tracelog disabled by default in /etc/firejail/firejail.config file

README

@@ -252,6 +252,8 @@ cayday (https://github.com/caydey)
 Christian Pinedo (https://github.com/chrpinedo)
 	- added nicotine profile
 	- allow python3 in totem profile
+ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
+	- Landlock support
 creideiki (https://github.com/creideiki)
 	- make the sandbox process reap all children
 	- tor browser profile fix

etc/firejail.config

@@ -57,6 +57,11 @@
 # to the specified period of time to allow sandbox setup to finish.
 # join-timeout 5
 
+# tracelog enables auditing blacklisted files and directories. A message
+# is sent to syslog in case the file or the directory is accessed.
+# Disabled by default.
+# tracelog no
+
 # Enable or disable sandbox name change, default enabled.
 # name-change yes
 

src/firejail/checkcfg.c

@@ -62,6 +62,7 @@ int checkcfg(int val) {
 		cfg_val[CFG_CHROOT] = 0;
 		cfg_val[CFG_SECCOMP_LOG] = 0;
 		cfg_val[CFG_PRIVATE_LIB] = 0;
+		cfg_val[CFG_TRACELOG] = 0;
 
 		// open configuration file
 		const char *fname = SYSCONFDIR "/firejail.config";
@@ -111,6 +112,7 @@ int checkcfg(int val) {
 			PARSE_YESNO(CFG_SECCOMP, "seccomp")
 			PARSE_YESNO(CFG_NETWORK, "network")
 			PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
+			PARSE_YESNO(CFG_TRACELOG, "tracelog")
 			PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 			PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
 			PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")

src/firejail/firejail.h

@@ -32,25 +32,6 @@
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
-#ifdef HAVE_LANDLOCK
-
-extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
-
-extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
-
-extern int landlock_restrict_self(int fd,__u32 flags);
-
-extern int create_full_ruleset();
-
-extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
-
-extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
-
-extern int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
-
-extern int add_execute_rule_by_path(int rset_fd,char *allowed_path);
-
-#endif
 
 // profiles
 #define DEFAULT_USER_PROFILE	"default"
@@ -857,6 +838,7 @@ enum {
 	// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 	CFG_ALLOW_TRAY,
 	CFG_SECCOMP_LOG,
+	CFG_TRACELOG,
 	CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
@@ -963,4 +945,16 @@ void run_ids(int argc, char **argv);
 // oom.c
 void oom_set(const char *oom_string);
 
+// landlock.c
+#ifdef HAVE_LANDLOCK
+int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
+int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
+int landlock_restrict_self(int fd,__u32 flags);
+int create_full_ruleset();
+int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
+int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
+int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
+int add_execute_rule_by_path(int rset_fd,char *allowed_path);
+#endif
+
 #endif

src/firejail/main.c

@@ -348,7 +348,8 @@ void check_user_namespace(void) {
 
 
 static void exit_err_feature(const char *feature) {
-	fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
+	fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n",
+		feature, SYSCONFDIR "/firejail.config");
 	exit(1);
 }
 
@@ -1570,8 +1571,12 @@ int main(int argc, char **argv, char **envp) {
 				arg_tracefile = tmp;
 			}
 		}
-		else if (strcmp(argv[i], "--tracelog") == 0)
-			arg_tracelog = 1;
+		else if (strcmp(argv[i], "--tracelog") == 0) {
+			if (checkcfg(CFG_TRACELOG))
+				arg_tracelog = 1;
+			else
+				exit_err_feature("tracelog");
+		}
 		else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
 			check_unsigned(argv[i] + 13, "Error: invalid rlimit");
 			sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);

src/firejail/profile.c

@@ -372,7 +372,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	else if (strcmp(ptr, "tracelog") == 0) {
-		arg_tracelog = 1;
+		if (checkcfg(CFG_TRACELOG))
+			arg_tracelog = 1;
+		// no warning, we have tracelog in over 400 profiles
 		return 0;
 	}
 	else if (strcmp(ptr, "private") == 0) {