diff options
-rw-r--r-- | Makefile.in | 2 | ||||
-rwxr-xr-x | contrib/update_src.sh | 11 | ||||
-rwxr-xr-x | src/fgit/fgit-install.sh | 20 | ||||
-rw-r--r-- | src/fgit/fgit-uninstall.sh | 16 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/git.c | 91 | ||||
-rw-r--r-- | src/firejail/main.c | 7 |
7 files changed, 139 insertions, 12 deletions
diff --git a/Makefile.in b/Makefile.in index fb6460dfd..7152019d4 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -82,6 +82,8 @@ realinstall: | |||
82 | install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/. | 82 | install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/. |
83 | install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. | 83 | install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. |
84 | install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. | 84 | install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. |
85 | install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/. | ||
86 | install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/. | ||
85 | install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. | 87 | install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. |
86 | install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. | 88 | install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. |
87 | install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. | 89 | install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. |
diff --git a/contrib/update_src.sh b/contrib/update_src.sh deleted file mode 100755 index a61244c49..000000000 --- a/contrib/update_src.sh +++ /dev/null | |||
@@ -1,11 +0,0 @@ | |||
1 | #!/bin/sh | ||
2 | # Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. | ||
3 | set -e | ||
4 | git clone --depth=1 https://www.github.com/netblue30/firejail.git | ||
5 | cd firejail | ||
6 | ./configure | ||
7 | make | ||
8 | sudo make install-strip | ||
9 | echo "Firejail was updated!" | ||
10 | cd .. | ||
11 | rm -rf firejail | ||
diff --git a/src/fgit/fgit-install.sh b/src/fgit/fgit-install.sh new file mode 100755 index 000000000..9e43559a1 --- /dev/null +++ b/src/fgit/fgit-install.sh | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/sh | ||
2 | # Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. | ||
3 | # | ||
4 | |||
5 | set -e # exit immediately if one of the commands fails | ||
6 | cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp | ||
7 | git clone --depth=1 https://www.github.com/netblue30/firejail.git | ||
8 | cd firejail | ||
9 | ./configure | ||
10 | make | ||
11 | sudo make install-strip | ||
12 | echo "**********************************************************************" | ||
13 | echo "Mainline git Firejail version was installed in /usr/local." | ||
14 | echo "If you want to remove it, run" | ||
15 | echo | ||
16 | echo " firejail --git-uninstall" | ||
17 | echo | ||
18 | echo "**********************************************************************" | ||
19 | cd .. | ||
20 | rm -rf firejail | ||
diff --git a/src/fgit/fgit-uninstall.sh b/src/fgit/fgit-uninstall.sh new file mode 100644 index 000000000..9a370546d --- /dev/null +++ b/src/fgit/fgit-uninstall.sh | |||
@@ -0,0 +1,16 @@ | |||
1 | #!/bin/sh | ||
2 | # Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic. | ||
3 | # | ||
4 | |||
5 | set -e # exit immediately if one of the commands fails | ||
6 | cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp | ||
7 | git clone --depth=1 https://www.github.com/netblue30/firejail.git | ||
8 | cd firejail | ||
9 | ./configure | ||
10 | sudo make uninstall | ||
11 | echo "**********************************************************************" | ||
12 | echo "Firejail mainline git version uninstalled from /usr/local" | ||
13 | echo | ||
14 | echo "**********************************************************************" | ||
15 | cd .. | ||
