diff options
-rw-r--r-- | RELNOTES | 3 | ||||
-rwxr-xr-x | configure | 53 | ||||
-rw-r--r-- | configure.ac | 21 | ||||
-rw-r--r-- | src/firejail/Makefile.in | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 17 | ||||
-rw-r--r-- | src/firejail/profile.c | 10 | ||||
-rw-r--r-- | src/firejail/usage.c | 24 |
7 files changed, 111 insertions, 21 deletions
@@ -1,7 +1,8 @@ | |||
1 | firejail (0.9.38) baseline; urgency=low | 1 | firejail (0.9.37) baseline; urgency=low |
2 | * IPv6 support (--ip6 and --netfilter6) | 2 | * IPv6 support (--ip6 and --netfilter6) |
3 | * --join command enhancement (--join-network, --join-filesystem) | 3 | * --join command enhancement (--join-network, --join-filesystem) |
4 | * --user command | 4 | * --user command |
5 | * --disable-network and --disable-userns compile time flags | ||
5 | * symlink invocation | 6 | * symlink invocation |
6 | * added KMail, Seamonkey, Telegram profiles | 7 | * added KMail, Seamonkey, Telegram profiles |
7 | * bugfixes | 8 | * bugfixes |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.38. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.37. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.38' | 583 | PACKAGE_VERSION='0.9.37' |
584 | PACKAGE_STRING='firejail 0.9.38' | 584 | PACKAGE_STRING='firejail 0.9.37' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -629,6 +629,8 @@ EGREP | |||
629 | GREP | 629 | GREP |
630 | CPP | 630 | CPP |
631 | HAVE_FATAL_WARNINGS | 631 | HAVE_FATAL_WARNINGS |
632 | HAVE_USERNS | ||
633 | HAVE_NETWORK | ||
632 | HAVE_BIND | 634 | HAVE_BIND |
633 | HAVE_CHROOT | 635 | HAVE_CHROOT |
634 | HAVE_SECCOMP | 636 | HAVE_SECCOMP |
@@ -687,6 +689,8 @@ enable_option_checking | |||
687 | enable_seccomp | 689 | enable_seccomp |
688 | enable_chroot | 690 | enable_chroot |
689 | enable_bind | 691 | enable_bind |
692 | enable_network | ||
693 | enable_userns | ||
690 | enable_fatal_warnings | 694 | enable_fatal_warnings |
691 | ' | 695 | ' |
692 | ac_precious_vars='build_alias | 696 | ac_precious_vars='build_alias |
@@ -1238,7 +1242,7 @@ if test "$ac_init_help" = "long"; then | |||
1238 | # Omit some internal or obsolete options to make the list less imposing. | 1242 | # Omit some internal or obsolete options to make the list less imposing. |
1239 | # This message is too long to be a string in the A/UX 3.1 sh. | 1243 | # This message is too long to be a string in the A/UX 3.1 sh. |
1240 | cat <<_ACEOF | 1244 | cat <<_ACEOF |
1241 | \`configure' configures firejail 0.9.38 to adapt to many kinds of systems. | 1245 | \`configure' configures firejail 0.9.37 to adapt to many kinds of systems. |
1242 | 1246 | ||
1243 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1247 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1244 | 1248 | ||
@@ -1299,7 +1303,7 @@ fi | |||
1299 | 1303 | ||
1300 | if test -n "$ac_init_help"; then | 1304 | if test -n "$ac_init_help"; then |
1301 | case $ac_init_help in | 1305 | case $ac_init_help in |
1302 | short | recursive ) echo "Configuration of firejail 0.9.38:";; | 1306 | short | recursive ) echo "Configuration of firejail 0.9.37:";; |
1303 | esac | 1307 | esac |
1304 | cat <<\_ACEOF | 1308 | cat <<\_ACEOF |
1305 | 1309 | ||
@@ -1310,6 +1314,8 @@ Optional Features: | |||
1310 | --disable-seccomp disable seccomp | 1314 | --disable-seccomp disable seccomp |
1311 | --disable-chroot disable chroot | 1315 | --disable-chroot disable chroot |
1312 | --disable-bind disable bind | 1316 | --disable-bind disable bind |
1317 | --disable-network disable network | ||
1318 | --disable-userns disable user namespace | ||
1313 | --enable-fatal-warnings -W -Wall -Werror | 1319 | --enable-fatal-warnings -W -Wall -Werror |
1314 | 1320 | ||
1315 | Some influential environment variables: | 1321 | Some influential environment variables: |
@@ -1389,7 +1395,7 @@ fi | |||
1389 | test -n "$ac_init_help" && exit $ac_status | 1395 | test -n "$ac_init_help" && exit $ac_status |
