-rw-r--r--Makefile.in2
-rwxr-xr-xcontrib/update_src.sh11
-rwxr-xr-xsrc/fgit/fgit-install.sh20
-rw-r--r--src/fgit/fgit-uninstall.sh16
-rw-r--r--src/firejail/firejail.h4
-rw-r--r--src/firejail/git.c91
-rw-r--r--src/firejail/main.c7
7 files changed, 139 insertions, 12 deletions
diff --git a/Makefile.in b/Makefile.in
index fb6460dfd..7152019d4 100644
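--- a/Makefile.in
+++ b/Makefile.in
@@ -82,6 +82,8 @@ realinstall:
  install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.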
diff --git a/contrib/update_src.sh b/contrib/update_src.sh
deleted file mode 100755
index a61244c49..000000000
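--- a/contrib/update_src.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
-set -e
-git clone --depth=1 https://www.github.com/netblue30/firejail.git
-cd firejail
-./configure
-make
-sudo make install-strip
-echo "Firejail was updated!"
-cd ..
-rm -rf firejail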
diff --git a/src/fgit/fgit-install.sh b/src/fgit/fgit-install.sh
new file mode 100755
index 000000000..9e43559a1
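--- /dev/null
+++ b/src/fgit/fgit-install.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e # exit immediately if one of the commands fails
+cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure
+make
+sudo make install-strip
+echo "**********************************************************************"
+echo "Mainline git Firejail version was installed in /usr/local."
+echo "If you want to remove it, run"
+echo
+echo " firejail --git-uninstall"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail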
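Review bot: The clone on line 7 lands in the fixed path `/tmp/firejail`, which is only safe when the caller really has mounted a private tmpfs over /tmp; the script is installed with mode 0755 and can also be started directly, and then a pre-existing directory owned by another local user would be what `sudo make install-strip` builds and installs from. Creating the work directory with `workdir=$(mktemp -d)` followed by `cd "$workdir"` removes that dependency on the caller, and fgit-uninstall.sh has the same pattern. The clone also takes whatever mainline HEAD is at that moment, with no tag or signature check before the root install, which deserves at least a comment in the header.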
diff --git a/src/fgit/fgit-uninstall.sh b/src/fgit/fgit-uninstall.sh
new file mode 100644
index 000000000..9a370546d
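--- /dev/null
+++ b/src/fgit/fgit-uninstall.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e # exit immediately if one of the commands fails
+cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure
+sudo make uninstall
+echo "**********************************************************************"
+echo "Firejail mainline git version uninstalled from /usr/local"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail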
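Review bot: The header comment on line 2 was copied from the install script and still says the script fetches, compiles and installs firejail, while the body runs `sudo make uninstall`. I would change it to `# Purpose: Fetch the firejail source from GitHub and run "make uninstall" to remove a git-installed copy.` A second comment should say that the uninstall target comes from the current mainline checkout rather than from the version that was installed, so files added or renamed between the two may be left behind.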
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7e5412630..40d81f3aa 100644
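--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -720,5 +720,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 int sbox_run(unsigned filter, int num, ...);
 
 
+// git.c
+void git_install();
+void git_uninstall();
+
 #endif
 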
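Review bot: The two new declarations use empty parentheses, which in C declare functions with unspecified parameters rather than none, so a call with stray arguments would not be diagnosed; `void git_install(void);` and `void git_uninstall(void);` give real prototypes. A short comment that neither function returns would match the remark made at the call sites in main.c.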
diff --git a/src/firejail/git.c b/src/firejail/git.c
new file mode 100644
index 000000000..bacceba59
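--- /dev/null
+++ b/src/firejail/git.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/utsname.h>
+#include <sched.h>
+#include <sys/mount.h>
+
+// install a simple mount/pid namespace sandbox with a tmpfs on top of /tmp
+static void sbox_ns(void) {
+ if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0)
+ errExit("unshare");
+
+ if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0)
+ errExit("mount");
+}
+
+void git_install() {
+ // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
+ EUID_ASSERT();
+ EUID_ROOT();
+
+ // install a mount namespace with a tmpfs on top of /tmp
+ sbox_ns();
+
+ // drop privileges
+ if (setgid(getgid()) < 0)
+ errExit("setgid/getgid");
+ if (setuid(getuid()) < 0)
+ errExit("setuid/getuid");
+ assert(getenv("LD_PRELOAD") == NULL);
+
+ printf("Running as "); fflush(0);
+ int rv = system("whoami");
+ (void) rv;
+ printf("/tmp directory: "); fflush(0);
+ rv = system("ls -l /tmp");
+ (void) rv;
+
+ // run command
+ const char *cmd = LIBDIR "/firejail/fgit-install.sh";
+ rv = system(cmd);
+ (void) rv;
+ exit(0);
+}
+
+void git_uninstall() {
+ // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
+ EUID_ASSERT();
+ EUID_ROOT();
+
+ // install a mount namespace with a tmpfs on top of /tmp
+ sbox_ns();
+
+ // drop privileges
+ if (setgid(getgid()) < 0)
+ errExit("setgid/getgid");
+ if (setuid(getuid()) < 0)
+ errExit("setuid/getuid");
+ assert(getenv("LD_PRELOAD") == NULL);
+
+ printf("Running as "); fflush(0);
+ int rv = system("whoami");
+ (void) rv;
+ printf("/tmp directory: "); fflush(0);
+ rv = system("ls -l /tmp");
+ (void) rv;
+
+ // run command
+ const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh";
+ rv = system(cmd);
+ (void) rv;
+ exit(0);
+}
+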
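Review bot: sbox_ns() mounts the tmpfs right after `unshare(CLONE_NEWNS | CLONE_NEWIPC)` without changing mount propagation, so on hosts where / is a shared mount (which I believe is the usual systemd setup) the new /tmp mount can propagate back into the host namespace; adding `if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) errExit("mount slave");` before the tmpfs mount keeps it local, and the tmpfs itself could take `MS_NOSUID | MS_NODEV`. The comment above sbox_ns() says mount/pid namespace while the flags create mount and IPC namespaces. In git_install() and git_uninstall() the status returned by `system(cmd)` is discarded and the process always ends with `exit(0)`, so a failed build or uninstall is reported as success. The LD_PRELOAD test is an `assert`, which disappears when the build defines NDEBUG, and the redirect comment in git_uninstall() still names fgit-install.sh.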
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7c6568903..ee89a7281 100644
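--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -846,10 +846,15 @@ int main(int argc, char **argv) {
  EUID_INIT();
  EUID_USER();
 
+ // process git-install and git-uninstall
+ if (check_arg(argc, argv, "--git-install"))
+ git_install(); // this function will not return
+ if (check_arg(argc, argv, "--git-uninstall"))
+ git_uninstall(); // this function will not return
 
  // check argv[0] symlink wrapper if this is not a login shell
  if (*argv[0] != '-')
- run_symlink(argc, argv);
+ run_symlink(argc, argv); // this function will not return
 
  // check if we already have a sandbox running
  // If LXC is detected, start firejail sandbox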
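Review bot: The two new checks run before the argv[0] symlink-wrapper test, so if check_arg() scans every argument (its definition is outside this hunk) a `--git-install` meant for a wrapped program, or given after the program name on a normal command line, would start a source build instead of the sandbox. Restricting the match to the first option, for example `if (argc == 2 && strcmp(argv[1], "--git-install") == 0)`, and placing both checks after the `run_symlink()` test would avoid that. main()'s body continues outside the hunk.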