github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #152] Logging for violations of blacklisted directories #104

New issue

Closed

opened 2026-05-05 05:02:53 -06:00 by gitea-mirror · 8 comments

gitea-mirror commented

2026-05-05 05:02:53 -06:00

Owner

Originally created by @reinerh on GitHub (Nov 22, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/152

A Debian user is requesting the enhancement that firejail logs or warns the user when an application is trying to access a blacklisted directory.
I also think this would be a good idea.
Would it be possible to watch the blacklisted files/directories with inotify?

Link to the bug report: https://bugs.debian.org/794837

Originally created by @reinerh on GitHub (Nov 22, 2015). Original GitHub issue: https://github.com/netblue30/firejail/issues/152 A Debian user is requesting the enhancement that firejail logs or warns the user when an application is trying to access a blacklisted directory. I also think this would be a good idea. Would it be possible to watch the blacklisted files/directories with inotify? Link to the bug report: https://bugs.debian.org/794837

gitea-mirror

2026-05-05 05:02:53 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 05:02:57 -06:00

Author

Owner

@ghost commented on GitHub (Nov 22, 2015):

I also think this is a good idea. Maybe even more generally logging every attempt of using forbidden functions, if this isn't yet implemented.

@ghost commented on GitHub (Nov 22, 2015): I also think this is a good idea. Maybe even more generally logging every attempt of using forbidden functions, if this isn't yet implemented.

gitea-mirror commented

2026-05-05 05:03:01 -06:00

Author

Owner

@netblue30 commented on GitHub (Nov 23, 2015):

I'll implement it for the next release, thanks.

@netblue30 commented on GitHub (Nov 23, 2015): I'll implement it for the next release, thanks.

gitea-mirror commented

2026-05-05 05:03:04 -06:00

Author

Owner

@netblue30 commented on GitHub (Dec 6, 2015):

I ended up implementing it using library calls interposition (there is a new libtracelog.so in /usr/lib/firejail). With inotify, the kernel will emit notifications only on files the user has permissions to access, and since they are already blacklisted, there will be no notification.

The new option is --tracelog. These are some sample syslog messages (using LOG_INFO):

Dec  3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec  3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot

The solution is not perfect, it can be bypassed if the file access is implemented outside glibc. However, regular programs such as Firefox always use glibc for access.

@netblue30 commented on GitHub (Dec 6, 2015): I ended up implementing it using library calls interposition (there is a new libtracelog.so in /usr/lib/firejail). With inotify, the kernel will emit notifications only on files the user has permissions to access, and since they are already blacklisted, there will be no notification. The new option is --tracelog. These are some sample syslog messages (using LOG_INFO): ``` Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot ``` The solution is not perfect, it can be bypassed if the file access is implemented outside glibc. However, regular programs such as Firefox always use glibc for access. ``` ```

gitea-mirror commented

2026-05-05 05:03:08 -06:00

Author

Owner

@reinerh commented on GitHub (Dec 6, 2015):

Can this be made the default? So that you don't have to always include the cmdline flag?
I think if there is a blacklist violation, the users are interested in this.
Or is the performance impact too high to make it a default?

@reinerh commented on GitHub (Dec 6, 2015): Can this be made the default? So that you don't have to always include the cmdline flag? I think if there is a blacklist violation, the users are interested in this. Or is the performance impact too high to make it a default?

gitea-mirror commented

2026-05-05 05:03:10 -06:00

Author

Owner

@netblue30 commented on GitHub (Dec 6, 2015):

I'll add support for it in profile files. For Firefox wouldn't be a problem. There could be a problem for programs that access files all the time. I'll make it default for browsers, mail, bittorrent and chat.

@netblue30 commented on GitHub (Dec 6, 2015): I'll add support for it in profile files. For Firefox wouldn't be a problem. There could be a problem for programs that access files all the time. I'll make it default for browsers, mail, bittorrent and chat.

gitea-mirror commented

2026-05-05 05:03:12 -06:00

Author

Owner

@netblue30 commented on GitHub (Dec 7, 2015):

I ended up with default logging in firefox, chromium, thunderbird and transmission. I'll go with this in the next release, I need more testing from users.

@netblue30 commented on GitHub (Dec 7, 2015): I ended up with default logging in firefox, chromium, thunderbird and transmission. I'll go with this in the next release, I need more testing from users.

gitea-mirror commented

2026-05-05 05:03:15 -06:00

Author

Owner

@reinerh commented on GitHub (Dec 7, 2015):

Awesome, thanks! :)

@reinerh commented on GitHub (Dec 7, 2015): Awesome, thanks! :)

gitea-mirror commented

2026-05-05 05:03:18 -06:00

Author

Owner

@netblue30 commented on GitHub (Dec 10, 2015):

You're welcome!

@netblue30 commented on GitHub (Dec 10, 2015): You're welcome!

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#104

No description provided.

Rows
Columns