--disable-network --disable-userns compile time options

7 files changed, 111 insertions, 21 deletions

diff --git a/RELNOTES b/RELNOTES
index 4b6cd2dca..e29646086 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,8 @@
-firejail (0.9.38) baseline; urgency=low
+firejail (0.9.37) baseline; urgency=low
   * IPv6 support (--ip6 and --netfilter6)
   * --join command enhancement (--join-network, --join-filesystem)
   * --user command
+  * --disable-network and --disable-userns compile time flags
   * symlink invocation
   * added KMail, Seamonkey, Telegram profiles
   * bugfixes
diff --git a/configure b/configure
index 414c70ccb..ea7812f63 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.38.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.37.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.38'
-PACKAGE_STRING='firejail 0.9.38'
+PACKAGE_VERSION='0.9.37'
+PACKAGE_STRING='firejail 0.9.37'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -629,6 +629,8 @@ EGREP
 GREP
 CPP
 HAVE_FATAL_WARNINGS
+HAVE_USERNS
+HAVE_NETWORK
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
@@ -687,6 +689,8 @@ enable_option_checking
 enable_seccomp
 enable_chroot
 enable_bind
+enable_network
+enable_userns
 enable_fatal_warnings
 '
       ac_precious_vars='build_alias
@@ -1238,7 +1242,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.38 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.37 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1299,7 +1303,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.38:";;
+     short | recursive ) echo "Configuration of firejail 0.9.37:";;
    esac
   cat <<\_ACEOF
 
@@ -1310,6 +1314,8 @@ Optional Features:
   --disable-seccomp       disable seccomp
   --disable-chroot        disable chroot
   --disable-bind          disable bind
+  --disable-network       disable network
+  --disable-userns        disable user namespace
   --enable-fatal-warnings -W -Wall -Werror
 
 Some influential environment variables:
@@ -1389,7 +1395,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.38
+firejail configure 0.9.37
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1691,7 +1697,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.38, which was
+It was created by firejail $as_me 0.9.37, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3087,6 +3093,32 @@ if test "x$enable_bind" != "xno"; then :
 
 fi
 
+HAVE_NETWORK=""
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+
+if test "x$enable_network" != "xno"; then :
+
+        HAVE_NETWORK="-DHAVE_NETWORK"
+
+
+fi
+
+HAVE_USERNS=""
+# Check whether --enable-userns was given.
+if test "${enable_userns+set}" = set; then :
+  enableval=$enable_userns;
+fi
+
+if test "x$enable_userns" != "xno"; then :
+
+        HAVE_USERNS="-DHAVE_USERNS"
+
+
+fi
+
 HAVE_FATAL_WARNINGS=""
 # Check whether --enable-fatal_warnings was given.
 if test "${enable_fatal_warnings+set}" = set; then :
@@ -3100,6 +3132,7 @@ if test "x$enable_fatal_warnings" = "xyes"; then :
 
 fi
 
+
 # checking pthread library
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
@@ -4107,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.38, which was
+This file was extended by firejail $as_me 0.9.37, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4161,7 +4194,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.38
+firejail config.status 0.9.37
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -4742,6 +4775,8 @@ echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
+echo "   network: $HAVE_NETWORK"
+echo "   user namespace: $HAVE_USERNS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
 
diff --git a/configure.ac b/configure.ac
index cc505ef5f..5cd3ef6f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.38, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.37, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
@@ -33,6 +33,22 @@ AS_IF([test "x$enable_bind" != "xno"], [
         AC_SUBST(HAVE_BIND)
 ])
 
+HAVE_NETWORK=""
+AC_ARG_ENABLE([network],
+    AS_HELP_STRING([--disable-network], [disable network]))
+AS_IF([test "x$enable_network" != "xno"], [
+        HAVE_NETWORK="-DHAVE_NETWORK"
+        AC_SUBST(HAVE_NETWORK)
+])
+
+HAVE_USERNS=""
+AC_ARG_ENABLE([userns],
+    AS_HELP_STRING([--disable-userns], [disable user namespace]))
+AS_IF([test "x$enable_userns" != "xno"], [
+        HAVE_USERNS="-DHAVE_USERNS"
+        AC_SUBST(HAVE_USERNS)
+])
+
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
     AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -41,6 +57,7 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
         AC_SUBST(HAVE_FATAL_WARNINGS)
 ])
 
+
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -62,6 +79,8 @@ echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
+echo "   network: $HAVE_NETWORK"
+echo "   user namespace: $HAVE_USERNS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
 
