
||||
#endif
|
||||
|
||||
#endif
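Review bot: `extern int create_full_ruleset();` in the re-added `HAVE_LANDLOCK` block has an empty parameter list, which before C23 is not a prototype, so a call with stray arguments is not diagnosed; `extern int create_full_ruleset(void);` closes that gap. The four `add_*_rule_by_path` helpers take `char *allowed_path`; if they only read the path, `const char *allowed_path` documents that and lets callers pass string literals safely. The block also depends on `struct landlock_ruleset_attr`, `enum landlock_rule_type` and `__u32` being declared earlier in the header, which the hunk does not show. That these lines are on the new side is inferred from the hunk header counts, since the page has lost its +/- markers.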
|
||||
|
|
|
|||
|
|
@ -348,8 +348,7 @@ errout:
|
|||
|
||||
|
||||
static void exit_err_feature(const char *feature) {
|
||||
fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
|
||||
feature, SYSCONFDIR "/firejail.config");
|
||||
fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
|
@ -1571,12 +1570,8 @@ int main(int argc, char **argv, char **envp) {
|
|||
arg_tracefile = tmp;
|
||||
}
|
||||
}
|
||||
else if (strcmp(argv[i], "--tracelog") == 0) {
|
||||
if (checkcfg(CFG_TRACELOG))
|
||||
arg_tracelog = 1;
|
||||
else
|
||||
exit_err_feature("tracelog");
|
||||
}
|
||||
else if (strcmp(argv[i], "--tracelog") == 0)
|
||||
arg_tracelog = 1;
|
||||
else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
|
||||
check_unsigned(argv[i] + 13, "Error: invalid rlimit");
|
||||
sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);
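Review bot: After this revert the `--tracelog` branch in main() and the `tracelog` branch in profile_check_line() both set `arg_tracelog = 1` with no `checkcfg()` gate, so firejail.config no longer gives an administrator any control over this auditing feature. A short comment at the option, e.g. `// tracelog is always available; not controlled by firejail.config`, would make that intentional, and it would replace the dropped note about tracelog being in over 400 profiles. Separately, exit_err_feature() goes back to a message that does not name the file; keeping `feature, SYSCONFDIR "/firejail.config"` would still help users of the remaining gated features, and that change is unrelated to tracelog or Landlock. Which lines are old and which are new is inferred from the hunk header counts; main() continues outside the hunk.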
|
||||
|
|
|
|||
|
|
@ -372,9 +372,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
|
|||
return 0;
|
||||
}
|
||||
else if (strcmp(ptr, "tracelog") == 0) {
|
||||
if (checkcfg(CFG_TRACELOG))
|
||||
arg_tracelog = 1;
|
||||
// no warning, we have tracelog in over 400 profiles
|
||||
arg_tracelog = 1;
|
||||
return 0;
|
||||
}
|
||||
else if (strcmp(ptr, "private") == 0) {
|
||||
|
|
|
|||