disable --git-install at compile time

author: netblue30 <netblue30@yahoo.com> 2017-02-05 11:50:04 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-02-05 11:50:04 -0500
commit: d17ce1322e6e42ca905393545db03a13570da1b0 (patch)
tree: 86b598adb3ac57adafe55a62996b9e37325a1eec /src
parent: enable strict seccomp filter on overlay options (diff)
download: firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.gz
firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.zst
firejail-d17ce1322e6e42ca905393545db03a13570da1b0.zip
6 files changed, 18 insertions, 53 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 6e5071925..80f35ff4d 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -22,13 +22,14 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
+HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index c3eedc510..73fa6e46b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -351,6 +351,13 @@ void print_compiletime_support(void) {
 #endif
                );
+        printf("\t- git install support is %s\n",
+#ifdef HAVE_GIT_INSTALL
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
 #ifdef HAVE_NETWORK_RESTRICTED
        printf("\t- networking features are available only to root user\n");
@@ -395,4 +402,5 @@ void print_compiletime_support(void) {
                "disabled"
 #endif
                );
+                
 }
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 69b9d77bc..2a2e97419 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -572,58 +572,6 @@ void fs_proc_sys_dev_boot(void) {
        }
        free(fname);
        
-// todo: investigate
-#if 0
-        // breaks too many applications, option needed
-        /* // disable /run/user/{uid}/bus */
-        /* char *fnamebus; */
-        /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamebus, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamebus); */
-        /* free(fnamebus); */
-        // WARNING: not working
-        // disable /run/user/{uid}/kdeinit*
-        //char *fnamekde;
-        //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
-        //    errExit("asprintf");
-        //if (stat(fnamekde, &s) == 0)
-        //    disable_file(BLACKLIST_FILE, fnamekde);
-        //free(fnamekde);
-        
-        
-        // disable /run/user/{uid}/pulse
-        /* char *fnamepulse; */
-        /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamepulse, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamepulse); */
-        /* free(fnamepulse); */
-        // disable /run/user/{uid}/dconf
-        /* char *fnamedconf; */
-        /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamedconf, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamedconf); */
-        /* free(fnamedconf); */
-        // dirs in /run/user/{uid}/
-        // using gnome:
-        // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd
-        // using kde:
-        // kdeinit__0, ...
-                
-        // more files with sockets to be blacklisted
-        // /run/dbus /run/systemd /run/udev /run/lvm
-        // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
-        
-#endif
        if (getuid() != 0) {
                // disable /dev/kmsg and /proc/kmsg
                disable_file(BLACKLIST_FILE, "/dev/kmsg");
diff --git a/src/firejail/git.c b/src/firejail/git.c
index 1cfbb1bf4..b67339c8b 100644
--- a/src/firejail/git.c
+++ b/src/firejail/git.c
@@ -17,6 +17,9 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifdef HAVE_GIT_INSTALL
+ 
 #include "firejail.h"
 #include <sys/utsname.h>
 #include <sched.h>
@@ -84,3 +87,4 @@ void git_uninstall(void) {
        exit(0);
 }
        
+#endif // HAVE_GIT_INSTALL
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ee89a7281..0d4cf2595 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -846,11 +846,13 @@ int main(int argc, char **argv) {
        EUID_INIT();
        EUID_USER();
+#ifdef HAVE_GIT_INSTALL
        // process git-install and git-uninstall
        if (check_arg(argc, argv, "--git-install"))
                git_install(); // this function will not return
        if (check_arg(argc, argv, "--git-uninstall"))
                git_uninstall(); // this function will not return
+#endif
        // check argv[0] symlink wrapper if this is not a login shell
        if (*argv[0] != '-')
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b9fff2011..dc8fcdfef 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -76,9 +76,11 @@ void usage(void) {
        printf("    --env=name=value - set environment variable.\n");
        printf("    --fs.print=name|pid - print the filesystem log.\n");
        printf("    --get=name|pid filename - get a file from sandbox container.\n");
+#ifdef HAVE_GIT_INSTALL
        printf("    --git-install - download, compile and install mainline git version\n");
        printf("\tof Firejail.\n");
        printf("    --git-uninstall - uninstall mainline git version of Firejail\n");
+#endif
        printf("    --help, -? - this help screen.\n");
        printf("    --hostname=name - set sandbox hostname.\n");
        printf("    --hosts-file=file - use file as /etc/hosts.\n");
author	netblue30 <netblue30@yahoo.com>	2017-02-05 11:50:04 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-02-05 11:50:04 -0500
commit	d17ce1322e6e42ca905393545db03a13570da1b0 (patch)
tree	86b598adb3ac57adafe55a62996b9e37325a1eec /src
parent	enable strict seccomp filter on overlay options (diff)
download	firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.gz firejail-d17ce1322e6e42ca905393545db03a13570da1b0.tar.zst firejail-d17ce1322e6e42ca905393545db03a13570da1b0.zip