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 87cda9ab2..83a2b0592 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -12,13 +12,15 @@ HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
 
 
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 014ea8cae..2fda8f1ab 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -208,7 +208,7 @@ static void check_network(Bridge *br) {
         }
 }
 
-
+#ifdef HAVE_USERNS
 void check_user_namespace(void) {
         if (getuid() == 0) {
                 fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
@@ -228,6 +228,7 @@ void check_user_namespace(void) {
                 arg_noroot = 0;
         }
 }
+#endif
 
 // exit commands
 static void run_cmd_and_exit(int i, int argc, char **argv) {
@@ -243,6 +244,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 printf("firejail version %s\n", VERSION);
                 exit(0);
         }
+#ifdef HAVE_NETWORK     
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 logargs(argc, argv);
                 
@@ -303,7 +305,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         bandwidth_name(argv[i] + 12, cmd, dev, down, up);
                 exit(0);
         }
-
+#endif
         //*************************************
         // independent commands - the program will exit!
         //*************************************
@@ -382,10 +384,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 top();
                 exit(0);
         }
+#ifdef HAVE_NETWORK     
         else if (strcmp(argv[i], "--netstats") == 0) {
                 netstats();
                 exit(0);
         }
+#endif  
         else if (strncmp(argv[i], "--join=", 7) == 0) {
                 logargs(argc, argv);
                 
@@ -397,6 +401,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);
                 exit(0);
         }
+#ifdef HAVE_NETWORK     
         else if (strncmp(argv[i], "--join-network=", 15) == 0) {
                 logargs(argc, argv);
                 arg_join_network = 1;
@@ -413,6 +418,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);
                 exit(0);
         }
+#endif
         else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) {
                 logargs(argc, argv);
                 arg_join_filesystem = 1;
@@ -962,9 +968,11 @@ int main(int argc, char **argv) {
                 }
                 else if (strcmp(argv[i], "--nogroups") == 0)
                         arg_nogroups = 1;
+#ifdef HAVE_USERNS
                 else if (strcmp(argv[i], "--noroot") == 0) {
                         check_user_namespace();
                 }
+#endif
                 else if (strncmp(argv[i], "--env=", 6) == 0)
                         env_store(argv[i] + 6);
                 else if (strncmp(argv[i], "--nosound", 9) == 0) {
@@ -975,6 +983,7 @@ int main(int argc, char **argv) {
                 //*************************************
                 // network
                 //*************************************
+#ifdef HAVE_NETWORK     
                 else if (strncmp(argv[i], "--interface=", 12) == 0) {
                         // checks
                         if (arg_nonetwork) {
@@ -1164,6 +1173,7 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+#endif          
                 else if (strncmp(argv[i], "--dns=", 6) == 0) {
                         uint32_t dns;
                         if (atoip(argv[i] + 6, &dns)) {
@@ -1182,6 +1192,7 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+#ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netfilter") == 0)
                         arg_netfilter = 1;
                 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
@@ -1194,7 +1205,7 @@ int main(int argc, char **argv) {
                         arg_netfilter6_file = argv[i] + 13;
                         check_netfilter_file(arg_netfilter6_file);
                 }
-
+#endif
                 //*************************************
                 // command
                 //*************************************
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f6b062d2b..2d7b07c6d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -110,7 +110,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
         // seccomp, caps, private, user namespace
         else if (strcmp(ptr, "noroot") == 0) {
+#if HAVE_USERNS
                 check_user_namespace();
+#endif
                 return 0;
         }
         else if (strcmp(ptr, "seccomp") == 0) {
@@ -146,31 +148,39 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "netfilter") == 0) {
+#ifdef HAVE_NETWORK
                 arg_netfilter = 1;
+#endif
                 return 0;
         }
         else if (strncmp(ptr, "netfilter ", 10) == 0) {
+#ifdef HAVE_NETWORK
                 arg_netfilter = 1;
                 arg_netfilter_file = strdup(ptr + 10);
                 if (!arg_netfilter_file)
                         errExit("strdup");
                 check_netfilter_file(arg_netfilter_file);
+#endif
                 return 0;
         }
         else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
+#ifdef HAVE_NETWORK
                 arg_netfilter6 = 1;
                 arg_netfilter6_file = strdup(ptr + 11);
                 if (!arg_netfilter6_file)
                         errExit("strdup");
                 check_netfilter_file(arg_netfilter6_file);
+#endif
                 return 0;
         }
         else if (strcmp(ptr, "net none") == 0) {
+#ifdef HAVE_NETWORK
                 arg_nonetwork  = 1;
                 cfg.bridge0.configured = 0;
                 cfg.bridge1.configured = 0;
                 cfg.bridge2.configured = 0;
                 cfg.bridge3.configured = 0;
+#endif
                 return 0;
         }
         
