disable --git-install at compile time

author: netblue30 <netblue30@yahoo.com> 2017-02-05 11:50:04 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-02-05 11:50:04 -0500
commit: d17ce1322e6e42ca905393545db03a13570da1b0 (patch)
tree: 86b598adb3ac57adafe55a62996b9e37325a1eec
parent: enable strict seccomp filter on overlay options (diff)
download: firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.gz
firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.zst
firejail-d17ce1322e6e42ca905393545db03a13570da1b0.zip
8 files changed, 42 insertions, 53 deletions
diff --git a/configure b/configure
index 9efba1b1d..bdffba2ad 100755
--- a/configure
+++ b/configure
@@ -625,6 +625,7 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 HAVE_SECCOMP_H
+HAVE_GIT_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
@@ -711,6 +712,7 @@ enable_whitelist
 enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
+enable_git_install
 '
      ac_precious_vars='build_alias
 host_alias
@@ -1349,6 +1351,7 @@ Optional Features:
  --enable-busybox-workaround
                          enable busybox workaround
  --enable-gcov           Gcov instrumentation
+  --disable-git-install   disable git install feature
 Some influential environment variables:
  CC          C compiler command
@@ -3710,6 +3713,18 @@ if test "x$enable_gcov" = "xyes"; then :
 fi
+HAVE_GIT_INSTALL=""
+# Check whether --enable-git-install was given.
+if test "${enable_git_install+set}" = set; then :
+  enableval=$enable_git_install;
+fi
+if test "x$enable_git_install" != "xno"; then :
+        HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL"
+fi
 # checking pthread library
@@ -4971,6 +4986,7 @@ echo "   whitelisting: $HAVE_WHITELIST"
 echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   git install support: $HAVE_GIT_INSTALL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
 echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
diff --git a/configure.ac b/configure.ac
index f3076f2f8..252f82cde 100644
--- a/configure.ac
+++ b/configure.ac
@@ -145,6 +145,13 @@ AS_IF([test "x$enable_gcov" = "xyes"], [
        AC_SUBST(HAVE_GCOV)
 ])
+HAVE_GIT_INSTALL=""
+AC_ARG_ENABLE([git-install],
+    AS_HELP_STRING([--disable-git-install], [disable git install feature]))
+AS_IF([test "x$enable_git_install" != "xno"], [
+        HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL"
+        AC_SUBST(HAVE_GIT_INSTALL)
+])
 # checking pthread library
@@ -179,6 +186,7 @@ echo "   whitelisting: $HAVE_WHITELIST"
 echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   git install support: $HAVE_GIT_INSTALL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
 echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 6e5071925..80f35ff4d 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -22,13 +22,14 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
+HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index c3eedc510..73fa6e46b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -351,6 +351,13 @@ void print_compiletime_support(void) {
 #endif
                );
+        printf("\t- git install support is %s\n",
+#ifdef HAVE_GIT_INSTALL
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
 #ifdef HAVE_NETWORK_RESTRICTED
        printf("\t- networking features are available only to root user\n");
@@ -395,4 +402,5 @@ void print_compiletime_support(void) {
                "disabled"
 #endif
                );
+                
 }
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 69b9d77bc..2a2e97419 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -572,58 +572,6 @@ void fs_proc_sys_dev_boot(void) {
        }
        free(fname);
        
-// todo: investigate
-#if 0
-        // breaks too many applications, option needed
-        /* // disable /run/user/{uid}/bus */
-        /* char *fnamebus; */
-        /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamebus, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamebus); */
-        /* free(fnamebus); */
-        // WARNING: not working
-        // disable /run/user/{uid}/kdeinit*
-        //char *fnamekde;
-        //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
-        //    errExit("asprintf");
-        //if (stat(fnamekde, &s) == 0)
-        //    disable_file(BLACKLIST_FILE, fnamekde);
-        //free(fnamekde);
-        
-        
-        // disable /run/user/{uid}/pulse
-        /* char *fnamepulse; */
-        /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamepulse, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamepulse); */
-        /* free(fnamepulse); */
-        // disable /run/user/{uid}/dconf
-        /* char *fnamedconf; */
-        /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamedconf, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamedconf); */
-        /* free(fnamedconf); */
-        // dirs in /run/user/{uid}/
-        // using gnome:
-        // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd
-        // using kde:
-        // kdeinit__0, ...
-                
-        // more files with sockets to be blacklisted
-        // /run/dbus /run/systemd /run/udev /run/lvm
-        // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
-        
-#endif
        if (getuid() != 0) {
                // disable /dev/kmsg and /proc/kmsg
                disable_file(BLACKLIST_FILE, "/dev/kmsg");
diff --git a/src/firejail/git.c b/src/firejail/git.c
index 1cfbb1bf4..b67339c8b 100644
--- a/src/firejail/git.c
+++ b/src/firejail/git.c
@@ -17,6 +17,9 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifdef HAVE_GIT_INSTALL
+ 
 #include "firejail.h"
 #include <sys/utsname.h>
 #include <sched.h>
@@ -84,3 +87,4 @@ void git_uninstall(void) {
        exit(0);
 }
        
+#endif // HAVE_GIT_INSTALL
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ee89a7281..0d4cf2595 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -846,11 +846,13 @@ int main(int argc, char **argv) {
        EUID_INIT();
        EUID_USER();
+#ifdef HAVE_GIT_INSTALL
        // process git-install and git-uninstall
        if (check_arg(argc, argv, "--git-install"))
                git_install(); // this function will not return
        if (check_arg(argc, argv, "--git-uninstall"))
                git_uninstall(); // this function will not return
+#endif
        // check argv[0] symlink wrapper if this is not a login shell
        if (*argv[0] != '-')
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b9fff2011..dc8fcdfef 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -76,9 +76,11 @@ void usage(void) {
        printf("    --env=name=value - set environment variable.\n");
        printf("    --fs.print=name|pid - print the filesystem log.\n");
        printf("    --get=name|pid filename - get a file from sandbox container.\n");
+#ifdef HAVE_GIT_INSTALL
        printf("    --git-install - download, compile and install mainline git version\n");
        printf("\tof Firejail.\n");
        printf("    --git-uninstall - uninstall mainline git version of Firejail\n");
+#endif
        printf("    --help, -? - this help screen.\n");
        printf("    --hostname=name - set sandbox hostname.\n");
        printf("    --hosts-file=file - use file as /etc/hosts.\n");
author	netblue30 <netblue30@yahoo.com>	2017-02-05 11:50:04 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-02-05 11:50:04 -0500
commit	d17ce1322e6e42ca905393545db03a13570da1b0 (patch)
tree	86b598adb3ac57adafe55a62996b9e37325a1eec
parent	enable strict seccomp filter on overlay options (diff)
download	firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.gz firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.zst firejail-d17ce1322e6e42ca905393545db03a13570da1b0.zip