Add ./configure --enable-force-nonewprivs

This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-03-01 12:40:02 +0100
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-03-01 12:40:02 +0100
commit: b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e (patch)
tree: e50efc1e1dcb77e7b250fab9b0a50ca4b2082acf /src
parent: fixes (diff)
download: firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.tar.gz
firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.tar.zst
firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.zip
3 files changed, 16 insertions, 2 deletions
diff --git a/src/common.mk.in b/src/common.mk.in
index eae4138c0..a3df4abb6 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -27,6 +27,7 @@ HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@@ -36,7 +37,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 9d327933f..a277e76d9 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -388,4 +388,12 @@ void print_compiletime_support(void) {
                "disabled"
 #endif
                );
+        printf("\t- Always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ff5f4cb1e..e320e77f9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -795,11 +795,16 @@ int sandbox(void* sandbox_arg) {
                        exit(rv);
        }
+#ifdef HAVE_FORCE_NONEWPRIVS
+        bool always_enforce_filters = true;
+#else
+        bool always_enforce_filters = false;
+#endif
        // need ld.so.preload if tracing or seccomp with any non-default lists
        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
        // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
        // and drop all capabilities
-        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
                enforce_filters();
                need_preload = arg_trace || arg_tracelog;
        }
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-03-01 12:40:02 +0100
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-03-01 12:40:02 +0100
commit	b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e (patch)
tree	e50efc1e1dcb77e7b250fab9b0a50ca4b2082acf /src
parent	fixes (diff)
download	firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.tar.gz firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.tar.zst firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.zip