diff options
| -rw-r--r-- | README | 3 | ||||
| -rw-r--r-- | RELNOTES | 3 | ||||
| -rwxr-xr-x | configure | 12 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rwxr-xr-x | test/compile/compile.sh | 22 |
5 files changed, 40 insertions, 2 deletions
| @@ -18,6 +18,9 @@ License: GPL v2 | |||
| 18 | Firejail Authors: | 18 | Firejail Authors: |
| 19 | 19 | ||
| 20 | netblue30 (netblue30@yahoo.com) | 20 | netblue30 (netblue30@yahoo.com) |
| 21 | yumkam (https://github.com/yumkam) | ||
| 22 | - add compile-time option to restrict --net= to root only | ||
| 23 | - man page fixes | ||
| 21 | Vasya Novikov (https://github.com/vn971) | 24 | Vasya Novikov (https://github.com/vn971) |
| 22 | - Wesnoth profile | 25 | - Wesnoth profile |
| 23 | mahdi1234 (https://github.com/mahdi1234) | 26 | mahdi1234 (https://github.com/mahdi1234) |
| @@ -5,10 +5,11 @@ firejail (0.9.39) baseline; urgency=low | |||
| 5 | * added --nice option | 5 | * added --nice option |
| 6 | * addded mkdir profile command | 6 | * addded mkdir profile command |
| 7 | * --version also prints compile options | 7 | * --version also prints compile options |
| 8 | * added compile-time option to restrict --net= to root only | ||
| 8 | * build rpm packages using "make rpms" | 9 | * build rpm packages using "make rpms" |
| 9 | * new profiles: lxterminal, Epiphany, cherrytree, Polari | 10 | * new profiles: lxterminal, Epiphany, cherrytree, Polari |
| 10 | * bugfixes | 11 | * bugfixes |
| 11 | -- netblue30 <netblue30@yahoo.com> Tue, 8 Feb 2016 10:00:00 -0500 | 12 | -- netblue30 <netblue30@yahoo.com> Wed, 24 Feb 2016 10:00:00 -0500 |
| 12 | 13 | ||
| 13 | firejail (0.9.38) baseline; urgency=low | 14 | firejail (0.9.38) baseline; urgency=low |
| 14 | * IPv6 support (--ip6 and --netfilter6) | 15 | * IPv6 support (--ip6 and --netfilter6) |
| @@ -1317,6 +1317,8 @@ Optional Features: | |||
| 1317 | --disable-chroot disable chroot | 1317 | --disable-chroot disable chroot |
| 1318 | --disable-bind disable bind | 1318 | --disable-bind disable bind |
| 1319 | --disable-network disable network | 1319 | --disable-network disable network |
| 1320 | --enable-network=restricted | ||
| 1321 | restrict --net= to root only | ||
| 1320 | --disable-userns disable user namespace | 1322 | --disable-userns disable user namespace |
| 1321 | --disable-x11 disable X11 support | 1323 | --disable-x11 disable X11 support |
| 1322 | --enable-fatal-warnings -W -Wall -Werror | 1324 | --enable-fatal-warnings -W -Wall -Werror |
| @@ -3102,9 +3104,19 @@ if test "${enable_network+set}" = set; then : | |||
| 3102 | enableval=$enable_network; | 3104 | enableval=$enable_network; |
| 3103 | fi | 3105 | fi |
| 3104 | 3106 | ||
| 3107 | # Check whether --enable-network was given. | ||
| 3108 | if test "${enable_network+set}" = set; then : | ||
| 3109 | enableval=$enable_network; | ||
| 3110 | fi | ||
| 3111 | |||
| 3105 | if test "x$enable_network" != "xno"; then : | 3112 | if test "x$enable_network" != "xno"; then : |
| 3106 | 3113 | ||
| 3107 | HAVE_NETWORK="-DHAVE_NETWORK" | 3114 | HAVE_NETWORK="-DHAVE_NETWORK" |
| 3115 | if test "x$enable_network" = "xrestricted"; then : | ||
| 3116 | |||
| 3117 | HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" | ||
| 3118 | |||
| 3119 | fi | ||
| 3108 | 3120 | ||
| 3109 | 3121 | ||
| 3110 | fi | 3122 | fi |
diff --git a/configure.ac b/configure.ac index 9b717d333..512159568 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -36,6 +36,8 @@ AS_IF([test "x$enable_bind" != "xno"], [ | |||
