Desktop notifications for blacklist violations #433

Open
netblue30 opened this issue Apr 13, 2016 · 18 comments
Labels
enhancement New feature request

Comments

@netblue30
Owner

From wordpress:

question about desktop notifications for blacklist violations.
Can this be set up, something like this? I think that would be a good thing.

#! /bin/bash
# firejail desktop notification

while true
do
    JAIL=$(grep "blacklist violation" /var/log/syslog)
    if [ -z "$JAIL" ]
    then
        sleep 2
    else
        zenity --warning --title "FIREJAIL" --text "$JAIL" &
        sed -i "/blacklist violation/d" /var/log/syslog
    fi
done

@netblue30 netblue30 added the enhancement New feature request label Apr 13, 2016
@curiosity-seeker
Contributor

I think for distros using systemd it should be something like

journalctl | grep -E 'blacklist.*violation'

as there is no syslog.

@ghost

ghost commented Apr 14, 2016

I think it generally should be more accessible to the user and not a fixed script that firejail distributes. Should be easy to change the command to run, other than copying the script and making your own version out of it. Not everyone wants to run zenity for notifications.

It could be done as some kind of "event-hook". Whenever a blacklist violation (or other events possibly?) happens, run the command specified by the user.

@netblue30
Owner Author

The messages are sent to syslog, so they already go to systemd. I'll look into some sort of event-hook as suggested by @avoidr

@vn971
Contributor

vn971 commented Jul 17, 2016

By the way, do systemd-based distros actually get syslog events from firejail?
Can somebody report systemd working fine with firejail?

I migrated to ArchLinux a couple of months ago and I still can't make firejail and syslog work together. I had to stop using custom seccomp rules for this exact reason. :(

@netblue30
Owner Author

It should work, I send the messages to syslog using the facilities available in glibc. I'll do a short check on Arch.

@vn971
Contributor

vn971 commented Jul 18, 2016

If you can, that'd be great, thank you! The attempts that failed for me were installing syslog-ng and watching for messages with journalctl -f -n 200.

@netblue30
Owner Author

My understanding is systemd should collect by default all the messages that used to go to syslog. I'll take a look.

@reinerh
Collaborator

reinerh commented Jul 30, 2016

@vn971 Have you enabled ForwardToSyslog in journald?
Otherwise syslog-ng doesn't receive the logs from journald.

@vn971
Contributor

vn971 commented Jul 30, 2016

@reinerh yes, I have it enabled in /etc/systemd/journald.conf. If you do get notifications on ArchLinux, please mention it, it'd be very interesting to know.

@reinerh
Collaborator

reinerh commented Jul 30, 2016

I'm not using Arch, but I see blacklist violations for example with firejail --tracelog cd ~/.ssh:

$ tail -f /var/log/syslog | grep blacklist
Jul 30 23:40:40 firejail[2]: blacklist violation - sandbox 24194, exe bash, syscall chdir, path /home/reiner/.ssh
Jul 30 23:40:40 firejail[2]: blacklist violation - sandbox 24194, exe bash, syscall chdir, path /home/reiner/.ssh

@vn971
Contributor

vn971 commented Jul 30, 2016

@reinerh this one I did (pleasantly and successfully) in Ubuntu/Debian, too... Never so after moving to Arch. (I like Arch very much compared to Ubuntu, so switching back is not something I want..)

@chocolateboy

chocolateboy commented Feb 23, 2018

> I'll look into some sort of event-hook as suggested by @avoidr

I think D-Bus is the standard way to do this (possibly via sd-bus on systemd systems).

@rusty-snake
Collaborator

#!/usr/bin/env bash

# Copyright © 2019 rusty-snake
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

function usage {
        echo "Usage:"
        echo "        NOTIFY_TOOL=\"<ZENITY|KDIALOG|NOTIFY_SEND>\" $0"
}

if [ "$1" == "--help" ] || [ "$1" == "-h" ] || [ "$1" == "-?" ]; then
        usage "$@"
        exit 0
fi

if [ ! -v "NOTIFY_TOOL" ]; then
        printf "Error: \"NOTIFY_TOOL\" not set.\n"
        usage "$@"
        exit 1
fi

if [ "$NOTIFY_TOOL" == "ZENITY" ]; then
        notify_cmd="zenity"
        notify_args=(--title "Blacklist violation" --no-wrap --warning --text)
elif [ "$NOTIFY_TOOL" == "KDIALOG" ]; then
        notify_cmd="kdialog"
        notify_args=(--title "Blacklist violation" --sorry)
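# usage() advertises NOTIFY_SEND; the hyphenated spelling is accepted too
elif [ "$NOTIFY_TOOL" == "NOTIFY_SEND" ] || [ "$NOTIFY_TOOL" == "NOTIFY-SEND" ]; then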
        notify_cmd="notify-send"
        notify_args=(--icon "dialog-warning" "Blacklist violation")
else
        printf "Error: Invalid value for NOTIFY_TOOL.\n"
        usage "$@"
        exit 1
fi

journalctl --grep="blacklist violation" --output=json --follow | jq --unbuffered ".MESSAGE" | xargs -L1 -P0 "$notify_cmd" "${notify_args[@]}"

@rusty-snake
Collaborator

Dependencies:

  • jq
  • zenity or kdialog or notify-send (apt: libnotify-bin; rpm: libnotify)

Features:

  • use journalctl
  • messages in a window (zenity, kdialog)
  • desktop notifications (notify-send)
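
The event-hook idea suggested earlier in the thread, as an added example that is not part of any comment here and is not firejail's own code: it parses the message layout shown in the syslog excerpt above, skips the immediate duplicate seen there, and neutralises control characters and markup in the fields the sandboxed process controls before handing them to a user-chosen command. The function names and the FJ_* variables are hypothetical; it is written in POSIX sh so it also runs under bash.

```sh
#!/bin/sh
# Added example, not code from this thread. dispatch, parse_violation, sanitize
# and the FJ_* variables are hypothetical names.

# Split one log line into FJ_SANDBOX, FJ_EXE, FJ_SYSCALL, FJ_PATH.
# Returns 1 for anything that is not a well-formed blacklist violation.
parse_violation() {
    case $1 in
        *"blacklist violation - sandbox "*", exe "*", syscall "*", path "*) ;;
        *) return 1 ;;
    esac
    _r=${1#*"blacklist violation - sandbox "}
    FJ_SANDBOX=${_r%%", exe "*};     _r=${_r#*", exe "}
    FJ_EXE=${_r%%", syscall "*};     _r=${_r#*", syscall "}
    FJ_SYSCALL=${_r%%", path "*};    FJ_PATH=${_r#*", path "}
    case $FJ_SANDBOX in ''|*[!0-9]*) return 1 ;; esac
}

# exe and path are chosen by the sandboxed process, so they are untrusted:
# drop control characters and escape what Pango markup treats as special.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177' |
        sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Read messages on stdin, skip immediate repeats, and run the hook command
# ("$@") once per violation: summary as last argument, fields in the environment.
dispatch() {
    _last=
    while IFS= read -r _msg; do
        [ "$_msg" = "$_last" ] && continue
        _last=$_msg
        parse_violation "$_msg" || continue
        _exe=$(sanitize "$FJ_EXE"); _sys=$(sanitize "$FJ_SYSCALL")
        _path=$(sanitize "$FJ_PATH")
        FJ_SANDBOX=$FJ_SANDBOX FJ_EXE=$_exe FJ_SYSCALL=$_sys FJ_PATH=$_path \
            "$@" "sandbox $FJ_SANDBOX: $_exe tried $_sys on $_path" </dev/null
    done
}

# Live use: ./fj-hook.sh notify-send --icon dialog-warning "Blacklist violation"
# jq -r emits the raw MESSAGE, one per line, so no xargs quote parsing is involved.
if [ "$#" -gt 0 ]; then
    journalctl --grep="blacklist violation" --output=json --follow |
        jq --unbuffered -r '.MESSAGE' | dispatch "$@"
fi
```

Because only consecutive identical messages are suppressed, a repeated access attempt separated by any other violation still triggers the hook.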

@curiosity-seeker
Contributor

@rusty-snake : Thanks. I was going to test the script but ran into the error:

/usr/bin/env: „bash\r“: Datei oder Verzeichnis nicht gefunden

shellcheck produced the following error several times:

^-- SC1017: Literal carriage return. Run script through tr -d '\r' .

See https://github.com/koalaman/shellcheck/wiki/SC1017

tr -d '\r' < oldscript > newscript fixed the problem.

I will do further testing.

@vn971
Contributor

vn971 commented Aug 23, 2019

But @rusty-snake didn't publish any line breaks, it must be your local editor? Anyway, I moved to using bubblewrap for security isolation, so I'll unsubscribe.

@rusty-snake
Collaborator

rusty-snake commented Aug 23, 2019

\r WHAT?! 😱 I use \n (in vim). Maybe a copy&paste error 😕
For me:

$ shellcheck firejail_blacklist_violation_notify.sh
$

BUG: NOTIFY_SEND vs. NOTIFY-SEND

@curiosity-seeker
Contributor

Oops - yes, you're right. I'm using kate as my editor, and that had not happened before. Now it used the Windows/DOS style line terminator. Perhaps a regression in a recent update ...
