-rw-r--r--.github/workflows/codeql-analysis.yml6
-rw-r--r--README.md11
-rwxr-xr-xconfigure18
-rw-r--r--configure.ac10
-rw-r--r--etc/profile-a-l/git.profile7
-rw-r--r--src/common.mk.in3
-rw-r--r--src/firejail/checkcfg.c10
-rw-r--r--src/firejail/main.c9
-rw-r--r--src/man/firecfg.txt10
-rw-r--r--src/man/firejail.txt4
-rwxr-xr-xtest/compile/compile.sh19
11 files changed, 101 insertions, 6 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index dbc9929ca..5ee1cac9b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
47 47
48 # Initializes the CodeQL tools for scanning. 48 # Initializes the CodeQL tools for scanning.
49 - name: Initialize CodeQL 49 - name: Initialize CodeQL
50 uses: github/codeql-action/init@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b 50 uses: github/codeql-action/init@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108
51 with: 51 with:
52 languages: ${{ matrix.language }} 52 languages: ${{ matrix.language }}
53 # If you wish to specify custom queries, you can do so here or in a config file. 53 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
58 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 58 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
59 # If this step fails, then you should remove it and run the build manually (see below) 59 # If this step fails, then you should remove it and run the build manually (see below)
60 - name: Autobuild 60 - name: Autobuild
61 uses: github/codeql-action/autobuild@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b 61 uses: github/codeql-action/autobuild@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108
62 62
63 # ℹī¸ Command-line programs to run using the OS shell. 63 # ℹī¸ Command-line programs to run using the OS shell.
64 # 📚 https://git.io/JvXDl 64 # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
72 # make release 72 # make release
73 73
74 - name: Perform CodeQL Analysis 74 - name: Perform CodeQL Analysis
75 uses: github/codeql-action/analyze@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b 75 uses: github/codeql-action/analyze@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108
diff --git a/README.md b/README.md
index 9b570d0bd..efcaf502d 100644
--- a/README.md
+++ b/README.md
@@ -233,6 +233,17 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1
233 $ firejail --oom=300 firefox 233 $ firejail --oom=300 firefox
234````` 234`````
235 235
236### Guided configuration
237`````
238$ man firecfg
239[...]
240 --guide
241 Guided configuration for new users.
242
243 Example:
244 $ sudo firecfg --guide
245`````
246
236### Profile Statistics 247### Profile Statistics
237 248
238A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. 249A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
diff --git a/configure b/configure
index 02c18e1b3..c7cc7cbee 100755
--- a/configure
+++ b/configure
@@ -658,6 +658,7 @@ PKG_CONFIG_LIBDIR
658PKG_CONFIG_PATH 658PKG_CONFIG_PATH
659PKG_CONFIG 659PKG_CONFIG
660HAVE_APPARMOR 660HAVE_APPARMOR
661HAVE_IDS
661OBJEXT 662OBJEXT
662EXEEXT 663EXEEXT
663ac_ct_CC 664ac_ct_CC
@@ -709,6 +710,7 @@ ac_user_opts='
709enable_option_checking 710enable_option_checking
710enable_analyzer 711enable_analyzer
711enable_sanitizer 712enable_sanitizer
713enable_ids
712enable_apparmor 714enable_apparmor
713enable_selinux 715enable_selinux
714enable_dbusproxy 716enable_dbusproxy
@@ -1369,6 +1371,7 @@ Optional Features:
1369 --enable-analyzer enable GCC static analyzer 1371 --enable-analyzer enable GCC static analyzer
1370 --enable-sanitizer=[address | memory | undefined] 1372 --enable-sanitizer=[address | memory | undefined]
1371 enable a compiler-based sanitizer (debug) 1373 enable a compiler-based sanitizer (debug)
1374 --enable-ids enable ids
1372 --enable-apparmor enable apparmor 1375 --enable-apparmor enable apparmor
1373 --enable-selinux SELinux labeling support 1376 --enable-selinux SELinux labeling support
1374 --disable-dbusproxy disable dbus proxy 1377 --disable-dbusproxy disable dbus proxy
@@ -3088,6 +3091,19 @@ fi
3088 3091
3089fi 3092fi
3090 3093
3094HAVE_IDS=""
3095
3096# Check whether --enable-ids was given.
3097if test "${enable_ids+set}" = set; then :
3098 enableval=$enable_ids;
3099fi
3100
3101if test "x$enable_ids" = "xyes"; then :
3102
3103 HAVE_IDS="-DHAVE_IDS"
3104
3105fi
3106
3091HAVE_APPARMOR="" 3107HAVE_APPARMOR=""
3092 3108
3093# Check whether --enable-apparmor was given. 3109# Check whether --enable-apparmor was given.
@@ -3639,6 +3655,7 @@ fi
3639if test "x$enable_lts" = "xyes"; then : 3655if test "x$enable_lts" = "xyes"; then :
3640 3656
3641 HAVE_LTS="-DHAVE_LTS" 3657 HAVE_LTS="-DHAVE_LTS"
3658 HAVE_IDS=""
3642 HAVE_DBUSPROXY="" 3659 HAVE_DBUSPROXY=""
3643 HAVE_OVERLAYFS="" 3660 HAVE_OVERLAYFS=""
3644 HAVE_OUTPUT="" 3661 HAVE_OUTPUT=""
@@ -5282,6 +5299,7 @@ Configuration options:
5282 allow tmpfs as regular user: $HAVE_USERTMPFS 5299 allow tmpfs as regular user: $HAVE_USERTMPFS
5283 enable --ouput logging: $HAVE_OUTPUT 5300 enable --ouput logging: $HAVE_OUTPUT
5284 Manpage support: $HAVE_MAN 5301 Manpage support: $HAVE_MAN
5302 IDS support: $HAVE_IDS
5285 firetunnel support: $HAVE_FIRETUNNEL 5303 firetunnel support: $HAVE_FIRETUNNEL
5286 busybox workaround: $BUSYBOX_WORKAROUND 5304 busybox workaround: $BUSYBOX_WORKAROUND
5287 Spectre compiler patch: $HAVE_SPECTRE 5305 Spectre compiler patch: $HAVE_SPECTRE
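--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ],
  ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
 )])
 
+HAVE_IDS=""
+AC_SUBST([HAVE_IDS])
+AC_ARG_ENABLE([ids],
+ [AS_HELP_STRING([--enable-ids], [enable ids])])
+AS_IF([test "x$enable_ids" = "xyes"], [
+ HAVE_IDS="-DHAVE_IDS"
+])
+
 HAVE_APPARMOR=""
 AC_SUBST([HAVE_APPARMOR])
 AC_ARG_ENABLE([apparmor],
@@ -249,6 +257,7 @@ AC_ARG_ENABLE([lts],
  [AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
 AS_IF([test "x$enable_lts" = "xyes"], [
  HAVE_LTS="-DHAVE_LTS"
+ HAVE_IDS=""
  HAVE_DBUSPROXY=""
  HAVE_OVERLAYFS=""
  HAVE_OUTPUT=""
@@ -300,6 +309,7 @@ Configuration options:
  allow tmpfs as regular user: $HAVE_USERTMPFS
  enable --ouput logging: $HAVE_OUTPUT
  Manpage support: $HAVE_MAN
+ IDS support: $HAVE_IDS
  firetunnel support: $HAVE_FIRETUNNEL
  busybox workaround: $BUSYBOX_WORKAROUND
  Spectre compiler patch: $HAVE_SPECTRE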
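Review bot: The help string `[enable ids]` for the new `--enable-ids` option in the first hunk does not say what IDS is, while the neighbouring `--enable-selinux` entry reads `SELinux labeling support`; consider `[AS_HELP_STRING([--enable-ids], [enable the intrusion detection system (IDS)])]`. In the second hunk the `HAVE_IDS=""` reset inside the `--enable-lts` branch silently overrides an explicit `--enable-ids`; the configuration summary reports the final value, but a one-line comment such as `# IDS is not part of the LTS feature set` would mark the override as intentional. Both points are documentation only.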
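--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -12,12 +12,19 @@ noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
 noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credential-cache
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.nanorc
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
+# Allow environment variables (rmenv'ed by disable-common.inc)
+ignore rmenv GH_TOKEN
+ignore rmenv GITHUB_TOKEN
+ignore rmenv GH_ENTERPRISE_TOKEN
+ignore rmenv GITHUB_ENTERPRISE_TOKEN
+
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 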
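Review bot: The new `ignore rmenv` block deliberately keeps GitHub API tokens from the parent environment visible inside the git sandbox, but its comment only says where they are removed, not why this profile needs them; state the purpose so a later hardening pass does not drop the lines, e.g. `# Allow GitHub auth tokens into the sandbox (rmenv'ed by disable-common.inc); needed for token-based HTTPS authentication`. The added `noblacklist ${HOME}/.git-credential-cache` likewise widens access to stored credential material next to `.git-credentials` and deserves the same one-line justification. The include of disable-common.inc is not visible in this hunk; the `ignore rmenv` lines presumably only take effect if that include follows them, so their placement relative to it is worth confirming.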
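--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -20,6 +20,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_IDS=@HAVE_IDS@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
@@ -38,7 +39,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now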
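--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -365,6 +365,14 @@ void print_compiletime_support(void) {
 #endif
  );
 
+ printf("\t- IDS support is %s\n",
+#ifdef HAVE_IDS
+ "enabled"
+#else
+ "disabled"
+#endif
+ );
+
  printf("\t- networking support is %s\n",
 #ifdef HAVE_NETWORK
  "enabled"
@@ -427,6 +435,4 @@ void print_compiletime_support(void) {
  "disabled"
 #endif
  );
-
-
 }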
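--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1090,8 +1090,17 @@ int main(int argc, char **argv, char **envp) {
  run_builder(argc, argv); // this function will not return
 
  // intrusion detection system
+#ifdef HAVE_IDS
  if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
  run_ids(argc, argv); // this function will not return
+#else
+ if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
+ fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
+ "\tTo enable it, configure your build system using --enable-ids.\n"
+ "\tExample: ./configure --prefix=/usr --enable-ids\n\n");
+ exit(1);
+ }
+#endif
 
  EUID_ROOT();
 #ifndef HAVE_SUID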
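Review bot: The `check_arg(argc, argv, "--ids-", 0)` test and its `// supports both --ids-init and --ids-check` comment are now written twice, once in the `#ifdef HAVE_IDS` branch and once in `#else`, so any later change to the option prefix has to be made in both places. Hoisting the condition outside the conditional compilation keeps a single test and leaves only the action under `#ifdef`. The disabled-build message on stderr and the `exit(1)` are reasonable as they stand. main() begins and ends outside this hunk.
```c
	// intrusion detection system
	if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
#ifdef HAVE_IDS
		run_ids(argc, argv); // this function will not return
#else
		fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
			"\tTo enable it, configure your build system using --enable-ids.\n"
			"\tExample: ./configure --prefix=/usr --enable-ids\n\n");
		exit(1);
#endif
	}
	// … unchanged: EUID_ROOT() and the HAVE_SUID block …
```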
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 189e9cc8d..280a4aff1 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -82,6 +82,16 @@ a long time ago, and the introduction of PID namespace in Linux kernel breaks th
82reportedly fixed in PulseAudio version 9. If you have sound problems on your system, run 82reportedly fixed in PulseAudio version 9. If you have sound problems on your system, run
83"firecfg --fix-sound" command in a terminal, followed by logout/login in order to apply the changes. 83"firecfg --fix-sound" command in a terminal, followed by logout/login in order to apply the changes.
84.TP 84.TP
85\fB\-\-guide
86Guided configuration for new users.
87.br
88
89.br
90Example:
91.br
92$ sudo firecfg --guide
93.br
94.TP
85\fB\-\-debug 95\fB\-\-debug
86Print debug messages. 96Print debug messages.
87.TP 97.TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 366a4e061..420a96ab5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -820,6 +820,7 @@ Example:
820.br 820.br
821$ firejail \-\-hosts-file=~/myhosts firefox 821$ firejail \-\-hosts-file=~/myhosts firefox
822 822
823#ifdef HAVE_IDS
823.TP 824.TP
824\fB\-\-ids-check 825\fB\-\-ids-check
825Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details. 826Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
@@ -839,6 +840,7 @@ Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
839Example: 840Example:
840.br 841.br
841$ firejail \-\-ids-init 842$ firejail \-\-ids-init
843#endif
842 844
843.TP 845.TP
844\fB\-\-ignore=command 846\fB\-\-ignore=command
@@ -3342,6 +3344,7 @@ $ firejail \-\-cat=mybrowser ~/.bashrc
3342.br 3344.br
3343#endif 3345#endif
3344 3346
3347#ifdef HAVE_IDS
3345.SH INTRUSION DETECTION SYSTEM (IDS) 3348.SH INTRUSION DETECTION SYSTEM (IDS)
3346The host-based intrusion detection system tracks down and audits user and system file modifications. 3349The host-based intrusion detection system tracks down and audits user and system file modifications.
3347The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, 3350The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
@@ -3399,6 +3402,7 @@ New files and deleted files are also flagged.
3399 3402
3400Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. 3403Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
3401The program can also be run as root (sudo firejail --ids-init/--ids-check). 3404The program can also be run as root (sudo firejail --ids-init/--ids-check).
3405#endif
3402 3406
3403.SH MONITORING 3407.SH MONITORING
3404Option \-\-list prints a list of all sandboxes. The format 3408Option \-\-list prints a list of all sandboxes. The format
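--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -31,6 +31,7 @@ arr[15]="TEST 15: compile private-home disabled"
 arr[16]="TEST 16: compile disable manpages"
 arr[17]="TEST 17: disable tmpfs as regular user"
 arr[18]="TEST 18: disable private home"
+arr[18]="TEST 19: enable ids"
 
 # remove previous reports and output file
 cleanup() {
@@ -380,6 +381,23 @@ cp output-make om18
 rm output-configure output-make
 
 #*****************************************************************
+# TEST 19
+#*****************************************************************
+# - enable ids
+#*****************************************************************
+print_title "${arr[19]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-ids --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test19
+grep Error output-configure output-make >> ./report-test19
+cp output-configure oc19
+cp output-make om19
+rm output-configure output-make
+
+#*****************************************************************
 # PRINT REPORTS
 #*****************************************************************
 echo
@@ -411,3 +429,4 @@ echo ${arr[15]}
 echo ${arr[16]}
 echo ${arr[17]}
 echo ${arr[18]}
+echo ${arr[19]}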
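Review bot: The added line in the first hunk assigns the new title to `arr[18]` instead of `arr[19]`, so it overwrites the "TEST 18: disable private home" title and leaves `${arr[19]}` empty for both `print_title "${arr[19]}"` in the TEST 19 block and the final `echo ${arr[19]}`; change it to `arr[19]="TEST 19: enable ids"`. The rest of the TEST 19 block follows the same configure/make/grep/copy sequence as the earlier tests visible in the second hunk.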