support to disable enforcing firejail.config

author: netblue30 <netblue30@yahoo.com> 2016-06-12 07:27:21 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-12 07:27:21 -0400
commit: d28f1d7157c87076771498f062f5af7e932bd20f (patch)
tree: 60761b47463e090cebc5391163506f52cdde34ec /src
parent: Merge pull request #564 from probonopd/patch-1 (diff)
download: firejail-d28f1d7157c87076771498f062f5af7e932bd20f.tar.gz
firejail-d28f1d7157c87076771498f062f5af7e932bd20f.tar.zst
firejail-d28f1d7157c87076771498f062f5af7e932bd20f.zip
7 files changed, 41 insertions, 18 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index a8af1a4e0..21f415ba5 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -17,13 +17,13 @@ HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
 HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index a69c2831e..6636e7efe 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -48,8 +48,13 @@ int checkcfg(int val) {
                FILE *fp = fopen(fname, "r");
                if (!fp) {
+#ifdef HAVE_GLOBALCFG                   
                        fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
                        exit(1);
+#else
+                        initialized = 1;
+                        return  cfg_val[val];
+#endif  
                }
                
                // read configuration file
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 8cae9191c..acc03e412 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -652,26 +652,27 @@ void fs_proc_sys_dev_boot(void) {
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
 static void disable_firejail_config(void) {
        struct stat s;
-        if (stat("/etc/firejail", &s) == 0)
+//      if (stat("/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/etc/firejail");
+//              disable_file(BLACKLIST_FILE, "/etc/firejail");
        char *fname;
        if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(fname, &s) == 0)
                disable_file(BLACKLIST_FILE, fname);
+        free(fname);
        
-        if (stat("/usr/local/etc/firejail", &s) == 0)
+//      if (stat("/usr/local/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
+//              disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
+//
-        if (strcmp(PREFIX, "/usr/local")) {
+//      if (strcmp(PREFIX, "/usr/local")) {
-                if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
+//              if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
-                        errExit("asprintf");
+//                      errExit("asprintf");
-                if (stat(fname, &s) == 0)
+//              if (stat(fname, &s) == 0)
-                        disable_file(BLACKLIST_FILE, fname);
+//                      disable_file(BLACKLIST_FILE, fname);
-        }
+//              free(fname);
+//      }
        
-        free(fname);
        
        // disable run time information
        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index d027eb697..423df3752 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -854,7 +854,7 @@ int main(int argc, char **argv) {
        
        
        // check for force-nonewprivs in /etc/firejail/firejail.config file
-        if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))
+        if (checkcfg(CFG_FORCE_NONEWPRIVS))
                arg_nonewprivs = 1;
        
        // parse arguments
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index f07cf2868..b6d341bf4 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -36,12 +36,12 @@ extern uid_t firejail_uid;
 static inline void EUID_ROOT(void) {
        if (seteuid(0) == -1)
-                fprintf(stderr, "Error: cannot switch euid to root\n");
+                fprintf(stderr, "Warning: cannot switch euid to root\n");
 }
 static inline void EUID_USER(void) {
        if (seteuid(firejail_uid) == -1)
-                fprintf(stderr, "Error: cannot switch euid to user\n");
+                fprintf(stderr, "Warning: cannot switch euid to user\n");
 }
 static inline void EUID_PRINT(void) {
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index e2e4229b0..c12bf7731 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -10,7 +10,7 @@ sandbox applications automatically, just by clicking on a regular desktop
 menus and icons.
 The symbolic links are placed in /usr/local/bin. For more information, see
-DESKTOP INTEGRATION section in man 1 firejail.
+\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH OPTIONS
 .TP
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index 6a66c7f75..bc29dc977 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -74,6 +74,23 @@ xephyr-screen 1024x768
 .br
 xephyr-screen 1280x1024
+.TP
+\fBxephyr-window-title
+Firejail window title in Xephry, default enabled.
+.TP
+\fBxephyr-extra-params
+Xephyr command extra parameters. None by default, and the declaration is commented out. Examples:
+.br
+.br
+xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+.br
+xephyr-extra-params -grayscale
+.SH COMPILE TIME CONFIGURATION
+Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details.
 .SH FILES
 /etc/firejail/firejail.config
author	netblue30 <netblue30@yahoo.com>	2016-06-12 07:27:21 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-12 07:27:21 -0400
commit	d28f1d7157c87076771498f062f5af7e932bd20f (patch)
tree	60761b47463e090cebc5391163506f52cdde34ec /src
parent	Merge pull request #564 from probonopd/patch-1 (diff)
download	firejail-d28f1d7157c87076771498f062f5af7e932bd20f.tar.gz firejail-d28f1d7157c87076771498f062f5af7e932bd20f.tar.zst firejail-d28f1d7157c87076771498f062f5af7e932bd20f.zip