1390 | if $ac_init_version; then | 1396 | if $ac_init_version; then |
1391 | cat <<\_ACEOF | 1397 | cat <<\_ACEOF |
1392 | firejail configure 0.9.38 | 1398 | firejail configure 0.9.37 |
1393 | generated by GNU Autoconf 2.69 | 1399 | generated by GNU Autoconf 2.69 |
1394 | 1400 | ||
1395 | Copyright (C) 2012 Free Software Foundation, Inc. | 1401 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1691,7 +1697,7 @@ cat >config.log <<_ACEOF | |||
1691 | This file contains any messages produced by compilers while | 1697 | This file contains any messages produced by compilers while |
1692 | running configure, to aid debugging if configure makes a mistake. | 1698 | running configure, to aid debugging if configure makes a mistake. |
1693 | 1699 | ||
1694 | It was created by firejail $as_me 0.9.38, which was | 1700 | It was created by firejail $as_me 0.9.37, which was |
1695 | generated by GNU Autoconf 2.69. Invocation command line was | 1701 | generated by GNU Autoconf 2.69. Invocation command line was |
1696 | 1702 | ||
1697 | $ $0 $@ | 1703 | $ $0 $@ |
@@ -3087,6 +3093,32 @@ if test "x$enable_bind" != "xno"; then : | |||
3087 | 3093 | ||
3088 | fi | 3094 | fi |
3089 | 3095 | ||
3096 | HAVE_NETWORK="" | ||
3097 | # Check whether --enable-network was given. | ||
3098 | if test "${enable_network+set}" = set; then : | ||
3099 | enableval=$enable_network; | ||
3100 | fi | ||
3101 | |||
3102 | if test "x$enable_network" != "xno"; then : | ||
3103 | |||
3104 | HAVE_NETWORK="-DHAVE_NETWORK" | ||
3105 | |||
3106 | |||
3107 | fi | ||
3108 | |||
3109 | HAVE_USERNS="" | ||
3110 | # Check whether --enable-userns was given. | ||
3111 | if test "${enable_userns+set}" = set; then : | ||
3112 | enableval=$enable_userns; | ||
3113 | fi | ||
3114 | |||
3115 | if test "x$enable_userns" != "xno"; then : | ||
3116 | |||
3117 | HAVE_USERNS="-DHAVE_USERNS" | ||
3118 | |||
3119 | |||
3120 | fi | ||
3121 | |||
3090 | HAVE_FATAL_WARNINGS="" | 3122 | HAVE_FATAL_WARNINGS="" |
3091 | # Check whether --enable-fatal_warnings was given. | 3123 | # Check whether --enable-fatal_warnings was given. |
3092 | if test "${enable_fatal_warnings+set}" = set; then : | 3124 | if test "${enable_fatal_warnings+set}" = set; then : |
@@ -3100,6 +3132,7 @@ if test "x$enable_fatal_warnings" = "xyes"; then : | |||
3100 | 3132 | ||
3101 | fi | 3133 | fi |
3102 | 3134 | ||
3135 | |||
3103 | # checking pthread library | 3136 | # checking pthread library |
3104 | 3137 | ||
3105 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | 3138 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 |
@@ -4107,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4107 | # report actual input values of CONFIG_FILES etc. instead of their | 4140 | # report actual input values of CONFIG_FILES etc. instead of their |
4108 | # values after options handling. | 4141 | # values after options handling. |
4109 | ac_log=" | 4142 | ac_log=" |
4110 | This file was extended by firejail $as_me 0.9.38, which was | 4143 | This file was extended by firejail $as_me 0.9.37, which was |
4111 | generated by GNU Autoconf 2.69. Invocation command line was | 4144 | generated by GNU Autoconf 2.69. Invocation command line was |
4112 | 4145 | ||
4113 | CONFIG_FILES = $CONFIG_FILES | 4146 | CONFIG_FILES = $CONFIG_FILES |
@@ -4161,7 +4194,7 @@ _ACEOF | |||
4161 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4194 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4162 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4195 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4163 | ac_cs_version="\\ | 4196 | ac_cs_version="\\ |
4164 | firejail config.status 0.9.38 | 4197 | firejail config.status 0.9.37 |
4165 | configured by $0, generated by GNU Autoconf 2.69, | 4198 | configured by $0, generated by GNU Autoconf 2.69, |
4166 | with options \\"\$ac_cs_config\\" | 4199 | with options \\"\$ac_cs_config\\" |
4167 | 4200 | ||
