compile time: enable LTS

author: startx2017 <vradu.startx@protonmail.com> 2021-02-28 10:26:08 -0500
committer: startx2017 <vradu.startx@protonmail.com> 2021-02-28 10:26:08 -0500
commit: d1acb31c9714fe503082a890f1754f2026e71ee5 (patch)
tree: 1946a929c6c7bcc47bc04e1b988966d60f364b48
parent: compile time: disable --output (diff)
download: firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.tar.gz
firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.tar.zst
firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.zip
4 files changed, 178 insertions, 20 deletions
diff --git a/configure b/configure
index fc8048ffb..952f7af9b 100755
--- a/configure
+++ b/configure
@@ -627,7 +627,7 @@ LIBOBJS
 EGREP
 GREP
 CPP
-HAVE_SELINUX
+HAVE_LTS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
@@ -650,6 +650,7 @@ HAVE_OVERLAYFS
 HAVE_DBUSPROXY
 EXTRA_LDFLAGS
 EXTRA_CFLAGS
+HAVE_SELINUX
 HAVE_APPARMOR
 AA_LIBS
 AA_CFLAGS
@@ -711,6 +712,7 @@ ac_user_opts='
 enable_option_checking
 enable_analyzer
 enable_apparmor
+enable_selinux
 enable_dbusproxy
 enable_output
 enable_usertmpfs
@@ -729,7 +731,7 @@ enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
 enable_contrib_install
-enable_selinux
+enable_lts
 '
      ac_precious_vars='build_alias
 host_alias
@@ -1367,6 +1369,7 @@ Optional Features:
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-analyzer       enable GCC 10 static analyzer
  --enable-apparmor       enable apparmor
+  --enable-selinux        SELinux labeling support
  --disable-dbusproxy     disable dbus proxy
  --disable-output        disable --output logging
  --disable-usertmpfs     disable tmpfs as regular user
@@ -1388,7 +1391,7 @@ Optional Features:
  --enable-gcov           Gcov instrumentation
  --enable-contrib-install
                          install contrib scripts
-  --enable-selinux        SELinux labeling support
+  --enable-lts            enable long-term support software version (LTS)
 Some influential environment variables:
  CC          C compiler command
@@ -3514,6 +3517,20 @@ fi
 fi
+HAVE_SELINUX=""
+# Check whether --enable-selinux was given.
+if test "${enable_selinux+set}" = set; then :
+  enableval=$enable_selinux;
+fi
+if test "x$enable_selinux" = "xyes"; then :
+        HAVE_SELINUX="-DHAVE_SELINUX"
+        EXTRA_LDFLAGS+=" -lselinux "
+fi
@@ -3808,20 +3825,67 @@ else
 fi
-HAVE_SELINUX=""
+HAVE_LTS=""
-# Check whether --enable-selinux was given.
+# Check whether --enable-lts was given.
-if test "${enable_selinux+set}" = set; then :
+if test "${enable_lts+set}" = set; then :
-  enableval=$enable_selinux;
+  enableval=$enable_lts;
 fi
-if test "x$enable_selinux" = "xyes"; then :
+if test "x$enable_lts" = "xyes"; then :
+        HAVE_LTS="-DHAVE_LTS"
+        HAVE_DBUSPROXY=""
+        HAVE_OVERLAYFS=""
+        HAVE_OUTPUT=""
-        HAVE_SELINUX="-DHAVE_SELINUX"
-        EXTRA_LDFLAGS+=" -lselinux "
+        HAVE_USERTMPFS=""
+        HAVE_MAN="-DHAVE_MAN"
+        HAVE_FIRETUNNEL=""
+        HAVE_PRIVATEHOME=""
+        HAVE_CHROOT=""
+        HAVE_GLOBALCFG=""
+        HAVE_USERNS=""
+        HAVE_X11=""
+        HAVE_FILE_TRANSFER=""
+        HAVE_SUID="yes"
+        BUSYBOX_WORKAROUND="no"
+        HAVE_CONTRIB_INSTALL="no",
 fi
 # checking pthread library
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
 $as_echo_n "checking for main in -lpthread... " >&6; }
@@ -5485,6 +5549,7 @@ echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   apparmor: $HAVE_APPARMOR"
+echo "   SELinux labeling support: $HAVE_SELINUX"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   network: $HAVE_NETWORK"
@@ -5506,6 +5571,19 @@ echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo "   Gcov instrumentation: $HAVE_GCOV"
 echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   SELinux labeling support: $HAVE_SELINUX"
 echo "   Install as a SUID executable: $HAVE_SUID"
+echo "   LTS: $HAVE_LTS"
 echo
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+        echo