| 36 | HAVE_NETWORK="" | 36 | HAVE_NETWORK="" |
| 37 | AC_ARG_ENABLE([network], | 37 | AC_ARG_ENABLE([network], |
| 38 | AS_HELP_STRING([--disable-network], [disable network])) | 38 | AS_HELP_STRING([--disable-network], [disable network])) |
| 39 | AC_ARG_ENABLE([network], | ||
| 40 | AS_HELP_STRING([--enable-network=restricted], [ restrict --net= to root only])) | ||
| 39 | AS_IF([test "x$enable_network" != "xno"], [ | 41 | AS_IF([test "x$enable_network" != "xno"], [ |
| 40 | HAVE_NETWORK="-DHAVE_NETWORK" | 42 | HAVE_NETWORK="-DHAVE_NETWORK" |
| 41 | AS_IF([test "x$enable_network" = "xrestricted"], [ | 43 | AS_IF([test "x$enable_network" = "xrestricted"], [ |
diff --git a/test/compile/compile.sh b/test/compile/compile.sh index d191b4d2b..40d37a990 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh | |||
| @@ -7,6 +7,7 @@ arr[4]="TEST 4: compile bind disabled" | |||
| 7 | arr[5]="TEST 5: compile user namespace disabled" | 7 | arr[5]="TEST 5: compile user namespace disabled" |
| 8 | arr[6]="TEST 6: compile network disabled" | 8 | arr[6]="TEST 6: compile network disabled" |
| 9 | arr[7]="TEST 7: compile X11 disabled" | 9 | arr[7]="TEST 7: compile X11 disabled" |
| 10 | arr[8]="TEST 8: compile network restricted" | ||
| 10 | 11 | ||
| 11 | 12 | ||
| 12 | # remove previous reports and output file | 13 | # remove previous reports and output file |
| @@ -153,7 +154,7 @@ rm output-configure output-make | |||
| 153 | # - disable X11 support | 154 | # - disable X11 support |
| 154 | # - check compilation | 155 | # - check compilation |
| 155 | #***************************************************************** | 156 | #***************************************************************** |
| 156 | print_title "${arr[6]}" | 157 | print_title "${arr[7]}" |
| 157 | # seccomp | 158 | # seccomp |
| 158 | cd firejail | 159 | cd firejail |
| 159 | make distclean | 160 | make distclean |
| @@ -166,6 +167,24 @@ rm output-configure output-make | |||
| 166 | 167 | ||
| 167 | 168 | ||
| 168 | #***************************************************************** | 169 | #***************************************************************** |
| 170 | # TEST 8 | ||
| 171 | #***************************************************************** | ||
| 172 | # - enable network restricted | ||
| 173 | # - check compilation | ||
| 174 | #***************************************************************** | ||
| 175 | print_title "${arr[8]}" | ||
| 176 | # seccomp | ||
| 177 | cd firejail | ||
| 178 | make distclean | ||
| 179 | ./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure | ||
| 180 | make -j4 2>&1 | tee ../output-make | ||
| 181 | cd .. | ||
| 182 | grep Warning output-configure output-make > ./report-test8 | ||
| 183 | grep Error output-configure output-make >> ./report-test8 | ||
| 184 | rm output-configure output-make | ||
| 185 | |||
| 186 | |||
| 187 | #***************************************************************** | ||
| 169 | # PRINT REPORTS | 188 | # PRINT REPORTS |
| 170 | #***************************************************************** | 189 | #***************************************************************** |
| 171 | echo | 190 | echo |
| @@ -186,3 +205,4 @@ echo ${arr[4]} | |||
| 186 | echo ${arr[5]} | 205 | echo ${arr[5]} |
| 187 | echo ${arr[6]} | 206 | echo ${arr[6]} |
| 188 | echo ${arr[7]} | 207 | echo ${arr[7]} |
| 208 | echo ${arr[8]} | ||