@@ -4742,6 +4775,8 @@ echo " seccomp: $HAVE_SECCOMP" | |||
4742 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | 4775 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" |
4743 | echo " chroot: $HAVE_CHROOT" | 4776 | echo " chroot: $HAVE_CHROOT" |
4744 | echo " bind: $HAVE_BIND" | 4777 | echo " bind: $HAVE_BIND" |
4778 | echo " network: $HAVE_NETWORK" | ||
4779 | echo " user namespace: $HAVE_USERNS" | ||
4745 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4780 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4746 | echo | 4781 | echo |
4747 | 4782 | ||
diff --git a/configure.ac b/configure.ac index cc505ef5f..5cd3ef6f0 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.38, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.37, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
@@ -33,6 +33,22 @@ AS_IF([test "x$enable_bind" != "xno"], [ | |||
33 | AC_SUBST(HAVE_BIND) | 33 | AC_SUBST(HAVE_BIND) |
34 | ]) | 34 | ]) |
35 | 35 | ||
36 | HAVE_NETWORK="" | ||
37 | AC_ARG_ENABLE([network], | ||
38 | AS_HELP_STRING([--disable-network], [disable network])) | ||
39 | AS_IF([test "x$enable_network" != "xno"], [ | ||
40 | HAVE_NETWORK="-DHAVE_NETWORK" | ||
41 | AC_SUBST(HAVE_NETWORK) | ||
42 | ]) | ||
43 | |||
44 | HAVE_USERNS="" | ||
45 | AC_ARG_ENABLE([userns], | ||
46 | AS_HELP_STRING([--disable-userns], [disable user namespace])) | ||
47 | AS_IF([test "x$enable_userns" != "xno"], [ | ||
48 | HAVE_USERNS="-DHAVE_USERNS" | ||
49 | AC_SUBST(HAVE_USERNS) | ||
50 | ]) | ||
51 | |||
36 | HAVE_FATAL_WARNINGS="" | 52 | HAVE_FATAL_WARNINGS="" |
37 | AC_ARG_ENABLE([fatal_warnings], | 53 | AC_ARG_ENABLE([fatal_warnings], |
38 | AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) | 54 | AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) |
@@ -41,6 +57,7 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [ | |||
41 | AC_SUBST(HAVE_FATAL_WARNINGS) | 57 | AC_SUBST(HAVE_FATAL_WARNINGS) |
42 | ]) | 58 | ]) |
43 | 59 | ||
60 | |||
44 | # checking pthread library | 61 | # checking pthread library |
45 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 62 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
46 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 63 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
@@ -62,6 +79,8 @@ echo " seccomp: $HAVE_SECCOMP" | |||
62 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | 79 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" |
63 | echo " chroot: $HAVE_CHROOT" | 80 | echo " chroot: $HAVE_CHROOT" |
64 | echo " bind: $HAVE_BIND" | 81 | echo " bind: $HAVE_BIND" |
82 | echo " network: $HAVE_NETWORK" | ||
83 | echo " user namespace: $HAVE_USERNS" | ||
65 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 84 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
66 | echo | 85 | echo |
67 | 86 | ||
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 87cda9ab2..83a2b0592 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -12,13 +12,15 @@ HAVE_SECCOMP=@HAVE_SECCOMP@ | |||
12 | HAVE_CHROOT=@HAVE_CHROOT@ | 12 | HAVE_CHROOT=@HAVE_CHROOT@ |
13 | HAVE_BIND=@HAVE_BIND@ | 13 | HAVE_BIND=@HAVE_BIND@ |
14 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | 14 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ |
15 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
16 | HAVE_USERNS=@HAVE_USERNS@ | ||
15 | 17 | ||
16 | 18 | ||
17 | H_FILE_LIST = $(sort $(wildcard *.[h])) | 19 | H_FILE_LIST = $(sort $(wildcard *.[h])) |
18 | C_FILE_LIST = $(sort $(wildcard *.c)) | 20 | C_FILE_LIST = $(sort $(wildcard *.c)) |
19 | OBJS = $(C_FILE_LIST:.c=.o) | 21 | OBJS = $(C_FILE_LIST:.c=.o) |
20 | BINOBJS = $(foreach file, $(OBJS), $file) | 22 | BINOBJS = $(foreach file, $(OBJS), $file) |
21 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 23 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
22 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 24 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
