Merge pull request #4990 from chestnykh/user_profiles

Add ability to disable user profiles at compile time.
author: netblue30 <netblue30@protonmail.com> 2022-03-05 07:31:11 -0500
committer: GitHub <noreply@github.com> 2022-03-05 07:31:11 -0500
commit: baeec77b760cb7789dba99f885d0d65a817a335b (patch)
tree: 5c9232a95b0d163e74d70c10759e0eb73b64d95f
parent: whitelist /usr/share/gnupg2 for consistency (#5007) (diff)
parent: Add ability to disable user profiles at compile time. (diff)
download: firejail-baeec77b760cb7789dba99f885d0d65a817a335b.tar.gz
firejail-baeec77b760cb7789dba99f885d0d65a817a335b.tar.zst
firejail-baeec77b760cb7789dba99f885d0d65a817a335b.zip
6 files changed, 44 insertions, 1 deletions
diff --git a/configure b/configure
index 716418785..6611a8817 100755
--- a/configure
+++ b/configure
@@ -628,6 +628,7 @@ EGREP
 GREP
 CPP
 HAVE_LTS
+HAVE_ONLY_SYSCFG_PROFILES
 HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
@@ -732,6 +733,7 @@ enable_busybox_workaround
 enable_gcov
 enable_contrib_install
 enable_force_nonewprivs
+enable_only_syscfg_profiles
 enable_lts
 '
      ac_precious_vars='build_alias
@@ -1395,6 +1397,8 @@ Optional Features:
                          install contrib scripts
  --enable-force-nonewprivs
                          enable force nonewprivs
+  --enable-only-syscfg-profiles
+                          disable profiles in $HOME/.config/firejail
  --enable-lts            enable long-term support software version (LTS)
 Some influential environment variables:
@@ -3830,6 +3834,19 @@ if test "x$enable_force_nonewprivs" = "xyes"; then :
 fi
+HAVE_ONLY_SYSCFG_PROFILES=""
+# Check whether --enable-only-syscfg-profiles was given.
+if test "${enable_only_syscfg_profiles+set}" = set; then :
+  enableval=$enable_only_syscfg_profiles;
+fi
+if test "x$enable_only_syscfg_profiles" = "xyes"; then :
+    HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
+fi
 HAVE_LTS=""
 # Check whether --enable-lts was given.
@@ -5497,6 +5514,7 @@ Configuration options:
   Install as a SUID executable: $HAVE_SUID
   LTS: $HAVE_LTS
   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+   Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
 EOF
diff --git a/configure.ac b/configure.ac
index 0ae9362cc..4ca30e6d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -237,6 +237,14 @@ AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
        HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
 ])
+HAVE_ONLY_SYSCFG_PROFILES=""
+AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
+AC_ARG_ENABLE([only-syscfg-profiles],
+    [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
+AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
+    HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
+])
 HAVE_LTS=""
 AC_SUBST([HAVE_LTS])
 AC_ARG_ENABLE([lts],
@@ -305,6 +313,7 @@ Configuration options:
   Install as a SUID executable: $HAVE_SUID
   LTS: $HAVE_LTS
   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+   Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
 EOF
diff --git a/src/common.mk.in b/src/common.mk.in
index c55c26f42..38c05bc69 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -28,6 +28,7 @@ HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
 HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
+HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
 H_FILE_LIST       = $(sort $(wildcard *.h))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@@ -37,7 +38,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'   -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index d434cb95e..408662907 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -24,11 +24,16 @@
 static int check_profile(const char *name, const char *homedir) {
        // build profile name
        char *profname1;
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        char *profname2;
+#endif
        if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1)
                errExit("asprintf");
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1)
                errExit("asprintf");
+#endif
        int rv = 0;
        if (access(profname1, R_OK) == 0) {
@@ -36,14 +41,18 @@ static int check_profile(const char *name, const char *homedir) {
                        printf("found %s\n", profname1);
                rv = 1;
        }
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        else if (access(profname2, R_OK) == 0) {
                if (arg_debug)
                        printf("found %s\n", profname2);
                rv = 1;
        }
+#endif
        free(profname1);
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        free(profname2);
+#endif
        return rv;
 }
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 04ea715cd..c03cd7a12 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -825,11 +825,13 @@ void fs_proc_sys_dev_boot(void) {
 // disable firejail configuration in ~/.config/firejail
 void disable_config(void) {
        EUID_USER();
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        char *fname;
        if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                errExit("asprintf");
        disable_file(BLACKLIST_FILE, fname);
        free(fname);
+#endif
        // disable run time information
        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 0b258e6bb..5bc77263a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -72,6 +72,7 @@ static int profile_find(const char *name, const char *dir, int add_ext) {
 // search and read the profile specified by name from firejail directories
 // return  1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        // look for a profile in ~/.config/firejail directory
        char *usercfgdir;
        if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
@@ -84,6 +85,9 @@ int profile_find_firejail(const char *name, int add_ext) {
                rv = profile_find(name, SYSCONFDIR, add_ext);
        return rv;
+#else
+        return profile_find(name, SYSCONFDIR, add_ext);
+#endif
 }
 //***************************************************
author	netblue30 <netblue30@protonmail.com>	2022-03-05 07:31:11 -0500
committer	GitHub <noreply@github.com>	2022-03-05 07:31:11 -0500
commit	baeec77b760cb7789dba99f885d0d65a817a335b (patch)
tree	5c9232a95b0d163e74d70c10759e0eb73b64d95f
parent	whitelist /usr/share/gnupg2 for consistency (#5007) (diff)
parent	Add ability to disable user profiles at compile time. (diff)
download	firejail-baeec77b760cb7789dba99f885d0d65a817a335b.tar.gz firejail-baeec77b760cb7789dba99f885d0d65a817a335b.tar.zst firejail-baeec77b760cb7789dba99f885d0d65a817a335b.zip