diff options
author | netblue30 <netblue30@yahoo.com> | 2017-02-05 11:50:04 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-02-05 11:50:04 -0500 |
commit | d17ce1322e6e42ca905393545db03a13570da1b0 (patch) | |
tree | 86b598adb3ac57adafe55a62996b9e37325a1eec | |
parent | enable strict seccomp filter on overlay options (diff) | |
download | firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.gz firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.zst firejail-d17ce1322e6e42ca905393545db03a13570da1b0.zip |
disable --git-install at compile time
-rwxr-xr-x | configure | 16 | ||||
-rw-r--r-- | configure.ac | 8 | ||||
-rw-r--r-- | src/firejail/Makefile.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/fs.c | 52 | ||||
-rw-r--r-- | src/firejail/git.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 |
8 files changed, 42 insertions, 53 deletions
@@ -625,6 +625,7 @@ ac_includes_default="\ | |||
625 | ac_subst_vars='LTLIBOBJS | 625 | ac_subst_vars='LTLIBOBJS |
626 | LIBOBJS | 626 | LIBOBJS |
627 | HAVE_SECCOMP_H | 627 | HAVE_SECCOMP_H |
628 | HAVE_GIT_INSTALL | ||
628 | HAVE_GCOV | 629 | HAVE_GCOV |
629 | BUSYBOX_WORKAROUND | 630 | BUSYBOX_WORKAROUND |
630 | HAVE_FATAL_WARNINGS | 631 | HAVE_FATAL_WARNINGS |
@@ -711,6 +712,7 @@ enable_whitelist | |||
711 | enable_fatal_warnings | 712 | enable_fatal_warnings |
712 | enable_busybox_workaround | 713 | enable_busybox_workaround |
713 | enable_gcov | 714 | enable_gcov |
715 | enable_git_install | ||
714 | ' | 716 | ' |
715 | ac_precious_vars='build_alias | 717 | ac_precious_vars='build_alias |
716 | host_alias | 718 | host_alias |
@@ -1349,6 +1351,7 @@ Optional Features: | |||
1349 | --enable-busybox-workaround | 1351 | --enable-busybox-workaround |
1350 | enable busybox workaround | 1352 | enable busybox workaround |
1351 | --enable-gcov Gcov instrumentation | 1353 | --enable-gcov Gcov instrumentation |
1354 | --disable-git-install disable git install feature | ||
1352 | 1355 | ||
1353 | Some influential environment variables: | 1356 | Some influential environment variables: |
1354 | CC C compiler command | 1357 | CC C compiler command |
@@ -3710,6 +3713,18 @@ if test "x$enable_gcov" = "xyes"; then : | |||
3710 | 3713 | ||
3711 | fi | 3714 | fi |
3712 | 3715 | ||
3716 | HAVE_GIT_INSTALL="" | ||
3717 | # Check whether --enable-git-install was given. | ||
3718 | if test "${enable_git_install+set}" = set; then : | ||
3719 | enableval=$enable_git_install; | ||
3720 | fi | ||
3721 | |||
3722 | if test "x$enable_git_install" != "xno"; then : | ||
3723 | |||
3724 | HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" | ||
3725 | |||
3726 | |||
3727 | fi | ||
3713 | 3728 | ||
3714 | 3729 | ||
3715 | # checking pthread library | 3730 | # checking pthread library |
@@ -4971,6 +4986,7 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
4971 | echo " private home support: $HAVE_PRIVATE_HOME" | 4986 | echo " private home support: $HAVE_PRIVATE_HOME" |
4972 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4987 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4973 | echo " overlayfs support: $HAVE_OVERLAYFS" | 4988 | echo " overlayfs support: $HAVE_OVERLAYFS" |
4989 | echo " git install support: $HAVE_GIT_INSTALL" | ||
4974 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 4990 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
4975 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 4991 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
4976 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4992 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
diff --git a/configure.ac b/configure.ac index f3076f2f8..252f82cde 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -145,6 +145,13 @@ AS_IF([test "x$enable_gcov" = "xyes"], [ | |||
145 | AC_SUBST(HAVE_GCOV) | 145 | AC_SUBST(HAVE_GCOV) |
146 | ]) | 146 | ]) |
147 | 147 | ||
148 | HAVE_GIT_INSTALL="" | ||
149 | AC_ARG_ENABLE([git-install], | ||
150 | AS_HELP_STRING([--disable-git-install], [disable git install feature])) | ||
151 | AS_IF([test "x$enable_git_install" != "xno"], [ | ||
152 | HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" | ||
153 | AC_SUBST(HAVE_GIT_INSTALL) | ||
154 | ]) | ||
148 | 155 | ||
149 | 156 | ||
