-rw-r--r-- | .github/workflows/codeql-analysis.yml | 6 | ||||
-rw-r--r-- | README.md | 11 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rw-r--r-- | etc/profile-a-l/git.profile | 7 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/man/firecfg.txt | 10 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/compile/compile.sh | 19 |
11 files changed, 101 insertions, 6 deletions
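--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b
+uses: github/codeql-action/init@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
-uses: github/codeql-action/autobuild@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b
+uses: github/codeql-action/autobuild@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108
 
 # âšī¸ Command-line programs to run using the OS shell.
 # đ https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
 # make release
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b
+uses: github/codeql-action/analyze@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108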
@@ -233,6 +233,17 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
233 | $ firejail --oom=300 firefox | 233 | $ firejail --oom=300 firefox |
234 | ````` | 234 | ````` |
235 | 235 | ||
236 | ### Guided configuration | ||
237 | ````` | ||
238 | $ man firecfg | ||
239 | [...] | ||
240 | --guide | ||
241 | Guided configuration for new users. | ||
242 | |||
243 | Example: | ||
244 | $ sudo firecfg --guide | ||
245 | ````` | ||
246 | |||
236 | ### Profile Statistics | 247 | ### Profile Statistics |
237 | 248 | ||
238 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 249 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
@@ -658,6 +658,7 @@ PKG_CONFIG_LIBDIR | |||
658 | PKG_CONFIG_PATH | 658 | PKG_CONFIG_PATH |
659 | PKG_CONFIG | 659 | PKG_CONFIG |
660 | HAVE_APPARMOR | 660 | HAVE_APPARMOR |
661 | HAVE_IDS | ||
661 | OBJEXT | 662 | OBJEXT |
662 | EXEEXT | 663 | EXEEXT |
663 | ac_ct_CC | 664 | ac_ct_CC |
@@ -709,6 +710,7 @@ ac_user_opts=' | |||
709 | enable_option_checking | 710 | enable_option_checking |
710 | enable_analyzer | 711 | enable_analyzer |
711 | enable_sanitizer | 712 | enable_sanitizer |
713 | enable_ids | ||
712 | enable_apparmor | 714 | enable_apparmor |
713 | enable_selinux | 715 | enable_selinux |
714 | enable_dbusproxy | 716 | enable_dbusproxy |
@@ -1369,6 +1371,7 @@ Optional Features: | |||
1369 | --enable-analyzer enable GCC static analyzer | 1371 | --enable-analyzer enable GCC static analyzer |
1370 | --enable-sanitizer=[address | memory | undefined] | 1372 | --enable-sanitizer=[address | memory | undefined] |
1371 | enable a compiler-based sanitizer (debug) | 1373 | enable a compiler-based sanitizer (debug) |
1374 | --enable-ids enable ids | ||
1372 | --enable-apparmor enable apparmor | 1375 | --enable-apparmor enable apparmor |
1373 | --enable-selinux SELinux labeling support | 1376 | --enable-selinux SELinux labeling support |
1374 | --disable-dbusproxy disable dbus proxy | 1377 | --disable-dbusproxy disable dbus proxy |
@@ -3088,6 +3091,19 @@ fi | |||
3088 | 3091 | ||
3089 | fi | 3092 | fi |
3090 | 3093 | ||
3094 | HAVE_IDS="" | ||
3095 | |||
3096 | # Check whether --enable-ids was given. | ||
3097 | if test "${enable_ids+set}" = set; then : | ||
3098 | enableval=$enable_ids; | ||
3099 | fi | ||
3100 | |||
3101 | if test "x$enable_ids" = "xyes"; then : | ||
3102 | |||
3103 | HAVE_IDS="-DHAVE_IDS" | ||
3104 | |||
3105 | fi | ||
3106 | |||
3091 | HAVE_APPARMOR="" | 3107 | HAVE_APPARMOR="" |
3092 | 3108 | ||
3093 | # Check whether --enable-apparmor was given. | 3109 | # Check whether --enable-apparmor was given. |
@@ -3639,6 +3655,7 @@ fi | |||
3639 | if test "x$enable_lts" = "xyes"; then : | 3655 | if test "x$enable_lts" = "xyes"; then : |
3640 | 3656 | ||
3641 | HAVE_LTS="-DHAVE_LTS" | 3657 | HAVE_LTS="-DHAVE_LTS" |
3658 | HAVE_IDS="" | ||
3642 | HAVE_DBUSPROXY="" | 3659 | HAVE_DBUSPROXY="" |
3643 | HAVE_OVERLAYFS="" | 3660 | HAVE_OVERLAYFS="" |
3644 | HAVE_OUTPUT="" | 3661 | HAVE_OUTPUT="" |
@@ -5282,6 +5299,7 @@ Configuration options: | |||
5282 | allow tmpfs as regular user: $HAVE_USERTMPFS | 5299 | allow tmpfs as regular user: $HAVE_USERTMPFS |
5283 | enable --ouput logging: $HAVE_OUTPUT | 5300 | enable --ouput logging: $HAVE_OUTPUT |
5284 | Manpage support: $HAVE_MAN | 5301 | Manpage support: $HAVE_MAN |
5302 | IDS support: $HAVE_IDS | ||
5285 | firetunnel support: $HAVE_FIRETUNNEL | 5303 | firetunnel support: $HAVE_FIRETUNNEL |
5286 | busybox workaround: $BUSYBOX_WORKAROUND | 5304 | busybox workaround: $BUSYBOX_WORKAROUND |
5287 | Spectre compiler patch: $HAVE_SPECTRE | 5305 | Spectre compiler patch: $HAVE_SPECTRE |
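--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ],
 ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
 )])
 
+HAVE_IDS=""
+AC_SUBST([HAVE_IDS])
+AC_ARG_ENABLE([ids],
+[AS_HELP_STRING([--enable-ids], [enable ids])])
+AS_IF([test "x$enable_ids" = "xyes"], [
+HAVE_IDS="-DHAVE_IDS"
+])
+
 HAVE_APPARMOR=""
 AC_SUBST([HAVE_APPARMOR])
 AC_ARG_ENABLE([apparmor],
@@ -249,6 +257,7 @@ AC_ARG_ENABLE([lts],
 [AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
 AS_IF([test "x$enable_lts" = "xyes"], [
 HAVE_LTS="-DHAVE_LTS"
+HAVE_IDS=""
 HAVE_DBUSPROXY=""
 HAVE_OVERLAYFS=""
 HAVE_OUTPUT=""
@@ -300,6 +309,7 @@ Configuration options:
 allow tmpfs as regular user: $HAVE_USERTMPFS
 enable --ouput logging: $HAVE_OUTPUT
 Manpage support: $HAVE_MAN
+IDS support: $HAVE_IDS
 firetunnel support: $HAVE_FIRETUNNEL
 busybox workaround: $BUSYBOX_WORKAROUND
 Spectre compiler patch: $HAVE_SPECTRE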
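Review bot: The help string for the new option, `[AS_HELP_STRING([--enable-ids], [enable ids])]` at new line 60, tells a user nothing about what is being switched on, unlike the neighbouring entries such as `--enable-selinux` ("SELinux labeling support"); suggest `[AS_HELP_STRING([--enable-ids], [enable the intrusion detection system (--ids-init/--ids-check)])]`. Note also that the `--enable-lts` block at new line 260 silently resets `HAVE_IDS=""`, so `./configure --enable-lts --enable-ids` yields a build without IDS and no warning; that follows the existing pattern for the other HAVE_* variables, and the added `IDS support: $HAVE_IDS` summary line at least makes the outcome visible.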
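--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -12,12 +12,19 @@ noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
 noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credential-cache
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.nanorc
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
+# Allow environment variables (rmenv'ed by disable-common.inc)
+ignore rmenv GH_TOKEN
+ignore rmenv GITHUB_TOKEN
+ignore rmenv GH_ENTERPRISE_TOKEN
+ignore rmenv GITHUB_ENTERPRISE_TOKEN
+
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 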
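Review bot: The four `ignore rmenv` lines at new lines 23-26 and the `noblacklist ${HOME}/.git-credential-cache` at new line 15 deliberately let GitHub API tokens and git's credential-cache directory through into the sandbox, which is a confidentiality trade-off the comment at line 22 does not state; it only says the variables were rmenv'ed by disable-common.inc. A reader deciding whether to keep these in a local override needs the why, so suggest `# Allow GitHub token environment variables (rmenv'ed by disable-common.inc); any process started inside this sandbox can read them`, and a matching one-liner on the cache entry such as `# git credential-cache socket directory`. Whether the cache entry is needed at all depends on whether the credential helper runs inside the sandbox, which this profile alone does not show.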
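--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -20,6 +20,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_IDS=@HAVE_IDS@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
@@ -38,7 +39,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now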
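--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -365,6 +365,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- IDS support is %s\n",
+#ifdef HAVE_IDS
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- networking support is %s\n",
 #ifdef HAVE_NETWORK
 "enabled"
@@ -427,6 +435,4 @@ void print_compiletime_support(void) {
 "disabled"
 #endif
 );
-
-
 }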
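--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1090,8 +1090,17 @@ int main(int argc, char **argv, char **envp) {
 run_builder(argc, argv); // this function will not return
 
 // intrusion detection system
+#ifdef HAVE_IDS
 if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
 run_ids(argc, argv); // this function will not return
+#else
+if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
+fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
+"\tTo enable it, configure your build system using --enable-ids.\n"
+"\tExample: ./configure --prefix=/usr --enable-ids\n\n");
+exit(1);
+}
+#endif
 
 EUID_ROOT();
 #ifndef HAVE_SUID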
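Review bot: The `#else` branch at new lines 1097-1102 repeats the `check_arg(argc, argv, "--ids-", 0)` test from line 1094, so the option prefix and the "supports both --ids-init and --ids-check" comment now live in two places that must be kept in sync. Hoisting the `if` outside the `#ifdef` and leaving only the two bodies conditional removes the duplication without changing behaviour, and keeps the fail-closed error path for builds without IDS. The message text "IDS features ... To enable it" mixes plural and singular; "IDS support" in the first line would read consistently. main() starts and ends outside this hunk.
```c
	// intrusion detection system
	if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
#ifdef HAVE_IDS
		run_ids(argc, argv); // this function will not return
#else
		fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
			"\tTo enable it, configure your build system using --enable-ids.\n"
			"\tExample: ./configure --prefix=/usr --enable-ids\n\n");
		exit(1);
#endif
	}
	// … unchanged: EUID_ROOT() and the rest of main …
```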
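--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -82,6 +82,16 @@ a long time ago, and the introduction of PID namespace in Linux kernel breaks th
 reportedly fixed in PulseAudio version 9. If you have sound problems on your system, run
 "firecfg --fix-sound" command in a terminal, followed by logout/login in order to apply the changes.
 .TP
+\fB\-\-guide
+Guided configuration for new users.
+.br
+
+.br
+Example:
+.br
+$ sudo firecfg --guide
+.br
+.TP
 \fB\-\-debug
 Print debug messages.
 .TP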
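--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -820,6 +820,7 @@ Example:
 .br
 $ firejail \-\-hosts-file=~/myhosts firefox
 
+#ifdef HAVE_IDS
 .TP
 \fB\-\-ids-check
 Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
@@ -839,6 +840,7 @@ Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
 Example:
 .br
 $ firejail \-\-ids-init
+#endif
 
 .TP
 \fB\-\-ignore=command
@@ -3342,6 +3344,7 @@ $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
 #endif
 
+#ifdef HAVE_IDS
 .SH INTRUSION DETECTION SYSTEM (IDS)
 The host-based intrusion detection system tracks down and audits user and system file modifications.
 The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
@@ -3399,6 +3402,7 @@ New files and deleted files are also flagged.
 
 Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
 The program can also be run as root (sudo firejail --ids-init/--ids-check).
+#endif
 
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format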
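--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -31,6 +31,7 @@ arr[15]="TEST 15: compile private-home disabled"
 arr[16]="TEST 16: compile disable manpages"
 arr[17]="TEST 17: disable tmpfs as regular user"
 arr[18]="TEST 18: disable private home"
+arr[18]="TEST 19: enable ids"
 
 # remove previous reports and output file
 cleanup() {
@@ -380,6 +381,23 @@ cp output-make om18
 rm output-configure output-make
 
 #*****************************************************************
+# TEST 19
+#*****************************************************************
+# - enable ids
+#*****************************************************************
+print_title "${arr[19]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-ids --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test19
+grep Error output-configure output-make >> ./report-test19
+cp output-configure oc19
+cp output-make om19
+rm output-configure output-make
+
+#*****************************************************************
 # PRINT REPORTS
 #*****************************************************************
 echo
@@ -411,3 +429,4 @@ echo ${arr[15]}
 echo ${arr[16]}
 echo ${arr[17]}
 echo ${arr[18]}
+echo ${arr[19]}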
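Review bot: The new label in the first hunk is stored under the wrong index, `arr[18]="TEST 19: enable ids"` at new line 34, which overwrites the "TEST 18: disable private home" label and leaves `arr[19]` unset; as a result `print_title "${arr[19]}"` in the TEST 19 block prints an empty title, the report footer echoes the TEST 19 label where test 18 should appear, and the added `echo ${arr[19]}` prints a blank line. The fix is the index alone: `arr[19]="TEST 19: enable ids"`. The rest of the TEST 19 block mirrors the preceding test blocks, so no other change is needed there.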