Commit 873b9d16 authored by netblue30's avatar netblue30

tracelog added to various profiles

parent 85ed40ed
......@@ -26,6 +26,7 @@ rogshdo (https://github.com/rogshdo)
avoidr (https://github.com/avoidr)
- whitelist fix
- recently-used.xbel fix
- added parole profile
- blacklist ncat, manpage fixes,
- hostname support in profile file
- Google Chrome profile rework
......
firejail (0.9.35) baseline; urgency=low
* added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat
and rtorrent profiles
* added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
parole and rtorrent profiles
* Google Chrome profile rework
* added google-chrome-stable profile
* added google-chrome-beta profile
......
......@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
#
netfilter
tracelog
whitelist ${DOWNLOADS}
whitelist ~/.config/chromium
whitelist ~/.cache/chromium
......
......@@ -7,6 +7,7 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
whitelist ~/.conkeror.mozdev.org
whitelist ~/Downloads
......
......@@ -12,5 +12,7 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
......@@ -5,4 +5,5 @@ include /etc/firejail/disable-mgmt.inc
private
private-dev
seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
tracelog
......@@ -11,3 +11,5 @@ caps
seccomp
protocol unix,inet,inet6
noroot
tracelog
......@@ -12,3 +12,4 @@ caps.drop all
seccomp
protocol unix,inet,inet6
noroot
tracelog
......@@ -13,5 +13,6 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
......@@ -11,5 +11,6 @@ seccomp
protocol unix,inet,inet6
noroot
netfilter
tracelog
......@@ -8,6 +8,7 @@ caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
whitelist ${DOWNLOADS}
whitelist ~/.mozilla
......
......@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
#
netfilter
tracelog
whitelist ${DOWNLOADS}
whitelist ~/.config/google-chrome-beta
whitelist ~/.cache/google-chrome-beta
......
......@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
#
netfilter
tracelog
whitelist ${DOWNLOADS}
whitelist ~/.config/google-chrome-unstable
whitelist ~/.cache/google-chrome-unstable
......
......@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
#
netfilter
tracelog
whitelist ${DOWNLOADS}
whitelist ~/.config/google-chrome
whitelist ~/.cache/google-chrome
......
......@@ -8,4 +8,5 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
......@@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
netfilter
tracelog
whitelist ~/.config/opera-beta
whitelist ${DOWNLOADS}
whitelist ~/.cache/opera-beta
......
......@@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
netfilter
tracelog
whitelist ~/.config/opera
whitelist ${DOWNLOADS}
whitelist ~/.cache/opera
......
......@@ -12,5 +12,6 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
......@@ -7,4 +7,5 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
......@@ -6,6 +6,7 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
tracelog
noroot
seccomp
protocol unix,inet,inet6
......@@ -16,5 +16,6 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
......@@ -7,6 +7,7 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
tracelog
noroot
seccomp
protocol unix,inet,inet6
......@@ -21,5 +21,6 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
......@@ -13,4 +13,6 @@ seccomp
protocol unix,inet,inet6
netfilter
noroot
tracelog
......@@ -12,5 +12,6 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
......@@ -7,4 +7,5 @@ caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
tracelog
noroot
......@@ -8,5 +8,6 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
tracelog
noroot
seccomp
......@@ -59,8 +59,11 @@ void fs_trace(void) {
errExit("fopen");
if (arg_trace)
fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
else if (arg_tracelog)
else if (arg_tracelog) {
fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
if (!arg_quiet)
printf("Blacklist violations are logged to syslog\n");
}
else
assert(0);
......
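Review bot: The new "Blacklist violations are logged to syslog" notice is printed before the preload entry written just above it is known to have reached the file: the fprintf of the libtracelog.so path has its return value unchecked, and fclose (presumably after the hunk) is where a write failure would surface, so a user can be told violations are logged while no tracelog library is actually preloaded. Either check the write, `if (fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR) < 0) errExit("fprintf");`, or move the notice to after fclose has succeeded; the same unchecked pattern pre-exists on the arg_trace branch. On style, the chain now mixes a braced else-if arm with brace-less if and else arms and puts the closing `}` on its own line before `else`; bracing all three arms as `} else if (arg_tracelog) {` / `} else {` would keep one shape and also brace the single-statement `if (!arg_quiet)` body. fs_trace's body continues outside the hunk.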
......@@ -120,6 +120,10 @@ int profile_check_line(char *ptr, int lineno) {
arg_shell_none = 1;
return 0;
}
else if (strcmp(ptr, "tracelog") == 0) {
arg_tracelog = 1;
return 0;
}
else if (strcmp(ptr, "private") == 0) {
arg_private = 1;
return 0;
......
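Review bot: The new `tracelog` branch sets arg_tracelog without regard to arg_trace, and fs_trace in this same commit tests `if (arg_trace)` before `else if (arg_tracelog)`, so when both are enabled — by a command-line option or another profile line, neither visible here — the tracelog request is silently dropped and no libtracelog.so preload entry is written. Consider rejecting the combination at parse time or emitting a warning in fs_trace, e.g. `if (arg_trace && !arg_quiet) fprintf(stderr, "Warning: tracelog ignored because trace is enabled\n");` (wording illustrative). A short comment on the branch, `// tracelog: preload libtracelog.so so blacklist violations are reported to syslog`, would document the keyword alongside its neighbours. profile_check_line continues on both sides of the hunk.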
......@@ -158,7 +158,9 @@ All modifications are discarded when the sandbox is closed.
Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
The modifications to file_or_directory are persistent, everything else is discarded
when the sandbox is closed.
.TP
\f\ tracelog
Blacklist violations logged to syslog.
.SH Filters
\fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:
......