author | Dmitry Chestnykh <d.chestnyh@omp.ru> | 2022-02-25 10:33:58 +0300 |
---|---|---|
committer | Dmitry Chestnyh <d.chestnyh@omp.ru> | 2022-02-28 23:26:36 +0300 |
commit | c238147fc1728bbd3479dd059049b4cfce54c7b8 (patch) | |
tree | 3b424cbcadc1ec2f67565f7b364a5ce96b993983 | |
parent | RELNOTES: add bugfix/ci/docs (diff) | |
Add ability to disable user profiles at compile time.
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firecfg/desktop_files.c | 9 | ||||
-rw-r--r-- | src/firejail/fs.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 |
6 files changed, 44 insertions, 1 deletions
@@ -628,6 +628,7 @@ EGREP | |||
628 | GREP | 628 | GREP |
629 | CPP | 629 | CPP |
630 | HAVE_LTS | 630 | HAVE_LTS |
631 | HAVE_ONLY_SYSCFG_PROFILES | ||
631 | HAVE_FORCE_NONEWPRIVS | 632 | HAVE_FORCE_NONEWPRIVS |
632 | HAVE_CONTRIB_INSTALL | 633 | HAVE_CONTRIB_INSTALL |
633 | HAVE_GCOV | 634 | HAVE_GCOV |
@@ -732,6 +733,7 @@ enable_busybox_workaround | |||
732 | enable_gcov | 733 | enable_gcov |
733 | enable_contrib_install | 734 | enable_contrib_install |
734 | enable_force_nonewprivs | 735 | enable_force_nonewprivs |
736 | enable_only_syscfg_profiles | ||
735 | enable_lts | 737 | enable_lts |
736 | ' | 738 | ' |
737 | ac_precious_vars='build_alias | 739 | ac_precious_vars='build_alias |
@@ -1395,6 +1397,8 @@ Optional Features: | |||
1395 | install contrib scripts | 1397 | install contrib scripts |
1396 | --enable-force-nonewprivs | 1398 | --enable-force-nonewprivs |
1397 | enable force nonewprivs | 1399 | enable force nonewprivs |
1400 | --enable-only-syscfg-profiles | ||
1401 | disable profiles in $HOME/.config/firejail | ||
1398 | --enable-lts enable long-term support software version (LTS) | 1402 | --enable-lts enable long-term support software version (LTS) |
1399 | 1403 | ||
1400 | Some influential environment variables: | 1404 | Some influential environment variables: |
@@ -3830,6 +3834,19 @@ if test "x$enable_force_nonewprivs" = "xyes"; then : | |||
3830 | 3834 | ||
3831 | fi | 3835 | fi |
3832 | 3836 | ||
3837 | HAVE_ONLY_SYSCFG_PROFILES="" | ||
3838 | |||
3839 | # Check whether --enable-only-syscfg-profiles was given. | ||
3840 | if test "${enable_only_syscfg_profiles+set}" = set; then : | ||
3841 | enableval=$enable_only_syscfg_profiles; | ||
3842 | fi | ||
3843 | |||
3844 | if test "x$enable_only_syscfg_profiles" = "xyes"; then : | ||
3845 | |||
3846 | HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" | ||
3847 | |||
3848 | fi | ||
3849 | |||
3833 | HAVE_LTS="" | 3850 | HAVE_LTS="" |
3834 | 3851 | ||
3835 | # Check whether --enable-lts was given. | 3852 | # Check whether --enable-lts was given. |
@@ -5497,6 +5514,7 @@ Configuration options: | |||
5497 | Install as a SUID executable: $HAVE_SUID | 5514 | Install as a SUID executable: $HAVE_SUID |
5498 | LTS: $HAVE_LTS | 5515 | LTS: $HAVE_LTS |
5499 | Always enforce filters: $HAVE_FORCE_NONEWPRIVS | 5516 | Always enforce filters: $HAVE_FORCE_NONEWPRIVS |
5517 | Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES | ||
5500 | 5518 | ||
5501 | EOF | 5519 | EOF |
5502 | 5520 | ||
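--- a/configure.ac
+++ b/configure.ac
@@ -237,6 +237,14 @@ AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
 HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
 ])
 
+HAVE_ONLY_SYSCFG_PROFILES=""
+AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
+AC_ARG_ENABLE([only-syscfg-profiles],
+[AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
+AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
+HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
+])
+
 HAVE_LTS=""
 AC_SUBST([HAVE_LTS])
 AC_ARG_ENABLE([lts],
@@ -305,6 +313,7 @@ Configuration options:
 Install as a SUID executable: $HAVE_SUID
 LTS: $HAVE_LTS
 Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
 
 EOF
 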
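--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -28,6 +28,7 @@ HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
 HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
+HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
 
 H_FILE_LIST = $(sort $(wildcard *.h))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -37,7 +38,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now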
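Review bot: `$(HAVE_ONLY_SYSCFG_PROFILES)` is appended to MANFLAGS, yet none of the six files in this commit is a man page or README, so the documentation would presumably still describe profiles in ~/.config/firejail on builds that ignore them. If MANFLAGS feeds man-page preprocessing as its name suggests, a conditional paragraph keyed on `HAVE_ONLY_SYSCFG_PROFILES` in the man page source would tell administrators and users that only the system directory is searched. Without it the flag reaches the man build but changes nothing there.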
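--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -24,11 +24,16 @@
 static int check_profile(const char *name, const char *homedir) {
 // build profile name
 char *profname1;
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
 char *profname2;
+#endif
 if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1)
 errExit("asprintf");
+
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
 if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1)
 errExit("asprintf");
+#endif
 
 int rv = 0;
 if (access(profname1, R_OK) == 0) {
@@ -36,14 +41,18 @@ static int check_profile(const char *name, const char *homedir) {
 printf("found %s\n", profname1);
 rv = 1;
 }
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
 else if (access(profname2, R_OK) == 0) {
 if (arg_debug)
 printf("found %s\n", profname2);
 rv = 1;
 }
+#endif
 
 free(profname1);
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
 free(profname2);
+#endif
 return rv;
 }
 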
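Review bot: With HAVE_ONLY_SYSCFG_PROFILES defined, the `homedir` parameter of check_profile is no longer referenced, so a build that combines unused-parameter warnings with fatal warnings may stop on this function. Adding `#else` followed by `(void)homedir;` to the first `#ifndef` block keeps the signature and makes the intent explicit. A one-line comment above the function, such as `// with HAVE_ONLY_SYSCFG_PROFILES only SYSCONFDIR is checked`, would also help, since the four separate `#ifndef` regions make the two variants hard to read at a glance.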
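--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -825,11 +825,13 @@ void fs_proc_sys_dev_boot(void) {
 // disable firejail configuration in ~/.config/firejail
 void disable_config(void) {
 EUID_USER();
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
 char *fname;
 if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
 errExit("asprintf");
 disable_file(BLACKLIST_FILE, fname);
 free(fname);
+#endif
 
 // disable run time information
 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);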
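Review bot: Under HAVE_ONLY_SYSCFG_PROFILES the blacklist of ~/.config/firejail in disable_config is compiled out, so that directory stays reachable from inside the sandbox. That is only safe if nothing in such a build reads from it: this commit gates profile_find_firejail and firecfg's check_profile, but any other reader (none is visible here), or a later rebuild without the flag, would consume files a sandboxed process could have written. Keeping the blacklist unconditional looks like the more conservative choice. If the skip is intended, the comment above the function is stale for this configuration and a line such as `// user profiles are compiled out; ~/.config/firejail is not read` would record the reasoning. The function body continues past the end of the hunk.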
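--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -72,6 +72,7 @@ static int profile_find(const char *name, const char *dir, int add_ext) {
 // search and read the profile specified by name from firejail directories
 // return 1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
 // look for a profile in ~/.config/firejail directory
 char *usercfgdir;
 if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
@@ -84,6 +85,9 @@ int profile_find_firejail(const char *name, int add_ext) {
 rv = profile_find(name, SYSCONFDIR, add_ext);
 
 return rv;
+#else
+return profile_find(name, SYSCONFDIR, add_ext);
+#endif
 }
 
 //***************************************************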
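Review bot: The `#else` branch removes ~/.config/firejail only from the name-based search in profile_find_firejail; a profile supplied as an explicit path, or an include resolved by other code, could still load a user-writable file if it does not pass through this function, which these hunks do not show. If the option is meant as a hardening guarantee, the other profile entry points should be checked and the scope stated above the function, e.g. `// with HAVE_ONLY_SYSCFG_PROFILES only SYSCONFDIR is searched by name`. As a style point, the duplicated `return profile_find(name, SYSCONFDIR, add_ext);` could be avoided by guarding just the user-directory lookup and sharing the existing tail. The middle of the function lies between the two hunks and is not visible.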