-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | Makefile.in | 14 | ||||
-rwxr-xr-x | configure | 27 | ||||
-rw-r--r-- | configure.ac | 15 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 7 | ||||
-rw-r--r-- | src/common.mk.in | 5 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 12 | ||||
-rw-r--r-- | src/firejail/dbus.c | 2 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/preproc.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 22 | ||||
-rw-r--r-- | src/firejail/protocol.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 14 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 3 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/include/seccomp.h | 17 | ||||
-rw-r--r-- | src/lib/syscall.c | 16 | ||||
-rw-r--r-- | src/man/Makefile.in | 17 | ||||
-rw-r--r-- | src/man/preproc.c | 146 | ||||
-rwxr-xr-x | test/compile/compile.sh | 40 |
21 files changed, 206 insertions, 176 deletions
diff --git a/.gitignore b/.gitignore index 8142985b3..74f719ebc 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -8,6 +8,7 @@ | |||
8 | *.gcno | 8 | *.gcno |
9 | *.DS_Store | 9 | *.DS_Store |
10 | .directory | 10 | .directory |
11 | *.man | ||
11 | Makefile | 12 | Makefile |
12 | autom4te.cache/ | 13 | autom4te.cache/ |
13 | config.log | 14 | config.log |
@@ -35,7 +36,8 @@ src/fsec-optimize/fsec-optimize | |||
35 | src/fcopy/fcopy | 36 | src/fcopy/fcopy |
36 | src/fldd/fldd | 37 | src/fldd/fldd |
37 | src/fbuilder/fbuilder | 38 | src/fbuilder/fbuilder |
38 | etc/profstats | 39 | src/profstats/profstats |
40 | src/man/preproc | ||
39 | uids.h | 41 | uids.h |
40 | seccomp | 42 | seccomp |
41 | seccomp.debug | 43 | seccomp.debug |
diff --git a/Makefile.in b/Makefile.in index 6ed22b007..5096ad44a 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -10,23 +10,20 @@ VERSION=@PACKAGE_VERSION@ | |||
10 | NAME=@PACKAGE_NAME@ | 10 | NAME=@PACKAGE_NAME@ |
11 | PACKAGE_TARNAME=@PACKAGE_TARNAME@ | 11 | PACKAGE_TARNAME=@PACKAGE_TARNAME@ |
12 | DOCDIR=@docdir@ | 12 | DOCDIR=@docdir@ |
13 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
14 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 13 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
15 | HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ | 14 | HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ |
16 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ | 15 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ |
17 | HAVE_SUID=@HAVE_SUID@ | 16 | HAVE_SUID=@HAVE_SUID@ |
18 | 17 | ||
19 | all: all_items man filters | 18 | all: all_items man filters |
20 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats | 19 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/man/preproc |
21 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee | 20 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee |
22 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | 21 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter |
23 | MYDIRS = src/lib | 22 | MYDIRS = src/lib |
24 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 23 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
25 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 | 24 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 |
26 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | ||
27 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | 25 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp |
28 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 26 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
29 | endif | ||
30 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) | 27 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
31 | 28 | ||
32 | .PHONY: all_items $(ALL_ITEMS) | 29 | .PHONY: all_items $(ALL_ITEMS) |
@@ -39,13 +36,13 @@ mydirs: mydirs $(MYDIRS) | |||
39 | $(MYDIRS): | 36 | $(MYDIRS): |
40 | $(MAKE) -C $@ | 37 | $(MAKE) -C $@ |
41 | 38 | ||
42 | $(MANPAGES): $(wildcard src/man/*.txt) | 39 | |
43 | ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@ | 40 | $(MANPAGES): $(wildcard src/man/*.man) |
41 | ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ | ||
44 | 42 | ||
45 | man: $(MANPAGES) | 43 | man: $(MANPAGES) |
46 | 44 | ||
47 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) | 45 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) |
48 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | ||
49 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize | 46 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize |
50 | src/fseccomp/fseccomp default seccomp | 47 | src/fseccomp/fseccomp default seccomp |
51 | src/fsec-optimize/fsec-optimize seccomp | 48 | src/fsec-optimize/fsec-optimize seccomp |
@@ -66,7 +63,6 @@ seccomp.mdwx: src/fseccomp/fseccomp | |||
66 | 63 | ||
67 | seccomp.mdwx.32: src/fseccomp/fseccomp | 64 | seccomp.mdwx.32: src/fseccomp/fseccomp |
68 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 | 65 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 |
69 | endif | ||
70 | 66 | ||
71 | clean: | 67 | clean: |
72 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ | 68 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ |
@@ -249,9 +245,7 @@ test-environment: | |||
249 | cd test/environment; ./environment.sh | grep TESTING | 245 | cd test/environment; ./environment.sh | grep TESTING |
250 | 246 | ||
251 | test-filters: | 247 | test-filters: |
252 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | ||
253 | cd test/filters; ./filters.sh | grep TESTING | 248 | cd test/filters; ./filters.sh | grep TESTING |
254 | endif | ||
255 | 249 | ||
256 | test-arguments: | 250 | test-arguments: |
257 | cd test/arguments; ./arguments.sh | grep TESTING | 251 | cd test/arguments; ./arguments.sh | grep TESTING |
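Review bot: The new `$(MANPAGES): $(wildcard src/man/*.man)` rule depends on generated files that are expanded at parse time, so on a clean checkout the prerequisite list is empty, nothing ties the man pages to `src/man/preproc` or the `.txt` sources, and under `make -j` the `man` goal can race `all_items` (`all: all_items man filters` declares no ordering between them). A static pattern rule names the real input and lets Make see the edge: `$(MANPAGES): %: src/man/%.man` with recipe `./mkman.sh $(VERSION) $< $@`, plus a rule (or an order-only dependency on the sub-make) that produces `src/man/%.man` from `src/man/%.txt` and `src/man/preproc`. The rule that actually generates the `.man` files is presumably in src/man/Makefile.in, which this chunk does not show, so the exact prerequisite may need adjusting.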
@@ -624,7 +624,6 @@ ac_includes_default="\ | |||
624 | 624 | ||
625 | ac_subst_vars='LTLIBOBJS | 625 | ac_subst_vars='LTLIBOBJS |
626 | LIBOBJS | 626 | LIBOBJS |
627 | HAVE_SECCOMP_H | ||
628 | EGREP | 627 | EGREP |
629 | GREP | 628 | GREP |
630 | CPP | 629 | CPP |
@@ -641,7 +640,6 @@ HAVE_USERNS | |||
641 | HAVE_NETWORK | 640 | HAVE_NETWORK |
642 | HAVE_GLOBALCFG | 641 | HAVE_GLOBALCFG |
643 | HAVE_CHROOT | 642 | HAVE_CHROOT |
644 | HAVE_SECCOMP | ||
645 | HAVE_PRIVATE_HOME | 643 | HAVE_PRIVATE_HOME |
646 | HAVE_FIRETUNNEL | 644 | HAVE_FIRETUNNEL |
647 | HAVE_OVERLAYFS | 645 | HAVE_OVERLAYFS |
@@ -710,7 +708,6 @@ enable_apparmor | |||
710 | enable_overlayfs | 708 | enable_overlayfs |
711 | enable_firetunnel | 709 | enable_firetunnel |
712 | enable_private_home | 710 | enable_private_home |
713 | enable_seccomp | ||
714 | enable_chroot | 711 | enable_chroot |
715 | enable_globalcfg | 712 | enable_globalcfg |
716 | enable_network | 713 | enable_network |
@@ -1363,7 +1360,6 @@ Optional Features: | |||
1363 | --disable-overlayfs disable overlayfs | 1360 | --disable-overlayfs disable overlayfs |
1364 | --disable-firetunnel disable firetunnel | 1361 | --disable-firetunnel disable firetunnel |
1365 | --disable-private-home disable private home feature | 1362 | --disable-private-home disable private home feature |
1366 | --disable-seccomp disable seccomp | ||
1367 | --disable-chroot disable chroot | 1363 | --disable-chroot disable chroot |
1368 | --disable-globalcfg if the global config file firejail.cfg is not | 1364 | --disable-globalcfg if the global config file firejail.cfg is not |
1369 | present, continue the program using defaults | 1365 | present, continue the program using defaults |
@@ -3537,19 +3533,6 @@ if test "x$enable_private_home" != "xno"; then : | |||
3537 | 3533 | ||
3538 | fi | 3534 | fi |
3539 | 3535 | ||
3540 | HAVE_SECCOMP="" | ||
3541 | # Check whether --enable-seccomp was given. | ||
3542 | if test "${enable_seccomp+set}" = set; then : | ||
3543 | enableval=$enable_seccomp; | ||
3544 | fi | ||
3545 | |||
3546 | if test "x$enable_seccomp" != "xno"; then : | ||
3547 | |||
3548 | HAVE_SECCOMP="-DHAVE_SECCOMP" | ||
3549 | |||
3550 | |||
3551 | fi | ||
3552 | |||
3553 | HAVE_CHROOT="" | 3536 | HAVE_CHROOT="" |
3554 | # Check whether --enable-chroot was given. | 3537 | # Check whether --enable-chroot was given. |
3555 | if test "${enable_chroot+set}" = set; then : | 3538 | if test "${enable_chroot+set}" = set; then : |
@@ -4173,14 +4156,13 @@ fi | |||
4173 | 4156 | ||
4174 | ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" | 4157 | ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" |
4175 | if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : | 4158 | if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : |
4176 | HAVE_SECCOMP_H="-DHAVE_SECCOMP_H" | 4159 | |
4177 | else | 4160 | else |
4178 | HAVE_SECCOMP_H="" | 4161 | as_fn_error $? "*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***" "$LINENO" 5 |
4179 | fi | 4162 | fi |
4180 | 4163 | ||
4181 | 4164 | ||
4182 | 4165 | ||
4183 | |||
4184 | # set sysconfdir | 4166 | # set sysconfdir |
4185 | if test "$prefix" = /usr; then | 4167 | if test "$prefix" = /usr; then |
4186 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" | 4168 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" |
@@ -4188,7 +4170,7 @@ fi | |||
4188 | 4170 | ||
4189 | ac_config_files="$ac_config_files mkdeb.sh" | 4171 | ac_config_files="$ac_config_files mkdeb.sh" |
4190 | 4172 | ||
4191 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile" | 4173 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile" |
4192 | 4174 | ||
4193 | cat >confcache <<\_ACEOF | 4175 | cat >confcache <<\_ACEOF |
4194 | # This file is a shell script that caches the results of configure | 4176 | # This file is a shell script that caches the results of configure |
@@ -4918,6 +4900,7 @@ do | |||
4918 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; | 4900 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; |
4919 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; | 4901 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; |
4920 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; | 4902 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; |
4903 | "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; | ||
4921 | 4904 | ||
4922 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 4905 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
4923 | esac | 4906 | esac |
@@ -5382,8 +5365,6 @@ echo | |||
5382 | echo "Configuration options:" | 5365 | echo "Configuration options:" |
5383 | echo " prefix: $prefix" | 5366 | echo " prefix: $prefix" |
5384 | echo " sysconfdir: $sysconfdir" | 5367 | echo " sysconfdir: $sysconfdir" |
5385 | echo " seccomp: $HAVE_SECCOMP" | ||
5386 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | ||
5387 | echo " apparmor: $HAVE_APPARMOR" | 5368 | echo " apparmor: $HAVE_APPARMOR" |
5388 | echo " global config: $HAVE_GLOBALCFG" | 5369 | echo " global config: $HAVE_GLOBALCFG" |
5389 | echo " chroot: $HAVE_CHROOT" | 5370 | echo " chroot: $HAVE_CHROOT" |
diff --git a/configure.ac b/configure.ac index feb0b38a6..241865968 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -76,14 +76,6 @@ AS_IF([test "x$enable_private_home" != "xno"], [ | |||
76 | AC_SUBST(HAVE_PRIVATE_HOME) | 76 | AC_SUBST(HAVE_PRIVATE_HOME) |
77 | ]) | 77 | ]) |
78 | 78 | ||
79 | HAVE_SECCOMP="" | ||
80 | AC_ARG_ENABLE([seccomp], | ||
81 | AS_HELP_STRING([--disable-seccomp], [disable seccomp])) | ||
82 | AS_IF([test "x$enable_seccomp" != "xno"], [ | ||
83 | HAVE_SECCOMP="-DHAVE_SECCOMP" | ||
84 | AC_SUBST(HAVE_SECCOMP) | ||
85 | ]) | ||
86 | |||
87 | HAVE_CHROOT="" | 79 | HAVE_CHROOT="" |
88 | AC_ARG_ENABLE([chroot], | 80 | AC_ARG_ENABLE([chroot], |
89 | AS_HELP_STRING([--disable-chroot], [disable chroot])) | 81 | AS_HELP_STRING([--disable-chroot], [disable chroot])) |
@@ -196,8 +188,7 @@ AS_IF([test "x$enable_selinux" = "xyes"], [ | |||
196 | # checking pthread library | 188 | # checking pthread library |
197 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 189 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
198 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 190 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
199 | AC_CHECK_HEADER([linux/seccomp.h], HAVE_SECCOMP_H="-DHAVE_SECCOMP_H", HAVE_SECCOMP_H="") | 191 | AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])) |
200 | AC_SUBST(HAVE_SECCOMP_H) | ||
201 | 192 | ||
202 | # set sysconfdir | 193 | # set sysconfdir |
203 | if test "$prefix" = /usr; then | 194 | if test "$prefix" = /usr; then |
@@ -208,14 +199,12 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) | |||
208 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ | 199 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
209 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 200 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
210 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ | 201 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ |
211 | src/profstats/Makefile) | 202 | src/profstats/Makefile src/man/Makefile) |
212 | 203 | ||
213 | echo | 204 | echo |
214 | echo "Configuration options:" | 205 | echo "Configuration options:" |
215 | echo " prefix: $prefix" | 206 | echo " prefix: $prefix" |
216 | echo " sysconfdir: $sysconfdir" | 207 | echo " sysconfdir: $sysconfdir" |
217 | echo " seccomp: $HAVE_SECCOMP" | ||
218 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | ||
219 | echo " apparmor: $HAVE_APPARMOR" | 208 | echo " apparmor: $HAVE_APPARMOR" |
220 | echo " global config: $HAVE_GLOBALCFG" | 209 | echo " global config: $HAVE_GLOBALCFG" |
221 | echo " chroot: $HAVE_CHROOT" | 210 | echo " chroot: $HAVE_CHROOT" |
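Review bot: The new hard failure on `linux/seccomp.h` deserves a comment saying that seccomp is now mandatory rather than optional, since a reader seeing only this line may take it for a plain header probe; something like `# seccomp-bpf is required: the fseccomp/fsec-* helpers and the default filters are always built`. The error text hard-codes `/usr/include/linux/seccomp.h`, but AC_CHECK_HEADER honours CPPFLAGS and cross-compile sysroots, so `*** <linux/seccomp.h> not found: seccomp support is required (install the kernel headers) ***` is more accurate. Callers that still pass `--disable-seccomp` now get only autoconf's unrecognized-option warning and a build with seccomp on, which is presumably the intent but worth a line in the release notes.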
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index ea3b5a6b0..c454887dd 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -33,7 +33,7 @@ Definition of groups | |||
33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | 33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime |
34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | 34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old |
35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | 35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext |
36 | @default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | 36 | @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup |
37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv | 37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv |
38 | @default-keep=execve,prctl | 38 | @default-keep=execve,prctl |
39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes | 39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes |
@@ -62,15 +62,14 @@ Inheritance of groups | |||
62 | 62 | ||
63 | +---------------+ | 63 | +---------------+ |
64 | | @default-keep | | 64 | | @default-keep | |
65 | | @mount | | ||
66 | +---------------+ | 65 | +---------------+ |
67 | 66 | ||
68 | +----------------+ +---------+ +--------+ +--------------+ | 67 | +----------------+ +---------+ +--------+ +--------------+ |
69 | | @cpu-emulation | | @clock | | @chown | | @aio | | 68 | | @cpu-emulation | | @clock | | @chown | | @aio | |
70 | | @debug | | @module | +--------+ | @basic-io | | 69 | | @debug | | @module | +--------+ | @basic-io | |
71 | | @obsolete | | @raw-io | : : | @file-system | | 70 | | @obsolete | | @raw-io | : : | @file-system | |
72 | +----------------+ | @reboot | : : | @io-event | | 71 | | @mount | | @reboot | : : | @io-event | |
73 | : | @swap | : : | @ipc | | 72 | +----------------+ | @swap | : : | @ipc | |
74 | : +---------+ : : | @keyring | | 73 | : +---------+ : : | @keyring | |
75 | : : : : : | @memlock | | 74 | : : : : : | @memlock | |
76 | : ..............: : : : | @network-io | | 75 | : ..............: : : : | @network-io | |
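Review bot: The rewritten `@default` line still carries `set_mempolicyvmsplice`, which is neither syscall name; it should read `set_mempolicy,vmsplice`, and since the commit rewrites this exact line it is the natural place to fix it. Replacing the inline `chroot,mount,pivot_root,umount,umount2` with `@mount` is only equivalent if `@mount` contains exactly those five syscalls; if the group (defined in src/lib/syscall.c, changed in this commit but not in this chunk) also covers the newer mount-API calls, the default filter silently widens, which should be stated in the commit message or in a comment on the line.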
diff --git a/src/common.mk.in b/src/common.mk.in index 8104bc258..22c25c6aa 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
@@ -9,8 +9,6 @@ sysconfdir=@sysconfdir@ | |||
9 | 9 | ||
10 | VERSION=@PACKAGE_VERSION@ | 10 | VERSION=@PACKAGE_VERSION@ |
11 | NAME=@PACKAGE_NAME@ | 11 | NAME=@PACKAGE_NAME@ |
12 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
13 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
14 | HAVE_CHROOT=@HAVE_CHROOT@ | 12 | HAVE_CHROOT=@HAVE_CHROOT@ |
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | 13 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ |
16 | HAVE_NETWORK=@HAVE_NETWORK@ | 14 | HAVE_NETWORK=@HAVE_NETWORK@ |
@@ -34,7 +32,8 @@ BINOBJS = $(foreach file, $(OBJS), $file) | |||
34 | CFLAGS = @CFLAGS@ | 32 | CFLAGS = @CFLAGS@ |
35 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) | 33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) |
36 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' | 34 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' |
37 | CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) | 35 | MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) |
36 | CFLAGS += $(MANFLAGS) | ||
38 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 37 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
39 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 38 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
40 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | 39 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ |
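Review bot: `MANFLAGS` is an opaque name for the list of feature macros that now feeds CFLAGS, and the line carries no hint that the same list is meant to be consumed by the new man-page preprocessor (src/man/preproc.c, not in this chunk); a comment such as `# feature macros shared by the C build and src/man/preproc, so the man pages match compile-time support` would make the split from CFLAGS understandable. Note also that `HAVE_SECCOMP_H` is no longer defined anywhere, so any surviving `#ifdef HAVE_SECCOMP_H` guard in the tree now compiles out silently rather than failing; a grep for it is worth doing before merge.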
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index f6b3b3252..fb19e8f5a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -226,7 +226,6 @@ int checkcfg(int val) { | |||
226 | 226 | ||
227 | // seccomp error action | 227 | // seccomp error action |
228 | else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { | 228 | else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { |
229 | #ifdef HAVE_SECCOMP | ||
230 | if (strcmp(ptr + 21, "kill") == 0) | 229 | if (strcmp(ptr + 21, "kill") == 0) |
231 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL; | 230 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL; |
232 | else if (strcmp(ptr + 21, "log") == 0) | 231 | else if (strcmp(ptr + 21, "log") == 0) |
@@ -239,9 +238,6 @@ int checkcfg(int val) { | |||
239 | config_seccomp_error_action_str = strdup(ptr + 21); | 238 | config_seccomp_error_action_str = strdup(ptr + 21); |
240 | if (!config_seccomp_error_action_str) | 239 | if (!config_seccomp_error_action_str) |
241 | errExit("strdup"); | 240 | errExit("strdup"); |
242 | #else | ||
243 | warning_feature_disabled("seccomp"); | ||
244 | #endif | ||
245 | } | 241 | } |
246 | 242 | ||
247 | else | 243 | else |
@@ -347,14 +343,6 @@ void print_compiletime_support(void) { | |||
347 | #endif | 343 | #endif |
348 | ); | 344 | ); |
349 | 345 | ||
350 | printf("\t- seccomp-bpf support is %s\n", | ||
351 | #ifdef HAVE_SECCOMP | ||
352 | "enabled" | ||
353 | #else | ||
354 | "disabled" | ||
355 | #endif | ||
356 | ); | ||
357 | |||
358 | printf("\t- SELinux support is %s\n", | 346 | printf("\t- SELinux support is %s\n", |
359 | #ifdef HAVE_SELINUX | 347 | #ifdef HAVE_SELINUX |
360 | "enabled" | 348 | "enabled" |
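Review bot: Dropping the `seccomp-bpf support is …` line from print_compiletime_support() changes output that scripts and packaging tests presumably grep for, while the other feature lines keep their format; since seccomp is now always built, printing `printf("\t- seccomp-bpf support is enabled\n");` unconditionally keeps the output shape stable at no cost. In the seccomp-error-action branch the `SECCOMP_RET_*` constants are now referenced without a HAVE_SECCOMP guard, so the file must include `<linux/seccomp.h>` unconditionally; the include block is outside this hunk, so that is worth confirming. checkcfg() and print_compiletime_support() both start outside these hunks.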
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 36d110ac7..f0ba10afc 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -555,10 +555,8 @@ void dbus_apply_policy(void) { | |||
555 | return; | 555 | return; |
556 | 556 | ||
557 | // --protocol=unix | 557 | // --protocol=unix |
558 | #ifdef HAVE_SECCOMP | ||
559 | if (cfg.protocol && !strstr(cfg.protocol, "unix")) | 558 | if (cfg.protocol && !strstr(cfg.protocol, "unix")) |
560 | return; | 559 | return; |
561 | #endif | ||
562 | 560 | ||
563 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); | 561 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); |
564 | } | 562 | } |
diff --git a/src/firejail/join.c b/src/firejail/join.c index c7619ef3b..7fd5ec3d3 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -465,10 +465,8 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
465 | EUID_ROOT(); | 465 | EUID_ROOT(); |
466 | if (apply_caps == 1) // not available for uid 0 | 466 | if (apply_caps == 1) // not available for uid 0 |
467 | caps_set(caps); | 467 | caps_set(caps); |
468 | #ifdef HAVE_SECCOMP | ||
469 | if (getuid() != 0) | 468 | if (getuid() != 0) |
470 | seccomp_load_file_list(); | 469 | seccomp_load_file_list(); |
471 | #endif | ||
472 | 470 | ||
473 | // mount user namespace or drop privileges | 471 | // mount user namespace or drop privileges |
474 | if (arg_noroot) { // not available for uid 0 | 472 | if (arg_noroot) { // not available for uid 0 |
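Review bot: The now-unconditional `if (getuid() != 0) seccomp_load_file_list();` skips re-applying the sandbox's seccomp filters when the joining user is root, and unlike the caps line just above it carries no comment saying so; a line such as `// seccomp filters are not re-applied when joining as uid 0 (same exemption as caps above)` keeps the two root exemptions visibly in step. Whether a root join should bypass the filter is a policy question predating this commit, but since seccomp can no longer be compiled out this is the visible condition under which a joined root process runs without it, and that should be stated where it happens. join() starts and ends outside the hunk.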
diff --git a/src/firejail/main.c b/src/firejail/main.c index df890ecea..75324b66a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -479,7 +479,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
479 | //************************************* | 479 | //************************************* |
480 | // independent commands - the program will exit! | 480 | // independent commands - the program will exit! |
481 | //************************************* | 481 | //************************************* |
482 | #ifdef HAVE_SECCOMP | ||
483 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { | 482 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { |
484 | if (checkcfg(CFG_SECCOMP)) { | 483 | if (checkcfg(CFG_SECCOMP)) { |
485 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls"); | 484 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls"); |
@@ -529,7 +528,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
529 | exit_err_feature("seccomp"); | 528 | exit_err_feature("seccomp"); |
530 | exit(0); | 529 | exit(0); |
531 | } | 530 | } |
532 | #endif | ||
533 | else if (strncmp(argv[i], "--profile.print=", 16) == 0) { | 531 | else if (strncmp(argv[i], "--profile.print=", 16) == 0) { |
534 | pid_t pid = require_pid(argv[i] + 16); | 532 | pid_t pid = require_pid(argv[i] + 16); |
535 | 533 | ||
@@ -950,7 +948,6 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b | |||
950 | (void) native; | 948 | (void) native; |
951 | } | 949 | } |
952 | 950 | ||
953 | #ifdef HAVE_SECCOMP | ||
954 | static int check_postexec(const char *list) { | 951 | static int check_postexec(const char *list) { |
955 | char *prelist, *postlist; | 952 | char *prelist, *postlist; |
956 | 953 | ||
@@ -961,7 +958,6 @@ static int check_postexec(const char *list) { | |||
961 | } | 958 | } |
962 | return 0; | 959 | return 0; |
963 | } | 960 | } |
964 | #endif | ||
965 | 961 | ||
966 | //******************************************* | 962 | //******************************************* |
967 | // Main program | 963 | // Main program |
@@ -1264,7 +1260,6 @@ int main(int argc, char **argv, char **envp) { | |||
1264 | else if (strcmp(argv[i], "--apparmor") == 0) | 1260 | else if (strcmp(argv[i], "--apparmor") == 0) |
1265 | arg_apparmor = 1; | 1261 | arg_apparmor = 1; |
1266 | #endif | 1262 | #endif |
1267 | #ifdef HAVE_SECCOMP | ||
1268 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1263 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
1269 | if (checkcfg(CFG_SECCOMP)) { | 1264 | if (checkcfg(CFG_SECCOMP)) { |
1270 | if (cfg.protocol) { | 1265 | if (cfg.protocol) { |
@@ -1402,7 +1397,6 @@ int main(int argc, char **argv, char **envp) { | |||
1402 | } else | 1397 | } else |
1403 | exit_err_feature("seccomp"); | 1398 | exit_err_feature("seccomp"); |
1404 | } | 1399 | } |
1405 | #endif | ||
1406 | else if (strcmp(argv[i], "--caps") == 0) { | 1400 | else if (strcmp(argv[i], "--caps") == 0) { |
1407 | arg_caps_default_filter = 1; | 1401 | arg_caps_default_filter = 1; |
1408 | arg_caps_cmdline = 1; | 1402 | arg_caps_cmdline = 1; |
@@ -2783,10 +2777,9 @@ int main(int argc, char **argv, char **envp) { | |||
2783 | // check network configuration options - it will exit if anything went wrong | 2777 | // check network configuration options - it will exit if anything went wrong |
2784 | net_check_cfg(); | 2778 | net_check_cfg(); |
2785 | 2779 | ||
2786 | #ifdef HAVE_SECCOMP | ||
2787 | if (arg_seccomp) | 2780 | if (arg_seccomp) |
2788 | arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); | 2781 | arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); |
2789 | #endif | 2782 | |
2790 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; | 2783 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; |
2791 | if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32)) | 2784 | if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32)) |
2792 | fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n"); | 2785 | fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n"); |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index c0b09e945..836526593 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -103,7 +103,6 @@ void preproc_mount_mnt_dir(void) { | |||
103 | if (arg_tracefile) | 103 | if (arg_tracefile) |
104 | fs_tracefile(); | 104 | fs_tracefile(); |
105 | 105 | ||
106 | #ifdef HAVE_SECCOMP | ||
107 | create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); | 106 | create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); |
108 | 107 | ||
109 | if (arg_seccomp_block_secondary) | 108 | if (arg_seccomp_block_secondary) |
@@ -132,7 +131,6 @@ void preproc_mount_mnt_dir(void) { | |||
132 | create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644); | 131 | create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644); |
133 | if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644)) | 132 | if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644)) |
134 | errExit("set_perms"); | 133 | errExit("set_perms"); |
135 | #endif | ||
136 | } | 134 | } |
137 | } | 135 | } |
138 | 136 | ||
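--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -327,12 +327,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "seccomp") == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP))
 arg_seccomp = 1;
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 else if (strcmp(ptr, "caps") == 0) {
@@ -861,7 +859,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 
 if (strncmp(ptr, "protocol ", 9) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 if (cfg.protocol) {
 fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
@@ -875,7 +872,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 
@@ -890,102 +886,85 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 // seccomp drop list on top of default list
 if (strncmp(ptr, "seccomp ", 8) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp = 1;
 cfg.seccomp_list = seccomp_check_list(ptr + 8);
 }
 else if (!arg_quiet)
 warning_feature_disabled("seccomp");
-#endif
 
 return 0;
 }
 if (strncmp(ptr, "seccomp.32 ", 11) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp32 = 1;
 cfg.seccomp_list32 = seccomp_check_list(ptr + 11);
 }
 else if (!arg_quiet)
 warning_feature_disabled("seccomp");
-#endif
 
 return 0;
 }
 
 if (strcmp(ptr, "seccomp.block-secondary") == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp_block_secondary = 1;
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 // seccomp drop list without default list
 if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp = 1;
 cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp32 = 1;
 cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 
 // seccomp keep list
 if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp = 1;
 cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp32 = 1;
 cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 
 // memory deny write&execute
 if (strcmp(ptr, "memory-deny-write-execute") == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP))
 arg_memory_deny_write_execute = 1;
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 
 // seccomp error action
 if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
 if (config_seccomp_error_action == -1) {
@@ -1008,7 +987,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 } else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 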
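Review bot: The `seccomp.32.drop ` and `seccomp.32.keep ` branches (new lines 927 and 947) compare only 13 characters of a 16-character prefix and then hand `ptr + 13` to seccomp_check_list, so the list the 32-bit filter is built from starts with the tail of the keyword ("op ...", "ep ...") rather than the first syscall; the sibling `seccomp.drop `/`seccomp.keep ` branches use the correct length 13 for their own 13-character prefix. This is pre-existing context, but the commit makes seccomp unconditional, so it is now the only code path. The fix is `if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) {` with `cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);`, and the same two edits for the `.keep` branch. profile_check_line begins and ends outside these hunks.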
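--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 
@@ -93,6 +92,3 @@ void protocol_print_filter(pid_t pid) {
 exit(1);
 #endif
 }
-
-
-#endif // HAVE_SECCOMP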
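--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -141,7 +141,6 @@ void set_apparmor(void) {
 }
 #endif
 
-#ifdef HAVE_SECCOMP
 void seccomp_debug(void) {
 if (arg_debug == 0)
 return;
@@ -158,7 +157,6 @@ void seccomp_debug(void) {
 printf("No active seccomp files\n");
 EUID_ROOT();
 }
-#endif
 
 static void save_nogroups(void) {
 if (arg_nogroups == 0)
@@ -497,9 +495,7 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
 seccomp_install_filters();
-#endif
 if (set_sandbox_status)
 *set_sandbox_status = SANDBOX_DONE;
 execl(arg_audit_prog, arg_audit_prog, NULL);
@@ -536,9 +532,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
 seccomp_install_filters();
-#endif
+
 if (set_sandbox_status)
 *set_sandbox_status = SANDBOX_DONE;
 execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
@@ -591,9 +586,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
 seccomp_install_filters();
-#endif
+
 if (set_sandbox_status)
 *set_sandbox_status = SANDBOX_DONE;
 execvp(arg[0], arg);
@@ -797,7 +791,6 @@ int sandbox(void* sandbox_arg) {
 // - build seccomp filters
 // - create an empty /etc/ld.so.preload
 //****************************
-#ifdef HAVE_SECCOMP
 if (cfg.protocol) {
 if (arg_debug)
 printf("Build protocol filter: %s\n", cfg.protocol);
@@ -808,7 +801,6 @@ int sandbox(void* sandbox_arg) {
 if (rv)
 exit(rv);
 }
-#endif
 
 // need ld.so.preload if tracing or seccomp with any non-default lists
 bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
@@ -1107,7 +1099,6 @@ int sandbox(void* sandbox_arg) {
 save_cgroup();
 
 // set seccomp
-#ifdef HAVE_SECCOMP
 // install protocol filter
 #ifdef SYS_socket
 if (cfg.protocol) {
@@ -1151,7 +1142,6 @@ int sandbox(void* sandbox_arg) {
 // make seccomp filters read-only
 fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
 seccomp_debug();
-#endif
 
 // set capabilities
 set_caps();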
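--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
@@ -445,5 +444,3 @@ errexit:
 printf("Cannot access seccomp filter.\n");
 exit(1);
 }
-
-#endif // HAVE_SECCOMP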
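--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -123,10 +123,8 @@ static char *usage_str =
 " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
 " --machine-id - preserve /etc/machine-id\n"
-#ifdef HAVE_SECCOMP
 " --memory-deny-write-execute - seccomp filter to block attempts to create\n"
 "\tmemory mappings that are both writable and executable.\n"
-#endif
 #ifdef HAVE_NETWORK
 " --mtu=number - set interface MTU.\n"
 #endif
@@ -215,7 +213,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-#ifdef HAVE_SECCOMP
 " --seccomp - enable seccomp filter and apply the default blacklist.\n"
 " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
 "\tdefault syscall list and the syscalls specified by the command.\n"
@@ -229,7 +226,6 @@ static char *usage_str =
 " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
 " --seccomp-error-action=errno|kill|log - change error code, kill process\n"
 "\tor log the attempt.\n"
-#endif
 " --shell=none - run the program directly without a user shell.\n"
 " --shell=program - set default user shell.\n"
 " --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"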
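--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -96,24 +96,7 @@
 # define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#if HAVE_SECCOMP_H
 #include <linux/seccomp.h>
-#else
-#define SECCOMP_MODE_FILTER 2
-#define SECCOMP_RET_KILL 0x00000000U
-#define SECCOMP_RET_TRAP 0x00030000U
-#define SECCOMP_RET_ALLOW 0x7fff0000U
-#define SECCOMP_RET_ERRNO 0x00050000U
-#define SECCOMP_RET_DATA 0x0000ffffU
-
-struct seccomp_data {
-int nr;
-__u32 arch;
-__u64 instruction_pointer;
-__u64 args[6];
-};
-#endif
-
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG 0x7ffc0000U
 #endif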
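--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -230,6 +230,7 @@ static const SyscallGroupList sysgroups[] = {
 "@cpu-emulation,"
 "@debug,"
 "@module,"
+"@mount,"
 "@obsolete,"
 "@raw-io,"
 "@reboot,"
@@ -297,9 +298,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vmsplice
 "vmsplice,"
 #endif
-#ifdef SYS_umount
-"umount,"
-#endif
 #ifdef SYS_userfaultfd
 "userfaultfd,"
 #endif
@@ -309,27 +307,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_bpf
 "bpf,"
 #endif
-#ifdef SYS_chroot
-"chroot,"
-#endif
-#ifdef SYS_mount
-"mount,"
-#endif
 #ifdef SYS_nfsservctl
 "nfsservctl,"
 #endif
-#ifdef SYS_pivot_root
-"pivot_root,"
-#endif
 #ifdef SYS_setdomainname
 "setdomainname,"
 #endif
 #ifdef SYS_sethostname
 "sethostname,"
 #endif
-#ifdef SYS_umount2
-"umount2,"
-#endif
 #ifdef SYS_vhangup
 "vhangup"
 #endif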
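Review bot: Dropping chroot, mount, pivot_root, umount and umount2 from the group in the second and third hunks is only a no-op for the effective filter if every one of them is a member of the @mount group that the first hunk references at new line 233, and if the group that gains `"@mount,"` is reachable from wherever the group that lost them was used; neither group definition is visible in this section, so this should be checked against the @mount entry (and against etc/templates/syscalls.txt, which this commit also touches). Any entry missing from @mount means the default filter silently stops blocking that syscall with no warning at profile load. A comment on the added line, such as `"@mount," // chroot/mount/pivot_root/umount/umount2 moved here from the list below`, would make the intended move explicit for the next reader.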
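--- /dev/null
+++ b/src/man/Makefile.in
@@ -0,0 +1,17 @@
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+preproc: $(OBJS)
+$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+%.man: %.txt preproc
+./preproc $(MANFLAGS) $<
+
+clean:; rm -fr *.o preproc *.gcov *.gcda *.gcno *.plist *.man alldone
+
+distclean: clean
+rm -fr Makefile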
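Review bot: The `%.man: %.txt preproc` rule on line 11 never names `$@`: the output file is whatever `./preproc` derives from `$<`, so make is trusting the tool to write exactly `$*.man`, and with no `.DELETE_ON_ERROR:` a preproc failure part-way through a page leaves a truncated `.man` that is newer than its `.txt` and is treated as up to date on the next run. `all`, `clean` and `distclean` are also not declared phony, so a stray file with one of those names in src/man would silently disable the target. Adding `.PHONY: all clean distclean` and `.DELETE_ON_ERROR:` after the `all:` line covers both. `preproc: $(OBJS)` depends on `OBJS`, `H_FILE_LIST` and `MANFLAGS` coming from ../common.mk, which is not visible here; a one-line comment above the include naming that would help.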
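--- /dev/null
+++ b/src/man/preproc.c
@@ -0,0 +1,146 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define MAXBUF 4096
+#define MAXMACROS 64
+static char *macro[MAXMACROS] = {NULL};
+
+static void add_macro(char *m) {
+assert(m);
+int i;
+for (i = 0; i < MAXMACROS && macro[i]; i++);
+if (i == MAXMACROS) {
+fprintf(stderr, "Error: maximum number of marcros (%d) exceeded\n", MAXMACROS);
+exit(1);
+}
+
+macro[i] = m;
+}
+
+static char *find_macro(char *m) {
+assert(m);
+int i = 0;
+while (i < MAXMACROS && macro[i]) {
+if (strcmp(macro[i], m) == 0)
+return m;
+i++;
+}
+
+return NULL;
+}
+
+static void usage(void) {
+printf("Simple preprocessor for man pages. It supports:\n");
+printf("\t#if 0 ... #endif\n");
+printf("\t#ifdef macro ... #endif\n");
+printf("Usage: preproc [--help] [-Dmacro] manpage.txt\n");
+return;
+}
+
+
+int main(int argc, char **argv) {
+if (argc == 1) {
+fprintf(stderr, "Error: no files/arguments provided\n");
+usage();
+exit(1);
+}
+
+int i;
+for (i = 1; i < argc; i++) {
+if (strncmp(argv[i], "-D", 2) == 0)
+add_macro(argv[i] + 2);
+else if (strcmp(argv[i], "--help") == 0) {
+usage();
+return 0;
+}
+else if (*argv[i] == '-') {
+fprintf(stderr, "Error: invalid argument %s\n", argv[i]);
+exit(1);
+}
+else
+break;
+}
+
+char *ptr = strstr(argv[i], ".txt");
+if (!ptr || strlen(ptr) != 4) {
+fprintf(stderr, "Error: input file needs to have a .txt extension\n"),
+exit(1);
+}
+
+FILE *fp = fopen(argv[i], "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", argv[i]);
+exit(1);
+}
+char *outfile = strdup(argv[i]);
+if (!outfile)
+goto errout;
+ptr = strstr(outfile, ".txt");
+assert(ptr);
+strcpy(ptr, ".man");
+FILE *fpout = fopen(outfile, "w");
+if (!fpout)
+goto errout;
+
+char buf[MAXBUF];
+int disabled = 0;
+int enabled = 0;
+int line = 0;;
+while (fgets(buf, MAXBUF, fp)) {
+line++;
+if (disabled && strncmp(buf, "#if", 3) == 0) {
+fprintf(stderr, "Error %d: already in a #if block on line %d\n", __LINE__, line);
+exit(1);
+}
+if ((!disabled && !enabled) && strncmp(buf, "#endif", 6) == 0) {
+fprintf(stderr, "Error %d: unmatched #endif on line %d\n", __LINE__, line);
+exit(1);
+}
+
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+
+if (strncmp(buf, "#if 0", 5) == 0) {
+disabled = 1;
+continue;
+}
+if (strncmp(buf, "#ifdef", 6) == 0) {
+char *ptr = buf + 6;
+if (*ptr != ' ' && *ptr != '\t') {
+fprintf(stderr, "Error %d: invalid macro on line %d\n", __LINE__, line);
+exit(1);
+}
+
+while (*ptr == ' ' || *ptr == '\t')
+ptr++;
+
+if (!find_macro(ptr))
+disabled = 1;
+else
+enabled = 1;
+continue;
+}
+
+if (strncmp(buf, "#endif", 6) == 0) {
+disabled = 0;
+enabled = 1;
+continue;
+}
+
+if (!disabled) {
+// printf("%s\n", buf);
+fprintf(fpout, "%s\n", buf);
+}
+}
+fclose(fp);
+
+return 0;
+
+errout:
+fclose(fp);
+fprintf(stderr, "Error: cannot open output file\n");
+exit(1);
+}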
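Review bot: main() reads past the end of argv when every argument is a `-D` option: the loop on line 51 then finishes with `i == argc`, and `strstr(argv[i], ".txt")` on line 66 dereferences the NULL terminator, so a guard is needed between the loop and the extension check. The `#endif` handler on line 129 sets `enabled = 1` instead of clearing it, which makes the unmatched-`#endif` check on line 97 effective only until the first block closes (the flag is likewise never cleared after a defined `#ifdef`), and it also means a nested `#ifdef` inside an enabled block is accepted without diagnosis. Every `exit(1)` inside the parse loop leaves a truncated `.man` whose mtime is newer than the `.txt`, so a subsequent make treats the broken page as up to date; calling `remove(outfile)` on those paths, and checking the return of an explicit `fclose(fpout)`, avoids that. Line 68 ends in a comma rather than a semicolon and line 90 has a doubled one; both compile but read as typos.

```c
	// … unchanged: option-parsing loop …
	if (i >= argc) {
		fprintf(stderr, "Error: no input file provided\n");
		usage();
		exit(1);
	}
	// … unchanged: extension check, fopen, outfile construction, loop head …
		if (strncmp(buf, "#endif", 6) == 0) {
			disabled = 0;
			enabled = 0;	// block closed: a further #endif is unmatched again
			continue;
		}
```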
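--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -4,7 +4,7 @@
 # License GPL v2
 
 arr[1]="TEST 1: standard compilation"
-arr[2]="TEST 2: compile seccomp disabled"
+arr[2]="deprecated"
 arr[3]="TEST 3: compile chroot disabled"
 arr[4]="TEST 4: compile firetunnel disabled"
 arr[5]="TEST 5: compile user namespace disabled"
@@ -24,6 +24,8 @@ cleanup() {
 rm -f report*
 rm -fr firejail
 rm -f oc* om*
+rm -f output-configure
+rm -f output-make
 }
 
 print_title() {
@@ -74,23 +76,23 @@ cp output-make om1
 rm output-configure output-make
 
 
-#*****************************************************************
-# TEST 2
-#*****************************************************************
-# - disable seccomp configuration
-#*****************************************************************
-print_title "${arr[2]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test2
-grep Error output-configure output-make >> ./report-test2
-cp output-configure oc2
-cp output-make om2
-rm output-configure output-make
+##*****************************************************************
+## TEST 2
+##*****************************************************************
+## - disable seccomp configuration
+##*****************************************************************
+#print_title "${arr[2]}"
+## seccomp
+#cd firejail
+#make distclean
+#./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure
+#make -j4 2>&1 | tee ../output-make
+#cd ..
+#grep Warning output-configure output-make > ./report-test2
+#grep Error output-configure output-make >> ./report-test2
+#cp output-configure oc2
+#cp output-make om2
+#rm output-configure output-make
 
 #*****************************************************************
 # TEST 3
@@ -342,7 +344,7 @@ wc -l report-test*
 echo
 echo "Legend:"
 echo ${arr[1]}
-echo ${arr[2]}
+#echo ${arr[2]}
 echo ${arr[3]}
 echo ${arr[4]}
 echo ${arr[5]}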
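Review bot: TEST 2 is retired by commenting out its seventeen lines (new lines 79–95), leaving `arr[2]="deprecated"` on line 7 and a commented echo in the legend on line 347, rather than by deleting it; the old test remains in git history, so removing the block and the array slot keeps the script readable and stops the dead code drifting out of date. If the slot is kept so that later test numbers stay stable, a single comment in its place, such as `# TEST 2 removed: the --disable-seccomp configure option no longer exists`, says why a reader finds a gap (the configure change itself is outside this section, so confirm the wording against it). The two added cleanup lines could also be one `rm -f output-configure output-make`.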