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index a8af1a4e0..21f415ba5 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in
@@ -17,13 +17,13 @@ HAVE_USERNS=@HAVE_USERNS@
17	HAVE_X11=@HAVE_X11@	17	HAVE_X11=@HAVE_X11@
18	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@	18	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
19	HAVE_WHITELIST=@HAVE_WHITELIST@	19	HAVE_WHITELIST=@HAVE_WHITELIST@
20		20	HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
21		21
22	H_FILE_LIST = $(sort $(wildcard *.[h]))	22	H_FILE_LIST = $(sort $(wildcard *.[h]))
23	C_FILE_LIST = $(sort $(wildcard *.c))	23	C_FILE_LIST = $(sort $(wildcard *.c))
24	OBJS = $(C_FILE_LIST:.c=.o)	24	OBJS = $(C_FILE_LIST:.c=.o)
25	BINOBJS = $(foreach file, $(OBJS), $file)	25	BINOBJS = $(foreach file, $(OBJS), $file)
26	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	26	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
27	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	27	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
28		28
29	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h	29	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index a69c2831e..6636e7efe 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -48,8 +48,13 @@ int checkcfg(int val) {
48		48
49	FILE *fp = fopen(fname, "r");	49	FILE *fp = fopen(fname, "r");
50	if (!fp) {	50	if (!fp) {
		51	#ifdef HAVE_GLOBALCFG
51	fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);	52	fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
52	exit(1);	53	exit(1);
		54	#else
		55	initialized = 1;
		56	return cfg_val[val];
		57	#endif
53	}	58	}
54		59
55	// read configuration file	60	// read configuration file


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 8cae9191c..acc03e412 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -652,26 +652,27 @@ void fs_proc_sys_dev_boot(void) {
652	// disable firejail configuration in /etc/firejail and in ~/.config/firejail	652	// disable firejail configuration in /etc/firejail and in ~/.config/firejail
653	static void disable_firejail_config(void) {	653	static void disable_firejail_config(void) {
654	struct stat s;	654	struct stat s;
655	if (stat("/etc/firejail", &s) == 0)	655	// if (stat("/etc/firejail", &s) == 0)
656	disable_file(BLACKLIST_FILE, "/etc/firejail");	656	// disable_file(BLACKLIST_FILE, "/etc/firejail");
657		657
658	char *fname;	658	char *fname;
659	if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)	659	if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
660	errExit("asprintf");	660	errExit("asprintf");
661	if (stat(fname, &s) == 0)	661	if (stat(fname, &s) == 0)
662	disable_file(BLACKLIST_FILE, fname);	662	disable_file(BLACKLIST_FILE, fname);
		663	free(fname);
663		664
664	if (stat("/usr/local/etc/firejail", &s) == 0)	665	// if (stat("/usr/local/etc/firejail", &s) == 0)
665	disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");	666	// disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
666		667	//
667	if (strcmp(PREFIX, "/usr/local")) {	668	// if (strcmp(PREFIX, "/usr/local")) {
668	if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)	669	// if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
669	errExit("asprintf");	670	// errExit("asprintf");
670	if (stat(fname, &s) == 0)	671	// if (stat(fname, &s) == 0)
671	disable_file(BLACKLIST_FILE, fname);	672	// disable_file(BLACKLIST_FILE, fname);
672	}	673	// free(fname);
		674	// }
673		675
674	free(fname);
675		676
676	// disable run time information	677	// disable run time information
677	if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)	678	if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)


diff --git a/src/firejail/main.c b/src/firejail/main.c index d027eb697..423df3752 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -854,7 +854,7 @@ int main(int argc, char **argv) {
854		854
855		855
856	// check for force-nonewprivs in /etc/firejail/firejail.config file	856	// check for force-nonewprivs in /etc/firejail/firejail.config file
857	if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))	857	if (checkcfg(CFG_FORCE_NONEWPRIVS))
858	arg_nonewprivs = 1;	858	arg_nonewprivs = 1;
859		859
860	// parse arguments	860	// parse arguments


diff --git a/src/include/euid_common.h b/src/include/euid_common.h index f07cf2868..b6d341bf4 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h
@@ -36,12 +36,12 @@ extern uid_t firejail_uid;
36		36
37	static inline void EUID_ROOT(void) {	37	static inline void EUID_ROOT(void) {
38	if (seteuid(0) == -1)	38	if (seteuid(0) == -1)
39	fprintf(stderr, "Error: cannot switch euid to root\n");	39	fprintf(stderr, "Warning: cannot switch euid to root\n");
40	}	40	}
41		41
42	static inline void EUID_USER(void) {	42	static inline void EUID_USER(void) {
43	if (seteuid(firejail_uid) == -1)	43	if (seteuid(firejail_uid) == -1)
44	fprintf(stderr, "Error: cannot switch euid to user\n");	44	fprintf(stderr, "Warning: cannot switch euid to user\n");
45	}	45	}
46		46
47	static inline void EUID_PRINT(void) {	47	static inline void EUID_PRINT(void) {


diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index e2e4229b0..c12bf7731 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt
@@ -10,7 +10,7 @@ sandbox applications automatically, just by clicking on a regular desktop
10	menus and icons.	10	menus and icons.
11		11
12	The symbolic links are placed in /usr/local/bin. For more information, see	12	The symbolic links are placed in /usr/local/bin. For more information, see
13	DESKTOP INTEGRATION section in man 1 firejail.	13	\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
14		14
15	.SH OPTIONS	15	.SH OPTIONS
16	.TP	16	.TP


diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 6a66c7f75..bc29dc977 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt
@@ -74,6 +74,23 @@ xephyr-screen 1024x768
74	.br	74	.br
75	xephyr-screen 1280x1024	75	xephyr-screen 1280x1024
76		76
		77	.TP
		78	\fBxephyr-window-title
		79	Firejail window title in Xephry, default enabled.
		80
		81	.TP
		82	\fBxephyr-extra-params
		83	Xephyr command extra parameters. None by default, and the declaration is commented out. Examples:
		84	.br
		85
		86	.br
		87	xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
		88	.br
		89	xephyr-extra-params -grayscale
		90
		91	.SH COMPILE TIME CONFIGURATION
		92	Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details.
		93
77	.SH FILES	94	.SH FILES
78	/etc/firejail/firejail.config	95	/etc/firejail/firejail.config
79		96