+        echo
+        echo "*********************************************************"
+        echo "*    Warning: Long-term support (LTS) was enabled!      *"
+        echo "*    Most compile-time options have bean rewritten!     *"
+        echo "*********************************************************"
+        echo
+        echo
+fi
diff --git a/configure.ac b/configure.ac
index 0556da374..449b8b436 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,15 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [
        AC_SUBST(HAVE_APPARMOR)
 ])
+HAVE_SELINUX=""
+AC_ARG_ENABLE([selinux],
+    AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
+AS_IF([test "x$enable_selinux" = "xyes"], [
+        HAVE_SELINUX="-DHAVE_SELINUX"
+        EXTRA_LDFLAGS+=" -lselinux "
+        AC_SUBST(HAVE_SELINUX)
+])
 AC_SUBST([EXTRA_CFLAGS])
 AC_SUBST([EXTRA_LDFLAGS])
@@ -219,15 +228,62 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
 )
 AC_SUBST(HAVE_CONTRIB_INSTALL)
-HAVE_SELINUX=""
+HAVE_LTS=""
-AC_ARG_ENABLE([selinux],
+AC_ARG_ENABLE([lts],
-    AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
+    AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
-AS_IF([test "x$enable_selinux" = "xyes"], [
+AS_IF([test "x$enable_lts" = "xyes"], [
-        HAVE_SELINUX="-DHAVE_SELINUX"
+        HAVE_LTS="-DHAVE_LTS"
-        EXTRA_LDFLAGS+=" -lselinux "
+        AC_SUBST(HAVE_LTS)
-        AC_SUBST(HAVE_SELINUX)
+        HAVE_DBUSPROXY=""
+        AC_SUBST(HAVE_DBUSPROXY)
+        HAVE_OVERLAYFS=""
+        AC_SUBST(HAVE_OVERLAYFS)
+        HAVE_OUTPUT=""
+        AC_SUBST(HAVE_OUTPUT)
+        HAVE_USERTMPFS=""
+        AC_SUBST(HAVE_USERTMPFS)
+        HAVE_MAN="-DHAVE_MAN"
+        AC_SUBST(HAVE_MAN)
+        HAVE_FIRETUNNEL=""
+        AC_SUBST(HAVE_FIRETUNNEL)
+        HAVE_PRIVATEHOME=""
+        AC_SUBST(HAVE_PRIVATE_HOME)
+        HAVE_CHROOT=""
+        AC_SUBST(HAVE_CHROOT)
+        HAVE_GLOBALCFG=""
+        AC_SUBST(HAVE_GLOBALCFG)
+        HAVE_USERNS=""
+        AC_SUBST(HAVE_USERNS)
+        HAVE_X11=""
+        AC_SUBST(HAVE_X11)
+        HAVE_FILE_TRANSFER=""
+        AC_SUBST(HAVE_FILE_TRANSFER)
+        HAVE_SUID="yes"
+        AC_SUBST(HAVE_SUID)
+        BUSYBOX_WORKAROUND="no"
+        AC_SUBST(BUSYBOX_WORKAROUND)
+        HAVE_CONTRIB_INSTALL="no",
+        AC_SUBST(HAVE_CONTRIB_INSTALL)
 ])
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -250,6 +306,7 @@ echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   apparmor: $HAVE_APPARMOR"
+echo "   SELinux labeling support: $HAVE_SELINUX"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   network: $HAVE_NETWORK"
@@ -271,6 +328,19 @@ echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo "   Gcov instrumentation: $HAVE_GCOV"
 echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   SELinux labeling support: $HAVE_SELINUX"
 echo "   Install as a SUID executable: $HAVE_SUID"
+echo "   LTS: $HAVE_LTS"
 echo
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+        echo
+        echo
+        echo "*********************************************************"
+        echo "*    Warning: Long-term support (LTS) was enabled!      *"
+        echo "*    Most compile-time options have bean rewritten!     *"
+        echo "*********************************************************"
+        echo
+        echo
+fi
diff --git a/src/common.mk.in b/src/common.mk.in
index 77d8539ef..eae4138c0 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -26,6 +26,7 @@ HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
+HAVE_LTS=@HAVE_LTS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@@ -35,7 +36,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b251f8191..639b171cd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
 firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
+#ifdef HAVE_LTS
+This is Firejail long-term support (LTS), an enterprise focused version of the software,
+LTS is usually supported for two or three years.
