-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/compile/compile.sh | 19 |
7 files changed, 70 insertions, 3 deletions
@@ -658,6 +658,7 @@ PKG_CONFIG_LIBDIR | |||
658 | PKG_CONFIG_PATH | 658 | PKG_CONFIG_PATH |
659 | PKG_CONFIG | 659 | PKG_CONFIG |
660 | HAVE_APPARMOR | 660 | HAVE_APPARMOR |
661 | HAVE_IDS | ||
661 | OBJEXT | 662 | OBJEXT |
662 | EXEEXT | 663 | EXEEXT |
663 | ac_ct_CC | 664 | ac_ct_CC |
@@ -709,6 +710,7 @@ ac_user_opts=' | |||
709 | enable_option_checking | 710 | enable_option_checking |
710 | enable_analyzer | 711 | enable_analyzer |
711 | enable_sanitizer | 712 | enable_sanitizer |
713 | enable_ids | ||
712 | enable_apparmor | 714 | enable_apparmor |
713 | enable_selinux | 715 | enable_selinux |
714 | enable_dbusproxy | 716 | enable_dbusproxy |
@@ -1369,6 +1371,7 @@ Optional Features: | |||
1369 | --enable-analyzer enable GCC static analyzer | 1371 | --enable-analyzer enable GCC static analyzer |
1370 | --enable-sanitizer=[address | memory | undefined] | 1372 | --enable-sanitizer=[address | memory | undefined] |
1371 | enable a compiler-based sanitizer (debug) | 1373 | enable a compiler-based sanitizer (debug) |
1374 | --enable-ids enable ids | ||
1372 | --enable-apparmor enable apparmor | 1375 | --enable-apparmor enable apparmor |
1373 | --enable-selinux SELinux labeling support | 1376 | --enable-selinux SELinux labeling support |
1374 | --disable-dbusproxy disable dbus proxy | 1377 | --disable-dbusproxy disable dbus proxy |
@@ -3088,6 +3091,19 @@ fi | |||
3088 | 3091 | ||
3089 | fi | 3092 | fi |
3090 | 3093 | ||
3094 | HAVE_IDS="" | ||
3095 | |||
3096 | # Check whether --enable-ids was given. | ||
3097 | if test "${enable_ids+set}" = set; then : | ||
3098 | enableval=$enable_ids; | ||
3099 | fi | ||
3100 | |||
3101 | if test "x$enable_ids" = "xyes"; then : | ||
3102 | |||
3103 | HAVE_IDS="-DHAVE_IDS" | ||
3104 | |||
3105 | fi | ||
3106 | |||
3091 | HAVE_APPARMOR="" | 3107 | HAVE_APPARMOR="" |
3092 | 3108 | ||
3093 | # Check whether --enable-apparmor was given. | 3109 | # Check whether --enable-apparmor was given. |
@@ -3639,6 +3655,7 @@ fi | |||
3639 | if test "x$enable_lts" = "xyes"; then : | 3655 | if test "x$enable_lts" = "xyes"; then : |
3640 | 3656 | ||
3641 | HAVE_LTS="-DHAVE_LTS" | 3657 | HAVE_LTS="-DHAVE_LTS" |
3658 | HAVE_IDS="" | ||
3642 | HAVE_DBUSPROXY="" | 3659 | HAVE_DBUSPROXY="" |
3643 | HAVE_OVERLAYFS="" | 3660 | HAVE_OVERLAYFS="" |
3644 | HAVE_OUTPUT="" | 3661 | HAVE_OUTPUT="" |
@@ -5282,6 +5299,7 @@ Configuration options: | |||
5282 | allow tmpfs as regular user: $HAVE_USERTMPFS | 5299 | allow tmpfs as regular user: $HAVE_USERTMPFS |
5283 | enable --ouput logging: $HAVE_OUTPUT | 5300 | enable --ouput logging: $HAVE_OUTPUT |
5284 | Manpage support: $HAVE_MAN | 5301 | Manpage support: $HAVE_MAN |
5302 | IDS support: $HAVE_IDS | ||
5285 | firetunnel support: $HAVE_FIRETUNNEL | 5303 | firetunnel support: $HAVE_FIRETUNNEL |
5286 | busybox workaround: $BUSYBOX_WORKAROUND | 5304 | busybox workaround: $BUSYBOX_WORKAROUND |
5287 | Spectre compiler patch: $HAVE_SPECTRE | 5305 | Spectre compiler patch: $HAVE_SPECTRE |
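--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ],
 ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
 )])
 
+HAVE_IDS=""
+AC_SUBST([HAVE_IDS])
+AC_ARG_ENABLE([ids],
+[AS_HELP_STRING([--enable-ids], [enable ids])])
+AS_IF([test "x$enable_ids" = "xyes"], [
+HAVE_IDS="-DHAVE_IDS"
+])
+
 HAVE_APPARMOR=""
 AC_SUBST([HAVE_APPARMOR])
 AC_ARG_ENABLE([apparmor],
@@ -249,6 +257,7 @@ AC_ARG_ENABLE([lts],
 [AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
 AS_IF([test "x$enable_lts" = "xyes"], [
 HAVE_LTS="-DHAVE_LTS"
+HAVE_IDS=""
 HAVE_DBUSPROXY=""
 HAVE_OVERLAYFS=""
 HAVE_OUTPUT=""
@@ -300,6 +309,7 @@ Configuration options:
 allow tmpfs as regular user: $HAVE_USERTMPFS
 enable --ouput logging: $HAVE_OUTPUT
 Manpage support: $HAVE_MAN
+IDS support: $HAVE_IDS
 firetunnel support: $HAVE_FIRETUNNEL
 busybox workaround: $BUSYBOX_WORKAROUND
 Spectre compiler patch: $HAVE_SPECTRE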
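Review bot: The `--enable-lts` block in the second hunk silently resets `HAVE_IDS=""` even when the user explicitly passed `--enable-ids`, so an explicit request for the feature is dropped with no message; consider `AS_IF([test "x$enable_ids" = "xyes"], [AC_MSG_WARN([--enable-ids is ignored when --enable-lts is set])])` inside that block, or at least say so in the help string. The same silent reset already applies to HAVE_DBUSPROXY, HAVE_OVERLAYFS and the other variables listed below it, so this is consistent with existing behaviour rather than a new problem. The help text in the first hunk, `[enable ids]`, does not say what "ids" is; `[enable the intrusion detection system (--ids-init/--ids-check)]` would match the wording of the neighbouring options.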
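--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -20,6 +20,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_IDS=@HAVE_IDS@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
@@ -38,7 +39,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now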
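--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -365,6 +365,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- IDS support is %s\n",
+#ifdef HAVE_IDS
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- networking support is %s\n",
 #ifdef HAVE_NETWORK
 "enabled"
@@ -427,6 +435,4 @@ void print_compiletime_support(void) {
 "disabled"
 #endif
 );
-
-
 }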
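--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1090,8 +1090,17 @@ int main(int argc, char **argv, char **envp) {
 run_builder(argc, argv); // this function will not return
 
 // intrusion detection system
+#ifdef HAVE_IDS
 if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
 run_ids(argc, argv); // this function will not return
+#else
+if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
+fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
+"\tTo enable it, configure your build system using --enable-ids.\n"
+"\tExample: ./configure --prefix=/usr --enable-ids\n\n");
+exit(1);
+}
+#endif
 
 EUID_ROOT();
 #ifndef HAVE_SUID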
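Review bot: Both sides of the new `#ifdef HAVE_IDS` repeat the same `check_arg(argc, argv, "--ids-", 0)` prefix test and the same comment, so the two branches can drift apart over time; hoist the condition and keep only the action under conditional compilation, as sketched below. The disabled-build error path exits before `EUID_ROOT()` on the following line, which is the right place for it. Because the match is a prefix match, any `--ids-*` argument, including a mistyped one, takes this path in both builds; that is pre-existing behaviour from the original line rather than something this change introduces. The rest of main() lies outside the hunk.
```c
	// intrusion detection system
	if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
#ifdef HAVE_IDS
		run_ids(argc, argv); // this function will not return
#else
		fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
			"\tTo enable it, configure your build system using --enable-ids.\n"
			"\tExample: ./configure --prefix=/usr --enable-ids\n\n");
		exit(1);
#endif
	}
	// … unchanged: EUID_ROOT() and the rest of main() …
```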
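--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -820,6 +820,7 @@ Example:
 .br
 $ firejail \-\-hosts-file=~/myhosts firefox
 
+#ifdef HAVE_IDS
 .TP
 \fB\-\-ids-check
 Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
@@ -839,6 +840,7 @@ Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
 Example:
 .br
 $ firejail \-\-ids-init
+#endif
 
 .TP
 \fB\-\-ignore=command
@@ -3342,6 +3344,7 @@ $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
 #endif
 
+#ifdef HAVE_IDS
 .SH INTRUSION DETECTION SYSTEM (IDS)
 The host-based intrusion detection system tracks down and audits user and system file modifications.
 The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
@@ -3399,6 +3402,7 @@ New files and deleted files are also flagged.
 
 Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
 The program can also be run as root (sudo firejail --ids-init/--ids-check).
+#endif
 
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format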
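--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -31,6 +31,7 @@ arr[15]="TEST 15: compile private-home disabled"
 arr[16]="TEST 16: compile disable manpages"
 arr[17]="TEST 17: disable tmpfs as regular user"
 arr[18]="TEST 18: disable private home"
+arr[18]="TEST 19: enable ids"
 
 # remove previous reports and output file
 cleanup() {
@@ -380,6 +381,23 @@ cp output-make om18
 rm output-configure output-make
 
 #*****************************************************************
+# TEST 19
+#*****************************************************************
+# - enable ids
+#*****************************************************************
+print_title "${arr[19]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-ids --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test19
+grep Error output-configure output-make >> ./report-test19
+cp output-configure oc19
+cp output-make om19
+rm output-configure output-make
+
+#*****************************************************************
 # PRINT REPORTS
 #*****************************************************************
 echo
@@ -411,3 +429,4 @@ echo ${arr[15]}
 echo ${arr[16]}
 echo ${arr[17]}
 echo ${arr[18]}
+echo ${arr[19]}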
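Review bot: The array index on the first hunk's added line is wrong: `arr[18]="TEST 19: enable ids"` overwrites the title of test 18 instead of defining test 19, so `print_title "${arr[19]}"` in the new TEST 19 block and the `echo ${arr[19]}` added in the report section both print an empty string, while test 18's report line is mislabelled as "TEST 19: enable ids". Change it to `arr[19]="TEST 19: enable ids"`. The rest of the new block mirrors the existing per-test pattern, including the pipeline `./configure ... 2>&1 | tee ...` whose exit status is not checked; that is pre-existing and not made worse here.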