diff options
| author |  netblue30 <netblue30@protonmail.com> | 2022-05-25 07:36:42 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2022-05-25 07:36:42 -0400 |
| commit | 880f2c98a1dee26228530875fc45d54db68ed1c8 (patch) | |
| tree | efeda54d345b7bab410f4dd5e59575391e8c0e17 /src | |
| parent | build(deps): bump github/codeql-action from 2.1.10 to 2.1.11 (diff) | |
| download | firejail-880f2c98a1dee26228530875fc45d54db68ed1c8.tar.gz firejail-880f2c98a1dee26228530875fc45d54db68ed1c8.tar.zst firejail-880f2c98a1dee26228530875fc45d54db68ed1c8.zip | |
Removed IDS feature from the default build. To enable it, use --enable-ids at compile time.
Diffstat (limited to 'src')
| -rw-r--r-- | src/common.mk.in | 3 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 10 | ||||
| -rw-r--r-- | src/firejail/main.c | 9 | ||||
| -rw-r--r-- | src/man/firejail.txt | 4 |
4 files changed, 23 insertions, 3 deletions
diff --git a/src/common.mk.in b/src/common.mk.in index 38c05bc69..64ed774ad 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
| @@ -20,6 +20,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@ | |||
| 20 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | 20 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ |
| 21 | HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ | 21 | HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ |
| 22 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | 22 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ |
| 23 | HAVE_IDS=@HAVE_IDS@ | ||
| 23 | HAVE_GCOV=@HAVE_GCOV@ | 24 | HAVE_GCOV=@HAVE_GCOV@ |
| 24 | HAVE_SELINUX=@HAVE_SELINUX@ | 25 | HAVE_SELINUX=@HAVE_SELINUX@ |
| 25 | HAVE_SUID=@HAVE_SUID@ | 26 | HAVE_SUID=@HAVE_SUID@ |
| @@ -38,7 +39,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) | |||
| 38 | CFLAGS = @CFLAGS@ | 39 | CFLAGS = @CFLAGS@ |
| 39 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) | 40 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) |
| 40 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"' | 41 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"' |
| 41 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) | 42 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) |
| 42 | CFLAGS += $(MANFLAGS) | 43 | CFLAGS += $(MANFLAGS) |
| 43 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security | 44 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security |
| 44 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now | 45 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 8f8f5b6c3..e1acaf632 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -365,6 +365,14 @@ void print_compiletime_support(void) { | |||
| 365 | #endif | 365 | #endif |
| 366 | ); | 366 | ); |
| 367 | 367 | ||
| 368 | printf("\t- IDS support is %s\n", | ||
| 369 | #ifdef HAVE_IDS | ||
| 370 | "enabled" | ||
| 371 | #else | ||
| 372 | "disabled" | ||
| 373 | #endif | ||
| 374 | ); | ||
| 375 | |||
| 368 | printf("\t- networking support is %s\n", | 376 | printf("\t- networking support is %s\n", |
| 369 | #ifdef HAVE_NETWORK | 377 | #ifdef HAVE_NETWORK |
| 370 | "enabled" | 378 | "enabled" |
| @@ -427,6 +435,4 @@ void print_compiletime_support(void) { | |||
| 427 | "disabled" | 435 | "disabled" |
| 428 | #endif | 436 | #endif |
| 429 | ); | 437 | ); |
| 430 | |||
| 431 | |||
| 432 | } | 438 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1bcec667e..cbf9df79f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1090,8 +1090,17 @@ int main(int argc, char **argv, char **envp) { | |||
| 1090 | run_builder(argc, argv); // this function will not return | 1090 | run_builder(argc, argv); // this function will not return |
| 1091 | 1091 | ||
| 1092 | // intrusion detection system | 1092 | // intrusion detection system |
| 1093 | #ifdef HAVE_IDS | ||
| 1093 | if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check | 1094 | if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check |
| 1094 | run_ids(argc, argv); // this function will not return | 1095 | run_ids(argc, argv); // this function will not return |
| 1096 | #else | ||
| 1097 | if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check | ||
| 1098 | fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n" | ||
| 1099 | "\tTo enable it, configure your build system using --enable-ids.\n" | ||
| 1100 | "\tExample: ./configure --prefix=/usr --enable-ids\n\n"); | ||
| 1101 | exit(1); | ||
| 1102 | } | ||
| 1103 | #endif | ||
| 1095 | 1104 | ||
| 1096 | EUID_ROOT(); | 1105 | EUID_ROOT(); |
| 1097 | #ifndef HAVE_SUID | 1106 | #ifndef HAVE_SUID |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 366a4e061..420a96ab5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -820,6 +820,7 @@ Example: | |||
| 820 | .br | 820 | .br |
| 821 | $ firejail \-\-hosts-file=~/myhosts firefox | 821 | $ firejail \-\-hosts-file=~/myhosts firefox |
| 822 | 822 | ||
| 823 | #ifdef HAVE_IDS | ||
| 823 | .TP | 824 | .TP |
| 824 | \fB\-\-ids-check | 825 | \fB\-\-ids-check |
| 825 | Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details. | 826 | Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details. |
| @@ -839,6 +840,7 @@ Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details. | |||
| 839 | Example: | 840 | Example: |
| 840 | .br | 841 | .br |
| 841 | $ firejail \-\-ids-init | 842 | $ firejail \-\-ids-init |
| 843 | #endif | ||
| 842 | 844 | ||
| 843 | .TP | 845 | .TP |
| 844 | \fB\-\-ignore=command | 846 | \fB\-\-ignore=command |
| @@ -3342,6 +3344,7 @@ $ firejail \-\-cat=mybrowser ~/.bashrc | |||
| 3342 | .br | 3344 | .br |
| 3343 | #endif | 3345 | #endif |
| 3344 | 3346 | ||
| 3347 | #ifdef HAVE_IDS | ||
| 3345 | .SH INTRUSION DETECTION SYSTEM (IDS) | 3348 | .SH INTRUSION DETECTION SYSTEM (IDS) |
| 3346 | The host-based intrusion detection system tracks down and audits user and system file modifications. | 3349 | The host-based intrusion detection system tracks down and audits user and system file modifications. |
| 3347 | The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, | 3350 | The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, |
| @@ -3399,6 +3402,7 @@ New files and deleted files are also flagged. | |||
| 3399 | 3402 | ||
| 3400 | Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | 3403 | Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. |
| 3401 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | 3404 | The program can also be run as root (sudo firejail --ids-init/--ids-check). |
| 3405 | #endif | ||
| 3402 | 3406 | ||
| 3403 | .SH MONITORING | 3407 | .SH MONITORING |
| 3404 | Option \-\-list prints a list of all sandboxes. The format | 3408 | Option \-\-list prints a list of all sandboxes. The format |