+During this time  only bugs and the occasional documentation problems are fixed.
+The attack surface of the SUID executable was greatly reduced by removing some of the features.
+.br
+.br
+#endif
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
 restricting the running environment of untrusted applications using Linux
 namespaces, seccomp-bpf and Linux capabilities.
author	startx2017 <vradu.startx@protonmail.com>	2021-02-28 10:26:08 -0500
committer	startx2017 <vradu.startx@protonmail.com>	2021-02-28 10:26:08 -0500
commit	d1acb31c9714fe503082a890f1754f2026e71ee5 (patch)
tree	1946a929c6c7bcc47bc04e1b988966d60f364b48
parent	compile time: disable --output (diff)
download	firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.tar.gz firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.tar.zst firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.zip

diff --git a/configure b/configure index fc8048ffb..952f7af9b 100755 --- a/configure +++ b/configure
@@ -627,7 +627,7 @@ LIBOBJS
627	EGREP	627	EGREP
628	GREP	628	GREP
629	CPP	629	CPP
630	HAVE_SELINUX	630	HAVE_LTS
631	HAVE_CONTRIB_INSTALL	631	HAVE_CONTRIB_INSTALL
632	HAVE_GCOV	632	HAVE_GCOV
633	BUSYBOX_WORKAROUND	633	BUSYBOX_WORKAROUND
@@ -650,6 +650,7 @@ HAVE_OVERLAYFS
650	HAVE_DBUSPROXY	650	HAVE_DBUSPROXY
651	EXTRA_LDFLAGS	651	EXTRA_LDFLAGS
652	EXTRA_CFLAGS	652	EXTRA_CFLAGS
		653	HAVE_SELINUX
653	HAVE_APPARMOR	654	HAVE_APPARMOR
654	AA_LIBS	655	AA_LIBS
655	AA_CFLAGS	656	AA_CFLAGS
@@ -711,6 +712,7 @@ ac_user_opts='
711	enable_option_checking	712	enable_option_checking
712	enable_analyzer	713	enable_analyzer
713	enable_apparmor	714	enable_apparmor
		715	enable_selinux
714	enable_dbusproxy	716	enable_dbusproxy
715	enable_output	717	enable_output
716	enable_usertmpfs	718	enable_usertmpfs
@@ -729,7 +731,7 @@ enable_fatal_warnings
729	enable_busybox_workaround	731	enable_busybox_workaround
730	enable_gcov	732	enable_gcov
731	enable_contrib_install	733	enable_contrib_install
732	enable_selinux	734	enable_lts
733	'	735	'
734	ac_precious_vars='build_alias	736	ac_precious_vars='build_alias
735	host_alias	737	host_alias
@@ -1367,6 +1369,7 @@ Optional Features:
1367	--enable-FEATURE[=ARG] include FEATURE [ARG=yes]	1369	--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
1368	--enable-analyzer enable GCC 10 static analyzer	1370	--enable-analyzer enable GCC 10 static analyzer
1369	--enable-apparmor enable apparmor	1371	--enable-apparmor enable apparmor
		1372	--enable-selinux SELinux labeling support
1370	--disable-dbusproxy disable dbus proxy	1373	--disable-dbusproxy disable dbus proxy
1371	--disable-output disable --output logging	1374	--disable-output disable --output logging
1372	--disable-usertmpfs disable tmpfs as regular user	1375	--disable-usertmpfs disable tmpfs as regular user
@@ -1388,7 +1391,7 @@ Optional Features:
1388	--enable-gcov Gcov instrumentation	1391	--enable-gcov Gcov instrumentation
1389	--enable-contrib-install	1392	--enable-contrib-install
1390	install contrib scripts	1393	install contrib scripts
1391	--enable-selinux SELinux labeling support	1394	--enable-lts enable long-term support software version (LTS)
1392		1395
1393	Some influential environment variables:	1396	Some influential environment variables:
1394	CC C compiler command	1397	CC C compiler command
@@ -3514,6 +3517,20 @@ fi
3514		3517
3515	fi	3518	fi
3516		3519
		3520	HAVE_SELINUX=""
		3521	# Check whether --enable-selinux was given.
