-rw-r--r-- | Makefile.in | 3 | ||||
-rwxr-xr-x | configure | 19 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rwxr-xr-x | mketc.sh | 14 |
4 files changed, 45 insertions, 1 deletions
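--- a/Makefile.in
+++ b/Makefile.in
@@ -16,6 +16,7 @@ NAME=@PACKAGE_NAME@
 PACKAGE_TARNAME=@PACKAGE_TARNAME@
 DOCDIR=@docdir@
 HAVE_APPARMOR=@HAVE_APPARMOR@
+BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
 
 .PHONY: mylibs $(MYLIBS)
 mylibs: $(MYLIBS)
@@ -79,7 +80,7 @@ realinstall:
 install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
 install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
 # etc files
-./mketc.sh $(sysconfdir)
+./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
 install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
 for file in .etc/* etc/firejail.config; do \
 install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \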
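Review bot: The new second argument to `./mketc.sh` in the `realinstall` recipe is positional and unquoted, so if `$(sysconfdir)` ever expands to nothing the yes/no value shifts into `$1` and the script's `[ "x$2" = "xyes" ]` test silently sees an empty string. Quoting both arguments keeps the positions fixed: `./mketc.sh "$(sysconfdir)" "$(BUSYBOX_WORKAROUND)"`. The recipe begins above the hunk and its `for` loop continues below it.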
@@ -625,6 +625,7 @@ ac_includes_default="\ | |||
625 | ac_subst_vars='LTLIBOBJS | 625 | ac_subst_vars='LTLIBOBJS |
626 | LIBOBJS | 626 | LIBOBJS |
627 | HAVE_SECCOMP_H | 627 | HAVE_SECCOMP_H |
628 | BUSYBOX_WORKAROUND | ||
628 | HAVE_FATAL_WARNINGS | 629 | HAVE_FATAL_WARNINGS |
629 | HAVE_WHITELIST | 630 | HAVE_WHITELIST |
630 | HAVE_FILE_TRANSFER | 631 | HAVE_FILE_TRANSFER |
@@ -703,6 +704,7 @@ enable_x11 | |||
703 | enable_file_transfer | 704 | enable_file_transfer |
704 | enable_whitelist | 705 | enable_whitelist |
705 | enable_fatal_warnings | 706 | enable_fatal_warnings |
707 | enable_busybox_workaround | ||
706 | ' | 708 | ' |
707 | ac_precious_vars='build_alias | 709 | ac_precious_vars='build_alias |
708 | host_alias | 710 | host_alias |
@@ -1336,6 +1338,8 @@ Optional Features: | |||
1336 | --disable-file-transfer disable file transfer | 1338 | --disable-file-transfer disable file transfer |
1337 | --disable-whitelist disable whitelist | 1339 | --disable-whitelist disable whitelist |
1338 | --enable-fatal-warnings -W -Wall -Werror | 1340 | --enable-fatal-warnings -W -Wall -Werror |
1341 | --enable-busybox-workaround | ||
1342 | enable busybox workaround | ||
1339 | 1343 | ||
1340 | Some influential environment variables: | 1344 | Some influential environment variables: |
1341 | CC C compiler command | 1345 | CC C compiler command |
@@ -3647,6 +3651,20 @@ if test "x$enable_fatal_warnings" = "xyes"; then : | |||
3647 | 3651 | ||
3648 | fi | 3652 | fi |
3649 | 3653 | ||
3654 | BUSYBOX_WORKAROUND="no" | ||
3655 | # Check whether --enable-busybox-workaround was given. | ||
3656 | if test "${enable_busybox_workaround+set}" = set; then : | ||
3657 | enableval=$enable_busybox_workaround; | ||
3658 | fi | ||
3659 | |||
3660 | if test "x$enable_busybox_workaround" = "xyes"; then : | ||
3661 | |||
3662 | BUSYBOX_WORKAROUND="yes" | ||
3663 | |||
3664 | |||
3665 | fi | ||
3666 | |||
3667 | |||
3650 | 3668 | ||
3651 | # checking pthread library | 3669 | # checking pthread library |
3652 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | 3670 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 |
@@ -4905,6 +4923,7 @@ echo " X11 sandboxing support: $HAVE_X11" | |||
4905 | echo " whitelisting: $HAVE_WHITELIST" | 4923 | echo " whitelisting: $HAVE_WHITELIST" |
4906 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4924 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4907 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4925 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4926 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | ||
4908 | printf " uid_min: "; grep UID_MIN uids.h | 4927 | printf " uid_min: "; grep UID_MIN uids.h |
4909 | printf " gid_min: "; grep GID_MIN uids.h | 4928 | printf " gid_min: "; grep GID_MIN uids.h |
4910 | printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 4929 | printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
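--- a/configure.ac
+++ b/configure.ac
@@ -115,6 +115,15 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
 AC_SUBST(HAVE_FATAL_WARNINGS)
 ])
 
+BUSYBOX_WORKAROUND="no"
+AC_ARG_ENABLE([busybox-workaround],
+AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround]))
+AS_IF([test "x$enable_busybox_workaround" = "xyes"], [
+BUSYBOX_WORKAROUND="yes"
+AC_SUBST(BUSYBOX_WORKAROUND)
+])
+
+
 
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -148,6 +157,7 @@ echo " X11 sandboxing support: $HAVE_X11"
 echo " whitelisting: $HAVE_WHITELIST"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
+echo " busybox workaround: $BUSYBOX_WORKAROUND"
 printf " uid_min: "; grep UID_MIN uids.h
 printf " gid_min: "; grep GID_MIN uids.h
 printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"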
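Review bot: The help text `[enable busybox workaround]` in the new `AC_ARG_ENABLE` call does not tell a packager that the option relaxes the default blacklist. Going by the mketc.sh change in this commit, wording such as `[do not blacklist mount, umount, su, sudo and nc (for systems where they are busybox symlinks)]` would make the security cost visible in `./configure --help`. Separately, `AC_SUBST(BUSYBOX_WORKAROUND)` sits inside the `AS_IF` body although the "no" default is also meant to reach Makefile.in. It mirrors the neighbouring HAVE_FATAL_WARNINGS block, but placing it after the `AS_IF` would read less like a conditional substitution.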
@@ -6,3 +6,17 @@ for file in etc/*.profile etc/*.inc etc/*.net; | |||
6 | do | 6 | do |
7 | sed "s;/etc/firejail;$1/firejail;g" $file > .$file | 7 | sed "s;/etc/firejail;$1/firejail;g" $file > .$file |
8 | done | 8 | done |
9 | |||
10 | if [ "x$2" = "xyes" ] | ||
11 | then | ||
12 | sed -i -e ' | ||
13 | 1i# Workaround for systems where common UNIX utilities are symlinks to busybox.\ | ||
14 | # If this is not your case you can remove --enable-busybox-workaround from\ | ||
15 | # ./configure options, for added security.\ | ||
16 | noblacklist \${PATH}/mount\ | ||
17 | noblacklist \${PATH}/umount\ | ||
18 | noblacklist \${PATH}/su\ | ||
19 | noblacklist \${PATH}/sudo\ | ||
20 | noblacklist \${PATH}/nc\ | ||
21 | ' .etc/disable-common.inc | ||
22 | fi | ||
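Review bot: The `sed -i` block prepends all five `noblacklist` lines to `.etc/disable-common.inc` whenever `$2` is `yes`, so the exemption for `mount`, `umount`, `su`, `sudo` and `nc` applies to every profile that includes that file, not only to the names that really are busybox symlinks on the target. `sudo` in particular is, as far as I know, not a busybox applet, so its line probably only weakens the blacklist; I would drop `noblacklist \${PATH}/sudo\` unless a supported target needs it. The inserted header comment could also state what is being traded away, for example `# These entries re-expose setuid and network tools inside the sandbox.`. The script starts above the hunk.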