netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Desktop notifications for blacklist violations #433

Open netblue30 opened 8 years ago

netblue30 commented 8 years ago

From wordpress:

question about desktop notifications for blacklist violations. Can this be set up with something like this? I think that would be a good thing.

#!/bin/bash
# firejail desktop notification
# Poll syslog for firejail "blacklist violation" lines, pop up a zenity
# warning for each batch, then delete the lines so they are not reported twice.

while true
do
    JAIL=$(grep "blacklist violation" /var/log/syslog)
    if [ -z "$JAIL" ]
    then
        sleep 2
    else
        zenity --warning --title "FIREJAIL" --text "$JAIL" &
        sed -i "/blacklist violation/d" /var/log/syslog
    fi
done

curiosity-seeker commented 8 years ago

I think for distros using systemd it should be something like

journalctl | grep -E 'blacklist.*violation'

as there is no syslog.

ghost commented 8 years ago

I think it generally should be more accessible to the user and not a fixed script that firejail distributes. Should be easy to change the command to run, other than copying the script and making your own version out of it. Not everyone wants to run zenity for notifications.

It could be done as some kind of "event-hook". Whenever a blacklist violation (or other events possibly?) happens, run the command specified by the user.

netblue30 commented 8 years ago

The messages are sent to syslog, so they already go to systemd. I'll look into some sort of event-hook as suggested by @avoidr

vn971 commented 8 years ago

By the way, do systemd-based distros actually get syslog events from firejail? Can somebody report systemd working fine with firejail?

I migrated to ArchLinux a couple of months ago and I still can't make firejail and syslog work together. I had to stop using custom seccomp rules for this exact reason. :(

netblue30 commented 8 years ago

It should work, I send the messages to syslog using the facilities available in glibc. I'll do a short check on Arch.

vn971 commented 8 years ago

If you can, that'd be great, thank you! The attempts that failed for me were installing syslog-ng and watching for messages with journalctl -f -n 200.

netblue30 commented 8 years ago

My understanding is systemd should collect by default all the messages that used to go to syslog. I'll have to take a look.

reinerh commented 8 years ago

@vn971 Have you enabled ForwardToSyslog in journald? Otherwise syslog-ng doesn't receive the logs from journald.

vn971 commented 8 years ago

@reinerh yes, I have it enabled in /etc/systemd/journald.conf. If you do get notifications on ArchLinux, please mention it, it'd be very interesting to know.

reinerh commented 8 years ago

I'm not using Arch, but I see blacklist violations for example with firejail --tracelog cd ~/.ssh:

$ tail -f /var/log/syslog | grep blacklist
Jul 30 23:40:40 firejail[2]: blacklist violation - sandbox 24194, exe bash, syscall chdir, path /home/reiner/.ssh
Jul 30 23:40:40 firejail[2]: blacklist violation - sandbox 24194, exe bash, syscall chdir, path /home/reiner/.ssh
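The "event-hook" idea from earlier in the thread, worked through against the log format shown just above, as an added example that is not firejail's own code: each "blacklist violation" line is parsed into its sandbox, exe, syscall and path fields and handed to a command the user chooses (FIREJAIL_HOOK is a hypothetical variable name assumed here), rather than a hard-wired zenity call. The sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not firejail's own code: an "event hook" dispatcher for the
# "blacklist violation" lines firejail sends to syslog/journald, in the format
# quoted above. Each violation is parsed into fields and handed to a command
# of the user's choosing instead of a hard-wired zenity call.
# Assumption: FIREJAIL_HOOK (hypothetical variable name) names that command.

tab=$(printf '\t')   # field separator; a tab cannot appear in the log fields

# Constructed sample input; the last line is deliberately not a violation.
SAMPLE_LOG='Jul 30 23:40:40 firejail[2]: blacklist violation - sandbox 24194, exe bash, syscall chdir, path /home/reiner/.ssh
Jul 30 23:40:41 firejail[2]: blacklist violation - sandbox 24194, exe bash, syscall open, path /home/reiner/.gnupg/secring.gpg
Jul 30 23:40:42 firejail[2]: Reading profile /etc/firejail/default.profile'

# parse_violation LINE: print "sandbox<TAB>exe<TAB>syscall<TAB>path",
# or return 1 if LINE is not a blacklist violation.
parse_violation() {
    case "$1" in
        *"blacklist violation - sandbox "*) ;;
        *) return 1 ;;
    esac
    rest=${1#*"blacklist violation - sandbox "}; sandbox=${rest%%,*}
    rest=${rest#*", exe "};                       exe=${rest%%,*}
    rest=${rest#*", syscall "};                   syscall=${rest%%,*}
    path=${rest#*", path "}   # path is last, so it may contain commas
    printf '%s\t%s\t%s\t%s\n' "$sandbox" "$exe" "$syscall" "$path"
}

# default_hook SANDBOX EXE SYSCALL PATH: used when FIREJAIL_HOOK is unset.
default_hook() {
    printf 'firejail: sandbox %s (%s) blocked %s on %s\n' "$1" "$2" "$3" "$4" >&2
}

# dispatch_violations: read log lines on stdin, run the hook once per
# violation with the four fields as arguments, print the violation count.
dispatch_violations() {
    hook=${FIREJAIL_HOOK:-default_hook}; n=0
    while IFS= read -r line; do
        fields=$(parse_violation "$line") || continue
        oldifs=$IFS; IFS=$tab; set -f; set -- $fields; set +f; IFS=$oldifs
        "$hook" "$1" "$2" "$3" "$4"
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demo on the sample; in use, feed "journalctl -f" or
# "tail -f /var/log/syslog" into dispatch_violations instead.
printf '%s\n' "$SAMPLE_LOG" | dispatch_violations >/dev/null
```

Any notifier (zenity, kdialog, notify-send) can then be wrapped in a four-argument hook script without touching the dispatcher.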

vn971 commented 8 years ago

@reinerh this one I did (pleasantly and successfully) in ubuntu/debian, too... Never so after moving to Arch. (I like Arch very much compared to ubuntu, so switching back is not something I want..)

chocolateboy commented 6 years ago

I'll look into some sort of event-hook as suggested by @avoidr

I think D-Bus is the standard way to do this (possibly via sd-bus on systemd systems).

rusty-snake commented 5 years ago

#!/usr/bin/env bash

# Copyright © 2019 rusty-snake
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

function usage {
        echo "Usage:"
        echo "        NOTIFY_TOOL=\"<ZENITY|KDIALOG|NOTIFY_SEND>\" $0"
}

if [ "$1" == "--help" ] || [ "$1" == "-h" ] || [ "$1" == "-?" ]; then
        usage "$@"
        exit 0
fi

# NOTIFY_TOOL must be set in the environment (bash 4.2+ "-v" test).
if [ ! -v "NOTIFY_TOOL" ]; then
        printf "Error: \"NOTIFY_TOOL\" not set.\n"
        usage "$@"
        exit 1
fi

# Pick the notifier; the message text is appended as the last argument.
if [ "$NOTIFY_TOOL" == "ZENITY" ]; then
        notify_cmd="zenity"
        notify_args=(--title "Blacklist violation" --no-wrap --warning --text)
elif [ "$NOTIFY_TOOL" == "KDIALOG" ]; then
        notify_cmd="kdialog"
        notify_args=(--title "Blacklist violation" --sorry)
elif [ "$NOTIFY_TOOL" == "NOTIFY_SEND" ]; then   # spelling matches the usage text
        notify_cmd="notify-send"
        notify_args=(--icon "dialog-warning" "Blacklist violation")
else
        printf "Error: Invalid value for NOTIFY_TOOL.\n"
        usage "$@"
        exit 1
fi

# Follow the journal for violations; jq keeps each MESSAGE as one quoted
# string so xargs passes it as a single argument, one notifier per line.
journalctl --grep="blacklist violation" --output=json --follow \
        | jq --unbuffered ".MESSAGE" \
        | xargs -L1 -P0 "$notify_cmd" "${notify_args[@]}"

rusty-snake commented 5 years ago

Dependencies:

Features:

curiosity-seeker commented 5 years ago

@rusty-snake : Thanks. I was going to test the script but ran into the error:

/usr/bin/env: „bash\r“: Datei oder Verzeichnis nicht gefunden

shellcheck produced the following error several times:

^-- SC1017: Literal carriage return. Run script through tr -d '\r' .

See https://github.com/koalaman/shellcheck/wiki/SC1017

tr -d '\r' < oldscript > newsript fixed the problem.

I will do further testing.

vn971 commented 5 years ago

But @rusty-snake didn't publish any line breaks, it must be your local editor? Anyway, I moved to using bubblewrap for security isolation, so I'll unsubscribe.

rusty-snake commented 5 years ago

~\r WHAT?! :scream: I use \n (in vim)~ Maybe copy&paste error :confused: For me:

$ shellcheck firejail_blacklist_violation_notify.sh
$

BUG: NOTIFY_SEND vs. NOTIFY-SEND

curiosity-seeker commented 5 years ago

Oops - yes, you're right. I'm using kate as my editor, and that had not happened before. Now it used the Windows/DOS style line terminator. Perhaps a regression in a recent update ...