-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/firejail/Makefile.in | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/x11.c | 4 | ||||
-rwxr-xr-x | test/compile/compile.sh | 19 |
6 files changed, 56 insertions, 1 deletions
@@ -629,6 +629,7 @@ EGREP | |||
629 | GREP | 629 | GREP |
630 | CPP | 630 | CPP |
631 | HAVE_FATAL_WARNINGS | 631 | HAVE_FATAL_WARNINGS |
632 | HAVE_X11 | ||
632 | HAVE_USERNS | 633 | HAVE_USERNS |
633 | HAVE_NETWORK | 634 | HAVE_NETWORK |
634 | HAVE_BIND | 635 | HAVE_BIND |
@@ -691,6 +692,7 @@ enable_chroot | |||
691 | enable_bind | 692 | enable_bind |
692 | enable_network | 693 | enable_network |
693 | enable_userns | 694 | enable_userns |
695 | enable_x11 | ||
694 | enable_fatal_warnings | 696 | enable_fatal_warnings |
695 | ' | 697 | ' |
696 | ac_precious_vars='build_alias | 698 | ac_precious_vars='build_alias |
@@ -1316,6 +1318,7 @@ Optional Features: | |||
1316 | --disable-bind disable bind | 1318 | --disable-bind disable bind |
1317 | --disable-network disable network | 1319 | --disable-network disable network |
1318 | --disable-userns disable user namespace | 1320 | --disable-userns disable user namespace |
1321 | --disable-x11 disable X11 support | ||
1319 | --enable-fatal-warnings -W -Wall -Werror | 1322 | --enable-fatal-warnings -W -Wall -Werror |
1320 | 1323 | ||
1321 | Some influential environment variables: | 1324 | Some influential environment variables: |
@@ -3119,6 +3122,19 @@ if test "x$enable_userns" != "xno"; then : | |||
3119 | 3122 | ||
3120 | fi | 3123 | fi |
3121 | 3124 | ||
3125 | HAVE_X11="" | ||
3126 | # Check whether --enable-x11 was given. | ||
3127 | if test "${enable_x11+set}" = set; then : | ||
3128 | enableval=$enable_x11; | ||
3129 | fi | ||
3130 | |||
3131 | if test "x$enable_x11" != "xno"; then : | ||
3132 | |||
3133 | HAVE_X11="-DHAVE_X11" | ||
3134 | |||
3135 | |||
3136 | fi | ||
3137 | |||
3122 | HAVE_FATAL_WARNINGS="" | 3138 | HAVE_FATAL_WARNINGS="" |
3123 | # Check whether --enable-fatal_warnings was given. | 3139 | # Check whether --enable-fatal_warnings was given. |
3124 | if test "${enable_fatal_warnings+set}" = set; then : | 3140 | if test "${enable_fatal_warnings+set}" = set; then : |
@@ -4777,6 +4793,7 @@ echo " chroot: $HAVE_CHROOT" | |||
4777 | echo " bind: $HAVE_BIND" | 4793 | echo " bind: $HAVE_BIND" |
4778 | echo " network: $HAVE_NETWORK" | 4794 | echo " network: $HAVE_NETWORK" |
4779 | echo " user namespace: $HAVE_USERNS" | 4795 | echo " user namespace: $HAVE_USERNS" |
4796 | echo " X11 support: $HAVE_X11" | ||
4780 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4797 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4781 | echo | 4798 | echo |
4782 | 4799 | ||
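--- a/configure.ac
+++ b/configure.ac
@@ -49,6 +49,14 @@ AS_IF([test "x$enable_userns" != "xno"], [
 AC_SUBST(HAVE_USERNS)
 ])
 
+HAVE_X11=""
+AC_ARG_ENABLE([x11],
+AS_HELP_STRING([--disable-x11], [disable X11 support]))
+AS_IF([test "x$enable_x11" != "xno"], [
+HAVE_X11="-DHAVE_X11"
+AC_SUBST(HAVE_X11)
+])
+
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
 AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -81,6 +89,7 @@ echo " chroot: $HAVE_CHROOT"
 echo " bind: $HAVE_BIND"
 echo " network: $HAVE_NETWORK"
 echo " user namespace: $HAVE_USERNS"
+echo " X11 support: $HAVE_X11"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
 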
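--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -14,13 +14,14 @@ HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
 
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h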
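--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -261,12 +261,17 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifndef HAVE_CHROOT
 printf("Chroot support is disabled.\n");
 #endif
+#ifndef HAVE_X11
+printf("X11 support is disabled.\n");
+#endif
 exit(0);
 }
+#ifdef HAVE_X11
 else if (strcmp(argv[i], "--x11") == 0) {
 x11_start(argc, argv);
 exit(0);
 }
+#endif
 #ifdef HAVE_NETWORK
 else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
 logargs(argc, argv);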
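Review bot: With `HAVE_X11` undefined the `--x11` branch is compiled out entirely, so a user who asks for X11 sandboxing on a `--disable-x11` build gets whatever the fall-through path for unmatched options does (not visible in this hunk) rather than a clear refusal. For a sandbox, an isolation option that is requested but unavailable should fail closed and say why. Keep the `strcmp(argv[i], "--x11")` branch in both builds and add an `#else` body along the lines of `fprintf(stderr, "Error: X11 support is disabled in this build\n"); exit(1);`. `run_cmd_and_exit` starts and ends outside the hunk, so the actual fall-through behaviour should be confirmed there.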
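--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -27,6 +27,7 @@
 #include <sys/mount.h>
 
 void fs_x11(void) {
+#ifdef HAVE_X11
 // extract display
 char *d = getenv("DISPLAY");
 if (!d)
@@ -94,9 +95,11 @@ void fs_x11(void) {
 if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, "none", MS_BIND, "mode=400,gid=0") == -1)
 errExit("mount");
 fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
+#endif
 }
 
 
+#ifdef HAVE_X11
 void x11_start(int argc, char **argv) {
 EUID_ASSERT();
 int i;
@@ -215,3 +218,4 @@ void x11_start(int argc, char **argv) {
 printf("Xpra server pid %d, client pid %d\n", server, client);
 exit(0);
 }
+#endif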
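Review bot: Wrapping the whole body of `fs_x11()` in `#ifdef HAVE_X11` turns it into a silent no-op in `--disable-x11` builds, which is a different thing from compiling out the `x11_start()` launcher. The visible tail of the body bind-mounts `RUN_RO_DIR` over `RUN_WHITELIST_X11_DIR` and logs a "blacklist" entry, so it looks like sandbox filesystem hardening rather than an optional feature. If callers rely on it to restrict X11 sockets, a build without X11 support would drop that restriction without any message. Consider guarding only `x11_start()`, or at least documenting the no-op with a comment such as `// --disable-x11: no X11 socket filtering is applied`. Most of both functions lies outside the hunks shown, so this needs checking against the full body and its callers.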
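--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -6,6 +6,7 @@ arr[3]="TEST 3: compile chroot disabled"
 arr[4]="TEST 4: compile bind disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
+arr[7]="TEST 7: compile X11 disabled"
 
 
 # remove previous reports and output file
@@ -146,6 +147,23 @@ grep Warning output-configure output-make > ./report-test6
 grep Error output-configure output-make >> ./report-test6
 rm output-configure output-make
 
+#*****************************************************************
+# TEST 7
+#*****************************************************************
+# - disable X11 support
+# - check compilation
+#*****************************************************************
+print_title "${arr[6]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test7
+grep Error output-configure output-make >> ./report-test7
+rm output-configure output-make
+
 
 #*****************************************************************
 # PRINT REPORTS
@@ -167,3 +185,4 @@ echo ${arr[3]}
 echo ${arr[4]}
 echo ${arr[5]}
 echo ${arr[6]}
+echo ${arr[7]}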
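Review bot: TEST 7 prints the wrong title: `print_title "${arr[6]}"` reuses the TEST 6 entry, so the log announces "compile network disabled" while the build runs with `--disable-x11`. It should be `print_title "${arr[7]}"`. The `# seccomp` comment below it is a copy-paste leftover and should read `# X11`. The report-printing lines between the second and third hunks are not shown, so check that `report-test7` is also printed and cleaned up there. Otherwise a warning from the X11-disabled build would be collected but never displayed.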