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d3ebefaae..6a033b922 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,10 +34,12 @@ void usage(void) {
         printf("\n");
         printf("Options:\n\n");
         printf("\t-- - signal the end of options and disables further option processing.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--bandwidth=name - set  bandwidth  limits  for  the sandbox identified\n");
         printf("\t\tby name, see Traffic Shaping section for more details.\n\n");
         printf("\t--bandwidth=pid - set  bandwidth  limits  for  the sandbox identified\n");
         printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
+#endif
 #ifdef HAVE_BIND                
         printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
         printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n");
@@ -81,8 +83,10 @@ void usage(void) {
 
 
 
+#ifdef HAVE_NETWORK     
         printf("\t--defaultgw=address - use this address as default gateway in the new\n");
         printf("\t\tnetwork namespace.\n\n");
+#endif
         printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n");
         printf("\t\tservers can be defined.\n\n");
         printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n");
@@ -99,15 +103,16 @@ void usage(void) {
         printf("\t--help, -? - this help screen.\n\n");
         printf("\t--hostname=name - set sandbox hostname.\n\n");
         printf("\t--ignore=command - ignore command in profile files.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--interface=name - move interface in a new network namespace. Up to\n");
         printf("\t\tfour --interface options can be sepcified.\n\n");
-        
         printf("\t--ip=address - set interface IP address.\n\n");
         printf("\t--ip=none - no IP address and no default gateway address are configured\n");
         printf("\t\tin the new network namespace. Use this option in case you intend\n");
         printf("\t\tto start an external DHCP client in the sandbox.\n\n");
         printf("\t--ip6=address - set interface IPv6 address.\n\n");
         printf("\t--iprange=address,address - configure an IP address in this range\n\n");
+#endif
         printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n");
         printf("\t\tas a regular user. IPC namespace is enabled by default only if\n");
         printf("\t\tthe sandbox is started as root.\n\n");
@@ -117,14 +122,19 @@ void usage(void) {
         printf("\t\tidentified by name.\n\n");
         printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
         printf("\t\tidentified by PID.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--join-network=name - join the network namespace of the sandbox\n");
         printf("\t\tidentified by name.\n\n");
         printf("\t--join-network=pid - join the network namespace of the sandbox\n");
         printf("\t\tidentified by PID.\n\n");
+#endif
         printf("\t--list - list all sandboxes.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
         printf("\t--mtu=number - set interface MTU.\n\n");
+#endif
         printf("\t--name=name - set sandbox name.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n");
         printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n");
         printf("\t\tIP address and a default gateway will be assigned automatically\n");
@@ -163,6 +173,7 @@ void usage(void) {
 
         printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
         printf("\t\tnetwork namespace.\n\n");
+#endif
         printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
         printf("\t\tor file.\n\n");
         printf("\t--nogroups - disable supplementary groups. Without this option,\n");
@@ -175,11 +186,11 @@ void usage(void) {
         printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
         printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
         printf("\t\troot.\n\n");
-                        
+#ifdef HAVE_USERNS                      
         printf("\t--noroot - install a user namespace with a single user - the current\n");
         printf("\t\tuser. root user does not exist in the new namespace. This option\n");
         printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");
-
+#endif
         printf("\t--nosound - disable sound system\n\n");
                 
         printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n");
@@ -239,11 +250,11 @@ void usage(void) {
         printf("\t\tcreated for the real user ID of the calling process.\n\n");
         printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n");
         printf("\t\tfor a process.\n\n");
-
+#ifdef HAVE_NETWORK     
         printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n");
         printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n");
         printf("\t\trunning on the current host.\n\n");
-        
+#endif  
 #ifdef HAVE_SECCOMP
         printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
         printf("\t\tlist. The default list is as follows: mount, umount2,\n");
@@ -294,6 +305,7 @@ void usage(void) {
         printf("\n");
 
 
+#ifdef HAVE_NETWORK     
         printf("Traffic Shaping\n\n");
         
         printf("Network bandwidth is an expensive resource shared among  all  sandboxes\n");
@@ -323,7 +335,7 @@ void usage(void) {
             printf("\t$ firejail --bandwidth=mybrowser clear eth0\n");
         printf("\n");
         printf("\n");
-
+#endif
 
 
         printf("Monitoring\n\n");