author | startx2017 <vradu.startx@yandex.com> | 2018-08-22 08:32:01 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2018-08-22 08:32:01 -0400 |
commit | ddd307e3447e609241abadb8d073e97b948a5bb0 (patch) | |
tree | 041028cc53f7ab392f124d68dff4cf3f11375de7 | |
parent | relax restrictions imposed on filesystem log (fslogger) in ec7f59b8d370c29bd2... (diff) | |
removed --disable-bind configuration option; some other minor cleanup
-rw-r--r-- | RELNOTES | 1 | ||||
-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/arg-checking.txt | 84 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/network.txt | 95 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rwxr-xr-x | test/compile/compile.sh | 27 |
11 files changed, 7 insertions, 244 deletions
@@ -2,6 +2,7 @@ firejail (0.9.56~rc1) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * modif: removed CFG_CHROOT_DESKTOP configuration option | 3 | * modif: removed CFG_CHROOT_DESKTOP configuration option |
4 | * modif: removed compile time --enable-network=restricted | 4 | * modif: removed compile time --enable-network=restricted |
5 | * modif: removed compile time --disable-bind | ||
5 | * modif: --net=none allowed even if networking was disabled at compile | 6 | * modif: --net=none allowed even if networking was disabled at compile |
6 | time or at run time | 7 | time or at run time |
7 | * support wireless devices in --net option | 8 | * support wireless devices in --net option |
@@ -636,7 +636,6 @@ HAVE_X11 | |||
636 | HAVE_USERNS | 636 | HAVE_USERNS |
637 | HAVE_NETWORK | 637 | HAVE_NETWORK |
638 | HAVE_GLOBALCFG | 638 | HAVE_GLOBALCFG |
639 | HAVE_BIND | ||
640 | HAVE_CHROOT | 639 | HAVE_CHROOT |
641 | HAVE_SECCOMP | 640 | HAVE_SECCOMP |
642 | HAVE_PRIVATE_HOME | 641 | HAVE_PRIVATE_HOME |
@@ -705,7 +704,6 @@ enable_overlayfs | |||
705 | enable_private_home | 704 | enable_private_home |
706 | enable_seccomp | 705 | enable_seccomp |
707 | enable_chroot | 706 | enable_chroot |
708 | enable_bind | ||
709 | enable_globalcfg | 707 | enable_globalcfg |
710 | enable_network | 708 | enable_network |
711 | enable_userns | 709 | enable_userns |
@@ -1352,7 +1350,6 @@ Optional Features: | |||
1352 | --disable-private-home disable private home feature | 1350 | --disable-private-home disable private home feature |
1353 | --disable-seccomp disable seccomp | 1351 | --disable-seccomp disable seccomp |
1354 | --disable-chroot disable chroot | 1352 | --disable-chroot disable chroot |
1355 | --disable-bind disable bind | ||
1356 | --disable-globalcfg if the global config file firejail.cfg is not | 1353 | --disable-globalcfg if the global config file firejail.cfg is not |
1357 | present, continue the program using defaults | 1354 | present, continue the program using defaults |
1358 | --disable-network disable network | 1355 | --disable-network disable network |
@@ -3626,19 +3623,6 @@ if test "x$enable_chroot" != "xno"; then : | |||
3626 | 3623 | ||
3627 | fi | 3624 | fi |
3628 | 3625 | ||
3629 | HAVE_BIND="" | ||
3630 | # Check whether --enable-bind was given. | ||
3631 | if test "${enable_bind+set}" = set; then : | ||
3632 | enableval=$enable_bind; | ||
3633 | fi | ||
3634 | |||
3635 | if test "x$enable_bind" != "xno"; then : | ||
3636 | |||
3637 | HAVE_BIND="-DHAVE_BIND" | ||
3638 | |||
3639 | |||
3640 | fi | ||
3641 | |||
3642 | HAVE_GLOBALCFG="" | 3626 | HAVE_GLOBALCFG="" |
3643 | # Check whether --enable-globalcfg was given. | 3627 | # Check whether --enable-globalcfg was given. |
3644 | if test "${enable_globalcfg+set}" = set; then : | 3628 | if test "${enable_globalcfg+set}" = set; then : |
@@ -5043,7 +5027,6 @@ echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | |||
5043 | echo " apparmor: $HAVE_APPARMOR" | 5027 | echo " apparmor: $HAVE_APPARMOR" |
5044 | echo " global config: $HAVE_GLOBALCFG" | 5028 | echo " global config: $HAVE_GLOBALCFG" |
5045 | echo " chroot: $HAVE_CHROOT" | 5029 | echo " chroot: $HAVE_CHROOT" |
5046 | echo " bind: $HAVE_BIND" | ||
5047 | echo " network: $HAVE_NETWORK" | 5030 | echo " network: $HAVE_NETWORK" |
5048 | echo " user namespace: $HAVE_USERNS" | 5031 | echo " user namespace: $HAVE_USERNS" |
5049 | echo " X11 sandboxing support: $HAVE_X11" | 5032 | echo " X11 sandboxing support: $HAVE_X11" |
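--- a/configure.ac
+++ b/configure.ac
@@ -83,14 +83,6 @@ AS_IF([test "x$enable_chroot" != "xno"], [
 AC_SUBST(HAVE_CHROOT)
 ])
 
-HAVE_BIND=""
-AC_ARG_ENABLE([bind],
-AS_HELP_STRING([--disable-bind], [disable bind]))
-AS_IF([test "x$enable_bind" != "xno"], [
-HAVE_BIND="-DHAVE_BIND"
-AC_SUBST(HAVE_BIND)
-])
-
 HAVE_GLOBALCFG=""
 AC_ARG_ENABLE([globalcfg],
 AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
@@ -207,7 +199,6 @@ echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo " apparmor: $HAVE_APPARMOR"
 echo " global config: $HAVE_GLOBALCFG"
 echo " chroot: $HAVE_CHROOT"
-echo " bind: $HAVE_BIND"
 echo " network: $HAVE_NETWORK"
 echo " user namespace: $HAVE_USERNS"
 echo " X11 sandboxing support: $HAVE_X11"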
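--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -11,7 +11,6 @@ NAME=@PACKAGE_NAME@
 HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
 HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
@@ -29,7 +28,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
 
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@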
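--- a/src/firejail/arg-checking.txt
+++ /dev/null
@@ -1,84 +0,0 @@
-arg checking:
-
-1. --output=filename
-- not supported in profiles
-- checking no "..",
-- checking no link,
-- checking no dir,
-- checking same permissions,
-- checking no hard links
-- unit test
-
-2. --chroot=dirname
-- not supported in profiles
-- expand "~"
-- checking no "..",
-- checking is dir,
-- checking no link
-- checking directory structure
-- unit test
-
-3. --bind=dirname1,dirname2, --bind=filename1,filenam2
-- supported in profiles
-- accepted only when running as root
-- checking string chars
-- checking no ".."
-- unit test non root
-
-4. --tmpfs=dirname
-- supported in profiles
-- checking string chars
-- checking no ".."
-- unit test
-
-5. --blacklist=filename, --blacklist=dirname
-- supported in profiles
-- checking string chars
-- checking no ".."
-- unit test
-
-6. --read-only=filename, --read-only=dirname
-- supported in profiles
-- checking string chars
-- checking no ".."
-- unit test
-
-7. --profile=filename
-- check access as real GID/UID
-- checking no dir
-- checking no link
-- checking no ".."
-- unit test
-
-8. --private=dirname
-- supported in profiles
-- expand "~"
-- check is dir
-- check no link
-- checking no ".."
-- check same owner
-- unit test
-
-9. --private-home=filelist
-- supported in profiles
-- checking no ".."
-- checking file found
-- checking same owner
-- checking no link
-- unit test
-
-10. --netfilter=filename
-- supported in profiles
-- check access as real GID/UID
-- checking no dir
-- checking no link
-- checking no ".."
-- unit test
-
-11. --shell=filename
-- not supported in profiles
-- check access as real GID/UID
-- checking no dir
-- checking no link
-- checking no ".."
-- unit test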
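--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -410,14 +410,6 @@ void print_compiletime_support(void) {
 #endif
 );
 
-printf("\t- bind support is %s\n",
-#ifdef HAVE_BIND
-"enabled"
-#else
-"disabled"
-#endif
-);
-
 printf("\t- chroot support is %s\n",
 #ifdef HAVE_CHROOT
 "enabled"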
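--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1270,7 +1270,6 @@ int main(int argc, char **argv) {
 //*************************************
 else if (strcmp(argv[i], "--allusers") == 0)
 arg_allusers = 1;
-#ifdef HAVE_BIND
 else if (strncmp(argv[i], "--bind=", 7) == 0) {
 if (checkcfg(CFG_BIND)) {
 char *line;
@@ -1283,7 +1282,6 @@ int main(int argc, char **argv) {
 else
 exit_err_feature("bind");
 }
-#endif
 else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
 char *line;
 if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)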
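--- a/src/firejail/network.txt
+++ /dev/null
@@ -1,95 +0,0 @@
-struct Bridge {
-char *dev; // bridge device name
-uint32_t ip; // bridge device IP address
-uint32_t mask; // bridge device mask
-uint32_t ipsandbox // sandbox interface IP address
-}
-
-net_configure_bridge(br, device) {
-br->dev = devname;
-br->ip = extracted from kernel device - using net_get_if_addr() in network.c
-br->mask = extracted from kernel device - using net_get_if_addr() in network.c
-check available network range; /31 networks are not supported
-}
-
-net_configure_sandbox_ip(br) {
-if br->ip_sandbox
-check br->ipsandbox inside the bridge network
-arp_check(br->ipsandbox) // send an arp req to check if anybody else is using this address
-else
-br->ipsandbox = arp_assign();
-}
-
-net_configure_veth_pair {
-create a veth pair
-place one interface end in the bridge
-place the other end in the namespace of the child process
-}
-
-net_bridge_wait_ip {
-arp_check br->ipsandbox address to come up
-wait for not more than 5 seconds
-}
-
-main() {
-
-foreach argv[i] {
-if --net
-br = next bridge available
-net_configure_bridge(br, device name from argv[i]);
-else if --ip
-br = last bridge configured
-br->ipsandbox = ip address extracted from argv[i]
-else if --defaultgw
-cfg.defaultgw = ip address extracted from argv[i]
-}
-
-net_check_cfg(); // check the validity of network configuration so far
-
-if (any bridge configured) {
-lock /var/lock/firejail.lock file
-for each bridge
-net_configure_sandbox_ip(br)
-}
-
-clone (new network namespace if any bridge configured or --net=none)
-
-if (any bridge configured) {
-for each bridge
-net_configure_veth_pair
-}
-
-notify child init is done
-
-if (any bridge configured) {
-for each bridge
-net_bridge_wait_ip
-unlock /var/lock/firejail.lock file
-}
-
-wait on child
-exit
-}
-
-
-******************************************************
-* macvlan notes
-******************************************************
-Configure a macvlan interface
-
-# ip link add virtual0 link eth0 type macvlan mode bridge
-(you can configure it with # ifconfig virtual0 192.168.1.52/24 up)
-
-Create a new network namespace and move the interface in the new network namespace
-
-# ip netns add dummy0
-# ip link set virtual0 netns dummy0
-
-Join the namespace and configure the interfaces
-
-# ip netns exec dummy0 bash
-# ifconfig lo up
-# ifconfig virtual0 192.168.1.52/24
-
-Investigate ipvlan interface - added to linux kernel 3.19
-https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt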
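--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1044,7 +1044,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 // filesystem bind
 if (strncmp(ptr, "bind ", 5) == 0) {
-#ifdef HAVE_BIND
 if (checkcfg(CFG_BIND)) {
 if (getuid() != 0) {
 fprintf(stderr, "Error: --bind option is available only if running as root\n");
@@ -1077,7 +1076,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else
 warning_feature_disabled("bind");
-#endif
 return 0;
 }
 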
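--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -37,10 +37,8 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
-#ifdef HAVE_BIND
 " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
 " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-#endif
 " --blacklist=filename - blacklist directory or file.\n"
 " --build - build a whitelisted profile for the application.\n"
 " --build=filename - build a whitelisted profile for the application.\n"
@@ -153,6 +151,7 @@ static char *usage_str =
 " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
 " --private - temporary home directory.\n"
 " --private=directory - use directory as user home.\n"
+" --private-cache - temporary ~/.cache directory.\n"
 " --private-home=file,directory - build a new user home in a temporary\n"
 "\tfilesystem, and copy the files and directories in the list in\n"
 "\tthe new home.\n"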
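--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -3,7 +3,7 @@
 arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile seccomp disabled"
 arr[3]="TEST 3: compile chroot disabled"
-arr[4]="TEST 4: compile bind disabled"
+arr[4]="deprecated: TEST 4: compile bind disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
@@ -14,7 +14,7 @@ arr[11]="TEST 11: compile disable global config"
 arr[12]="TEST 12: compile apparmor"
 arr[13]="TEST 13: compile busybox"
 arr[14]="TEST 14: compile overlayfs disabled"
-arr[15]="TEST 15: compile apparmor enabled"
+arr[14]="TEST 15: compile private-home disabled"
 
 # remove previous reports and output file
 cleanup() {
@@ -108,24 +108,6 @@ cp output-make om3
 rm output-configure output-make
 
 #*****************************************************************
-# TEST 4
-#*****************************************************************
-# - disable bind configuration
-#*****************************************************************
-print_title "${arr[4]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-bind --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test4
-grep Error output-configure output-make >> ./report-test4
-cp output-configure oc4
-cp output-make om4
-rm output-configure output-make
-
-#*****************************************************************
 # TEST 5
 #*****************************************************************
 # - disable user namespace configuration
@@ -292,13 +274,13 @@ rm output-configure output-make
 #*****************************************************************
 # TEST 15
 #*****************************************************************
-# - enable apparmor
+# - disable private home
 #*****************************************************************
 print_title "${arr[15]}"
 # seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test15
@@ -307,7 +289,6 @@ cp output-configure oc15
 cp output-make om15
 rm output-configure output-make
 
-
 #*****************************************************************
 # PRINT REPORTS
 #*****************************************************************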
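Review bot: The rewritten title line in the second hunk assigns `arr[14]="TEST 15: compile private-home disabled"`, which overwrites the TEST 14 title set on the line just above and leaves `arr[15]` unset, so `print_title "${arr[15]}"` in the TEST 15 block later in the file prints an empty title while TEST 14 is labelled as TEST 15. The index should match the test number: `arr[15]="TEST 15: compile private-home disabled"`. The `arr[4]` entry marked "deprecated" is now referenced by nothing since the TEST 4 block was removed; dropping it would keep the table consistent with the tests that actually run.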