23 | 25 | ||
24 | %.o : %.c $(H_FILE_LIST) | 26 | %.o : %.c $(H_FILE_LIST) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 014ea8cae..2fda8f1ab 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -208,7 +208,7 @@ static void check_network(Bridge *br) { | |||
208 | } | 208 | } |
209 | } | 209 | } |
210 | 210 | ||
211 | 211 | #ifdef HAVE_USERNS | |
212 | void check_user_namespace(void) { | 212 | void check_user_namespace(void) { |
213 | if (getuid() == 0) { | 213 | if (getuid() == 0) { |
214 | fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n"); | 214 | fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n"); |
@@ -228,6 +228,7 @@ void check_user_namespace(void) { | |||
228 | arg_noroot = 0; | 228 | arg_noroot = 0; |
229 | } | 229 | } |
230 | } | 230 | } |
231 | #endif | ||
231 | 232 | ||
232 | // exit commands | 233 | // exit commands |
233 | static void run_cmd_and_exit(int i, int argc, char **argv) { | 234 | static void run_cmd_and_exit(int i, int argc, char **argv) { |
@@ -243,6 +244,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
243 | printf("firejail version %s\n", VERSION); | 244 | printf("firejail version %s\n", VERSION); |
244 | exit(0); | 245 | exit(0); |
245 | } | 246 | } |
247 | #ifdef HAVE_NETWORK | ||
246 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { | 248 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { |
247 | logargs(argc, argv); | 249 | logargs(argc, argv); |
248 | 250 | ||
@@ -303,7 +305,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
303 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); | 305 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); |
304 | exit(0); | 306 | exit(0); |
305 | } | 307 | } |
306 | 308 | #endif | |
307 | //************************************* | 309 | //************************************* |
308 | // independent commands - the program will exit! | 310 | // independent commands - the program will exit! |
309 | //************************************* | 311 | //************************************* |
@@ -382,10 +384,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
382 | top(); | 384 | top(); |
383 | exit(0); | 385 | exit(0); |
384 | } | 386 | } |
387 | #ifdef HAVE_NETWORK | ||
385 | else if (strcmp(argv[i], "--netstats") == 0) { | 388 | else if (strcmp(argv[i], "--netstats") == 0) { |
386 | netstats(); | 389 | netstats(); |
387 | exit(0); | 390 | exit(0); |
388 | } | 391 | } |
392 | #endif | ||
389 | else if (strncmp(argv[i], "--join=", 7) == 0) { | 393 | else if (strncmp(argv[i], "--join=", 7) == 0) { |
390 | logargs(argc, argv); | 394 | logargs(argc, argv); |
391 | 395 | ||
@@ -397,6 +401,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
397 | join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1); | 401 | join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1); |
398 | exit(0); | 402 | exit(0); |
399 | } | 403 | } |
404 | #ifdef HAVE_NETWORK | ||
400 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { | 405 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { |
401 | logargs(argc, argv); | 406 | logargs(argc, argv); |
402 | arg_join_network = 1; | 407 | arg_join_network = 1; |
@@ -413,6 +418,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
413 | join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1); | 418 | join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1); |
414 | exit(0); | 419 | exit(0); |
415 | } | 420 | } |
421 | #endif | ||
416 | else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) { | 422 | else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) { |
417 | logargs(argc, argv); | 423 | logargs(argc, argv); |
418 | arg_join_filesystem = 1; | 424 | arg_join_filesystem = 1; |
@@ -962,9 +968,11 @@ int main(int argc, char **argv) { | |||
962 | } | 968 | } |
963 | else if (strcmp(argv[i], "--nogroups") == 0) | 969 | else if (strcmp(argv[i], "--nogroups") == 0) |