		3522	if test "${enable_selinux+set}" = set; then :
		3523	enableval=$enable_selinux;
		3524	fi
		3525
		3526	if test "x$enable_selinux" = "xyes"; then :
		3527
		3528	HAVE_SELINUX="-DHAVE_SELINUX"
		3529	EXTRA_LDFLAGS+=" -lselinux "
		3530
		3531
		3532	fi
		3533
3517		3534
3518		3535
3519		3536
@@ -3808,20 +3825,67 @@ else
3808	fi	3825	fi
3809		3826
3810		3827
3811	HAVE_SELINUX=""	3828	HAVE_LTS=""
3812	# Check whether --enable-selinux was given.	3829	# Check whether --enable-lts was given.
3813	if test "${enable_selinux+set}" = set; then :	3830	if test "${enable_lts+set}" = set; then :
3814	enableval=$enable_selinux;	3831	enableval=$enable_lts;
3815	fi	3832	fi
3816		3833
3817	if test "x$enable_selinux" = "xyes"; then :	3834	if test "x$enable_lts" = "xyes"; then :
		3835
		3836	HAVE_LTS="-DHAVE_LTS"
		3837
		3838
		3839	HAVE_DBUSPROXY=""
		3840
		3841
		3842	HAVE_OVERLAYFS=""
		3843
		3844
		3845	HAVE_OUTPUT=""
3818		3846
3819	HAVE_SELINUX="-DHAVE_SELINUX"	3847
3820	EXTRA_LDFLAGS+=" -lselinux "	3848	HAVE_USERTMPFS=""
		3849
		3850
		3851	HAVE_MAN="-DHAVE_MAN"
		3852
		3853
		3854	HAVE_FIRETUNNEL=""
		3855
		3856
		3857	HAVE_PRIVATEHOME=""
		3858
		3859
		3860	HAVE_CHROOT=""
		3861
		3862
		3863	HAVE_GLOBALCFG=""
		3864
		3865
		3866	HAVE_USERNS=""
		3867
		3868
		3869	HAVE_X11=""
		3870
		3871
		3872	HAVE_FILE_TRANSFER=""
		3873
		3874
		3875	HAVE_SUID="yes"
		3876
		3877
		3878	BUSYBOX_WORKAROUND="no"
		3879
		3880
		3881	HAVE_CONTRIB_INSTALL="no",
3821		3882
3822		3883
3823	fi	3884	fi
3824		3885
		3886
		3887
		3888
3825	# checking pthread library	3889	# checking pthread library
3826	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5	3890	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
3827	$as_echo_n "checking for main in -lpthread... " >&6; }	3891	$as_echo_n "checking for main in -lpthread... " >&6; }
@@ -5485,6 +5549,7 @@ echo "Configuration options:"
5485	echo " prefix: $prefix"	5549	echo " prefix: $prefix"
5486	echo " sysconfdir: $sysconfdir"	5550	echo " sysconfdir: $sysconfdir"
5487	echo " apparmor: $HAVE_APPARMOR"	5551	echo " apparmor: $HAVE_APPARMOR"
		5552	echo " SELinux labeling support: $HAVE_SELINUX"
5488	echo " global config: $HAVE_GLOBALCFG"	5553	echo " global config: $HAVE_GLOBALCFG"
5489	echo " chroot: $HAVE_CHROOT"	5554	echo " chroot: $HAVE_CHROOT"
5490	echo " network: $HAVE_NETWORK"	5555	echo " network: $HAVE_NETWORK"
@@ -5506,6 +5571,19 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
5506	echo " fatal warnings: $HAVE_FATAL_WARNINGS"	5571	echo " fatal warnings: $HAVE_FATAL_WARNINGS"
5507	echo " Gcov instrumentation: $HAVE_GCOV"	5572	echo " Gcov instrumentation: $HAVE_GCOV"
5508	echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"	5573	echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
5509	echo " SELinux labeling support: $HAVE_SELINUX"
5510	echo " Install as a SUID executable: $HAVE_SUID"	5574	echo " Install as a SUID executable: $HAVE_SUID"
		5575	echo " LTS: $HAVE_LTS"
5511	echo	5576	echo
		5577
		5578
		5579	if test "$HAVE_LTS" = -DHAVE_LTS; then
		5580	echo
		5581	echo
		5582	echo "*********************************************************"
		5583	echo "* Warning: Long-term support (LTS) was enabled! *"
		5584	echo "* Most compile-time options have bean rewritten! *"
		5585	echo "*********************************************************"
		5586	echo
		5587	echo
		5588	fi
		5589


