author | startx2017 <vradu.startx@protonmail.com> | 2021-02-28 10:26:08 -0500 |
---|---|---|
committer | startx2017 <vradu.startx@protonmail.com> | 2021-02-28 10:26:08 -0500 |
commit | d1acb31c9714fe503082a890f1754f2026e71ee5 (patch) | |
tree | 1946a929c6c7bcc47bc04e1b988966d60f364b48 | |
parent | compile time: disable --output (diff) | |
download | firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.tar.gz firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.tar.zst firejail-d1acb31c9714fe503082a890f1754f2026e71ee5.zip |
compile time: enable LTS
-rwxr-xr-x | configure | 100 | ||||
-rw-r--r-- | configure.ac | 86 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 9 |
4 files changed, 178 insertions, 20 deletions
@@ -627,7 +627,7 @@ LIBOBJS | |||
627 | EGREP | 627 | EGREP |
628 | GREP | 628 | GREP |
629 | CPP | 629 | CPP |
630 | HAVE_SELINUX | 630 | HAVE_LTS |
631 | HAVE_CONTRIB_INSTALL | 631 | HAVE_CONTRIB_INSTALL |
632 | HAVE_GCOV | 632 | HAVE_GCOV |
633 | BUSYBOX_WORKAROUND | 633 | BUSYBOX_WORKAROUND |
@@ -650,6 +650,7 @@ HAVE_OVERLAYFS | |||
650 | HAVE_DBUSPROXY | 650 | HAVE_DBUSPROXY |
651 | EXTRA_LDFLAGS | 651 | EXTRA_LDFLAGS |
652 | EXTRA_CFLAGS | 652 | EXTRA_CFLAGS |
653 | HAVE_SELINUX | ||
653 | HAVE_APPARMOR | 654 | HAVE_APPARMOR |
654 | AA_LIBS | 655 | AA_LIBS |
655 | AA_CFLAGS | 656 | AA_CFLAGS |
@@ -711,6 +712,7 @@ ac_user_opts=' | |||
711 | enable_option_checking | 712 | enable_option_checking |
712 | enable_analyzer | 713 | enable_analyzer |
713 | enable_apparmor | 714 | enable_apparmor |
715 | enable_selinux | ||
714 | enable_dbusproxy | 716 | enable_dbusproxy |
715 | enable_output | 717 | enable_output |
716 | enable_usertmpfs | 718 | enable_usertmpfs |
@@ -729,7 +731,7 @@ enable_fatal_warnings | |||
729 | enable_busybox_workaround | 731 | enable_busybox_workaround |
730 | enable_gcov | 732 | enable_gcov |
731 | enable_contrib_install | 733 | enable_contrib_install |
732 | enable_selinux | 734 | enable_lts |
733 | ' | 735 | ' |
734 | ac_precious_vars='build_alias | 736 | ac_precious_vars='build_alias |
735 | host_alias | 737 | host_alias |
@@ -1367,6 +1369,7 @@ Optional Features: | |||
1367 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1369 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1368 | --enable-analyzer enable GCC 10 static analyzer | 1370 | --enable-analyzer enable GCC 10 static analyzer |
1369 | --enable-apparmor enable apparmor | 1371 | --enable-apparmor enable apparmor |
1372 | --enable-selinux SELinux labeling support | ||
1370 | --disable-dbusproxy disable dbus proxy | 1373 | --disable-dbusproxy disable dbus proxy |
1371 | --disable-output disable --output logging | 1374 | --disable-output disable --output logging |
1372 | --disable-usertmpfs disable tmpfs as regular user | 1375 | --disable-usertmpfs disable tmpfs as regular user |
@@ -1388,7 +1391,7 @@ Optional Features: | |||
1388 | --enable-gcov Gcov instrumentation | 1391 | --enable-gcov Gcov instrumentation |
1389 | --enable-contrib-install | 1392 | --enable-contrib-install |
1390 | install contrib scripts | 1393 | install contrib scripts |
1391 | --enable-selinux SELinux labeling support | 1394 | --enable-lts enable long-term support software version (LTS) |
1392 | 1395 | ||
1393 | Some influential environment variables: | 1396 | Some influential environment variables: |
1394 | CC C compiler command | 1397 | CC C compiler command |
@@ -3514,6 +3517,20 @@ fi | |||
3514 | 3517 | ||
3515 | fi | 3518 | fi |
3516 | 3519 | ||
3520 | HAVE_SELINUX="" | ||
3521 | # Check whether --enable-selinux was given. | ||
3522 | if test "${enable_selinux+set}" = set; then : | ||
3523 | enableval=$enable_selinux; | ||
3524 | fi | ||
3525 | |||
3526 | if test "x$enable_selinux" = "xyes"; then : | ||
3527 | |||
3528 | HAVE_SELINUX="-DHAVE_SELINUX" | ||
3529 | EXTRA_LDFLAGS+=" -lselinux " | ||
3530 | |||
3531 | |||
3532 | fi | ||
3533 | |||
3517 | 3534 | ||
3518 | 3535 | ||
3519 | 3536 | ||
@@ -3808,20 +3825,67 @@ else | |||
3808 | fi | 3825 | fi |
3809 | 3826 | ||
3810 | 3827 | ||
3811 | HAVE_SELINUX="" | 3828 | HAVE_LTS="" |
3812 | # Check whether --enable-selinux was given. | 3829 | # Check whether --enable-lts was given. |
3813 | if test "${enable_selinux+set}" = set; then : | 3830 | if test "${enable_lts+set}" = set; then : |
3814 | enableval=$enable_selinux; | 3831 | enableval=$enable_lts; |
3815 | fi | 3832 | fi |
3816 | 3833 | ||
3817 | if test "x$enable_selinux" = "xyes"; then : | 3834 | if test "x$enable_lts" = "xyes"; then : |
3835 | |||
3836 | HAVE_LTS="-DHAVE_LTS" | ||
3837 | |||
3838 | |||
3839 | HAVE_DBUSPROXY="" | ||
3840 | |||
3841 | |||
3842 | HAVE_OVERLAYFS="" | ||
3843 | |||
3844 | |||
3845 | HAVE_OUTPUT="" | ||
3818 | 3846 | ||
3819 | HAVE_SELINUX="-DHAVE_SELINUX" | 3847 | |
3820 | EXTRA_LDFLAGS+=" -lselinux " | 3848 | HAVE_USERTMPFS="" |
3849 | |||
3850 | |||
3851 | HAVE_MAN="-DHAVE_MAN" | ||
3852 | |||
3853 | |||
3854 | HAVE_FIRETUNNEL="" | ||
3855 | |||
3856 | |||
3857 | HAVE_PRIVATEHOME="" | ||
3858 | |||
3859 | |||
3860 | HAVE_CHROOT="" | ||
3861 | |||
3862 | |||
3863 | HAVE_GLOBALCFG="" | ||
3864 | |||
3865 | |||
3866 | HAVE_USERNS="" | ||
3867 | |||
3868 | |||
3869 | HAVE_X11="" | ||
3870 | |||
3871 | |||
3872 | HAVE_FILE_TRANSFER="" | ||
3873 | |||
3874 | |||
3875 | HAVE_SUID="yes" | ||
3876 | |||
3877 | |||
3878 | BUSYBOX_WORKAROUND="no" | ||
3879 | |||
3880 | |||
3881 | HAVE_CONTRIB_INSTALL="no", | ||
3821 | 3882 | ||
3822 | 3883 | ||
3823 | fi | 3884 | fi |
3824 | 3885 | ||
3886 | |||
3887 | |||
3888 | |||
3825 | # checking pthread library | 3889 | # checking pthread library |
3826 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | 3890 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 |
3827 | $as_echo_n "checking for main in -lpthread... " >&6; } | 3891 | $as_echo_n "checking for main in -lpthread... " >&6; } |
@@ -5485,6 +5549,7 @@ echo "Configuration options:" | |||
5485 | echo " prefix: $prefix" | 5549 | echo " prefix: $prefix" |
5486 | echo " sysconfdir: $sysconfdir" | 5550 | echo " sysconfdir: $sysconfdir" |
5487 | echo " apparmor: $HAVE_APPARMOR" | 5551 | echo " apparmor: $HAVE_APPARMOR" |
5552 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
5488 | echo " global config: $HAVE_GLOBALCFG" | 5553 | echo " global config: $HAVE_GLOBALCFG" |
5489 | echo " chroot: $HAVE_CHROOT" | 5554 | echo " chroot: $HAVE_CHROOT" |
5490 | echo " network: $HAVE_NETWORK" | 5555 | echo " network: $HAVE_NETWORK" |
@@ -5506,6 +5571,19 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" | |||
5506 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 5571 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
5507 | echo " Gcov instrumentation: $HAVE_GCOV" | 5572 | echo " Gcov instrumentation: $HAVE_GCOV" |
5508 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 5573 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
5509 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
5510 | echo " Install as a SUID executable: $HAVE_SUID" | 5574 | echo " Install as a SUID executable: $HAVE_SUID" |
5575 | echo " LTS: $HAVE_LTS" | ||
5511 | echo | 5576 | echo |
5577 | |||
5578 | |||
5579 | if test "$HAVE_LTS" = -DHAVE_LTS; then | ||
5580 | echo | ||
5581 | echo | ||
5582 | echo "*********************************************************" | ||
5583 | echo "* Warning: Long-term support (LTS) was enabled! *" | ||
5584 | echo "* Most compile-time options have bean rewritten! *" | ||
5585 | echo "*********************************************************" | ||
5586 | echo | ||
5587 | echo | ||
5588 | fi | ||
5589 | |||
diff --git a/configure.ac b/configure.ac index 0556da374..449b8b436 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -54,6 +54,15 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ | |||
54 | AC_SUBST(HAVE_APPARMOR) | 54 | AC_SUBST(HAVE_APPARMOR) |
55 | ]) | 55 | ]) |
56 | 56 | ||
57 | HAVE_SELINUX="" | ||
58 | AC_ARG_ENABLE([selinux], | ||
59 | AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) | ||
60 | AS_IF([test "x$enable_selinux" = "xyes"], [ | ||
61 | HAVE_SELINUX="-DHAVE_SELINUX" | ||
62 | EXTRA_LDFLAGS+=" -lselinux " | ||
63 | AC_SUBST(HAVE_SELINUX) | ||
64 | ]) | ||
65 | |||
57 | AC_SUBST([EXTRA_CFLAGS]) | 66 | AC_SUBST([EXTRA_CFLAGS]) |
58 | AC_SUBST([EXTRA_LDFLAGS]) | 67 | AC_SUBST([EXTRA_LDFLAGS]) |
59 | 68 | ||
@@ -219,15 +228,62 @@ AS_IF([test "x$enable_contrib_install" = "xno"], | |||
219 | ) | 228 | ) |
220 | AC_SUBST(HAVE_CONTRIB_INSTALL) | 229 | AC_SUBST(HAVE_CONTRIB_INSTALL) |
221 | 230 | ||
222 | HAVE_SELINUX="" | 231 | HAVE_LTS="" |
223 | AC_ARG_ENABLE([selinux], | 232 | AC_ARG_ENABLE([lts], |
224 | AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) | 233 | AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])) |
225 | AS_IF([test "x$enable_selinux" = "xyes"], [ | 234 | AS_IF([test "x$enable_lts" = "xyes"], [ |
226 | HAVE_SELINUX="-DHAVE_SELINUX" | 235 | HAVE_LTS="-DHAVE_LTS" |
227 | EXTRA_LDFLAGS+=" -lselinux " | 236 | AC_SUBST(HAVE_LTS) |
228 | AC_SUBST(HAVE_SELINUX) | 237 | |
238 | HAVE_DBUSPROXY="" | ||
239 | AC_SUBST(HAVE_DBUSPROXY) | ||
240 | |||
241 | HAVE_OVERLAYFS="" | ||
242 | AC_SUBST(HAVE_OVERLAYFS) | ||
243 | |||
244 | HAVE_OUTPUT="" | ||
245 | AC_SUBST(HAVE_OUTPUT) | ||
246 | |||
247 | HAVE_USERTMPFS="" | ||
248 | AC_SUBST(HAVE_USERTMPFS) | ||
249 | |||
250 | HAVE_MAN="-DHAVE_MAN" | ||
251 | AC_SUBST(HAVE_MAN) | ||
252 | |||
253 | HAVE_FIRETUNNEL="" | ||
254 | AC_SUBST(HAVE_FIRETUNNEL) | ||
255 | |||
256 | HAVE_PRIVATEHOME="" | ||
257 | AC_SUBST(HAVE_PRIVATE_HOME) | ||
258 | |||
259 | HAVE_CHROOT="" | ||
260 | AC_SUBST(HAVE_CHROOT) | ||
261 | |||
262 | HAVE_GLOBALCFG="" | ||
263 | AC_SUBST(HAVE_GLOBALCFG) | ||
264 | |||
265 | HAVE_USERNS="" | ||
266 | AC_SUBST(HAVE_USERNS) | ||
267 | |||
268 | HAVE_X11="" | ||
269 | AC_SUBST(HAVE_X11) | ||
270 | |||
271 | HAVE_FILE_TRANSFER="" | ||
272 | AC_SUBST(HAVE_FILE_TRANSFER) | ||
273 | |||
274 | HAVE_SUID="yes" | ||
275 | AC_SUBST(HAVE_SUID) | ||
276 | |||
277 | BUSYBOX_WORKAROUND="no" | ||
278 | AC_SUBST(BUSYBOX_WORKAROUND) | ||
279 | |||
280 | HAVE_CONTRIB_INSTALL="no", | ||
281 | AC_SUBST(HAVE_CONTRIB_INSTALL) | ||
229 | ]) | 282 | ]) |
230 | 283 | ||
284 | |||
285 | |||
286 | |||
231 | # checking pthread library | 287 | # checking pthread library |
232 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 288 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
233 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 289 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
@@ -250,6 +306,7 @@ echo "Configuration options:" | |||
250 | echo " prefix: $prefix" | 306 | echo " prefix: $prefix" |
251 | echo " sysconfdir: $sysconfdir" | 307 | echo " sysconfdir: $sysconfdir" |
252 | echo " apparmor: $HAVE_APPARMOR" | 308 | echo " apparmor: $HAVE_APPARMOR" |
309 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
253 | echo " global config: $HAVE_GLOBALCFG" | 310 | echo " global config: $HAVE_GLOBALCFG" |
254 | echo " chroot: $HAVE_CHROOT" | 311 | echo " chroot: $HAVE_CHROOT" |
255 | echo " network: $HAVE_NETWORK" | 312 | echo " network: $HAVE_NETWORK" |
@@ -271,6 +328,19 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" | |||
271 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 328 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
272 | echo " Gcov instrumentation: $HAVE_GCOV" | 329 | echo " Gcov instrumentation: $HAVE_GCOV" |
273 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 330 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
274 | echo " SELinux labeling support: $HAVE_SELINUX" | ||
275 | echo " Install as a SUID executable: $HAVE_SUID" | 331 | echo " Install as a SUID executable: $HAVE_SUID" |
332 | echo " LTS: $HAVE_LTS" | ||
276 | echo | 333 | echo |
334 | |||
335 | |||
336 | if test "$HAVE_LTS" = -DHAVE_LTS; then | ||
337 | echo | ||
338 | echo | ||
339 | echo "*********************************************************" | ||
340 | echo "* Warning: Long-term support (LTS) was enabled! *" | ||
341 | echo "* Most compile-time options have bean rewritten! *" | ||
342 | echo "*********************************************************" | ||
343 | echo | ||
344 | echo | ||
345 | fi | ||
346 | |||
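Review bot: The LTS branch's `AC_SUBST(HAVE_PRIVATE_HOME)` substitutes a variable this block never assigns — the line above sets `HAVE_PRIVATEHOME=""` instead — so an `--enable-lts` build keeps whatever value the regular private-home option produced, and that feature is not removed from the SUID binary as the man-page text in this commit says (common.mk.in's MANFLAGS reads `$(HAVE_PRIVATE_HOME)`, so presumably the substitution is `@HAVE_PRIVATE_HOME@`). Change the assignment to `HAVE_PRIVATE_HOME=""`. Further down, `HAVE_CONTRIB_INSTALL="no",` keeps the trailing comma as part of the shell word, so the variable holds the literal `no,`; drop the comma. Both slips are mirrored in the regenerated `configure` in this commit. The banner text `Most compile-time options have bean rewritten!` should read `have been rewritten`, in both files.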
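diff --git a/src/common.mk.in b/src/common.mk.in
index 77d8539ef..eae4138c0 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -26,6 +26,7 @@ HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
+HAVE_LTS=@HAVE_LTS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -35,7 +36,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread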
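diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b251f8191..639b171cd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
 firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
+#ifdef HAVE_LTS
+This is Firejail long-term support (LTS), an enterprise focused version of the software,
+LTS is usually supported for two or three years.
+During this time only bugs and the occasional documentation problems are fixed.
+The attack surface of the SUID executable was greatly reduced by removing some of the features.
+.br
+
+.br
+#endif
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
 restricting the running environment of untrusted applications using Linux
 namespaces, seccomp-bpf and Linux capabilities.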