author | netblue30 <netblue30@yahoo.com> | 2016-08-20 07:54:20 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-20 07:54:20 -0400 |
commit | ccf7230e0b4e74d21ba9030793b4486250d30507 (patch) | |
tree | f260e93febf31c5183dbd1b8e991dbad5e4f7016 | |
parent | small fixes for command args (diff) | |
compile-time config option for overlayfs
-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/firejail/Makefile.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/fs.c | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/x11.c | 22 | ||||
-rw-r--r-- | src/lib/common.c | 2 | ||||
-rwxr-xr-x | test/dist-compile/compile.sh | 39 |
10 files changed, 80 insertions, 29 deletions
@@ -636,6 +636,7 @@ HAVE_GLOBALCFG | |||
636 | HAVE_BIND | 636 | HAVE_BIND |
637 | HAVE_CHROOT | 637 | HAVE_CHROOT |
638 | HAVE_SECCOMP | 638 | HAVE_SECCOMP |
639 | HAVE_OVERLAYFS | ||
639 | EXTRA_LDFLAGS | 640 | EXTRA_LDFLAGS |
640 | EGREP | 641 | EGREP |
641 | GREP | 642 | GREP |
@@ -694,6 +695,7 @@ ac_subst_files='' | |||
694 | ac_user_opts=' | 695 | ac_user_opts=' |
695 | enable_option_checking | 696 | enable_option_checking |
696 | enable_apparmor | 697 | enable_apparmor |
698 | enable_overlayfs | ||
697 | enable_seccomp | 699 | enable_seccomp |
698 | enable_chroot | 700 | enable_chroot |
699 | enable_bind | 701 | enable_bind |
@@ -1325,6 +1327,7 @@ Optional Features: | |||
1325 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) | 1327 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) |
1326 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1328 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1327 | --enable-apparmor enable apparmor | 1329 | --enable-apparmor enable apparmor |
1330 | --disable-overlayfs disable overlayfs | ||
1328 | --disable-seccomp disable seccomp | 1331 | --disable-seccomp disable seccomp |
1329 | --disable-chroot disable chroot | 1332 | --disable-chroot disable chroot |
1330 | --disable-bind disable bind | 1333 | --disable-bind disable bind |
@@ -3511,6 +3514,19 @@ if test "x$enable_apparmor" = "xyes"; then : | |||
3511 | fi | 3514 | fi |
3512 | 3515 | ||
3513 | 3516 | ||
3517 | HAVE_OVERLAYFS="" | ||
3518 | # Check whether --enable-overlayfs was given. | ||
3519 | if test "${enable_overlayfs+set}" = set; then : | ||
3520 | enableval=$enable_overlayfs; | ||
3521 | fi | ||
3522 | |||
3523 | if test "x$enable_overlayfs" != "xno"; then : | ||
3524 | |||
3525 | HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" | ||
3526 | |||
3527 | |||
3528 | fi | ||
3529 | |||
3514 | HAVE_SECCOMP="" | 3530 | HAVE_SECCOMP="" |
3515 | # Check whether --enable-seccomp was given. | 3531 | # Check whether --enable-seccomp was given. |
3516 | if test "${enable_seccomp+set}" = set; then : | 3532 | if test "${enable_seccomp+set}" = set; then : |
@@ -4922,6 +4938,7 @@ echo " user namespace: $HAVE_USERNS" | |||
4922 | echo " X11 sandboxing support: $HAVE_X11" | 4938 | echo " X11 sandboxing support: $HAVE_X11" |
4923 | echo " whitelisting: $HAVE_WHITELIST" | 4939 | echo " whitelisting: $HAVE_WHITELIST" |
4924 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4940 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4941 | echo " overlayfs support: $HAVE_OVERLAYFS" | ||
4925 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4942 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4926 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 4943 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
4927 | printf " uid_min: "; grep UID_MIN uids.h | 4944 | printf " uid_min: "; grep UID_MIN uids.h |
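--- a/configure.ac
+++ b/configure.ac
@@ -30,6 +30,14 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [
 ])
 AC_SUBST([EXTRA_LDFLAGS])
 
+HAVE_OVERLAYFS=""
+AC_ARG_ENABLE([overlayfs],
+AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+AS_IF([test "x$enable_overlayfs" != "xno"], [
+HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+AC_SUBST(HAVE_OVERLAYFS)
+])
+
 HAVE_SECCOMP=""
 AC_ARG_ENABLE([seccomp],
 AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
@@ -156,6 +164,7 @@ echo " user namespace: $HAVE_USERNS"
 echo " X11 sandboxing support: $HAVE_X11"
 echo " whitelisting: $HAVE_WHITELIST"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
+echo " overlayfs support: $HAVE_OVERLAYFS"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"
 printf " uid_min: "; grep UID_MIN uids.h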
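--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -19,13 +19,14 @@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
 HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h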
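--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -272,6 +272,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- overlayfs support is %s\n",
+#ifdef HAVE_OVERLAYFS
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- file and directory whitelisting support is %s\n",
 #ifdef HAVE_WHITELIST
 "enabled"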
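--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -815,6 +815,7 @@ void fs_basic_fs(void) {
 
 
 
+#ifdef HAVE_OVERLAYFS
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
 // create ~/.firejail directory
 struct stat s;
@@ -1121,7 +1122,7 @@ void fs_overlayfs(void) {
 free(oroot);
 free(odiff);
 }
-
+#endif
 
 
 #ifdef HAVE_CHROOT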
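Review bot: The `#endif` added at line 1125 closes an `#ifdef HAVE_OVERLAYFS` opened roughly 300 lines earlier at line 818, with nothing saying which block it ends; label it `#endif // HAVE_OVERLAYFS` so the region reads correctly next to the `#ifdef HAVE_CHROOT` that follows. The header declaring `fs_check_overlay_dir` and `fs_overlayfs` is not in the diffstat, so the prototypes presumably stay visible when the definitions are compiled out; that is harmless for linking only as long as every caller is guarded, as the ones in main.c and sandbox.c are in this commit, so a guard on the declarations too would turn a future unguarded call into a compile error instead of a link error. Both fs_check_overlay_dir and fs_overlayfs extend beyond the hunks shown.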
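--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -264,6 +264,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 printf("\n");
 exit(0);
 }
+#ifdef HAVE_OVERLAYFS
 else if (strcmp(argv[i], "--overlay-clean") == 0) {
 char *path;
 if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
@@ -281,6 +282,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 }
 exit(0);
 }
+#endif
 #ifdef HAVE_X11
 else if (strcmp(argv[i], "--x11") == 0) {
 if (checkcfg(CFG_X11)) {
@@ -1279,6 +1281,7 @@ int main(int argc, char **argv) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
+#ifdef HAVE_OVERLAYFS
 else if (strcmp(argv[i], "--overlay") == 0) {
 if (cfg.chrootdir) {
 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
@@ -1353,6 +1356,7 @@ int main(int argc, char **argv) {
 }
 arg_overlay = 1;
 }
+#endif
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
 if (arg_noprofile) {
 fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");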
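Review bot: The `--overlay` and `--overlay-clean` handlers are now compiled out, but the diffstat shows no change to the usage text or man page, so a build configured with `--disable-overlayfs` presumably still advertises options the binary rejects; guard the corresponding help entries with the same `#ifdef HAVE_OVERLAYFS` so the help output matches what print_compiletime_support() reports. The `--overlay` handler between new lines 1285 and 1358 is only partly visible here, so any other overlay variants parsed in that stretch are covered by the new guard only if they sit inside it — worth confirming. Both run_cmd_and_exit and main begin and end outside the hunks shown.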
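--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -500,9 +500,11 @@ int sandbox(void* sandbox_arg) {
 }
 else
 #endif
+#ifdef HAVE_OVERLAYFS
 if (arg_overlay)
 fs_overlayfs();
 else
+#endif
 fs_basic_fs();
 
 //****************************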
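--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -26,6 +26,7 @@
 #include <stdlib.h>
 #include <dirent.h>
 #include <sys/mount.h>
+#include <sys/wait.h>
 
 #ifdef HAVE_X11
 // return 1 if xpra is installed on the system
@@ -163,7 +164,7 @@ void fs_x11(void) {
 //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox
 void x11_start_xephyr(int argc, char **argv) {
 EUID_ASSERT();
-size_t i;
+int i;
 struct stat s;
 pid_t jail = 0;
 pid_t server = 0;
@@ -204,12 +205,12 @@ void x11_start_xephyr(int argc, char **argv) {
 // parse xephyr_extra_params
 // very basic quoting support
 char *temp = strdup(xephyr_extra_params);
-if (xephyr_extra_params != "") {
+if (*xephyr_extra_params != '\0') {
 if (!temp)
 errExit("strdup");
 bool dquote = false;
 bool squote = false;
-for (i = 0; i < strlen(xephyr_extra_params); i++) {
+for (i = 0; i < (int) strlen(xephyr_extra_params); i++) {
 if (temp[i] == '\"') {
 dquote = !dquote;
 if (dquote) temp[i] = '\0'; // replace closing quote by \0
@@ -229,7 +230,7 @@ void x11_start_xephyr(int argc, char **argv) {
 exit(1);
 }
 
-for (i = 0; i < strlen(xephyr_extra_params)-1; i++) {
+for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) {
 if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) {
 fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n");
 exit(1);
@@ -257,7 +258,7 @@ void x11_start_xephyr(int argc, char **argv) {
 
 // remove --x11 arg
 char *jail_argv[argc+2];
-size_t j = 0;
+int j = 0;
 for (i = 0; i < argc; i++) {
 if (strcmp(argv[i], "--x11") == 0)
 continue;
@@ -359,7 +360,7 @@ void x11_start_xephyr(int argc, char **argv) {
 
 void x11_start_xpra(int argc, char **argv) {
 EUID_ASSERT();
-size_t i;
+int i;
 struct stat s;
 pid_t client = 0;
 pid_t server = 0;
@@ -464,7 +465,7 @@ void x11_start_xpra(int argc, char **argv) {
 
 // build jail command
 char *firejail_argv[argc+2];
-unsigned pos = 0;
+int pos = 0;
 for (i = 0; i < argc; i++) {
 if (strcmp(argv[i], "--x11") == 0)
 continue;
@@ -477,7 +478,7 @@ void x11_start_xpra(int argc, char **argv) {
 }
 firejail_argv[pos] = NULL;
 
-assert(pos < argc+2);
+assert(pos < (argc+2));
 assert(!firejail_argv[pos]);
 
 // start jail
@@ -524,12 +525,13 @@ void x11_start_xpra(int argc, char **argv) {
 break;
 }
 
-if (arg_debug)
+if (arg_debug) {
 if (n == 10)
 printf("failed to stop xpra server gratefully\n");
 else
 printf("xpra server successfully stoped in %d secs\n", n);
-
+}
+
 // kill xpra server and xpra client
 kill(client, SIGTERM);
 kill(server, SIGTERM);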
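Review bot: The pointer-versus-literal test replaced at new line 208 is the right fix, but `temp` is still allocated by `strdup` before that check and is tested for NULL only inside the non-empty branch, so on the empty-string path a failed `strdup` leaves `temp` NULL for whatever reads it later outside the hunk; move `if (!temp) errExit("strdup");` directly after the `strdup`, or move the `strdup` inside the branch. Separately, the loop conditions at new lines 213 and 233 call `strlen(xephyr_extra_params)` on every iteration of a string the loop never modifies (only `temp` is written), so hoisting it once, `int len = (int) strlen(xephyr_extra_params);`, keeps this commit's `int` choice and drops the per-iteration scan. x11_start_xephyr starts at line 165 and x11_start_xpra at line 361, but both bodies continue outside the hunks shown.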
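--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -241,7 +241,7 @@ int pid_proc_cmdline_x11(const pid_t pid) {
 i++;
 if (i >= len)
 break;
-char *arg = buffer + i;
+char *arg = (char *)buffer + i;
 
 // detect the last command line option
 if (strcmp(arg, "--") == 0)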
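Review bot: The new `(char *)` cast at line 244 silences a warning without saying what `buffer` actually is: if `buffer` is `const`-qualified the cast discards the qualifier, and `const char *arg = buffer + i;` is the cleaner fix because `strcmp` needs no writable pointer; if `buffer` is `unsigned char`, the cast is a signedness conversion that deserves a short comment such as `// buffer holds raw bytes; compare as text`. `buffer`'s declaration is outside the hunk, so which case applies cannot be confirmed here. pid_proc_cmdline_x11 begins and ends outside the hunk.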
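--- a/test/dist-compile/compile.sh
+++ b/test/dist-compile/compile.sh
@@ -12,7 +12,8 @@ arr[9]="TEST 9: compile file transfer disabled"
 arr[10]="TEST 10: compile disable whitelist"
 arr[11]="TEST 11: compile disable global config"
 arr[12]="TEST 12: compile apparmor"
-arr[12]="TEST 13: compile busybox"
+arr[13]="TEST 13: compile busybox"
+arr[14]="TEST 14: compile overlayfs disabled"
 
 # remove previous reports and output file
 cleanup() {
@@ -52,8 +53,6 @@ cleanup
 # TEST 1
 #*****************************************************************
 # - checkout source code
-# - check compilation
-# - install
 #*****************************************************************
 print_title "${arr[1]}"
 echo "$DIST"
@@ -75,7 +74,6 @@ rm output-configure output-make
 # TEST 2
 #*****************************************************************
 # - disable seccomp configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[2]}"
 # seccomp
@@ -94,7 +92,6 @@ rm output-configure output-make
 # TEST 3
 #*****************************************************************
 # - disable chroot configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[3]}"
 # seccomp
@@ -113,7 +110,6 @@ rm output-configure output-make
 # TEST 4
 #*****************************************************************
 # - disable bind configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[4]}"
 # seccomp
@@ -132,7 +128,6 @@ rm output-configure output-make
 # TEST 5
 #*****************************************************************
 # - disable user namespace configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[5]}"
 # seccomp
@@ -170,7 +165,6 @@ rm output-configure output-make
 # TEST 7
 #*****************************************************************
 # - disable X11 support
-# - check compilation
 #*****************************************************************
 print_title "${arr[7]}"
 # seccomp
@@ -190,7 +184,6 @@ rm output-configure output-make
 # TEST 8
 #*****************************************************************
 # - enable network restricted
-# - check compilation
 #*****************************************************************
 print_title "${arr[8]}"
 # seccomp
@@ -210,7 +203,6 @@ rm output-configure output-make
 # TEST 9
 #*****************************************************************
 # - disable file transfer
-# - check compilation
 #*****************************************************************
 print_title "${arr[9]}"
 # seccomp
@@ -229,7 +221,6 @@ rm output-configure output-make
 # TEST 10
 #*****************************************************************
 # - disable whitelist
-# - check compilation
 #*****************************************************************
 print_title "${arr[10]}"
 # seccomp
@@ -248,7 +239,6 @@ rm output-configure output-make
 # TEST 11
 #*****************************************************************
 # - disable global config
-# - check compilation
 #*****************************************************************
 print_title "${arr[11]}"
 # seccomp
@@ -267,9 +257,8 @@ rm output-configure output-make
 # TEST 12
 #*****************************************************************
 # - enable apparmor
-# - check compilation
 #*****************************************************************
-print_title "${arr[11]}"
+print_title "${arr[12]}"
 # seccomp
 cd firejail
 make distclean
@@ -286,9 +275,8 @@ rm output-configure output-make
 # TEST 13
 #*****************************************************************
 # - enable busybox workaround
-# - check compilation
 #*****************************************************************
-print_title "${arr[11]}"
+print_title "${arr[13]}"
 # seccomp
 cd firejail
 make distclean
@@ -301,6 +289,24 @@ cp output-configure oc13
 cp output-make om13
 rm output-configure output-make
 
+#*****************************************************************
+# TEST 14
+#*****************************************************************
+# - disable overlayfs
+#*****************************************************************
+print_title "${arr[14]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test14
+grep Error output-configure output-make >> ./report-test14
+cp output-configure oc14
+cp output-make om14
+rm output-configure output-make
+
 
 #*****************************************************************
 # PRINT REPORTS
@@ -329,3 +335,4 @@ echo ${arr[10]}
 echo ${arr[11]}
 echo ${arr[12]}
 echo ${arr[13]}
+echo ${arr[14]}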
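Review bot: The `# seccomp` comment at new line 298 of the TEST 14 block is copied from the earlier tests and does not describe this test, which configures with `--disable-overlayfs`; change it to `# overlayfs disabled` (the same stale comment precedes every other test block and could be fixed the same way). The index corrections at lines 15, 261 and 279 are right and make the titles printed for tests 12 and 13 match their reports for the first time. Note that `make -j4 2>&1 | tee ../output-make` reports tee's exit status rather than make's, so the pass/fail signal rests entirely on grepping the logs for Warning and Error; that is the pre-existing pattern, but `set -o pipefail` near the top of the script would make a failed build unmistakable.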