diff --git a/configure.ac b/configure.ac index 0556da374..449b8b436 100644 --- a/configure.ac +++ b/configure.ac
@@ -54,6 +54,15 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [
54	AC_SUBST(HAVE_APPARMOR)	54	AC_SUBST(HAVE_APPARMOR)
55	])	55	])
56		56
		57	HAVE_SELINUX=""
		58	AC_ARG_ENABLE([selinux],
		59	AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
		60	AS_IF([test "x$enable_selinux" = "xyes"], [
		61	HAVE_SELINUX="-DHAVE_SELINUX"
		62	EXTRA_LDFLAGS+=" -lselinux "
		63	AC_SUBST(HAVE_SELINUX)
		64	])
		65
57	AC_SUBST([EXTRA_CFLAGS])	66	AC_SUBST([EXTRA_CFLAGS])
58	AC_SUBST([EXTRA_LDFLAGS])	67	AC_SUBST([EXTRA_LDFLAGS])
59		68
@@ -219,15 +228,62 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
219	)	228	)
220	AC_SUBST(HAVE_CONTRIB_INSTALL)	229	AC_SUBST(HAVE_CONTRIB_INSTALL)
221		230
222	HAVE_SELINUX=""	231	HAVE_LTS=""
223	AC_ARG_ENABLE([selinux],	232	AC_ARG_ENABLE([lts],
224	AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))	233	AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
225	AS_IF([test "x$enable_selinux" = "xyes"], [	234	AS_IF([test "x$enable_lts" = "xyes"], [
226	HAVE_SELINUX="-DHAVE_SELINUX"	235	HAVE_LTS="-DHAVE_LTS"
227	EXTRA_LDFLAGS+=" -lselinux "	236	AC_SUBST(HAVE_LTS)
228	AC_SUBST(HAVE_SELINUX)	237
		238	HAVE_DBUSPROXY=""
		239	AC_SUBST(HAVE_DBUSPROXY)
		240
		241	HAVE_OVERLAYFS=""
		242	AC_SUBST(HAVE_OVERLAYFS)
		243
		244	HAVE_OUTPUT=""
		245	AC_SUBST(HAVE_OUTPUT)
		246
		247	HAVE_USERTMPFS=""
		248	AC_SUBST(HAVE_USERTMPFS)
		249
		250	HAVE_MAN="-DHAVE_MAN"
		251	AC_SUBST(HAVE_MAN)
		252
		253	HAVE_FIRETUNNEL=""
		254	AC_SUBST(HAVE_FIRETUNNEL)
		255
		256	HAVE_PRIVATEHOME=""
		257	AC_SUBST(HAVE_PRIVATE_HOME)
		258
		259	HAVE_CHROOT=""
		260	AC_SUBST(HAVE_CHROOT)
		261
		262	HAVE_GLOBALCFG=""
		263	AC_SUBST(HAVE_GLOBALCFG)
		264
		265	HAVE_USERNS=""
		266	AC_SUBST(HAVE_USERNS)
		267
		268	HAVE_X11=""
		269	AC_SUBST(HAVE_X11)
		270
		271	HAVE_FILE_TRANSFER=""
		272	AC_SUBST(HAVE_FILE_TRANSFER)
		273
		274	HAVE_SUID="yes"
		275	AC_SUBST(HAVE_SUID)
		276
		277	BUSYBOX_WORKAROUND="no"
		278	AC_SUBST(BUSYBOX_WORKAROUND)
		279
		280	HAVE_CONTRIB_INSTALL="no",
		281	AC_SUBST(HAVE_CONTRIB_INSTALL)
229	])	282	])
230		283
		284
		285
		286
231	# checking pthread library	287	# checking pthread library
232	AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([* POSIX thread support not installed *]))	288	AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([* POSIX thread support not installed *]))
233	AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([* POSIX thread support not installed *]))	289	AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([* POSIX thread support not installed *]))
@@ -250,6 +306,7 @@ echo "Configuration options:"
250	echo " prefix: $prefix"	306	echo " prefix: $prefix"
251	echo " sysconfdir: $sysconfdir"	307	echo " sysconfdir: $sysconfdir"
252	echo " apparmor: $HAVE_APPARMOR"	308	echo " apparmor: $HAVE_APPARMOR"
		309	echo " SELinux labeling support: $HAVE_SELINUX"
253	echo " global config: $HAVE_GLOBALCFG"	310	echo " global config: $HAVE_GLOBALCFG"
254	echo " chroot: $HAVE_CHROOT"	311	echo " chroot: $HAVE_CHROOT"
255	echo " network: $HAVE_NETWORK"	312	echo " network: $HAVE_NETWORK"
@@ -271,6 +328,19 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
271	echo " fatal warnings: $HAVE_FATAL_WARNINGS"	328	echo " fatal warnings: $HAVE_FATAL_WARNINGS"
