[GH-ISSUE #496] Question: Where do tracelog messages go? #350

Closed
opened 2026-05-05 05:39:11 -06:00 by gitea-mirror · 8 comments

Originally created by @chiraag-nataraj on GitHub (May 3, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/496

I've looked in literally every log in /var/log. I know I need to whitelist a syscall because Emacs crashes when resizing the window when launched in my Mutt sandbox. However, I can't find the log where the syscall violation information should be listed. I'm using systemd. I've checked in /var/log/syslog, dmesg, journalctl -xe, and every other log in /var/log including /var/log/kern.log, and /var/log/debug.

  1. Could it possibly be that I (accidentally) disabled a kernel option during compile which prevents syscall violations from being logged? I compile my own kernel.
  2. If that's not the case, I'm at a complete loss as to where the heck these violations are being logged!

@reinerh commented on GitHub (May 3, 2016):

tracelog only logs blacklist violations to syslog.
firejail can't log syscall violations, as the kernel immediately kills the program when they are violated.
You can run your tool with strace and record all required syscalls, and then check which ones are needed and blacklisted by firejail.


@chiraag-nataraj commented on GitHub (May 3, 2016):

Oh right. So I guess the real question is why syscall violations aren't showing up in any of my logs...
I already tried using strace to pinpoint which syscall I was missing...there was too much stuff going on for it to actually be useful.


@reinerh commented on GitHub (May 3, 2016):

try something like this:

```
strace -qq -o /tmp/ls.log ls /
cat /tmp/ls.log | cut -d '(' -f 1 | sort -u
```


@chiraag-nataraj commented on GitHub (May 3, 2016):

Oh wow...that really helps! Unfortunately, I have all the syscalls that show up there whitelisted in my config. Here's the log generated by strace when I have everything blacklisted (I stopped collecting as soon as Emacs crashed).
[muttdebug.txt](https://github.com/netblue30/firejail/files/247555/muttdebug.txt)


@netblue30 commented on GitHub (May 4, 2016):

First you need to find out where the messages go: /var/log/syslog for Debian-based distros, /var/log/audit/audit.log on CentOS, and so on - every distro keeps them in a different place. Then you run:

```
$ firejail --noprofile --seccomp strace ls
```

In the log you get:

```
May  4 09:10:41 debian kernel: [594990.731182] audit: type=1326 audit(1462367441.661:55): auid=1000 uid=1000 gid=1000 ses=128 pid=14239 comm="strace" exe="/usr/bin/strace" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f632a8ee2be code=0x0
```

The message is generated by the audit subsystem in the kernel. You should have a process kauditd running on your system:

```
$ ps aux | grep audit
root       189  0.0  0.0      0     0 ?        S    Apr24   0:00 [kauditd]
```

Some distros also enable an auditd daemon in user space: http://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/

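A small parser for the kernel seccomp audit record quoted above, added here as an example and not code from the firejail project or from anyone in this thread: it pulls the syscall number, architecture and signal out of a `type=1326` (shown as `type=SECCOMP` by auditd) line and maps the number to a name through a deliberately partial x86_64 table. The sample log combines the line quoted above with a constructed line for an `emacs` process.

```python
import re

# Partial x86_64 syscall table (arch=c000003e), numbers from the kernel's
# syscall_64.tbl. Extend it from asm/unistd_64.h on a real system.
X86_64_SYSCALLS = {
    0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap",
    57: "fork", 59: "execve", 62: "kill", 101: "ptrace", 231: "exit_group",
}
AUDIT_ARCH = {"c000003e": "x86_64", "40000003": "i386", "c00000b7": "aarch64"}

# key=value pairs; values are quoted (comm="strace") or bare (syscall=101)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: the line from the comment above plus one made-up
# record for an emacs process killed on kill(2).
SAMPLE_LOG = [
    'May  4 09:10:41 debian kernel: [594990.731182] audit: type=1326 '
    'audit(1462367441.661:55): auid=1000 uid=1000 gid=1000 ses=128 pid=14239 '
    'comm="strace" exe="/usr/bin/strace" sig=31 arch=c000003e syscall=101 '
    'compat=0 ip=0x7f632a8ee2be code=0x0',
    'May  4 09:12:03 debian kernel: [595072.118455] audit: type=1326 '
    'audit(1462367523.004:56): auid=1000 uid=1000 gid=1000 ses=128 pid=14301 '
    'comm="emacs" exe="/usr/bin/emacs" sig=31 arch=c000003e syscall=62 '
    'compat=0 ip=0x7f1234567890 code=0x0',
    'May  4 09:12:04 debian kernel: [595073.000001] audit: type=1300 '
    'audit(1462367524.000:57): arch=c000003e syscall=59 success=yes',
]

def parse_seccomp_line(line):
    """Describe one seccomp audit record; None for any other record type."""
    if "type=1326" not in line and "type=SECCOMP" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    arch = AUDIT_ARCH.get(fields.get("arch"), "unknown")
    nr = int(fields["syscall"])
    name = X86_64_SYSCALLS.get(nr, "?") if arch == "x86_64" else "?"
    # sig=31 is SIGSYS: the filter returned SECCOMP_RET_KILL (code=0x0),
    # so the process died before it could log anything itself.
    return {"comm": fields.get("comm"), "exe": fields.get("exe"),
            "pid": int(fields.get("pid", 0)), "arch": arch,
            "syscall": nr, "name": name, "killed": fields.get("sig") == "31"}

def denied_syscalls(lines):
    """Collapse a log into {comm: {syscall names}} for every seccomp kill."""
    out = {}
    for line in lines:
        rec = parse_seccomp_line(line)
        if rec and rec["killed"]:
            out.setdefault(rec["comm"], set()).add(rec["name"])
    return out
```

Feed it the output of `journalctl -k` or `/var/log/audit/audit.log` and the resulting names are exactly the candidates to review against the sandbox's seccomp list.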

@chiraag-nataraj commented on GitHub (May 4, 2016):

Yeah I have absolutely no idea why audit messages aren't being logged to `/var/log/syslog` as they used to. Regardless, I installed auditd and used ausearch to find the syscall in question - no idea why `kill` is needed to resize the window(!) but whatever...now it works!


@netblue30 commented on GitHub (May 4, 2016):

Interesting, I just looked at debian testing and they moved all audit messages including seccomp to /var/log/audit/audit.log. You would need "sudo apt-get install auditd" to get them.


@curiosity-seeker commented on GitHub (May 4, 2016):

The problem is that audit is not enabled in all distros, e.g. it isn't in Arch Linux. And journalctl doesn't report syscalls.

A nice alternative seems to be sysdig. Just execute it as

```
sudo sysdig proc.name=myprogram
```

and execute myprogram. sysdig will show all syscalls used. A nice introduction is https://sysdig.com/blog/fascinating-world-linux-system-calls/
