From d1acb31c9714fe503082a890f1754f2026e71ee5 Mon Sep 17 00:00:00 2001
From: startx2017
Date: Sun, 28 Feb 2021 10:26:08 -0500
Subject: compile time: enable LTS

---
 configure | 100 +++++++++++++++++++++++++++++++++++++++++++++------
 configure.ac | 86 +++++++++++++++++++++++++++++++++++++++-----
 src/common.mk.in | 3 +-
 src/man/firejail.txt | 9 +++++
 4 files changed, 178 insertions(+), 20 deletions(-)

diff --git a/configure b/configure
index fc8048ffb..952f7af9b 100755
--- a/configure
+++ b/configure
@@ -627,7 +627,7 @@ LIBOBJS
 EGREP
 GREP
 CPP
-HAVE_SELINUX
+HAVE_LTS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
@@ -650,6 +650,7 @@ HAVE_OVERLAYFS
 HAVE_DBUSPROXY
 EXTRA_LDFLAGS
 EXTRA_CFLAGS
+HAVE_SELINUX
 HAVE_APPARMOR
 AA_LIBS
 AA_CFLAGS
@@ -711,6 +712,7 @@ ac_user_opts='
 enable_option_checking
 enable_analyzer
 enable_apparmor
+enable_selinux
 enable_dbusproxy
 enable_output
 enable_usertmpfs
@@ -729,7 +731,7 @@ enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
 enable_contrib_install
-enable_selinux
+enable_lts
 '
 ac_precious_vars='build_alias
 host_alias
@@ -1367,6 +1369,7 @@ Optional Features:
 --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
 --enable-analyzer enable GCC 10 static analyzer
 --enable-apparmor enable apparmor
+ --enable-selinux SELinux labeling support
 --disable-dbusproxy disable dbus proxy
 --disable-output disable --output logging
 --disable-usertmpfs disable tmpfs as regular user
@@ -1388,7 +1391,7 @@ Optional Features:
 --enable-gcov Gcov instrumentation
 --enable-contrib-install
 install contrib scripts
- --enable-selinux SELinux labeling support
+ --enable-lts enable long-term support software version (LTS)
 
 Some influential environment variables:
 CC C compiler command
@@ -3514,6 +3517,20 @@ fi
 fi
+HAVE_SELINUX=""
+# Check whether --enable-selinux was given.
+if test "${enable_selinux+set}" = set; then :
+ enableval=$enable_selinux;
+fi
+
+if test "x$enable_selinux" = "xyes"; then :
+
+ HAVE_SELINUX="-DHAVE_SELINUX"
+ EXTRA_LDFLAGS+=" -lselinux "
+
+
+fi
+
@@ -3808,20 +3825,67 @@ else
 fi
-HAVE_SELINUX=""
-# Check whether --enable-selinux was given.
-if test "${enable_selinux+set}" = set; then :
- enableval=$enable_selinux;
+HAVE_LTS=""
+# Check whether --enable-lts was given.
+if test "${enable_lts+set}" = set; then :
+ enableval=$enable_lts;
 fi
-if test "x$enable_selinux" = "xyes"; then :
+if test "x$enable_lts" = "xyes"; then :
+
+ HAVE_LTS="-DHAVE_LTS"
+
+
+ HAVE_DBUSPROXY=""
+
+
+ HAVE_OVERLAYFS=""
+
+
+ HAVE_OUTPUT=""
- HAVE_SELINUX="-DHAVE_SELINUX"
- EXTRA_LDFLAGS+=" -lselinux "
+
+ HAVE_USERTMPFS=""
+
+
+ HAVE_MAN="-DHAVE_MAN"
+
+
+ HAVE_FIRETUNNEL=""
+
+
+ HAVE_PRIVATEHOME=""
+
+
+ HAVE_CHROOT=""
+
+
+ HAVE_GLOBALCFG=""
+
+
+ HAVE_USERNS=""
+
+
+ HAVE_X11=""
+
+
+ HAVE_FILE_TRANSFER=""
+
+
+ HAVE_SUID="yes"
+
+
+ BUSYBOX_WORKAROUND="no"
+
+
+ HAVE_CONTRIB_INSTALL="no",
 fi
+
+
+
 # checking pthread library
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
 $as_echo_n "checking for main in -lpthread... " >&6; }
@@ -5485,6 +5549,7 @@ echo "Configuration options:"
 echo " prefix: $prefix"
 echo " sysconfdir: $sysconfdir"
 echo " apparmor: $HAVE_APPARMOR"
+echo " SELinux labeling support: $HAVE_SELINUX"
 echo " global config: $HAVE_GLOBALCFG"
 echo " chroot: $HAVE_CHROOT"
 echo " network: $HAVE_NETWORK"
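Review bot: The generated LTS block in the `@@ -3808,20 +3825,67 @@` hunk carries two defects that come straight from configure.ac: `HAVE_PRIVATEHOME=""` assigns a variable that nothing substitutes (common.mk.in reads `@HAVE_PRIVATE_HOME@`, so under --enable-lts the private-home feature presumably keeps whatever value the earlier option handling produced), and `HAVE_CONTRIB_INSTALL="no",` keeps the trailing comma after quote removal, so the substituted value is `no,` rather than `no`. Because configure is generated, fix the source in configure.ac and regenerate with autoreconf instead of hand-editing; the regenerated lines should read `HAVE_PRIVATE_HOME=""` and `HAVE_CONTRIB_INSTALL="no"`. Note that this block runs after all the other --enable/--disable handling and silently replaces the user's choices, which is what the banner added further down is meant to explain, so keep the ordering when regenerating.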
@@ -5506,6 +5571,19 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo " SELinux labeling support: $HAVE_SELINUX"
 echo " Install as a SUID executable: $HAVE_SUID"
+echo " LTS: $HAVE_LTS"
 echo
+
+
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+ echo
+ echo
+ echo "*********************************************************"
+ echo "* Warning: Long-term support (LTS) was enabled! *"
+ echo "* Most compile-time options have bean rewritten! *"
+ echo "*********************************************************"
+ echo
+ echo
+fi
+
diff --git a/configure.ac b/configure.ac
index 0556da374..449b8b436 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,15 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [
 AC_SUBST(HAVE_APPARMOR)
 ])
+HAVE_SELINUX=""
+AC_ARG_ENABLE([selinux],
+ AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
+AS_IF([test "x$enable_selinux" = "xyes"], [
+ HAVE_SELINUX="-DHAVE_SELINUX"
+ EXTRA_LDFLAGS+=" -lselinux "
+ AC_SUBST(HAVE_SELINUX)
+])
+
 AC_SUBST([EXTRA_CFLAGS])
 AC_SUBST([EXTRA_LDFLAGS])
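Review bot: `EXTRA_LDFLAGS+=" -lselinux "` in the relocated SELinux block of the `@@ -54,6 +54,15 @@` configure.ac hunk relies on the `+=` append operator, which is a bash/ksh extension rather than POSIX sh; a configure run under a shell such as dash would, as far as I can tell, not parse the word as an assignment and would try to execute it as a command, leaving `-lselinux` out of the link line. The line is moved rather than newly written, but since it is being touched anyway, `EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux"` removes the dependence on whichever shell autoconf happens to select. The same text appears in the generated configure hunk above and should come from regeneration rather than a hand edit.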
@@ -219,15 +228,62 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
 )
 AC_SUBST(HAVE_CONTRIB_INSTALL)
-HAVE_SELINUX=""
-AC_ARG_ENABLE([selinux],
- AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
-AS_IF([test "x$enable_selinux" = "xyes"], [
- HAVE_SELINUX="-DHAVE_SELINUX"
- EXTRA_LDFLAGS+=" -lselinux "
- AC_SUBST(HAVE_SELINUX)
+HAVE_LTS=""
+AC_ARG_ENABLE([lts],
+ AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
+AS_IF([test "x$enable_lts" = "xyes"], [
+ HAVE_LTS="-DHAVE_LTS"
+ AC_SUBST(HAVE_LTS)
+
+ HAVE_DBUSPROXY=""
+ AC_SUBST(HAVE_DBUSPROXY)
+
+ HAVE_OVERLAYFS=""
+ AC_SUBST(HAVE_OVERLAYFS)
+
+ HAVE_OUTPUT=""
+ AC_SUBST(HAVE_OUTPUT)
+
+ HAVE_USERTMPFS=""
+ AC_SUBST(HAVE_USERTMPFS)
+
+ HAVE_MAN="-DHAVE_MAN"
+ AC_SUBST(HAVE_MAN)
+
+ HAVE_FIRETUNNEL=""
+ AC_SUBST(HAVE_FIRETUNNEL)
+
+ HAVE_PRIVATEHOME=""
+ AC_SUBST(HAVE_PRIVATE_HOME)
+
+ HAVE_CHROOT=""
+ AC_SUBST(HAVE_CHROOT)
+
+ HAVE_GLOBALCFG=""
+ AC_SUBST(HAVE_GLOBALCFG)
+
+ HAVE_USERNS=""
+ AC_SUBST(HAVE_USERNS)
+
+ HAVE_X11=""
+ AC_SUBST(HAVE_X11)
+
+ HAVE_FILE_TRANSFER=""
+ AC_SUBST(HAVE_FILE_TRANSFER)
+
+ HAVE_SUID="yes"
+ AC_SUBST(HAVE_SUID)
+
+ BUSYBOX_WORKAROUND="no"
+ AC_SUBST(BUSYBOX_WORKAROUND)
+
+ HAVE_CONTRIB_INSTALL="no",
+ AC_SUBST(HAVE_CONTRIB_INSTALL)
 ])
+
+
+
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -250,6 +306,7 @@ echo "Configuration options:"
 echo " prefix: $prefix"
 echo " sysconfdir: $sysconfdir"
 echo " apparmor: $HAVE_APPARMOR"
+echo " SELinux labeling support: $HAVE_SELINUX"
 echo " global config: $HAVE_GLOBALCFG"
 echo " chroot: $HAVE_CHROOT"
 echo " network: $HAVE_NETWORK"
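Review bot: The LTS block in the `@@ -219,15 +228,62 @@` hunk sets `HAVE_PRIVATEHOME=""` but substitutes `AC_SUBST(HAVE_PRIVATE_HOME)`, and common.mk.in consumes `$(HAVE_PRIVATE_HOME)`, so the assignment never reaches the build and the private-home feature is presumably not switched off in an LTS build as the surrounding lines intend. A few lines later `HAVE_CONTRIB_INSTALL="no",` carries a trailing comma inside the m4-quoted shell block, so the shell value becomes `no,` (the generated configure hunk above shows the comma surviving) and any Makefile test of that variable against `no` would not match, possibly leaving the contrib scripts installed. Change the two lines to `HAVE_PRIVATE_HOME=""` and `HAVE_CONTRIB_INSTALL="no"` and regenerate configure. `HAVE_MAN="-DHAVE_MAN"` is also set and substituted here, but no other line in this patch consumes it; confirm that common.mk.in or a Makefile reads `@HAVE_MAN@`, otherwise the assignment is dead.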
@@ -271,6 +328,19 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo " SELinux labeling support: $HAVE_SELINUX"
 echo " Install as a SUID executable: $HAVE_SUID"
+echo " LTS: $HAVE_LTS"
 echo
+
+
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+ echo
+ echo
+ echo "*********************************************************"
+ echo "* Warning: Long-term support (LTS) was enabled! *"
+ echo "* Most compile-time options have bean rewritten! *"
+ echo "*********************************************************"
+ echo
+ echo
+fi
+
diff --git a/src/common.mk.in b/src/common.mk.in
index 77d8539ef..eae4138c0 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -26,6 +26,7 @@ HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
+HAVE_LTS=@HAVE_LTS@
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
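Review bot: The banner in the `@@ -271,6 +328,19 @@` configure.ac hunk prints `* Most compile-time options have bean rewritten! *`, which should read `been`; the same string is emitted by the generated configure hunk earlier in this patch, so fix it here and regenerate. Since the LTS block overrides the user's --enable/--disable choices without saying which, the banner would be more useful if it also listed the features it forced off (the assignments above blank dbusproxy, overlayfs, output, usertmpfs, firetunnel, private-home, chroot, globalcfg, userns, x11 and file-transfer, and force suid on); a single extra `echo` line naming them, or a pointer to the man page paragraph added in this patch, would do.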
@@ -35,7 +36,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b251f8191..639b171cd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
 firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
+#ifdef HAVE_LTS
+This is Firejail long-term support (LTS), an enterprise focused version of the software,
+LTS is usually supported for two or three years.
+During this time only bugs and the occasional documentation problems are fixed.
+The attack surface of the SUID executable was greatly reduced by removing some of the features.
+.br
+
+.br
+#endif
 Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.
-- 
cgit v1.2.3-70-g09d2