-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 18 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rwxr-xr-x | test/compile/compile.sh | 20 |
6 files changed, 66 insertions, 3 deletions
@@ -642,6 +642,7 @@ HAVE_GLOBALCFG | |||
642 | HAVE_CHROOT | 642 | HAVE_CHROOT |
643 | HAVE_SECCOMP | 643 | HAVE_SECCOMP |
644 | HAVE_PRIVATE_HOME | 644 | HAVE_PRIVATE_HOME |
645 | HAVE_FIRETUNNEL | ||
645 | HAVE_OVERLAYFS | 646 | HAVE_OVERLAYFS |
646 | EXTRA_LDFLAGS | 647 | EXTRA_LDFLAGS |
647 | EXTRA_CFLAGS | 648 | EXTRA_CFLAGS |
@@ -706,6 +707,7 @@ ac_user_opts=' | |||
706 | enable_option_checking | 707 | enable_option_checking |
707 | enable_apparmor | 708 | enable_apparmor |
708 | enable_overlayfs | 709 | enable_overlayfs |
710 | enable_firetunnel | ||
709 | enable_private_home | 711 | enable_private_home |
710 | enable_seccomp | 712 | enable_seccomp |
711 | enable_chroot | 713 | enable_chroot |
@@ -1357,6 +1359,7 @@ Optional Features: | |||
1357 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1359 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1358 | --enable-apparmor enable apparmor | 1360 | --enable-apparmor enable apparmor |
1359 | --disable-overlayfs disable overlayfs | 1361 | --disable-overlayfs disable overlayfs |
1362 | --disable-firetunnel disable firetunnel | ||
1360 | --disable-private-home disable private home feature | 1363 | --disable-private-home disable private home feature |
1361 | --disable-seccomp disable seccomp | 1364 | --disable-seccomp disable seccomp |
1362 | --disable-chroot disable chroot | 1365 | --disable-chroot disable chroot |
@@ -3433,6 +3436,19 @@ if test "x$enable_overlayfs" != "xno"; then : | |||
3433 | 3436 | ||
3434 | fi | 3437 | fi |
3435 | 3438 | ||
3439 | HAVE_FIRETUNNEL="" | ||
3440 | # Check whether --enable-firetunnel was given. | ||
3441 | if test "${enable_firetunnel+set}" = set; then : | ||
3442 | enableval=$enable_firetunnel; | ||
3443 | fi | ||
3444 | |||
3445 | if test "x$enable_firetunnel" != "xno"; then : | ||
3446 | |||
3447 | HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" | ||
3448 | |||
3449 | |||
3450 | fi | ||
3451 | |||
3436 | HAVE_PRIVATEHOME="" | 3452 | HAVE_PRIVATEHOME="" |
3437 | # Check whether --enable-private-home was given. | 3453 | # Check whether --enable-private-home was given. |
3438 | if test "${enable_private_home+set}" = set; then : | 3454 | if test "${enable_private_home+set}" = set; then : |
@@ -5280,6 +5296,7 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
5280 | echo " private home support: $HAVE_PRIVATE_HOME" | 5296 | echo " private home support: $HAVE_PRIVATE_HOME" |
5281 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 5297 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
5282 | echo " overlayfs support: $HAVE_OVERLAYFS" | 5298 | echo " overlayfs support: $HAVE_OVERLAYFS" |
5299 | echo " firetunnel support: $HAVE_FIRETUNNEL" | ||
5283 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 5300 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
5284 | echo " Spectre compiler patch: $HAVE_SPECTRE" | 5301 | echo " Spectre compiler patch: $HAVE_SPECTRE" |
5285 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 5302 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
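--- a/configure.ac
+++ b/configure.ac
@@ -1,3 +1,12 @@
+#
+# Note:
+#
+# If for any reason autoconf fails, run "autoreconf -i --install " and try again.
+# We rely soley on autoconf, without automake. Apparently, in this case
+# the macros from m4 directory are not picked up by default by automake.
+# "autoreconf -i --install" seems to fix the problem.
+#
+
 AC_PREREQ([2.68])
 AC_INIT(firejail, 0.9.61, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
@@ -39,6 +48,14 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [
 AC_SUBST(HAVE_OVERLAYFS)
 ])
 
+HAVE_FIRETUNNEL=""
+AC_ARG_ENABLE([firetunnel],
+AS_HELP_STRING([--disable-firetunnel], [disable firetunnel]))
+AS_IF([test "x$enable_firetunnel" != "xno"], [
+HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
+AC_SUBST(HAVE_FIRETUNNEL)
+])
+
 HAVE_PRIVATEHOME=""
 AC_ARG_ENABLE([private-home],
 AS_HELP_STRING([--disable-private-home], [disable private home feature]))
@@ -186,6 +203,7 @@ echo " whitelisting: $HAVE_WHITELIST"
 echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
+echo " firetunnel support: $HAVE_FIRETUNNEL"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"
 echo " Spectre compiler patch: $HAVE_SPECTRE"
 echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"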
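Review bot: The new switch is opt-out rather than opt-in: `AS_IF([test "x$enable_firetunnel" != "xno"], [` sets `HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"` whenever the builder passes nothing, so the `--tunnel` handling is compiled into every default build. firejail is normally installed setuid root, so if firetunnel is not expected on most installs, consider inverting the test to `test "x$enable_firetunnel" = "xyes"` and advertising `--enable-firetunnel` in the help string, which keeps the privileged option parser smaller by default. Separately, `AC_SUBST(HAVE_FIRETUNNEL)` sits inside the `AS_IF` body; this mirrors the overlayfs block above, but the substitution is registered regardless of the shell condition, so placing it after the closing `])` would read less misleadingly.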
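--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -20,6 +20,7 @@ HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 
@@ -28,7 +29,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
 
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@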
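--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -278,6 +278,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- firetunnel support is %s\n",
+#ifdef HAVE_FIRETUNNEL
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- networking support is %s\n",
 #ifdef HAVE_NETWORK
 "enabled"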
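--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1498,6 +1498,7 @@ int main(int argc, char **argv) {
 exit_err_feature("overlayfs");
 }
 #endif
+#ifdef HAVE_FIRETUNNEL
 else if (strcmp(argv[i], "--tunnel") == 0) {
 // try to connect to the default client side of the tunnel
 // if this fails, try the default server side of the tunnel
@@ -1523,7 +1524,7 @@ int main(int argc, char **argv) {
 exit(1);
 }
 }
-
+#endif
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
 // multiple profile files are allowed!
 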
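Review bot: With `HAVE_FIRETUNNEL` undefined, `--tunnel` is dropped from the option chain without an explicit rejection, so the argument falls through to whatever the later branches of `main` do with an unmatched string; those branches are outside the hunks shown. For a sandbox launcher it is safer to fail closed with a clear message, for example an `#else` arm before the new `#endif`: `else if (strcmp(argv[i], "--tunnel") == 0) exit_err_feature("firetunnel");`, assuming `exit_err_feature` (called for overlayfs just above) reports a disabled feature and exits. The code between the two hunks is not visible, so confirm that everything the guard now encloses belongs to the tunnel option and that no other tunnel handling elsewhere in the file is left outside the `#ifdef`. The `#endif` also takes the place of the blank line that separated this branch from `--profile=`; keeping a blank line after it would preserve the visual break.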
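--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -3,7 +3,7 @@
 arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile seccomp disabled"
 arr[3]="TEST 3: compile chroot disabled"
-arr[4]="deprecated: TEST 4: compile bind disabled"
+arr[4]="TEST 4: compile firetunnel disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
@@ -108,6 +108,24 @@ cp output-make om3
 rm output-configure output-make
 
 #*****************************************************************
+# TEST 4
+#*****************************************************************
+# - disable firetunnel configuration
+#*****************************************************************
+print_title "${arr[4]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test4
+grep Error output-configure output-make >> ./report-test4
+cp output-configure oc4
+cp output-make om4
+rm output-configure output-make
+
+#*****************************************************************
 # TEST 5
 #*****************************************************************
 # - disable user namespace configuration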
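Review bot: The new TEST 4 block never checks that the build succeeded or that firetunnel was actually compiled out: both `./configure … | tee` and `make -j4 … | tee` report the exit status of `tee`, and the only evidence collected is a grep for `Warning` and `Error`. If the script runs under bash, as the `arr[...]` assignments suggest, a line such as `[ "${PIPESTATUS[0]}" -eq 0 ] || exit 1` after each pipeline would stop on a broken build. The block also carries a stale `# seccomp` comment, apparently copied from another test; it should read `# firetunnel`.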