From ccf7230e0b4e74d21ba9030793b4486250d30507 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 20 Aug 2016 07:54:20 -0400 Subject: compile time config option for overlayfs --- configure | 17 +++++++++++++++++ configure.ac | 9 +++++++++ src/firejail/Makefile.in | 3 ++- src/firejail/checkcfg.c | 8 ++++++++ src/firejail/fs.c | 3 ++- src/firejail/main.c | 4 ++++ src/firejail/sandbox.c | 2 ++ src/firejail/x11.c | 22 ++++++++++++---------- src/lib/common.c | 2 +- test/dist-compile/compile.sh | 39 +++++++++++++++++++++++---------------- 10 files changed, 80 insertions(+), 29 deletions(-) diff --git a/configure b/configure index 29792969c..5505b01c2 100755 --- a/configure +++ b/configure @@ -636,6 +636,7 @@ HAVE_GLOBALCFG HAVE_BIND HAVE_CHROOT HAVE_SECCOMP +HAVE_OVERLAYFS EXTRA_LDFLAGS EGREP GREP @@ -694,6 +695,7 @@ ac_subst_files='' ac_user_opts=' enable_option_checking enable_apparmor +enable_overlayfs enable_seccomp enable_chroot enable_bind @@ -1325,6 +1327,7 @@ Optional Features: --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-apparmor enable apparmor + --disable-overlayfs disable overlayfs --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind @@ -3511,6 +3514,19 @@ if test "x$enable_apparmor" = "xyes"; then : fi +HAVE_OVERLAYFS="" +# Check whether --enable-overlayfs was given. +if test "${enable_overlayfs+set}" = set; then : + enableval=$enable_overlayfs; +fi + +if test "x$enable_overlayfs" != "xno"; then : + + HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" + + +fi + HAVE_SECCOMP="" # Check whether --enable-seccomp was given. if test "${enable_seccomp+set}" = set; then : 
@@ -4922,6 +4938,7 @@ echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" +echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" printf " uid_min: "; grep UID_MIN uids.h diff --git a/configure.ac b/configure.ac index 149f76eae..2a5bd5e54 100644 --- a/configure.ac +++ b/configure.ac @@ -30,6 +30,14 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ ]) AC_SUBST([EXTRA_LDFLAGS]) +HAVE_OVERLAYFS="" +AC_ARG_ENABLE([overlayfs], + AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) +AS_IF([test "x$enable_overlayfs" != "xno"], [ + HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" + AC_SUBST(HAVE_OVERLAYFS) +]) + HAVE_SECCOMP="" AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [disable seccomp])) @@ -156,6 +164,7 @@ echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" +echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" printf " uid_min: "; grep UID_MIN uids.h diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 15253b5ab..f56137308 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
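Review bot: `AC_SUBST(HAVE_OVERLAYFS)` is placed inside the `AS_IF` body in the configure.ac hunk at -30, which reads as if the variable were only substituted when overlayfs is enabled. The registration is unconditional, as the generated configure shows by listing HAVE_OVERLAYFS among its substitution variables regardless of the option. Moving it after the `AS_IF` and quoting it like the line above, `AC_SUBST([HAVE_OVERLAYFS])`, matches `AC_SUBST([EXTRA_LDFLAGS])` and makes the intent clear.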
@@ -19,13 +19,14 @@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ HAVE_WHITELIST=@HAVE_WHITELIST@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ HAVE_APPARMOR=@HAVE_APPARMOR@ +HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 019b54773..f5ea7439b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -272,6 +272,14 @@ void print_compiletime_support(void) { #endif ); + printf("\t- overlayfs support is %s\n", +#ifdef HAVE_OVERLAYFS + "enabled" +#else + "disabled" +#endif + ); + printf("\t- file and directory whitelisting support is %s\n", #ifdef HAVE_WHITELIST "enabled" diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 63ffa8bff..ddb25c2dd 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -815,6 +815,7 @@ void fs_basic_fs(void) { +#ifdef HAVE_OVERLAYFS char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { // create ~/.firejail directory struct stat s; @@ -1121,7 +1122,7 @@ void fs_overlayfs(void) { free(oroot); free(odiff); } - +#endif #ifdef HAVE_CHROOT diff --git a/src/firejail/main.c b/src/firejail/main.c index 8e18ec724..c366390cc 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -264,6 +264,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { printf("\n"); exit(0); } +#ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay-clean") == 0) { char *path; if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) @@ -281,6 +282,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } exit(0); } +#endif #ifdef HAVE_X11 else if (strcmp(argv[i], "--x11") == 0) { if (checkcfg(CFG_X11)) { @@ -1279,6 +1281,7 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } +#ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay") == 0) { if (cfg.chrootdir) { fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); @@ -1353,6 +1356,7 @@ int main(int argc, char **argv) { } arg_overlay = 1; } +#endif else if (strncmp(argv[i], "--profile=", 10) == 0) { if (arg_noprofile) { fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c40ff1d03..a33c81937 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -500,9 +500,11 @@ int sandbox(void* sandbox_arg) { } else #endif +#ifdef HAVE_OVERLAYFS if (arg_overlay) fs_overlayfs(); else +#endif fs_basic_fs(); //**************************** diff --git a/src/firejail/x11.c b/src/firejail/x11.c index ed6fa3741..3d0918b2c 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
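Review bot: The `#ifdef HAVE_OVERLAYFS` opened in the fs.c hunk at -815 is closed roughly 300 lines later (hunk at -1121) by a bare `#endif` that sits directly above `#ifdef HAVE_CHROOT`. Annotating it as `#endif // HAVE_OVERLAYFS` would make it clear which guard ends there. The commit also removes the blank line that separated the two regions, so keeping one empty line after the `#endif` would help readability. fs_check_overlay_dir and fs_overlayfs both extend outside these hunks.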
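Review bot: With the `--overlay` handling compiled out (main.c hunks at -1279 and -1353), the option falls through to the end of the `else if` chain in main(), which is outside the hunk. The user then gets whatever generic message that path produces instead of being told the feature was disabled at build time. An `#else` branch such as `else if (strncmp(argv[i], "--overlay", 9) == 0) { fprintf(stderr, "Error: overlayfs support is not compiled in\n"); exit(1); }` would make the refusal explicit. The same applies to `--overlay-clean` in run_cmd_and_exit (hunks at -264 and -281).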
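Review bot: When HAVE_OVERLAYFS is undefined, the `if (arg_overlay)` test in the sandbox.c hunk disappears and the sandbox silently falls back to `fs_basic_fs()`. Any path that still sets `arg_overlay` would then run the program on the real filesystem while the user expects an overlay. Profile handling is not part of this diff, so whether a profile line can still set the flag in such a build should be confirmed. Failing closed is safer: add an `#else` arm with `if (arg_overlay) { fprintf(stderr, "Error: overlayfs support is not compiled in\n"); exit(1); } else` before the `#endif`. sandbox() starts and ends outside the hunk.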
@@ -26,6 +26,7 @@ #include #include #include +#include #ifdef HAVE_X11 // return 1 if xpra is installed on the system @@ -163,7 +164,7 @@ void fs_x11(void) { //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox void x11_start_xephyr(int argc, char **argv) { EUID_ASSERT(); - size_t i; + int i; struct stat s; pid_t jail = 0; pid_t server = 0; @@ -204,12 +205,12 @@ void x11_start_xephyr(int argc, char **argv) { // parse xephyr_extra_params // very basic quoting support char *temp = strdup(xephyr_extra_params); - if (xephyr_extra_params != "") { + if (*xephyr_extra_params != '\0') { if (!temp) errExit("strdup"); bool dquote = false; bool squote = false; - for (i = 0; i < strlen(xephyr_extra_params); i++) { + for (i = 0; i < (int) strlen(xephyr_extra_params); i++) { if (temp[i] == '\"') { dquote = !dquote; if (dquote) temp[i] = '\0'; // replace closing quote by \0 @@ -229,7 +230,7 @@ void x11_start_xephyr(int argc, char **argv) { exit(1); } - for (i = 0; i < strlen(xephyr_extra_params)-1; i++) { + for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) { if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) { fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n"); exit(1); @@ -257,7 +258,7 @@ void x11_start_xephyr(int argc, char **argv) { // remove --x11 arg char *jail_argv[argc+2]; - size_t j = 0; + int j = 0; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "--x11") == 0) continue; @@ -359,7 +360,7 @@ void x11_start_xephyr(int argc, char **argv) { void x11_start_xpra(int argc, char **argv) { EUID_ASSERT(); - size_t i; + int i; struct stat s; pid_t client = 0; pid_t server = 0; @@ -464,7 +465,7 @@ void x11_start_xpra(int argc, char **argv) { // build jail command char *firejail_argv[argc+2]; - unsigned pos = 0; + int pos = 0; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "--x11") == 0) continue; 
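Review bot: Casting `strlen()` to `int` in the two `xephyr_extra_params` loops (hunks at -204 and -229) silences the sign-compare warning by narrowing the length, and the length is still recomputed on every iteration. Taking it once with `size_t len = strlen(xephyr_extra_params);` and looping with a `size_t` index, with `k + 1 < len` as the bound of the second loop, keeps the comparison exact. It also avoids the wrap-around that `strlen(...)-1` had with an unsigned index on an empty string. `int i` can stay for the `argc` loops. x11_start_xephyr starts and ends outside these hunks.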
@@ -477,7 +478,7 @@ void x11_start_xpra(int argc, char **argv) { } firejail_argv[pos] = NULL; - assert(pos < argc+2); + assert(pos < (argc+2)); assert(!firejail_argv[pos]); // start jail @@ -524,12 +525,13 @@ void x11_start_xpra(int argc, char **argv) { break; } - if (arg_debug) + if (arg_debug) { if (n == 10) printf("failed to stop xpra server gratefully\n"); else printf("xpra server successfully stoped in %d secs\n", n); - + } + // kill xpra server and xpra client kill(client, SIGTERM); kill(server, SIGTERM); diff --git a/src/lib/common.c b/src/lib/common.c index fe5c62536..acb6bd3b4 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -241,7 +241,7 @@ int pid_proc_cmdline_x11(const pid_t pid) { i++; if (i >= len) break; - char *arg = buffer + i; + char *arg = (char *)buffer + i; // detect the last command line option if (strcmp(arg, "--") == 0) diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh index f762b457d..76a7162b7 100755 --- a/test/dist-compile/compile.sh +++ b/test/dist-compile/compile.sh @@ -12,7 +12,8 @@ arr[9]="TEST 9: compile file transfer disabled" arr[10]="TEST 10: compile disable whitelist" arr[11]="TEST 11: compile disable global config" arr[12]="TEST 12: compile apparmor" -arr[12]="TEST 13: compile busybox" +arr[13]="TEST 13: compile busybox" +arr[14]="TEST 14: compile overlayfs disabled" # remove previous reports and output file cleanup() { @@ -52,8 +53,6 @@ cleanup # TEST 1 #***************************************************************** # - checkout source code -# - check compilation -# - install #***************************************************************** print_title "${arr[1]}" echo "$DIST" @@ -75,7 +74,6 @@ rm output-configure output-make # TEST 2 #***************************************************************** # - disable seccomp configuration -# - check compilation #***************************************************************** print_title "${arr[2]}" # seccomp 
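Review bot: In the x11.c hunk at -477, `assert(pos < (argc+2))` runs only after `firejail_argv[pos] = NULL` has already been stored, so it cannot prevent an out-of-bounds write. The following `assert(!firejail_argv[pos])` is always true right after that assignment. If the bound is meant as a guard, it should precede the store as a runtime check, for example `if (pos >= argc + 2) { fprintf(stderr, "Error: arg count limit exceeded\n"); exit(1); }`. The code that fills the array between the loop and this point is outside the hunk, so whether the limit can actually be reached should be confirmed there.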
@@ -94,7 +92,6 @@ rm output-configure output-make # TEST 3 #***************************************************************** # - disable chroot configuration -# - check compilation #***************************************************************** print_title "${arr[3]}" # seccomp @@ -113,7 +110,6 @@ rm output-configure output-make # TEST 4 #***************************************************************** # - disable bind configuration -# - check compilation #***************************************************************** print_title "${arr[4]}" # seccomp @@ -132,7 +128,6 @@ rm output-configure output-make # TEST 5 #***************************************************************** # - disable user namespace configuration -# - check compilation #***************************************************************** print_title "${arr[5]}" # seccomp @@ -170,7 +165,6 @@ rm output-configure output-make # TEST 7 #***************************************************************** # - disable X11 support -# - check compilation #***************************************************************** print_title "${arr[7]}" # seccomp @@ -190,7 +184,6 @@ rm output-configure output-make # TEST 8 #***************************************************************** # - enable network restricted -# - check compilation #***************************************************************** print_title "${arr[8]}" # seccomp @@ -210,7 +203,6 @@ rm output-configure output-make # TEST 9 #***************************************************************** # - disable file transfer -# - check compilation #***************************************************************** print_title "${arr[9]}" # seccomp @@ -229,7 +221,6 @@ rm output-configure output-make # TEST 10 #***************************************************************** # - disable whitelist -# - check compilation #***************************************************************** print_title "${arr[10]}" # seccomp 
@@ -248,7 +239,6 @@ rm output-configure output-make # TEST 11 #***************************************************************** # - disable global config -# - check compilation #***************************************************************** print_title "${arr[11]}" # seccomp @@ -267,9 +257,8 @@ rm output-configure output-make # TEST 12 #***************************************************************** # - enable apparmor -# - check compilation #***************************************************************** -print_title "${arr[11]}" +print_title "${arr[12]}" # seccomp cd firejail make distclean @@ -286,9 +275,8 @@ rm output-configure output-make # TEST 13 #***************************************************************** # - enable busybox workaround -# - check compilation #***************************************************************** -print_title "${arr[11]}" +print_title "${arr[13]}" # seccomp cd firejail make distclean @@ -301,6 +289,24 @@ cp output-configure oc13 cp output-make om13 rm output-configure output-make +#***************************************************************** +# TEST 14 +#***************************************************************** +# - disable overlayfs +#***************************************************************** +print_title "${arr[14]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test14 +grep Error output-configure output-make >> ./report-test14 +cp output-configure oc14 +cp output-make om14 +rm output-configure output-make + #***************************************************************** # PRINT REPORTS @@ -329,3 +335,4 @@ echo ${arr[10]} echo ${arr[11]} echo ${arr[12]} echo ${arr[13]} +echo ${arr[14]} -- cgit v1.2.3-54-g00ecf
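Review bot: The new TEST 14 block (hunk at -301) keeps the `# seccomp` comment copied from the earlier tests; it should read `# overlayfs`. The block also judges the build only by grepping the logs for `Warning` and `Error`, because piping `./configure` and `make` into `tee` discards their exit status. That matches the other tests, but a failed `make` whose output lacks those words would produce an empty report. Recording the exit status, for instance via `${PIPESTATUS[0]}` right after each pipeline, would close that gap.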