150 | # checking pthread library | 157 | # checking pthread library |
@@ -179,6 +186,7 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
179 | echo " private home support: $HAVE_PRIVATE_HOME" | 186 | echo " private home support: $HAVE_PRIVATE_HOME" |
180 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 187 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
181 | echo " overlayfs support: $HAVE_OVERLAYFS" | 188 | echo " overlayfs support: $HAVE_OVERLAYFS" |
189 | echo " git install support: $HAVE_GIT_INSTALL" | ||
182 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 190 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
183 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 191 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
184 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 192 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 6e5071925..80f35ff4d 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -22,13 +22,14 @@ HAVE_APPARMOR=@HAVE_APPARMOR@ | |||
22 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | 22 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ |
23 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | 23 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ |
24 | HAVE_GCOV=@HAVE_GCOV@ | 24 | HAVE_GCOV=@HAVE_GCOV@ |
25 | HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | 26 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ |
26 | 27 | ||
27 | H_FILE_LIST = $(sort $(wildcard *.[h])) | 28 | H_FILE_LIST = $(sort $(wildcard *.[h])) |
28 | C_FILE_LIST = $(sort $(wildcard *.c)) | 29 | C_FILE_LIST = $(sort $(wildcard *.c)) |
29 | OBJS = $(C_FILE_LIST:.c=.o) | 30 | OBJS = $(C_FILE_LIST:.c=.o) |
30 | BINOBJS = $(foreach file, $(OBJS), $file) | 31 | BINOBJS = $(foreach file, $(OBJS), $file) |
31 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 32 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
32 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 33 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
33 | 34 | ||
34 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h | 35 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index c3eedc510..73fa6e46b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -351,6 +351,13 @@ void print_compiletime_support(void) { | |||
351 | #endif | 351 | #endif |
352 | ); | 352 | ); |
353 | 353 | ||
354 | printf("\t- git install support is %s\n", | ||
355 | #ifdef HAVE_GIT_INSTALL | ||
356 | "enabled" | ||
357 | #else | ||
358 | "disabled" | ||
359 | #endif | ||
360 | ); | ||
354 | 361 | ||
355 | #ifdef HAVE_NETWORK_RESTRICTED | 362 | #ifdef HAVE_NETWORK_RESTRICTED |
356 | printf("\t- networking features are available only to root user\n"); | 363 | printf("\t- networking features are available only to root user\n"); |
@@ -395,4 +402,5 @@ void print_compiletime_support(void) { | |||
395 | "disabled" | 402 | "disabled" |
396 | #endif | 403 | #endif |
397 | ); | 404 | ); |
405 | |||
398 | } | 406 | } |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 69b9d77bc..2a2e97419 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -572,58 +572,6 @@ void fs_proc_sys_dev_boot(void) { | |||
572 | } | 572 | } |
573 | free(fname); | 573 | free(fname); |
574 | 574 | ||
575 | // todo: investigate | ||
576 | #if 0 | ||
577 | // breaks too many applications, option needed | ||
578 | /* // disable /run/user/{uid}/bus */ | ||
579 | /* char *fnamebus; */ | ||
580 | /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ | ||
581 | /* errExit("asprintf"); */ | ||
582 | /* if (stat(fnamebus, &s) == 0) */ | ||
583 | /* disable_file(BLACKLIST_FILE, fnamebus); */ | ||
584 | /* free(fnamebus); */ | ||
585 | |||
586 | // WARNING: not working | ||
587 | // disable /run/user/{uid}/kdeinit* | ||
588 | //char *fnamekde; | ||
589 | //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1) | ||
590 | // errExit("asprintf"); | ||
591 | //if (stat(fnamekde, &s) == 0) | ||
592 | // disable_file(BLACKLIST_FILE, fnamekde); | ||
593 | //free(fnamekde); | ||
594 | |||
595 | |||
596 | // disable /run/user/{uid}/pulse | ||
597 | /* char *fnamepulse; */ | ||
598 | /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */ | ||
599 | /* errExit("asprintf"); */ | ||
600 | /* if (stat(fnamepulse, &s) == 0) */ | ||
