-rw-r--r-- | Makefile.in | 2 | ||||
-rwxr-xr-x | configure | 492 | ||||
-rw-r--r-- | configure.ac | 23 | ||||
-rw-r--r-- | etc/firejail-default | 129 | ||||
-rw-r--r-- | src/firejail/Makefile.in | 6 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 12 | ||||
-rw-r--r-- | todo | 3 |
7 files changed, 438 insertions, 229 deletions
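--- a/Makefile.in
+++ b/Makefile.in
@@ -85,6 +85,8 @@ realinstall:
 	done
 	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 	rm -fr .etc
+	# install apparmor profile
+	sh -c "if [ -d /etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default /etc/apparmor.d/firejail-default; fi;"
 	# man pages
 	install -m 0755 -d $(DESTDIR)/$(mandir)/man1
 	install -m 0755 -d $(DESTDIR)/$(mandir)/man5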
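Review bot: The new install step writes the AppArmor profile to the absolute path `/etc/apparmor.d/firejail-default`, ignoring `$(DESTDIR)` unlike every other install line in this rule, so a staged or packaged build (`make install DESTDIR=...`) modifies the live host instead of the staging root; the `[ -d /etc/apparmor.d ]` test likewise inspects the build host rather than the target tree. Suggest `sh -c "if [ -d $(DESTDIR)/etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default $(DESTDIR)/etc/apparmor.d/firejail-default; fi;"`, or an unconditional `install -m 0755 -d $(DESTDIR)/etc/apparmor.d` followed by the copy so packagers get the file regardless of what exists on the build machine. The `realinstall` rule begins before this hunk.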
@@ -625,9 +625,6 @@ ac_includes_default="\ | |||
625 | ac_subst_vars='LTLIBOBJS | 625 | ac_subst_vars='LTLIBOBJS |
626 | LIBOBJS | 626 | LIBOBJS |
627 | HAVE_SECCOMP_H | 627 | HAVE_SECCOMP_H |
628 | EGREP | ||
629 | GREP | ||
630 | CPP | ||
631 | HAVE_FATAL_WARNINGS | 628 | HAVE_FATAL_WARNINGS |
632 | HAVE_WHITELIST | 629 | HAVE_WHITELIST |
633 | HAVE_FILE_TRANSFER | 630 | HAVE_FILE_TRANSFER |
@@ -638,6 +635,11 @@ HAVE_GLOBALCFG | |||
638 | HAVE_BIND | 635 | HAVE_BIND |
639 | HAVE_CHROOT | 636 | HAVE_CHROOT |
640 | HAVE_SECCOMP | 637 | HAVE_SECCOMP |
638 | EXTRA_LDFLAGS | ||
639 | EGREP | ||
640 | GREP | ||
641 | CPP | ||
642 | HAVE_APPARMOR | ||
641 | RANLIB | 643 | RANLIB |
642 | INSTALL_DATA | 644 | INSTALL_DATA |
643 | INSTALL_SCRIPT | 645 | INSTALL_SCRIPT |
@@ -690,6 +692,7 @@ SHELL' | |||
690 | ac_subst_files='' | 692 | ac_subst_files='' |
691 | ac_user_opts=' | 693 | ac_user_opts=' |
692 | enable_option_checking | 694 | enable_option_checking |
695 | enable_apparmor | ||
693 | enable_seccomp | 696 | enable_seccomp |
694 | enable_chroot | 697 | enable_chroot |
695 | enable_bind | 698 | enable_bind |
@@ -1319,6 +1322,7 @@ Optional Features: | |||
1319 | --disable-option-checking ignore unrecognized --enable/--with options | 1322 | --disable-option-checking ignore unrecognized --enable/--with options |
1320 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) | 1323 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) |
1321 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1324 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1325 | --enable-apparmor enable apparmor | ||
1322 | --disable-seccomp disable seccomp | 1326 | --disable-seccomp disable seccomp |
1323 | --disable-chroot disable chroot | 1327 | --disable-chroot disable chroot |
1324 | --disable-bind disable bind | 1328 | --disable-bind disable bind |
@@ -1462,52 +1466,6 @@ fi | |||
1462 | 1466 | ||
1463 | } # ac_fn_c_try_compile | 1467 | } # ac_fn_c_try_compile |
1464 | 1468 | ||
1465 | # ac_fn_c_try_link LINENO | ||
1466 | # ----------------------- | ||
1467 | # Try to link conftest.$ac_ext, and return whether this succeeded. | ||
1468 | ac_fn_c_try_link () | ||
1469 | { | ||
1470 | as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | ||
1471 | rm -f conftest.$ac_objext conftest$ac_exeext | ||
1472 | if { { ac_try="$ac_link" | ||
1473 | case "(($ac_try" in | ||
1474 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | ||
1475 | *) ac_try_echo=$ac_try;; | ||
1476 | esac | ||
1477 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | ||
1478 | $as_echo "$ac_try_echo"; } >&5 | ||
1479 | (eval "$ac_link") 2>conftest.err | ||
1480 | ac_status=$? | ||
1481 | if test -s conftest.err; then | ||
1482 | grep -v '^ *+' conftest.err >conftest.er1 | ||
1483 | cat conftest.er1 >&5 | ||
1484 | mv -f conftest.er1 conftest.err | ||
1485 | fi | ||
1486 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | ||
1487 | test $ac_status = 0; } && { | ||
1488 | test -z "$ac_c_werror_flag" || | ||
1489 | test ! -s conftest.err | ||
1490 | } && test -s conftest$ac_exeext && { | ||
1491 | test "$cross_compiling" = yes || | ||
1492 | test -x conftest$ac_exeext | ||
1493 | }; then : | ||
1494 | ac_retval=0 | ||
1495 | else | ||
1496 | $as_echo "$as_me: failed program was:" >&5 | ||
1497 | sed 's/^/| /' conftest.$ac_ext >&5 | ||
1498 | |||
1499 | ac_retval=1 | ||
1500 | fi | ||
1501 | # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information | ||
1502 | # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would | ||
1503 | # interfere with the next link command; also delete a directory that is | ||
1504 | # left behind by Apple's compiler. We do this before executing the actions. | ||
1505 | rm -rf conftest.dSYM conftest_ipa8_conftest.oo | ||
1506 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | ||
1507 | as_fn_set_status $ac_retval | ||
1508 | |||
1509 | } # ac_fn_c_try_link | ||
1510 | |||
1511 | # ac_fn_c_try_cpp LINENO | 1469 | # ac_fn_c_try_cpp LINENO |
1512 | # ---------------------- | 1470 | # ---------------------- |
1513 | # Try to preprocess conftest.$ac_ext, and return whether this succeeded. | 1471 | # Try to preprocess conftest.$ac_ext, and return whether this succeeded. |
@@ -1708,6 +1666,52 @@ $as_echo "$ac_res" >&6; } | |||
1708 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | 1666 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno |
1709 | 1667 | ||
1710 | } # ac_fn_c_check_header_compile | 1668 | } # ac_fn_c_check_header_compile |
1669 | |||
1670 | # ac_fn_c_try_link LINENO | ||
1671 | # ----------------------- | ||
1672 | # Try to link conftest.$ac_ext, and return whether this succeeded. | ||
1673 | ac_fn_c_try_link () | ||
1674 | { | ||
1675 | as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | ||
1676 | rm -f conftest.$ac_objext conftest$ac_exeext | ||
1677 | if { { ac_try="$ac_link" | ||
1678 | case "(($ac_try" in | ||
1679 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | ||
1680 | *) ac_try_echo=$ac_try;; | ||
1681 | esac | ||
1682 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | ||
1683 | $as_echo "$ac_try_echo"; } >&5 | ||
1684 | (eval "$ac_link") 2>conftest.err | ||
1685 | ac_status=$? | ||
1686 | if test -s conftest.err; then | ||
1687 | grep -v '^ *+' conftest.err >conftest.er1 | ||
1688 | cat conftest.er1 >&5 | ||
1689 | mv -f conftest.er1 conftest.err | ||
1690 | fi | ||
1691 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | ||
1692 | test $ac_status = 0; } && { | ||
1693 | test -z "$ac_c_werror_flag" || | ||
1694 | test ! -s conftest.err | ||
1695 | } && test -s conftest$ac_exeext && { | ||
1696 | test "$cross_compiling" = yes || | ||
1697 | test -x conftest$ac_exeext | ||
1698 | }; then : | ||
1699 | ac_retval=0 | ||
1700 | else | ||
1701 | $as_echo "$as_me: failed program was:" >&5 | ||
1702 | sed 's/^/| /' conftest.$ac_ext >&5 | ||
1703 | |||
1704 | ac_retval=1 | ||
1705 | fi | ||
1706 | # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information | ||
1707 | # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would | ||
1708 | # interfere with the next link command; also delete a directory that is | ||
1709 | # left behind by Apple's compiler. We do this before executing the actions. | ||
1710 | rm -rf conftest.dSYM conftest_ipa8_conftest.oo | ||
1711 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | ||
1712 | as_fn_set_status $ac_retval | ||
1713 | |||
1714 | } # ac_fn_c_try_link | ||
1711 | cat >config.log <<_ACEOF | 1715 | cat >config.log <<_ACEOF |
1712 | This file contains any messages produced by compilers while | 1716 | This file contains any messages produced by compilers while |
1713 | running configure, to aid debugging if configure makes a mistake. | 1717 | running configure, to aid debugging if configure makes a mistake. |
@@ -3069,189 +3073,23 @@ else | |||
3069 | fi | 3073 | fi |
3070 | 3074 | ||
3071 | 3075 | ||
3072 | HAVE_SECCOMP="" | 3076 | # Allow to build without apparmor support by calling: |
3073 | # Check whether --enable-seccomp was given. | 3077 | # ./configure --disable-apparmor |
3074 | if test "${enable_seccomp+set}" = set; then : | 3078 | # This makes it possible to run snaps in devmode on almost any host, |
3075 | enableval=$enable_seccomp; | 3079 | # regardless of the kernel version. |
3076 | fi | 3080 | HAVE_APPARMOR="" |
3077 | 3081 | # Check whether --enable-apparmor was given. | |
3078 | if test "x$enable_seccomp" != "xno"; then : | 3082 | if test "${enable_apparmor+set}" = set; then : |
3079 | 3083 | enableval=$enable_apparmor; | |
3080 | HAVE_SECCOMP="-DHAVE_SECCOMP" | ||
3081 | |||
3082 | |||
3083 | fi | ||
3084 | |||
3085 | HAVE_CHROOT="" | ||
3086 | # Check whether --enable-chroot was given. | ||
3087 | if test "${enable_chroot+set}" = set; then : | ||
3088 | enableval=$enable_chroot; | ||
3089 | fi | ||
3090 | |||
3091 | if test "x$enable_chroot" != "xno"; then : | ||
3092 | |||
3093 | HAVE_CHROOT="-DHAVE_CHROOT" | ||
3094 | |||
3095 | |||
3096 | fi | ||
3097 | |||
3098 | HAVE_BIND="" | ||
3099 | # Check whether --enable-bind was given. | ||
3100 | if test "${enable_bind+set}" = set; then : | ||
3101 | enableval=$enable_bind; | ||
3102 | fi | ||
3103 | |||
3104 | if test "x$enable_bind" != "xno"; then : | ||
3105 | |||
3106 | HAVE_BIND="-DHAVE_BIND" | ||
3107 | |||
3108 | |||
3109 | fi | ||
3110 | |||
3111 | HAVE_GLOBALCFG="" | ||
3112 | # Check whether --enable-globalcfg was given. | ||
3113 | if test "${enable_globalcfg+set}" = set; then : | ||
3114 | enableval=$enable_globalcfg; | ||
3115 | fi | ||
3116 | |||
3117 | if test "x$enable_globalcfg" != "xno"; then : | ||
3118 | |||
3119 | HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" | ||
3120 | |||
3121 | |||
3122 | fi | ||
3123 | |||
3124 | HAVE_NETWORK="" | ||
3125 | # Check whether --enable-network was given. | ||
3126 | if test "${enable_network+set}" = set; then : | ||
3127 | enableval=$enable_network; | ||
3128 | fi | ||
3129 | |||
3130 | # Check whether --enable-network was given. | ||
3131 | if test "${enable_network+set}" = set; then : | ||
3132 | enableval=$enable_network; | ||
3133 | fi | ||
3134 | |||
3135 | if test "x$enable_network" != "xno"; then : | ||
3136 | |||
3137 | HAVE_NETWORK="-DHAVE_NETWORK" | ||
3138 | if test "x$enable_network" = "xrestricted"; then : | ||
3139 | |||
3140 | HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" | ||
3141 | |||
3142 | fi | ||
3143 | |||
3144 | |||
3145 | fi | ||
3146 | |||
3147 | HAVE_USERNS="" | ||
3148 | # Check whether --enable-userns was given. | ||
3149 | if test "${enable_userns+set}" = set; then : | ||
3150 | enableval=$enable_userns; | ||
3151 | fi | ||
3152 | |||
3153 | if test "x$enable_userns" != "xno"; then : | ||
3154 | |||
3155 | HAVE_USERNS="-DHAVE_USERNS" | ||
3156 | |||
3157 | |||
3158 | fi | ||
3159 | |||
3160 | HAVE_X11="" | ||
3161 | # Check whether --enable-x11 was given. | ||
3162 | if test "${enable_x11+set}" = set; then : | ||
3163 | enableval=$enable_x11; | ||
3164 | fi | ||
3165 | |||
3166 | if test "x$enable_x11" != "xno"; then : | ||
3167 | |||
3168 | HAVE_X11="-DHAVE_X11" | ||
3169 | |||
3170 | |||
3171 | fi | ||
3172 | |||
3173 | HAVE_FILE_TRANSFER="" | ||
3174 | # Check whether --enable-file-transfer was given. | ||
3175 | if test "${enable_file_transfer+set}" = set; then : | ||
3176 | enableval=$enable_file_transfer; | ||
3177 | fi | ||
3178 | |||
3179 | if test "x$enable_file_transfer" != "xno"; then : | ||
3180 | |||
3181 | HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" | ||
3182 | |||
3183 | |||
3184 | fi | ||
3185 | |||
3186 | HAVE_WHITELIST="" | ||
3187 | # Check whether --enable-whitelist was given. | ||
3188 | if test "${enable_whitelist+set}" = set; then : | ||
3189 | enableval=$enable_whitelist; | ||
3190 | fi | ||
3191 | |||
3192 | if test "x$enable_whitelist" != "xno"; then : | ||
3193 | |||
3194 | HAVE_WHITELIST="-DHAVE_WHITELIST" | ||
3195 | |||
3196 | |||
3197 | fi | ||
3198 | |||
3199 | HAVE_FATAL_WARNINGS="" | ||
3200 | # Check whether --enable-fatal_warnings was given. | ||
3201 | if test "${enable_fatal_warnings+set}" = set; then : | ||
3202 | enableval=$enable_fatal_warnings; | ||
3203 | fi | ||
3204 | |||
3205 | if test "x$enable_fatal_warnings" = "xyes"; then : | ||
3206 | |||
3207 | HAVE_FATAL_WARNINGS="-W -Wall -Werror" | ||
3208 | |||
3209 | |||
3210 | fi | 3084 | fi |
3211 | 3085 | ||
3086 | if test "x$enable_apparmor" = "xyes"; then : | ||
3212 | 3087 | ||
3213 | # checking pthread library | 3088 | HAVE_APPARMOR="-DHAVE_APPARMOR" |
3214 | |||
3215 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | ||
3216 | $as_echo_n "checking for main in -lpthread... " >&6; } | ||
3217 | if ${ac_cv_lib_pthread_main+:} false; then : | ||
3218 | $as_echo_n "(cached) " >&6 | ||
3219 | else | ||
3220 | ac_check_lib_save_LIBS=$LIBS | ||
3221 | LIBS="-lpthread $LIBS" | ||
3222 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
3223 | /* end confdefs.h. */ | ||
3224 | 3089 | ||
3225 | 3090 | ||
3226 | int | ||
3227 | main () | ||
3228 | { | ||
3229 | return main (); | ||
3230 | ; | ||
3231 | return 0; | ||
3232 | } | ||
3233 | _ACEOF | ||
3234 | if ac_fn_c_try_link "$LINENO"; then : | ||
3235 | ac_cv_lib_pthread_main=yes | ||
3236 | else | ||
3237 | ac_cv_lib_pthread_main=no | ||
3238 | fi | 3091 | fi |
3239 | rm -f core conftest.err conftest.$ac_objext \ | ||
3240 | conftest$ac_exeext conftest.$ac_ext | ||
3241 | LIBS=$ac_check_lib_save_LIBS | ||
3242 | fi | ||
3243 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 | ||
3244 | $as_echo "$ac_cv_lib_pthread_main" >&6; } | ||
3245 | if test "x$ac_cv_lib_pthread_main" = xyes; then : | ||
3246 | cat >>confdefs.h <<_ACEOF | ||
3247 | #define HAVE_LIBPTHREAD 1 | ||
3248 | _ACEOF | ||
3249 | 3092 | ||
3250 | LIBS="-lpthread $LIBS" | ||
3251 | |||
3252 | else | ||
3253 | as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 | ||
3254 | fi | ||
3255 | 3093 | ||
3256 | ac_ext=c | 3094 | ac_ext=c |
3257 | ac_cpp='$CPP $CPPFLAGS' | 3095 | ac_cpp='$CPP $CPPFLAGS' |
@@ -3650,6 +3488,208 @@ fi | |||
3650 | done | 3488 | done |
3651 | 3489 | ||
3652 | 3490 | ||
3491 | if test "x$enable_apparmor" = "xyes"; then : | ||
3492 | |||
3493 | ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default" | ||
3494 | if test "x$ac_cv_header_sys_apparmor_h" = xyes; then : | ||
3495 | |||
3496 | else | ||
3497 | as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5 | ||
3498 | fi | ||
3499 | |||
3500 | |||
3501 | |||
3502 | fi | ||
3503 | if test "x$enable_apparmor" = "xyes"; then : | ||
3504 | |||
3505 | EXTRA_LDFLAGS="-lapparmor" | ||
3506 | |||
3507 | fi | ||
3508 | |||
3509 | |||
3510 | HAVE_SECCOMP="" | ||
3511 | # Check whether --enable-seccomp was given. | ||
3512 | if test "${enable_seccomp+set}" = set; then : | ||
3513 | enableval=$enable_seccomp; | ||
3514 | fi | ||
3515 | |||
3516 | if test "x$enable_seccomp" != "xno"; then : | ||
3517 | |||
3518 | HAVE_SECCOMP="-DHAVE_SECCOMP" | ||
3519 | |||
3520 | |||
3521 | fi | ||
3522 | |||
3523 | HAVE_CHROOT="" | ||
3524 | # Check whether --enable-chroot was given. | ||
3525 | if test "${enable_chroot+set}" = set; then : | ||
3526 | enableval=$enable_chroot; | ||
3527 | fi | ||
3528 | |||
3529 | if test "x$enable_chroot" != "xno"; then : | ||
3530 | |||
3531 | HAVE_CHROOT="-DHAVE_CHROOT" | ||
3532 | |||
3533 | |||
3534 | fi | ||
3535 | |||
3536 | HAVE_BIND="" | ||
3537 | # Check whether --enable-bind was given. | ||
3538 | if test "${enable_bind+set}" = set; then : | ||
3539 | enableval=$enable_bind; | ||
3540 | fi | ||
3541 | |||
3542 | if test "x$enable_bind" != "xno"; then : | ||
3543 | |||
3544 | HAVE_BIND="-DHAVE_BIND" | ||
3545 | |||
3546 | |||
3547 | fi | ||
3548 | |||
3549 | HAVE_GLOBALCFG="" | ||
3550 | # Check whether --enable-globalcfg was given. | ||
3551 | if test "${enable_globalcfg+set}" = set; then : | ||
3552 | enableval=$enable_globalcfg; | ||
3553 | fi | ||
3554 | |||
3555 | if test "x$enable_globalcfg" != "xno"; then : | ||
3556 | |||
3557 | HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" | ||
3558 | |||
3559 | |||
3560 | fi | ||
3561 | |||
3562 | HAVE_NETWORK="" | ||
3563 | # Check whether --enable-network was given. | ||
3564 | if test "${enable_network+set}" = set; then : | ||
3565 | enableval=$enable_network; | ||
3566 | fi | ||
3567 | |||
3568 | # Check whether --enable-network was given. | ||
3569 | if test "${enable_network+set}" = set; then : | ||
3570 | enableval=$enable_network; | ||
3571 | fi | ||
3572 | |||
3573 | if test "x$enable_network" != "xno"; then : | ||
3574 | |||
3575 | HAVE_NETWORK="-DHAVE_NETWORK" | ||
3576 | if test "x$enable_network" = "xrestricted"; then : | ||
3577 | |||
3578 | HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" | ||
3579 | |||
3580 | fi | ||
3581 | |||
3582 | |||
3583 | fi | ||
3584 | |||
3585 | HAVE_USERNS="" | ||
3586 | # Check whether --enable-userns was given. | ||
3587 | if test "${enable_userns+set}" = set; then : | ||
3588 | enableval=$enable_userns; | ||
3589 | fi | ||
3590 | |||
3591 | if test "x$enable_userns" != "xno"; then : | ||
3592 | |||
3593 | HAVE_USERNS="-DHAVE_USERNS" | ||
3594 | |||
3595 | |||
3596 | fi | ||
3597 | |||
3598 | HAVE_X11="" | ||
3599 | # Check whether --enable-x11 was given. | ||
3600 | if test "${enable_x11+set}" = set; then : | ||
3601 | enableval=$enable_x11; | ||
3602 | fi | ||
3603 | |||
3604 | if test "x$enable_x11" != "xno"; then : | ||
3605 | |||
3606 | HAVE_X11="-DHAVE_X11" | ||
3607 | |||
3608 | |||
3609 | fi | ||
3610 | |||
3611 | HAVE_FILE_TRANSFER="" | ||
3612 | # Check whether --enable-file-transfer was given. | ||
3613 | if test "${enable_file_transfer+set}" = set; then : | ||
3614 | enableval=$enable_file_transfer; | ||
3615 | fi | ||
3616 | |||
3617 | if test "x$enable_file_transfer" != "xno"; then : | ||
3618 | |||
3619 | HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" | ||
3620 | |||
3621 | |||
3622 | fi | ||
3623 | |||
3624 | HAVE_WHITELIST="" | ||
3625 | # Check whether --enable-whitelist was given. | ||
3626 | if test "${enable_whitelist+set}" = set; then : | ||
3627 | enableval=$enable_whitelist; | ||
3628 | fi | ||
3629 | |||
3630 | if test "x$enable_whitelist" != "xno"; then : | ||
3631 | |||
3632 | HAVE_WHITELIST="-DHAVE_WHITELIST" | ||
3633 | |||
3634 | |||
3635 | fi | ||
3636 | |||
3637 | HAVE_FATAL_WARNINGS="" | ||
3638 | # Check whether --enable-fatal_warnings was given. | ||
3639 | if test "${enable_fatal_warnings+set}" = set; then : | ||
3640 | enableval=$enable_fatal_warnings; | ||
3641 | fi | ||
3642 | |||
3643 | if test "x$enable_fatal_warnings" = "xyes"; then : | ||
3644 | |||
3645 | HAVE_FATAL_WARNINGS="-W -Wall -Werror" | ||
3646 | |||
3647 | |||
3648 | fi | ||
3649 | |||
3650 | |||
3651 | # checking pthread library | ||
3652 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | ||
3653 | $as_echo_n "checking for main in -lpthread... " >&6; } | ||
3654 | if ${ac_cv_lib_pthread_main+:} false; then : | ||
3655 | $as_echo_n "(cached) " >&6 | ||
3656 | else | ||
3657 | ac_check_lib_save_LIBS=$LIBS | ||
3658 | LIBS="-lpthread $LIBS" | ||
3659 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
3660 | /* end confdefs.h. */ | ||
3661 | |||
3662 | |||
3663 | int | ||
3664 | main () | ||
3665 | { | ||
3666 | return main (); | ||
3667 | ; | ||
3668 | return 0; | ||
3669 | } | ||
3670 | _ACEOF | ||
3671 | if ac_fn_c_try_link "$LINENO"; then : | ||
3672 | ac_cv_lib_pthread_main=yes | ||
3673 | else | ||
3674 | ac_cv_lib_pthread_main=no | ||
3675 | fi | ||
3676 | rm -f core conftest.err conftest.$ac_objext \ | ||
3677 | conftest$ac_exeext conftest.$ac_ext | ||
3678 | LIBS=$ac_check_lib_save_LIBS | ||
3679 | fi | ||
3680 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 | ||
3681 | $as_echo "$ac_cv_lib_pthread_main" >&6; } | ||
3682 | if test "x$ac_cv_lib_pthread_main" = xyes; then : | ||
3683 | cat >>confdefs.h <<_ACEOF | ||
3684 | #define HAVE_LIBPTHREAD 1 | ||
3685 | _ACEOF | ||
3686 | |||
3687 | LIBS="-lpthread $LIBS" | ||
3688 | |||
3689 | else | ||
3690 | as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 | ||
3691 | fi | ||
3692 | |||
3653 | ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" | 3693 | ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" |
3654 | if test "x$ac_cv_header_pthread_h" = xyes; then : | 3694 | if test "x$ac_cv_header_pthread_h" = xyes; then : |
3655 | 3695 | ||
@@ -4855,6 +4895,7 @@ echo " prefix: $prefix" | |||
4855 | echo " sysconfdir: $sysconfdir" | 4895 | echo " sysconfdir: $sysconfdir" |
4856 | echo " seccomp: $HAVE_SECCOMP" | 4896 | echo " seccomp: $HAVE_SECCOMP" |
4857 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | 4897 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" |
4898 | echo " apparmor: $HAVE_APPARMOR" | ||
4858 | echo " global config: $HAVE_GLOBALCFG" | 4899 | echo " global config: $HAVE_GLOBALCFG" |
4859 | echo " chroot: $HAVE_CHROOT" | 4900 | echo " chroot: $HAVE_CHROOT" |
4860 | echo " bind: $HAVE_BIND" | 4901 | echo " bind: $HAVE_BIND" |
@@ -4866,6 +4907,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" | |||
4866 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4907 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4867 | printf " uid_min: "; grep UID_MIN uids.h | 4908 | printf " uid_min: "; grep UID_MIN uids.h |
4868 | printf " gid_min: "; grep GID_MIN uids.h | 4909 | printf " gid_min: "; grep GID_MIN uids.h |
4910 | printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | ||
4869 | echo | 4911 | echo |
4870 | 4912 | ||
4871 | 4913 | ||
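--- a/configure.ac
+++ b/configure.ac
@@ -9,6 +9,27 @@ AC_PROG_CC
 AC_PROG_INSTALL
 AC_PROG_RANLIB
 
+# Allow to build without apparmor support by calling:
+# ./configure --disable-apparmor
+# This makes it possible to run snaps in devmode on almost any host,
+# regardless of the kernel version.
+HAVE_APPARMOR=""
+AC_ARG_ENABLE([apparmor],
+AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+HAVE_APPARMOR="-DHAVE_APPARMOR"
+AC_SUBST(HAVE_APPARMOR)
+])
+
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR(
+[Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )])
+])
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+EXTRA_LDFLAGS="-lapparmor"
+])
+AC_SUBST([EXTRA_LDFLAGS])
+
 HAVE_SECCOMP=""
 AC_ARG_ENABLE([seccomp],
 AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
@@ -117,6 +138,7 @@ echo " prefix: $prefix"
 echo " sysconfdir: $sysconfdir"
 echo " seccomp: $HAVE_SECCOMP"
 echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo " apparmor: $HAVE_APPARMOR"
 echo " global config: $HAVE_GLOBALCFG"
 echo " chroot: $HAVE_CHROOT"
 echo " bind: $HAVE_BIND"
@@ -128,6 +150,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 printf " uid_min: "; grep UID_MIN uids.h
 printf " gid_min: "; grep GID_MIN uids.h
+printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo
 
 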
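Review bot: The comment at the top of the new block says AppArmor support is dropped with `--disable-apparmor`, but the code only turns it on for `--enable-apparmor` (`test "x$enable_apparmor" = "xyes"`), so the default is off and the sentence about running snaps in devmode does not describe this project; suggest replacing the four comment lines with `# AppArmor support is off by default; enable it with ./configure --enable-apparmor`. Linking is then done with a hard-coded `EXTRA_LDFLAGS="-lapparmor"` after only a header check, so a host with the header but no usable library fails at link time instead of at configure time; `AC_CHECK_LIB([apparmor], [aa_change_onexec], [EXTRA_LDFLAGS="-lapparmor"], [AC_MSG_ERROR([libapparmor is required for --enable-apparmor])])` would verify the very symbol sandbox.c calls. The three `AS_IF` blocks test the same condition and read more clearly merged into one.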
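--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,129 @@
+#include <tunables/global>
+
+profile firejail-default {
+
+#####
+# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
+# need D-Bus functionality.
+#
+#dbus,
+
+#####
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+#
+/ r,
+/[^proc,^sys]** mrwlk,
+
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+/proc/@{pid}/ r,
+/proc/@{pid}/fd/ r,
+/proc/@{pid}/task/ r,
+/proc/@{pid}/cmdline r,
+/proc/@{pid}/comm r,
+/proc/@{pid}/stat r,
+/proc/@{pid}/statm r,
+/proc/@{pid}/status r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+
+/proc/@{pid}/maps r,
+/proc/@{pid}/mounts r,
+/proc/@{pid}/mountinfo r,
+/proc/@{pid}/oom_score_adj r,
+
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/user/**/dconf/ r,
+/{,var/}run/user/**/dconf/user r,
+
+#####
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+#
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/** ix,
+#/home/** ix,
+
+#####
+# Allow all networking functionality, and control it from Firejail.
+#
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+
+#####
+# There is no equivalent in Firejail for filtering signals.
+#
+signal,
+
+#####
+# Disable all capabilities. If you run your sandbox as root, you might need to
+# enable/uncomment some of them.
+#
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+
+#####
+# No mount/umount functionality when running as regular user.
+#
+mount,
+remount,
+umount,
+pivot_root,
+
+}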
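Review bot: The `capability ...` block and the `mount,`/`remount,`/`umount,`/`pivot_root,` block grant exactly what their comments say they disable: an unprefixed `capability chown,` or `mount,` rule is an allow rule in AppArmor, so listing every capability confines nothing in that area, and the comment "Disable all capabilities ... enable/uncomment some of them" only matches the profile if those lines are commented out the way `#dbus,` is (or written as `deny capability chown,`, and so on). The glob `/[^proc,^sys]** mrwlk,` likewise does not mean "everything but /proc and /sys": a bracket expression matches a single character, so the rule grants access to any path whose second character is not one of `p r o c , ^ s y` and silently withholds it from `/root`, `/run`, `/opt`, `/srv`, `/sbin` and similar. Because deny rules override allow rules, adding `deny /proc/** rwklx,` under a broad `/** mrwlk,` would also cancel the explicit `/proc/...` read lines above it; the unambiguous form is an alternation of the top-level directories the sandbox may use, e.g. `/{bin,boot,dev,etc,home,lib,lib64,opt,root,run,sbin,tmp,usr,var}/** mrwlk,` (a constructed list, to be adjusted), leaving /proc and /sys to the enumerated rules.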
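--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -18,19 +18,21 @@ HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
 HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
 	$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS)
+	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o firejail firejail.1 firejail.1.gz
 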
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0fd81979f..1502a0312 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -39,6 +39,9 @@ | |||
39 | # define PR_SET_NO_NEW_PRIVS 38 | 39 | # define PR_SET_NO_NEW_PRIVS 38 |
40 | #endif | 40 | #endif |
41 | 41 | ||
42 | #ifdef HAVE_APPARMOR | ||
43 | #include <sys/apparmor.h> | ||
44 | #endif | ||
42 | 45 | ||
43 | 46 | ||
44 | static int monitored_pid = 0; | 47 | static int monitored_pid = 0; |
@@ -392,6 +395,7 @@ int sandbox(void* sandbox_arg) { | |||
392 | if (arg_debug && child_pid == 1) | 395 | if (arg_debug && child_pid == 1) |
393 | printf("PID namespace installed\n"); | 396 | printf("PID namespace installed\n"); |
394 | 397 | ||
398 | |||
395 | //**************************** | 399 | //**************************** |
396 | // set hostname | 400 | // set hostname |
397 | //**************************** | 401 | //**************************** |
@@ -503,7 +507,6 @@ int sandbox(void* sandbox_arg) { | |||
503 | else | 507 | else |
504 | fs_basic_fs(); | 508 | fs_basic_fs(); |
505 | 509 | ||
506 | |||
507 | //**************************** | 510 | //**************************** |
508 | // set hostname in /etc/hostname | 511 | // set hostname in /etc/hostname |
509 | //**************************** | 512 | //**************************** |
@@ -798,8 +801,13 @@ int sandbox(void* sandbox_arg) { | |||
798 | pid_t app_pid = fork(); | 801 | pid_t app_pid = fork(); |
799 | if (app_pid == -1) | 802 | if (app_pid == -1) |
800 | errExit("fork"); | 803 | errExit("fork"); |
801 | 804 | ||
802 | if (app_pid == 0) { | 805 | if (app_pid == 0) { |
806 | #ifdef HAVE_APPARMOR | ||
807 | errno = 0; | ||
808 | if (aa_change_onexec("firejail-default")) | ||
809 | fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno); | ||
810 | #endif | ||
803 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 811 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died |
804 | start_application(); // start app | 812 | start_application(); // start app |
805 | } | 813 | } |
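Review bot: A failing `aa_change_onexec("firejail-default")` in the child only prints a warning and `start_application()` still runs, so a missing or unloaded profile degrades silently from "confined by AppArmor" to "no AppArmor at all" with nothing but a stderr line to show for it; for a build that opted in with `--enable-apparmor` this should fail closed, e.g. `if (aa_change_onexec("firejail-default") < 0) errExit("aa_change_onexec");`, and if a warning is kept it should report the cause with `strerror(errno)` rather than a bare number (the preceding `errno = 0;` is unnecessary since the return value already signals the error). The kernel may refuse an AppArmor domain transition for a process that already has no_new_privs set, and this file appears to use that flag (`PR_SET_NO_NEW_PRIVS` is defined just above the first hunk), so the ordering between that setup and this exec-time transition is worth confirming; that setup is outside the hunk, so this is an inference. The enclosing function `sandbox()` starts and ends outside the hunk.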
@@ -251,6 +251,7 @@ References | |||
251 | 23. AppArmor | 251 | 23. AppArmor |
252 | 252 | ||
253 | $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify | 253 | $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify |
254 | $ sudo apt-get install libapparmor-dev | ||
254 | 255 | ||
255 | $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub | 256 | $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub |
256 | $ sudo update-grub | 257 | $ sudo update-grub |
@@ -259,5 +260,7 @@ $ sudo reboot | |||
259 | If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. | 260 | If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. |
260 | $ sudo aa-notify -p -f /var/log/audit/audit.log | 261 | $ sudo aa-notify -p -f /var/log/audit/audit.log |
261 | 262 | ||
263 | /sys/module/apparmor/parameters/enabled | ||
264 | /sys/kernel/security/apparmor | ||
262 | 265 | ||
263 | 266 | ||