diff options
| author |  netblue30 <netblue30@protonmail.com> | 2022-10-24 09:06:01 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2022-10-24 09:06:01 -0400 |
| commit | 3d3365cb31d91661b503a04488873aca17a86636 (patch) | |
| tree | a66f9af470b3fe4fb14a3c49384f81830a1565b1 | |
| parent | --icmptrace (diff) | |
| download | firejail-3d3365cb31d91661b503a04488873aca17a86636.tar.gz firejail-3d3365cb31d91661b503a04488873aca17a86636.tar.zst firejail-3d3365cb31d91661b503a04488873aca17a86636.zip | |
removed grsecurity support
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | src/firejail/main.c | 23 | ||||
| -rw-r--r-- | src/firejail/profile.c | 15 |
4 files changed, 3 insertions, 37 deletions
diff --git a/.gitignore b/.gitignore index b5d29dc19..7333b1c8d 100644 --- a/.gitignore +++ b/.gitignore | |||
| @@ -27,6 +27,7 @@ firecfg.1 | |||
| 27 | jailcheck.1 | 27 | jailcheck.1 |
| 28 | src/fnettrace-dns/fnettrace-dns | 28 | src/fnettrace-dns/fnettrace-dns |
| 29 | src/fnettrace-sni/fnettrace-sni | 29 | src/fnettrace-sni/fnettrace-sni |
| 30 | src/fnettrace-icmp/fnettrace-icmp | ||
| 30 | src/firejail/firejail | 31 | src/firejail/firejail |
| 31 | src/firemon/firemon | 32 | src/firemon/firemon |
| 32 | src/firecfg/firecfg | 33 | src/firecfg/firecfg |
| @@ -17,6 +17,7 @@ firejail (0.9.71) baseline; urgency=low | |||
| 17 | (#5190 #5216) | 17 | (#5190 #5216) |
| 18 | * modif: disabled tracelog by default in /etc/firejail/firejail.config | 18 | * modif: disabled tracelog by default in /etc/firejail/firejail.config |
| 19 | (#5190) | 19 | (#5190) |
| 20 | * modif: removed grsecurity support | ||
| 20 | * bugfix: Flood of seccomp audit log entries (#5207) | 21 | * bugfix: Flood of seccomp audit log entries (#5207) |
| 21 | * build: deduplicate configure-time vars into new config files (#5140 #5284) | 22 | * build: deduplicate configure-time vars into new config files (#5140 #5284) |
| 22 | * build: fix file mode of shell scripts (644 -> 755) (#5206) | 23 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index ed5b4901b..1eda26f99 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -728,8 +728,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 728 | #ifdef HAVE_NETWORK | 728 | #ifdef HAVE_NETWORK |
| 729 | else if (strcmp(argv[i], "--netstats") == 0) { | 729 | else if (strcmp(argv[i], "--netstats") == 0) { |
| 730 | if (checkcfg(CFG_NETWORK)) { | 730 | if (checkcfg(CFG_NETWORK)) { |
| 731 | struct stat s; | 731 | if (pid_hidepid()) |
| 732 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid()) | ||
| 733 | sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN, | 732 | sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
| 734 | 2, PATH_FIREMON, "--netstats"); | 733 | 2, PATH_FIREMON, "--netstats"); |
| 735 | else | 734 | else |
| @@ -1747,11 +1746,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1747 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1746 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
| 1748 | exit(1); | 1747 | exit(1); |
| 1749 | } | 1748 | } |
| 1750 | struct stat s; | ||
| 1751 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 1752 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 1753 | exit(1); | ||
| 1754 | } | ||
| 1755 | arg_overlay = 1; | 1749 | arg_overlay = 1; |
| 1756 | arg_overlay_keep = 1; | 1750 | arg_overlay_keep = 1; |
| 1757 | 1751 | ||
| @@ -1775,11 +1769,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1775 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1769 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
| 1776 | exit(1); | 1770 | exit(1); |
| 1777 | } | 1771 | } |
| 1778 | struct stat s; | ||
| 1779 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 1780 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 1781 | exit(1); | ||
| 1782 | } | ||
| 1783 | arg_overlay = 1; | 1772 | arg_overlay = 1; |
| 1784 | arg_overlay_keep = 1; | 1773 | arg_overlay_keep = 1; |
| 1785 | arg_overlay_reuse = 1; | 1774 | arg_overlay_reuse = 1; |
| @@ -1811,11 +1800,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1811 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1800 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
| 1812 | exit(1); | 1801 | exit(1); |
| 1813 | } | 1802 | } |
| 1814 | struct stat s; | ||
| 1815 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 1816 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 1817 | exit(1); | ||
| 1818 | } | ||
| 1819 | arg_overlay = 1; | 1803 | arg_overlay = 1; |
| 1820 | } | 1804 | } |
| 1821 | else | 1805 | else |
| @@ -1954,11 +1938,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1954 | exit(1); | 1938 | exit(1); |
| 1955 | } | 1939 | } |
| 1956 | 1940 | ||
| 1957 | struct stat s; | ||
| 1958 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 1959 | fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n"); | ||
| 1960 | exit(1); | ||
| 1961 | } | ||
| 1962 | // extract chroot dirname | 1941 | // extract chroot dirname |
| 1963 | cfg.chrootdir = argv[i] + 9; | 1942 | cfg.chrootdir = argv[i] + 9; |
| 1964 | if (*cfg.chrootdir == '\0') { | 1943 | if (*cfg.chrootdir == '\0') { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 641bb09b1..24964d40d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1418,11 +1418,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1418 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1418 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
| 1419 | exit(1); | 1419 | exit(1); |
| 1420 | } | 1420 | } |
| 1421 | struct stat s; | ||
| 1422 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 1423 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 1424 | exit(1); | ||
| 1425 | } | ||
| 1426 | arg_overlay = 1; | 1421 | arg_overlay = 1; |
| 1427 | arg_overlay_keep = 1; | 1422 | arg_overlay_keep = 1; |
| 1428 | arg_overlay_reuse = 1; | 1423 | arg_overlay_reuse = 1; |
| @@ -1455,11 +1450,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1455 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1450 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
| 1456 | exit(1); | 1451 | exit(1); |
| 1457 | } | 1452 | } |
| 1458 | struct stat s; | ||
| 1459 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 1460 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 1461 | exit(1); | ||
| 1462 | } | ||
| 1463 | arg_overlay = 1; | 1453 | arg_overlay = 1; |
| 1464 | } | 1454 | } |
| 1465 | else | 1455 | else |
| @@ -1476,11 +1466,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1476 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1466 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
| 1477 | exit(1); | 1467 | exit(1); |
| 1478 | } | 1468 | } |
| 1479 | struct stat s; | ||
| 1480 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 1481 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 1482 | exit(1); | ||
| 1483 | } | ||
| 1484 | arg_overlay = 1; | 1469 | arg_overlay = 1; |
| 1485 | arg_overlay_keep = 1; | 1470 | arg_overlay_keep = 1; |
| 1486 | 1471 | ||