601 | /* disable_file(BLACKLIST_FILE, fnamepulse); */ | ||
602 | /* free(fnamepulse); */ | ||
603 | |||
604 | // disable /run/user/{uid}/dconf | ||
605 | /* char *fnamedconf; */ | ||
606 | /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */ | ||
607 | /* errExit("asprintf"); */ | ||
608 | /* if (stat(fnamedconf, &s) == 0) */ | ||
609 | /* disable_file(BLACKLIST_FILE, fnamedconf); */ | ||
610 | /* free(fnamedconf); */ | ||
611 | |||
612 | |||
613 | // dirs in /run/user/{uid}/ | ||
614 | // using gnome: | ||
615 | // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd | ||
616 | |||
617 | // using kde: | ||
618 | // kdeinit__0, ... | ||
619 | |||
620 | // more files with sockets to be blacklisted | ||
621 | // /run/dbus /run/systemd /run/udev /run/lvm | ||
622 | |||
623 | // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications | ||
624 | |||
625 | #endif | ||
626 | |||
627 | if (getuid() != 0) { | 575 | if (getuid() != 0) { |
628 | // disable /dev/kmsg and /proc/kmsg | 576 | // disable /dev/kmsg and /proc/kmsg |
629 | disable_file(BLACKLIST_FILE, "/dev/kmsg"); | 577 | disable_file(BLACKLIST_FILE, "/dev/kmsg"); |
diff --git a/src/firejail/git.c b/src/firejail/git.c index 1cfbb1bf4..b67339c8b 100644 --- a/src/firejail/git.c +++ b/src/firejail/git.c | |||
@@ -17,6 +17,9 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | |||
21 | #ifdef HAVE_GIT_INSTALL | ||
22 | |||
20 | #include "firejail.h" | 23 | #include "firejail.h" |
21 | #include <sys/utsname.h> | 24 | #include <sys/utsname.h> |
22 | #include <sched.h> | 25 | #include <sched.h> |
@@ -84,3 +87,4 @@ void git_uninstall(void) { | |||
84 | exit(0); | 87 | exit(0); |
85 | } | 88 | } |
86 | 89 | ||
90 | #endif // HAVE_GIT_INSTALL | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index ee89a7281..0d4cf2595 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -846,11 +846,13 @@ int main(int argc, char **argv) { | |||
846 | EUID_INIT(); | 846 | EUID_INIT(); |
847 | EUID_USER(); | 847 | EUID_USER(); |
848 | 848 | ||
849 | #ifdef HAVE_GIT_INSTALL | ||
849 | // process git-install and git-uninstall | 850 | // process git-install and git-uninstall |
850 | if (check_arg(argc, argv, "--git-install")) | 851 | if (check_arg(argc, argv, "--git-install")) |
851 | git_install(); // this function will not return | 852 | git_install(); // this function will not return |
852 | if (check_arg(argc, argv, "--git-uninstall")) | 853 | if (check_arg(argc, argv, "--git-uninstall")) |
853 | git_uninstall(); // this function will not return | 854 | git_uninstall(); // this function will not return |
855 | #endif | ||
854 | 856 | ||
855 | // check argv[0] symlink wrapper if this is not a login shell | 857 | // check argv[0] symlink wrapper if this is not a login shell |
856 | if (*argv[0] != '-') | 858 | if (*argv[0] != '-') |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index b9fff2011..dc8fcdfef 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -76,9 +76,11 @@ void usage(void) { | |||
76 | printf(" --env=name=value - set environment variable.\n"); | 76 | printf(" --env=name=value - set environment variable.\n"); |
77 | printf(" --fs.print=name|pid - print the filesystem log.\n"); | 77 | printf(" --fs.print=name|pid - print the filesystem log.\n"); |
78 | printf(" --get=name|pid filename - get a file from sandbox container.\n"); | 78 | printf(" --get=name|pid filename - get a file from sandbox container.\n"); |
79 | #ifdef HAVE_GIT_INSTALL | ||
79 | printf(" --git-install - download, compile and install mainline git version\n"); | 80 | printf(" --git-install - download, compile and install mainline git version\n"); |
80 | printf("\tof Firejail.\n"); | 81 | printf("\tof Firejail.\n"); |
81 | printf(" --git-uninstall - uninstall mainline git version of Firejail\n"); | 82 | printf(" --git-uninstall - uninstall mainline git version of Firejail\n"); |
83 | #endif | ||
82 | printf(" --help, -? - this help screen.\n"); | 84 | printf(" --help, -? - this help screen.\n"); |
83 | printf(" --hostname=name - set sandbox hostname.\n"); | 85 | printf(" --hostname=name - set sandbox hostname.\n"); |
84 | printf(" --hosts-file=file - use file as /etc/hosts.\n"); | 86 | printf(" --hosts-file=file - use file as /etc/hosts.\n"); |