964 | arg_nogroups = 1; | 970 | arg_nogroups = 1; |
971 | #ifdef HAVE_USERNS | ||
965 | else if (strcmp(argv[i], "--noroot") == 0) { | 972 | else if (strcmp(argv[i], "--noroot") == 0) { |
966 | check_user_namespace(); | 973 | check_user_namespace(); |
967 | } | 974 | } |
975 | #endif | ||
968 | else if (strncmp(argv[i], "--env=", 6) == 0) | 976 | else if (strncmp(argv[i], "--env=", 6) == 0) |
969 | env_store(argv[i] + 6); | 977 | env_store(argv[i] + 6); |
970 | else if (strncmp(argv[i], "--nosound", 9) == 0) { | 978 | else if (strncmp(argv[i], "--nosound", 9) == 0) { |
@@ -975,6 +983,7 @@ int main(int argc, char **argv) { | |||
975 | //************************************* | 983 | //************************************* |
976 | // network | 984 | // network |
977 | //************************************* | 985 | //************************************* |
986 | #ifdef HAVE_NETWORK | ||
978 | else if (strncmp(argv[i], "--interface=", 12) == 0) { | 987 | else if (strncmp(argv[i], "--interface=", 12) == 0) { |
979 | // checks | 988 | // checks |
980 | if (arg_nonetwork) { | 989 | if (arg_nonetwork) { |
@@ -1164,6 +1173,7 @@ int main(int argc, char **argv) { | |||
1164 | return 1; | 1173 | return 1; |
1165 | } | 1174 | } |
1166 | } | 1175 | } |
1176 | #endif | ||
1167 | else if (strncmp(argv[i], "--dns=", 6) == 0) { | 1177 | else if (strncmp(argv[i], "--dns=", 6) == 0) { |
1168 | uint32_t dns; | 1178 | uint32_t dns; |
1169 | if (atoip(argv[i] + 6, &dns)) { | 1179 | if (atoip(argv[i] + 6, &dns)) { |
@@ -1182,6 +1192,7 @@ int main(int argc, char **argv) { | |||
1182 | return 1; | 1192 | return 1; |
1183 | } | 1193 | } |
1184 | } | 1194 | } |
1195 | #ifdef HAVE_NETWORK | ||
1185 | else if (strcmp(argv[i], "--netfilter") == 0) | 1196 | else if (strcmp(argv[i], "--netfilter") == 0) |
1186 | arg_netfilter = 1; | 1197 | arg_netfilter = 1; |
1187 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { | 1198 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { |
@@ -1194,7 +1205,7 @@ int main(int argc, char **argv) { | |||
1194 | arg_netfilter6_file = argv[i] + 13; | 1205 | arg_netfilter6_file = argv[i] + 13; |
1195 | check_netfilter_file(arg_netfilter6_file); | 1206 | check_netfilter_file(arg_netfilter6_file); |
1196 | } | 1207 | } |
1197 | 1208 | #endif | |
1198 | //************************************* | 1209 | //************************************* |
1199 | // command | 1210 | // command |
1200 | //************************************* | 1211 | //************************************* |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f6b062d2b..2d7b07c6d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -110,7 +110,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
110 | } | 110 | } |
111 | // seccomp, caps, private, user namespace | 111 | // seccomp, caps, private, user namespace |
112 | else if (strcmp(ptr, "noroot") == 0) { | 112 | else if (strcmp(ptr, "noroot") == 0) { |
113 | #if HAVE_USERNS | ||
113 | check_user_namespace(); | 114 | check_user_namespace(); |
115 | #endif | ||
114 | return 0; | 116 | return 0; |
115 | } | 117 | } |
116 | else if (strcmp(ptr, "seccomp") == 0) { | 118 | else if (strcmp(ptr, "seccomp") == 0) { |
@@ -146,31 +148,39 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
146 | return 0; | 148 | return 0; |
147 | } | 149 | } |
148 | else if (strcmp(ptr, "netfilter") == 0) { | 150 | else if (strcmp(ptr, "netfilter") == 0) { |
151 | #ifdef HAVE_NETWORK | ||
149 | arg_netfilter = 1; | 152 | arg_netfilter = 1; |
153 | #endif | ||
150 | return 0; | 154 | return 0; |
151 | } | 155 | } |
152 | else if (strncmp(ptr, "netfilter ", 10) == 0) { | 156 | else if (strncmp(ptr, "netfilter ", 10) == 0) { |
157 | #ifdef HAVE_NETWORK | ||
153 | arg_netfilter = 1; | 158 | arg_netfilter = 1; |
154 | arg_netfilter_file = strdup(ptr + 10); | 159 | arg_netfilter_file = strdup(ptr + 10); |
155 | if (!arg_netfilter_file) | 160 | if (!arg_netfilter_file) |
