-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 |
5 files changed, 44 insertions, 3 deletions
@@ -628,6 +628,7 @@ EGREP | |||
628 | GREP | 628 | GREP |
629 | CPP | 629 | CPP |
630 | HAVE_LTS | 630 | HAVE_LTS |
631 | HAVE_FORCE_NONEWPRIVS | ||
631 | HAVE_CONTRIB_INSTALL | 632 | HAVE_CONTRIB_INSTALL |
632 | HAVE_GCOV | 633 | HAVE_GCOV |
633 | BUSYBOX_WORKAROUND | 634 | BUSYBOX_WORKAROUND |
@@ -731,6 +732,7 @@ enable_fatal_warnings | |||
731 | enable_busybox_workaround | 732 | enable_busybox_workaround |
732 | enable_gcov | 733 | enable_gcov |
733 | enable_contrib_install | 734 | enable_contrib_install |
735 | enable_force_nonewprivs | ||
734 | enable_lts | 736 | enable_lts |
735 | ' | 737 | ' |
736 | ac_precious_vars='build_alias | 738 | ac_precious_vars='build_alias |
@@ -1391,6 +1393,8 @@ Optional Features: | |||
1391 | --enable-gcov Gcov instrumentation | 1393 | --enable-gcov Gcov instrumentation |
1392 | --enable-contrib-install | 1394 | --enable-contrib-install |
1393 | install contrib scripts | 1395 | install contrib scripts |
1396 | --enable-force-nonewprivs | ||
1397 | enable force nonewprivs | ||
1394 | --enable-lts enable long-term support software version (LTS) | 1398 | --enable-lts enable long-term support software version (LTS) |
1395 | 1399 | ||
1396 | Some influential environment variables: | 1400 | Some influential environment variables: |
@@ -3825,6 +3829,19 @@ else | |||
3825 | fi | 3829 | fi |
3826 | 3830 | ||
3827 | 3831 | ||
3832 | HAVE_FORCE_NONEWPRIVS="" | ||
3833 | # Check whether --enable-force-nonewprivs was given. | ||
3834 | if test "${enable_force_nonewprivs+set}" = set; then : | ||
3835 | enableval=$enable_force_nonewprivs; | ||
3836 | fi | ||
3837 | |||
3838 | if test "x$enable_force_nonewprivs" = "xyes"; then : | ||
3839 | |||
3840 | HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" | ||
3841 | |||
3842 | |||
3843 | fi | ||
3844 | |||
3828 | HAVE_LTS="" | 3845 | HAVE_LTS="" |
3829 | # Check whether --enable-lts was given. | 3846 | # Check whether --enable-lts was given. |
3830 | if test "${enable_lts+set}" = set; then : | 3847 | if test "${enable_lts+set}" = set; then : |
@@ -5573,6 +5590,7 @@ echo " Gcov instrumentation: $HAVE_GCOV" | |||
5573 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 5590 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
5574 | echo " Install as a SUID executable: $HAVE_SUID" | 5591 | echo " Install as a SUID executable: $HAVE_SUID" |
5575 | echo " LTS: $HAVE_LTS" | 5592 | echo " LTS: $HAVE_LTS" |
5593 | echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS" | ||
5576 | echo | 5594 | echo |
5577 | 5595 | ||
5578 | 5596 | ||
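--- a/configure.ac
+++ b/configure.ac
@@ -228,6 +228,14 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
 )
 AC_SUBST(HAVE_CONTRIB_INSTALL)
 
+HAVE_FORCE_NONEWPRIVS=""
+AC_ARG_ENABLE([force-nonewprivs],
+AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs]))
+AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
+HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+AC_SUBST(HAVE_FORCE_NONEWPRIVS)
+])
+
 HAVE_LTS=""
 AC_ARG_ENABLE([lts],
 AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
@@ -330,6 +338,7 @@ echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
 echo " Install as a SUID executable: $HAVE_SUID"
 echo " LTS: $HAVE_LTS"
+echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
 
 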
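Review bot: `AC_SUBST(HAVE_FORCE_NONEWPRIVS)` at line 236 sits inside the AS_IF body, whereas the neighbouring `AC_SUBST(HAVE_CONTRIB_INSTALL)` at line 229 is called after its conditional; AC_SUBST is registered at m4 time, so `@HAVE_FORCE_NONEWPRIVS@` in src/common.mk.in is still substituted when the option is off (the generated configure lists the variable unconditionally), but the placement reads as if the substitution were conditional. Moving it after the closing `])` keeps the file's existing pattern. The help text `[enable force nonewprivs]` also undersells what the option does: per the sandbox.c warning in this same commit the forced path drops all Linux capabilities as well, so `AS_HELP_STRING([--enable-force-nonewprivs], [always drop all capabilities and set NO_NEW_PRIVS in unprivileged sandboxes])` would tell a packager what they are turning on.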
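--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -27,6 +27,7 @@ HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -36,7 +37,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread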
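Review bot: No user-facing documentation accompanies the new build option: the diffstat lists five files and none is a man page or README, yet `HAVE_FORCE_NONEWPRIVS` is appended to `MANFLAGS` at line 40, which by its name (and its reuse in CFLAGS on line 41) appears to feed man-page preprocessing as well as compilation. A packager or user reading the man page cannot tell whether their build forces NO_NEW_PRIVS and a full capability drop for every unprivileged sandbox. A short paragraph in the firejail man page guarded by the new define, in the same way the other MANFLAGS defines presumably are, would close that gap.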
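--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -388,4 +388,12 @@ void print_compiletime_support(void) {
 "disabled"
 #endif
 );
+
+printf("\t- Always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
+"enabled"
+#else
+"disabled"
+#endif
+);
 }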
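Review bot: The label `Always force nonewprivs support` at line 392 names the feature differently from the configure summary (`Always enforce filters`) and from the option itself (`--enable-force-nonewprivs`), and it understates the effect: the code path it reports on also drops all Linux capabilities, per the warning text changed in sandbox.c in this commit. Using one phrase everywhere, e.g. `printf("\t- Always enforce filters (NO_NEW_PRIVS + drop all caps) is %s\n",`, lets anyone auditing the compile-time support listing match it to the build flag without reading the source. print_compiletime_support begins outside the hunk; only its tail is visible here.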
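--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -594,7 +594,7 @@ static void enforce_filters(void) {
 force_nonewprivs = 1;
 
 // disable all capabilities
-fmessage("\n** Warning: dropping all Linux capabilities **\n\n");
+fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n");
 arg_caps_drop_all = 1;
 
 // drop all supplementary groups; /etc/group file inside chroot
@@ -795,11 +795,16 @@ int sandbox(void* sandbox_arg) {
 exit(rv);
 }
 
+#ifdef HAVE_FORCE_NONEWPRIVS
+bool always_enforce_filters = true;
+#else
+bool always_enforce_filters = false;
+#endif
 // need ld.so.preload if tracing or seccomp with any non-default lists
 bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
 // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
 // and drop all capabilities
-if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
 enforce_filters();
 need_preload = arg_trace || arg_tracelog;
 }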
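Review bot: The comment at lines 805-806 (`for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS`) was not updated for the new `always_enforce_filters` operand on line 807, so a reader of the condition is told the forcing is tied to three options when a build with HAVE_FORCE_NONEWPRIVS now applies it to every unprivileged run. Suggest `// for --appimage, --chroot and --overlay* (or always, when built with` / `// --enable-force-nonewprivs) we force NO_NEW_PRIVS and drop all capabilities`. The `getuid() != 0` guard still applies, so a sandbox started as root is not filtered even in a force build; if that is intended it deserves a word in the same comment, since the configure summary calls the option "Always enforce filters". The `#ifdef`/`#else` pair defining a mutable bool could instead be `const bool always_enforce_filters =` with the preprocessor selecting only the literal, but that is a matter of style. sandbox() begins and continues outside the hunk.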