272	echo " Gcov instrumentation: $HAVE_GCOV"	329	echo " Gcov instrumentation: $HAVE_GCOV"
273	echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"	330	echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
274	echo " SELinux labeling support: $HAVE_SELINUX"
275	echo " Install as a SUID executable: $HAVE_SUID"	331	echo " Install as a SUID executable: $HAVE_SUID"
		332	echo " LTS: $HAVE_LTS"
276	echo	333	echo
		334
		335
		336	if test "$HAVE_LTS" = -DHAVE_LTS; then
		337	echo
		338	echo
		339	echo "*********************************************************"
		340	echo "* Warning: Long-term support (LTS) was enabled! *"
		341	echo "* Most compile-time options have bean rewritten! *"
		342	echo "*********************************************************"
		343	echo
		344	echo
		345	fi
		346


diff --git a/src/common.mk.in b/src/common.mk.in index 77d8539ef..eae4138c0 100644 --- a/src/common.mk.in +++ b/src/common.mk.in
@@ -26,6 +26,7 @@ HAVE_SELINUX=@HAVE_SELINUX@
26	HAVE_DBUSPROXY=@HAVE_DBUSPROXY@	26	HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
27	HAVE_USERTMPFS=@HAVE_USERTMPFS@	27	HAVE_USERTMPFS=@HAVE_USERTMPFS@
28	HAVE_OUTPUT=@HAVE_OUTPUT@	28	HAVE_OUTPUT=@HAVE_OUTPUT@
		29	HAVE_LTS=@HAVE_LTS@
29		30
30	H_FILE_LIST = $(sort $(wildcard *.[h]))	31	H_FILE_LIST = $(sort $(wildcard *.[h]))
31	C_FILE_LIST = $(sort $(wildcard *.c))	32	C_FILE_LIST = $(sort $(wildcard *.c))
@@ -35,7 +36,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
35	CFLAGS = @CFLAGS@	36	CFLAGS = @CFLAGS@
36	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)	37	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
37	CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'	38	CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
38	MANFLAGS = $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)	39	MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
39	CFLAGS += $(MANFLAGS)	40	CFLAGS += $(MANFLAGS)
40	CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security	41	CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
41	LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread	42	LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b251f8191..639b171cd 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
42	firejail {\-? \| \-\-debug-caps \| \-\-debug-errnos \| \-\-debug-syscalls \| \-\-debug-syscalls32 \| \-\-debug-protocols \| \-\-help \| \-\-version}	42	firejail {\-? \| \-\-debug-caps \| \-\-debug-errnos \| \-\-debug-syscalls \| \-\-debug-syscalls32 \| \-\-debug-protocols \| \-\-help \| \-\-version}
43	.RE	43	.RE
44	.SH DESCRIPTION	44	.SH DESCRIPTION
		45	#ifdef HAVE_LTS
		46	This is Firejail long-term support (LTS), an enterprise focused version of the software,
		47	LTS is usually supported for two or three years.
		48	During this time only bugs and the occasional documentation problems are fixed.
		49	The attack surface of the SUID executable was greatly reduced by removing some of the features.
		50	.br
		51
		52	.br
		53	#endif
45	Firejail is a SUID sandbox program that reduces the risk of security breaches by	54	Firejail is a SUID sandbox program that reduces the risk of security breaches by
46	restricting the running environment of untrusted applications using Linux	55	restricting the running environment of untrusted applications using Linux
47	namespaces, seccomp-bpf and Linux capabilities.	56	namespaces, seccomp-bpf and Linux capabilities.