156 | errExit("strdup"); | 161 | errExit("strdup"); |
157 | check_netfilter_file(arg_netfilter_file); | 162 | check_netfilter_file(arg_netfilter_file); |
163 | #endif | ||
158 | return 0; | 164 | return 0; |
159 | } | 165 | } |
160 | else if (strncmp(ptr, "netfilter6 ", 11) == 0) { | 166 | else if (strncmp(ptr, "netfilter6 ", 11) == 0) { |
167 | #ifdef HAVE_NETWORK | ||
161 | arg_netfilter6 = 1; | 168 | arg_netfilter6 = 1; |
162 | arg_netfilter6_file = strdup(ptr + 11); | 169 | arg_netfilter6_file = strdup(ptr + 11); |
163 | if (!arg_netfilter6_file) | 170 | if (!arg_netfilter6_file) |
164 | errExit("strdup"); | 171 | errExit("strdup"); |
165 | check_netfilter_file(arg_netfilter6_file); | 172 | check_netfilter_file(arg_netfilter6_file); |
173 | #endif | ||
166 | return 0; | 174 | return 0; |
167 | } | 175 | } |
168 | else if (strcmp(ptr, "net none") == 0) { | 176 | else if (strcmp(ptr, "net none") == 0) { |
177 | #ifdef HAVE_NETWORK | ||
169 | arg_nonetwork = 1; | 178 | arg_nonetwork = 1; |
170 | cfg.bridge0.configured = 0; | 179 | cfg.bridge0.configured = 0; |
171 | cfg.bridge1.configured = 0; | 180 | cfg.bridge1.configured = 0; |
172 | cfg.bridge2.configured = 0; | 181 | cfg.bridge2.configured = 0; |
173 | cfg.bridge3.configured = 0; | 182 | cfg.bridge3.configured = 0; |
183 | #endif | ||
174 | return 0; | 184 | return 0; |
175 | } | 185 | } |
176 | 186 | ||
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d3ebefaae..6a033b922 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -34,10 +34,12 @@ void usage(void) { | |||
34 | printf("\n"); | 34 | printf("\n"); |
35 | printf("Options:\n\n"); | 35 | printf("Options:\n\n"); |
36 | printf("\t-- - signal the end of options and disables further option processing.\n\n"); | 36 | printf("\t-- - signal the end of options and disables further option processing.\n\n"); |
37 | #ifdef HAVE_NETWORK | ||
37 | printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n"); | 38 | printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n"); |
38 | printf("\t\tby name, see Traffic Shaping section for more details.\n\n"); | 39 | printf("\t\tby name, see Traffic Shaping section for more details.\n\n"); |
39 | printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n"); | 40 | printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n"); |
40 | printf("\t\tby PID, see Traffic Shaping section for more details.\n\n"); | 41 | printf("\t\tby PID, see Traffic Shaping section for more details.\n\n"); |
42 | #endif | ||
41 | #ifdef HAVE_BIND | 43 | #ifdef HAVE_BIND |
42 | printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); | 44 | printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); |
43 | printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n"); | 45 | printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n"); |
@@ -81,8 +83,10 @@ void usage(void) { | |||
81 | 83 | ||
82 | 84 | ||
83 | 85 | ||
86 | #ifdef HAVE_NETWORK | ||
84 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); | 87 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); |
85 | printf("\t\tnetwork namespace.\n\n"); | 88 | printf("\t\tnetwork namespace.\n\n"); |
89 | #endif | ||
86 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); | 90 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); |
87 | printf("\t\tservers can be defined.\n\n"); | 91 | printf("\t\tservers can be defined.\n\n"); |
88 | printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n"); | 92 | printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n"); |
@@ -99,15 +103,16 @@ void usage(void) { | |||
99 | printf("\t--help, -? - this help screen.\n\n"); | 103 | printf("\t--help, -? - this help screen.\n\n"); |
100 | printf("\t--hostname=name - set sandbox hostname.\n\n"); | 104 | printf("\t--hostname=name - set sandbox hostname.\n\n"); |
101 | printf("\t--ignore=command - ignore command in profile files.\n\n"); | 105 | printf("\t--ignore=command - ignore command in profile files.\n\n"); |