16 | rm -rf firejail | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7e5412630..40d81f3aa 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -720,5 +720,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
720 | int sbox_run(unsigned filter, int num, ...); | 720 | int sbox_run(unsigned filter, int num, ...); |
721 | 721 | ||
722 | 722 | ||
723 | // git.c | ||
724 | void git_install(); | ||
725 | void git_uninstall(); | ||
726 | |||
723 | #endif | 727 | #endif |
724 | 728 | ||
diff --git a/src/firejail/git.c b/src/firejail/git.c new file mode 100644 index 000000000..bacceba59 --- /dev/null +++ b/src/firejail/git.c | |||
@@ -0,0 +1,91 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include <sys/utsname.h> | ||
22 | #include <sched.h> | ||
23 | #include <sys/mount.h> | ||
24 | |||
25 | // install a simple mount/pid namespace sandbox with a tmpfs on top of /tmp | ||
26 | static void sbox_ns(void) { | ||
27 | if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) | ||
28 | errExit("unshare"); | ||
29 | |||
30 | if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0) | ||
31 | errExit("mount"); | ||
32 | } | ||
33 | |||
34 | void git_install() { | ||
35 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | ||
36 | EUID_ASSERT(); | ||
37 | EUID_ROOT(); | ||
38 | |||
39 | // install a mount namespace with a tmpfs on top of /tmp | ||
40 | sbox_ns(); | ||
41 | |||
42 | // drop privileges | ||
43 | if (setgid(getgid()) < 0) | ||
44 | errExit("setgid/getgid"); | ||
45 | if (setuid(getuid()) < 0) | ||
46 | errExit("setuid/getuid"); | ||
47 | assert(getenv("LD_PRELOAD") == NULL); | ||
48 | |||
49 | printf("Running as "); fflush(0); | ||
50 | int rv = system("whoami"); | ||
51 | (void) rv; | ||
52 | printf("/tmp directory: "); fflush(0); | ||
53 | rv = system("ls -l /tmp"); | ||
54 | (void) rv; | ||
55 | |||
56 | // run command | ||
57 | const char *cmd = LIBDIR "/firejail/fgit-install.sh"; | ||
58 | rv = system(cmd); | ||
59 | (void) rv; | ||
60 | exit(0); | ||
61 | } | ||
62 | |||
63 | void git_uninstall() { | ||
64 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | ||
65 | EUID_ASSERT(); | ||
66 | EUID_ROOT(); | ||
67 | |||
68 | // install a mount namespace with a tmpfs on top of /tmp | ||
69 | sbox_ns(); | ||
70 | |||
71 | // drop privileges | ||
72 | if (setgid(getgid()) < 0) | ||
73 | errExit("setgid/getgid"); | ||
74 | if (setuid(getuid()) < 0) | ||
75 | errExit("setuid/getuid"); | ||
76 | assert(getenv("LD_PRELOAD") == NULL); | ||
77 | |||
78 | printf("Running as "); fflush(0); | ||
79 | int rv = system("whoami"); | ||
80 | (void) rv; | ||
81 | printf("/tmp directory: "); fflush(0); | ||
82 | rv = system("ls -l /tmp"); | ||
83 | (void) rv; | ||
84 | |||
85 | // run command | ||
86 | const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; | ||
87 | rv = system(cmd); | ||
88 | (void) rv; | ||
89 | exit(0); | ||
90 | } | ||
91 | |||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7c6568903..ee89a7281 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -846,10 +846,15 @@ int main(int argc, char **argv) { | |||
846 | EUID_INIT(); | 846 | EUID_INIT(); |
847 | EUID_USER(); | 847 | EUID_USER(); |
848 | 848 | ||
849 | // process git-install and git-uninstall | ||
850 | if (check_arg(argc, argv, "--git-install")) | ||
851 | git_install(); // this function will not return | ||
852 | if (check_arg(argc, argv, "--git-uninstall")) | ||
853 | git_uninstall(); // this function will not return | ||
849 | 854 | ||
850 | // check argv[0] symlink wrapper if this is not a login shell | 855 | // check argv[0] symlink wrapper if this is not a login shell |
851 | if (*argv[0] != '-') | 856 | if (*argv[0] != '-') |
852 | run_symlink(argc, argv); | 857 | run_symlink(argc, argv); // this function will not return |
853 | 858 | ||
854 | // check if we already have a sandbox running | 859 | // check if we already have a sandbox running |
855 | // If LXC is detected, start firejail sandbox | 860 | // If LXC is detected, start firejail sandbox |