author | netblue30 <netblue30@protonmail.com> | 2022-05-25 07:36:42 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-05-25 07:36:42 -0400 |
commit | 880f2c98a1dee26228530875fc45d54db68ed1c8 (patch) | |
tree | efeda54d345b7bab410f4dd5e59575391e8c0e17 /src | |
parent | build(deps): bump github/codeql-action from 2.1.10 to 2.1.11 (diff) | |
Removed IDS feature from the default build. To enable it, use --enable-ids at compile time.
Diffstat (limited to 'src')
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
4 files changed, 23 insertions, 3 deletions
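--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -20,6 +20,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_IDS=@HAVE_IDS@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
@@ -38,7 +39,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now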
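Review bot: `HAVE_IDS=@HAVE_IDS@` on the new line 23 depends on configure substituting that variable, and because this diffstat is limited to src the configure side of the change is not visible here; it is worth confirming it is set in the same commit, since an empty substitution would leave `#ifdef HAVE_IDS` in checkcfg.c and main.c false even with --enable-ids. Given `CFLAGS += $(MANFLAGS)` on the following line, adding `$(HAVE_IDS)` to MANFLAGS is presumably what carries the define to the C sources as well as to the man page preprocessing. A short comment on the MANFLAGS line, e.g. `# feature defines shared by the C sources and the man page preprocessing`, would make that double role explicit for the next feature flag.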
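--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -365,6 +365,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- IDS support is %s\n",
+#ifdef HAVE_IDS
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- networking support is %s\n",
 #ifdef HAVE_NETWORK
 "enabled"
@@ -427,6 +435,4 @@ void print_compiletime_support(void) {
 "disabled"
 #endif
 );
-
-
 }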
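--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1090,8 +1090,17 @@ int main(int argc, char **argv, char **envp) {
 run_builder(argc, argv); // this function will not return
 
 // intrusion detection system
+#ifdef HAVE_IDS
 if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
 run_ids(argc, argv); // this function will not return
+#else
+if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
+fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
+"\tTo enable it, configure your build system using --enable-ids.\n"
+"\tExample: ./configure --prefix=/usr --enable-ids\n\n");
+exit(1);
+}
+#endif
 
 EUID_ROOT();
 #ifndef HAVE_SUID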
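Review bot: Both arms of the new `#ifdef HAVE_IDS` block repeat the same `check_arg(argc, argv, "--ids-", 0)` test, so the option prefix now has to be kept in sync in two places; hoisting the `if` above the `#ifdef` and keeping only `run_ids(argc, argv);` versus the `fprintf`/`exit(1)` pair inside the conditional would leave a single recognition point for `--ids-*`. Refusing explicitly in the disabled build, rather than letting an unhandled `--ids-init` fall through to whatever later option parsing does, is the right choice, and it happens before the `EUID_ROOT()` on the next line, so the privileged part of startup is never entered for a feature that was compiled out. main() begins and ends outside this hunk, so whether any other code path still references `run_ids` is not visible here.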
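--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -820,6 +820,7 @@ Example:
 .br
 $ firejail \-\-hosts-file=~/myhosts firefox
 
+#ifdef HAVE_IDS
 .TP
 \fB\-\-ids-check
 Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
@@ -839,6 +840,7 @@ Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
 Example:
 .br
 $ firejail \-\-ids-init
+#endif
 
 .TP
 \fB\-\-ignore=command
@@ -3342,6 +3344,7 @@ $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
 #endif
 
+#ifdef HAVE_IDS
 .SH INTRUSION DETECTION SYSTEM (IDS)
 The host-based intrusion detection system tracks down and audits user and system file modifications.
 The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
@@ -3399,6 +3402,7 @@ New files and deleted files are also flagged.
 
 Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
 The program can also be run as root (sudo firejail --ids-init/--ids-check).
+#endif
 
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format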