106 | #ifdef HAVE_NETWORK | ||
102 | printf("\t--interface=name - move interface in a new network namespace. Up to\n"); | 107 | printf("\t--interface=name - move interface in a new network namespace. Up to\n"); |
103 | printf("\t\tfour --interface options can be sepcified.\n\n"); | 108 | printf("\t\tfour --interface options can be sepcified.\n\n"); |
104 | |||
105 | printf("\t--ip=address - set interface IP address.\n\n"); | 109 | printf("\t--ip=address - set interface IP address.\n\n"); |
106 | printf("\t--ip=none - no IP address and no default gateway address are configured\n"); | 110 | printf("\t--ip=none - no IP address and no default gateway address are configured\n"); |
107 | printf("\t\tin the new network namespace. Use this option in case you intend\n"); | 111 | printf("\t\tin the new network namespace. Use this option in case you intend\n"); |
108 | printf("\t\tto start an external DHCP client in the sandbox.\n\n"); | 112 | printf("\t\tto start an external DHCP client in the sandbox.\n\n"); |
109 | printf("\t--ip6=address - set interface IPv6 address.\n\n"); | 113 | printf("\t--ip6=address - set interface IPv6 address.\n\n"); |
110 | printf("\t--iprange=address,address - configure an IP address in this range\n\n"); | 114 | printf("\t--iprange=address,address - configure an IP address in this range\n\n"); |
115 | #endif | ||
111 | printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n"); | 116 | printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n"); |
112 | printf("\t\tas a regular user. IPC namespace is enabled by default only if\n"); | 117 | printf("\t\tas a regular user. IPC namespace is enabled by default only if\n"); |
113 | printf("\t\tthe sandbox is started as root.\n\n"); | 118 | printf("\t\tthe sandbox is started as root.\n\n"); |
@@ -117,14 +122,19 @@ void usage(void) { | |||
117 | printf("\t\tidentified by name.\n\n"); | 122 | printf("\t\tidentified by name.\n\n"); |
118 | printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n"); | 123 | printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n"); |
119 | printf("\t\tidentified by PID.\n\n"); | 124 | printf("\t\tidentified by PID.\n\n"); |
125 | #ifdef HAVE_NETWORK | ||
120 | printf("\t--join-network=name - join the network namespace of the sandbox\n"); | 126 | printf("\t--join-network=name - join the network namespace of the sandbox\n"); |
121 | printf("\t\tidentified by name.\n\n"); | 127 | printf("\t\tidentified by name.\n\n"); |
122 | printf("\t--join-network=pid - join the network namespace of the sandbox\n"); | 128 | printf("\t--join-network=pid - join the network namespace of the sandbox\n"); |
123 | printf("\t\tidentified by PID.\n\n"); | 129 | printf("\t\tidentified by PID.\n\n"); |
130 | #endif | ||
124 | printf("\t--list - list all sandboxes.\n\n"); | 131 | printf("\t--list - list all sandboxes.\n\n"); |
132 | #ifdef HAVE_NETWORK | ||
125 | printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); | 133 | printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); |
126 | printf("\t--mtu=number - set interface MTU.\n\n"); | 134 | printf("\t--mtu=number - set interface MTU.\n\n"); |
135 | #endif | ||
127 | printf("\t--name=name - set sandbox name.\n\n"); | 136 | printf("\t--name=name - set sandbox name.\n\n"); |
137 | #ifdef HAVE_NETWORK | ||
128 | printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n"); | 138 | printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n"); |
129 | printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n"); | 139 | printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n"); |
130 | printf("\t\tIP address and a default gateway will be assigned automatically\n"); | 140 | printf("\t\tIP address and a default gateway will be assigned automatically\n"); |
@@ -163,6 +173,7 @@ void usage(void) { | |||
163 | 173 | ||
