authorLibravatar rusty-snake <41237666+rusty-snake@users.noreply.github.com>2021-03-01 12:40:02 +0100
committerLibravatar rusty-snake <41237666+rusty-snake@users.noreply.github.com>2021-03-01 12:40:02 +0100
commitb02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e (patch)
treee50efc1e1dcb77e7b250fab9b0a50ca4b2082acf
parentfixes (diff)
Add ./configure --enable-force-nonewprivs
This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
-rwxr-xr-xconfigure18
-rw-r--r--configure.ac9
-rw-r--r--src/common.mk.in3
-rw-r--r--src/firejail/checkcfg.c8
-rw-r--r--src/firejail/sandbox.c7
5 files changed, 43 insertions, 2 deletions
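diff --git a/configure b/configure
index 952f7af9b..7ef95075e 100755
--- a/configure
+++ b/configure
@@ -628,6 +628,7 @@ EGREP
 GREP
 CPP
 HAVE_LTS
+HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
@@ -731,6 +732,7 @@ enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
 enable_contrib_install
+enable_force_nonewprivs
 enable_lts
 '
 ac_precious_vars='build_alias
@@ -1391,6 +1393,8 @@ Optional Features:
   --enable-gcov           Gcov instrumentation
   --enable-contrib-install
                           install contrib scripts
+  --enable-force-nonewprivs
+                          enable force nonewprivs
   --enable-lts            enable long-term support software version (LTS)
 
 Some influential environment variables:
@@ -3825,6 +3829,19 @@ else
 fi
 
 
+HAVE_FORCE_NONEWPRIVS=""
+# Check whether --enable-force-nonewprivs was given.
+if test "${enable_force_nonewprivs+set}" = set; then :
+  enableval=$enable_force_nonewprivs;
+fi
+
+if test "x$enable_force_nonewprivs" = "xyes"; then :
+
+  HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+
+
+fi
+
 HAVE_LTS=""
 # Check whether --enable-lts was given.
 if test "${enable_lts+set}" = set; then :
@@ -5573,6 +5590,7 @@ echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
 echo " Install as a SUID executable: $HAVE_SUID"
 echo " LTS: $HAVE_LTS"
+echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
 
 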
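diff --git a/configure.ac b/configure.ac
index 449b8b436..2654a2699 100644
--- a/configure.ac
+++ b/configure.ac
@@ -228,6 +228,14 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
 )
 AC_SUBST(HAVE_CONTRIB_INSTALL)
 
+HAVE_FORCE_NONEWPRIVS=""
+AC_ARG_ENABLE([force-nonewprivs],
+	AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs]))
+AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
+	HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+	AC_SUBST(HAVE_FORCE_NONEWPRIVS)
+])
+
 HAVE_LTS=""
 AC_ARG_ENABLE([lts],
 	AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
@@ -330,6 +338,7 @@ echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
 echo " Install as a SUID executable: $HAVE_SUID"
 echo " LTS: $HAVE_LTS"
+echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
 
 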
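Review bot: `AC_SUBST(HAVE_FORCE_NONEWPRIVS)` is placed inside the `AS_IF` body, unlike `AC_SUBST(HAVE_CONTRIB_INSTALL)` at the top of the hunk, so it reads as if the substitution were conditional on the option being given. AC_SUBST is expanded at autoconf time, and the generated configure in this commit lists the variable unconditionally, so the build is not broken, but moving the line after the closing `])` keeps the block consistent with its neighbours and avoids the misreading. The help string `[enable force nonewprivs]` also says less than the commit description; `[always enforce nonewprivs, caps.drop all and nogroups]` would tell the packager what the switch actually does, and the same wording could replace "Always enforce filters" in the summary echo at the end of the section.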
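diff --git a/src/common.mk.in b/src/common.mk.in
index eae4138c0..a3df4abb6 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -27,6 +27,7 @@ HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -36,7 +37,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread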
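Review bot: `$(HAVE_FORCE_NONEWPRIVS)` is appended to `MANFLAGS`, which by its name appears to feed the man page preprocessor as well as CFLAGS, yet no man page source in this commit uses the new define, so users of a forced build have no documented way to learn that every sandbox runs with nonewprivs, caps.drop all and nogroups regardless of profile. If MANFLAGS does reach the man pages, a short `#ifdef HAVE_FORCE_NONEWPRIVS` paragraph in the firejail man page saying exactly that, or a line in the configure summary that points at it, would close the gap; if it does not, `CFLAGS` is the more honest place for the flag.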
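diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 9d327933f..a277e76d9 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -388,4 +388,12 @@ void print_compiletime_support(void) {
 		"disabled"
 #endif
 	);
+
+	printf("\t- Always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
+		"enabled"
+#else
+		"disabled"
+#endif
+	);
 }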
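Review bot: The runtime label `Always force nonewprivs support` names only nonewprivs, while the commit description says the option also forces caps.drop all and nogroups, and the configure summary in the same commit calls the feature "Always enforce filters"; a user comparing `firejail --version` output with their build configuration gets two different names for one switch. One wording in both places, for example `printf("\t- Always enforce filters (nonewprivs, caps.drop all, nogroups) support is %s\n",`, would make the build-time hardening discoverable from either side. print_compiletime_support starts outside the hunk.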
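diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ff5f4cb1e..e320e77f9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -795,11 +795,16 @@ int sandbox(void* sandbox_arg) {
 		exit(rv);
 	}
 
+#ifdef HAVE_FORCE_NONEWPRIVS
+	bool always_enforce_filters = true;
+#else
+	bool always_enforce_filters = false;
+#endif
 	// need ld.so.preload if tracing or seccomp with any non-default lists
 	bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
 	// for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
 	// and drop all capabilities
-	if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+	if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
 		enforce_filters();
 		need_preload = arg_trace || arg_tracelog;
 	}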
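Review bot: The forced enforcement is still gated by `getuid() != 0` on the rewritten `if` line, so a build with HAVE_FORCE_NONEWPRIVS does not apply nonewprivs, caps.drop all and nogroups when firejail is started as root, which contradicts the "always" in the commit description. If the root exemption is intended (it already applies to --appimage, --chroot and --overlay), say so beside the flag, e.g. `// HAVE_FORCE_NONEWPRIVS: build-time hardening; like --chroot/--overlay it is skipped for root sandboxes`; if not, the condition should read `if (always_enforce_filters || (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay))) {`. The same branch also recomputes `need_preload` without `arg_seccomp_postexec`, so in a forced build that preload path is never taken for non-root runs; that looks like an inherited side effect rather than a design choice and is worth confirming. The enclosing function sandbox() starts and ends outside the hunk.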