author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-03-01 12:40:02 +0100 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-03-01 12:40:02 +0100 |
commit | b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e (patch) | |
tree | e50efc1e1dcb77e7b250fab9b0a50ca4b2082acf /src | |
parent | fixes (diff) | |
Add ./configure --enable-force-nonewprivs
This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
Diffstat (limited to 'src')
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 |
3 files changed, 16 insertions, 2 deletions
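--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -27,6 +27,7 @@ HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -36,7 +37,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread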
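--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -388,4 +388,12 @@ void print_compiletime_support(void) {
 "disabled"
 #endif
 );
+
+printf("\t- Always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
+"enabled"
+#else
+"disabled"
+#endif
+);
 }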
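Review bot: The status line added at the end of print_compiletime_support() names only nonewprivs, while the commit description says the option also forces 'caps.drop all' and 'nogroups'. Someone auditing a build from this output would not learn that capabilities and supplementary groups are affected as well; wording such as `"\t- Always enforce filters (nonewprivs, caps.drop all, nogroups) is %s\n"` would make the compiled-in policy visible. The function starts outside the hunk.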
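--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -795,11 +795,16 @@ int sandbox(void* sandbox_arg) {
 exit(rv);
 }
 
+#ifdef HAVE_FORCE_NONEWPRIVS
+bool always_enforce_filters = true;
+#else
+bool always_enforce_filters = false;
+#endif
 // need ld.so.preload if tracing or seccomp with any non-default lists
 bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
 // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
 // and drop all capabilities
-if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
 enforce_filters();
 need_preload = arg_trace || arg_tracelog;
 }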
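Review bot: The new `always_enforce_filters` term sits inside the existing `getuid() != 0 &&` guard, so a sandbox started by root skips enforce_filters() even on a build configured with --enable-force-nonewprivs, although the commit message says the settings are always applied. If the root exemption is intended, say so where the flag is defined, e.g. `// HAVE_FORCE_NONEWPRIVS: enforce for all non-root users; root is exempt`, and update the comment above the `if`, which still lists only --appimage, --chroot and --overlay*. On such builds the branch also resets `need_preload` to `arg_trace || arg_tracelog` for every non-root run, so `arg_seccomp_postexec` no longer requests the preload; enforce_filters() is defined outside this hunk, so whether it accounts for that should be confirmed. sandbox() begins and ends outside the hunk.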