164 | printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); | 174 | printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); |
165 | printf("\t\tnetwork namespace.\n\n"); | 175 | printf("\t\tnetwork namespace.\n\n"); |
176 | #endif | ||
166 | printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n"); | 177 | printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n"); |
167 | printf("\t\tor file.\n\n"); | 178 | printf("\t\tor file.\n\n"); |
168 | printf("\t--nogroups - disable supplementary groups. Without this option,\n"); | 179 | printf("\t--nogroups - disable supplementary groups. Without this option,\n"); |
@@ -175,11 +186,11 @@ void usage(void) { | |||
175 | printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); | 186 | printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); |
176 | printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); | 187 | printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); |
177 | printf("\t\troot.\n\n"); | 188 | printf("\t\troot.\n\n"); |
178 | 189 | #ifdef HAVE_USERNS | |
179 | printf("\t--noroot - install a user namespace with a single user - the current\n"); | 190 | printf("\t--noroot - install a user namespace with a single user - the current\n"); |
180 | printf("\t\tuser. root user does not exist in the new namespace. This option\n"); | 191 | printf("\t\tuser. root user does not exist in the new namespace. This option\n"); |
181 | printf("\t\tis not supported for --chroot and --overlay configurations.\n\n"); | 192 | printf("\t\tis not supported for --chroot and --overlay configurations.\n\n"); |
182 | 193 | #endif | |
183 | printf("\t--nosound - disable sound system\n\n"); | 194 | printf("\t--nosound - disable sound system\n\n"); |
184 | 195 | ||
185 | printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n"); | 196 | printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n"); |
@@ -239,11 +250,11 @@ void usage(void) { | |||
239 | printf("\t\tcreated for the real user ID of the calling process.\n\n"); | 250 | printf("\t\tcreated for the real user ID of the calling process.\n\n"); |
240 | printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n"); | 251 | printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n"); |
241 | printf("\t\tfor a process.\n\n"); | 252 | printf("\t\tfor a process.\n\n"); |
242 | 253 | #ifdef HAVE_NETWORK | |
243 | printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n"); | 254 | printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n"); |
244 | printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n"); | 255 | printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n"); |
245 | printf("\t\trunning on the current host.\n\n"); | 256 | printf("\t\trunning on the current host.\n\n"); |
246 | 257 | #endif | |
247 | #ifdef HAVE_SECCOMP | 258 | #ifdef HAVE_SECCOMP |
248 | printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n"); | 259 | printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n"); |
249 | printf("\t\tlist. The default list is as follows: mount, umount2,\n"); | 260 | printf("\t\tlist. The default list is as follows: mount, umount2,\n"); |
@@ -294,6 +305,7 @@ void usage(void) { | |||
294 | printf("\n"); | 305 | printf("\n"); |
295 | 306 | ||
296 | 307 | ||
308 | #ifdef HAVE_NETWORK | ||
297 | printf("Traffic Shaping\n\n"); | 309 | printf("Traffic Shaping\n\n"); |
298 | 310 | ||
299 | printf("Network bandwidth is an expensive resource shared among all sandboxes\n"); | 311 | printf("Network bandwidth is an expensive resource shared among all sandboxes\n"); |
@@ -323,7 +335,7 @@ void usage(void) { | |||
323 | printf("\t$ firejail --bandwidth=mybrowser clear eth0\n"); | 335 | printf("\t$ firejail --bandwidth=mybrowser clear eth0\n"); |
324 | printf("\n"); | 336 | printf("\n"); |
325 | printf("\n"); | 337 | printf("\n"); |
326 | 338 | #endif | |
327 | 339 | ||
328 | 340 | ||
329 | printf("Monitoring\n\n"); | 341 | printf("Monitoring\n\n"); |