From d28f1d7157c87076771498f062f5af7e932bd20f Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Sun, 12 Jun 2016 07:27:21 -0400
Subject: support to disable enforcing firejail.config

---
 README                      |  2 ++
 RELNOTES                    |  3 +++
 configure                   | 18 ++++++++++++++++++
 configure.ac                |  9 +++++++++
 src/firejail/Makefile.in    |  4 ++--
 src/firejail/checkcfg.c     |  5 +++++
 src/firejail/fs.c           | 25 +++++++++++++------------
 src/firejail/main.c         |  2 +-
 src/include/euid_common.h   |  4 ++--
 src/man/firecfg.txt         |  2 +-
 src/man/firejail-config.txt | 17 +++++++++++++++++
 11 files changed, 73 insertions(+), 18 deletions(-)

diff --git a/README b/README
index d08a11680..05c9408ec 100644
--- a/README
+++ b/README
@@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh)
 	- clang-analyzer fixes
 	- Debian reproducible build
 	- unit testing framework
+Simon Peter (https://github.com/probonopd)
+	- set $APPIMAGE and $APPDIR environment variables
 maces (https://github.com/maces)
 	- Franz messenger profile
 KellerFuchs (https://github.com/KellerFuchs)
diff --git a/RELNOTES b/RELNOTES
index c2552c533..04a9d7cbb 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,8 @@
 firejail (0.9.41) baseline; urgency=low
   * work in progress...
+  * compile time and run time support to disable whitelists
+  * compile time support to disable global configuration file
+  * some profiles have been converted to private-bin
   * new profiles: Gitter, gThumb, mpv, Franz messenger
  -- netblue30 <netblue30@yahoo.com>  Tue, 31 May 2016 08:00:00 -0500
 
diff --git a/configure b/configure
index da7d370d3..ca0704e91 100755
--- a/configure
+++ b/configure
@@ -634,6 +634,7 @@ HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
 HAVE_NETWORK
+HAVE_GLOBALCFG
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
@@ -692,6 +693,7 @@ enable_option_checking
 enable_seccomp
 enable_chroot
 enable_bind
+enable_globalcfg
 enable_network
 enable_userns
 enable_x11
@@ -1320,6 +1322,8 @@ Optional Features:
   --disable-seccomp       disable seccomp
   --disable-chroot        disable chroot
   --disable-bind          disable bind
+  --disable-globalcfg     disable global config file
+                          (/etc/firejail/firejail.cfg)
   --disable-network       disable network
   --enable-network=restricted
                           restrict --net= to root only
@@ -3102,6 +3106,19 @@ if test "x$enable_bind" != "xno"; then :
 	HAVE_BIND="-DHAVE_BIND"
 
 
+fi
+
+HAVE_GLOBALCFG=""
+# Check whether --enable-globalcfg was given.
+if test "${enable_globalcfg+set}" = set; then :
+  enableval=$enable_globalcfg;
+fi
+
+if test "x$enable_globalcfg" != "xno"; then :
+
+	HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+
+
 fi
 
 HAVE_NETWORK=""
@@ -4834,6 +4851,7 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
diff --git a/configure.ac b/configure.ac
index c9061f219..93e062518 100644
--- a/configure.ac
+++ b/configure.ac
@@ -33,6 +33,14 @@ AS_IF([test "x$enable_bind" != "xno"], [
 	AC_SUBST(HAVE_BIND)
 ])
 
+HAVE_GLOBALCFG=""
+AC_ARG_ENABLE([globalcfg],
+    AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
+AS_IF([test "x$enable_globalcfg" != "xno"], [
+	HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+	AC_SUBST(HAVE_GLOBALCFG)
+])
+
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
     AS_HELP_STRING([--disable-network], [disable network]))
@@ -106,6 +114,7 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index a8af1a4e0..21f415ba5 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -17,13 +17,13 @@ HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
 HAVE_WHITELIST=@HAVE_WHITELIST@
-
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index a69c2831e..6636e7efe 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -48,8 +48,13 @@ int checkcfg(int val) {
 
 		FILE *fp = fopen(fname, "r");
 		if (!fp) {
+#ifdef HAVE_GLOBALCFG			
 			fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
 			exit(1);
+#else
+			initialized = 1;
+			return	cfg_val[val];
+#endif	
 		}
 		
 		// read configuration file
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 8cae9191c..acc03e412 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -652,26 +652,27 @@ void fs_proc_sys_dev_boot(void) {
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
 static void disable_firejail_config(void) {
 	struct stat s;
-	if (stat("/etc/firejail", &s) == 0)
-		disable_file(BLACKLIST_FILE, "/etc/firejail");
+//	if (stat("/etc/firejail", &s) == 0)
+//		disable_file(BLACKLIST_FILE, "/etc/firejail");
 
 	char *fname;
 	if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
 		errExit("asprintf");
 	if (stat(fname, &s) == 0)
 		disable_file(BLACKLIST_FILE, fname);
+	free(fname);
 	
-	if (stat("/usr/local/etc/firejail", &s) == 0)
-		disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
-
-	if (strcmp(PREFIX, "/usr/local")) {
-		if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
-			errExit("asprintf");
-		if (stat(fname, &s) == 0)
-			disable_file(BLACKLIST_FILE, fname);
-	}
+//	if (stat("/usr/local/etc/firejail", &s) == 0)
+//		disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
+//
+//	if (strcmp(PREFIX, "/usr/local")) {
+//		if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
+//			errExit("asprintf");
+//		if (stat(fname, &s) == 0)
+//			disable_file(BLACKLIST_FILE, fname);
+//		free(fname);
+//	}
 	
-	free(fname);
 	
 	// disable run time information
 	if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index d027eb697..423df3752 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -854,7 +854,7 @@ int main(int argc, char **argv) {
 	
 	
 	// check for force-nonewprivs in /etc/firejail/firejail.config file
-	if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))
+	if (checkcfg(CFG_FORCE_NONEWPRIVS))
 		arg_nonewprivs = 1;
 	
 	// parse arguments
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index f07cf2868..b6d341bf4 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -36,12 +36,12 @@ extern uid_t firejail_uid;
 
 static inline void EUID_ROOT(void) {
 	if (seteuid(0) == -1)
-		fprintf(stderr, "Error: cannot switch euid to root\n");
+		fprintf(stderr, "Warning: cannot switch euid to root\n");
 }
 
 static inline void EUID_USER(void) {
 	if (seteuid(firejail_uid) == -1)
-		fprintf(stderr, "Error: cannot switch euid to user\n");
+		fprintf(stderr, "Warning: cannot switch euid to user\n");
 }
 
 static inline void EUID_PRINT(void) {
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index e2e4229b0..c12bf7731 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -10,7 +10,7 @@ sandbox applications automatically, just by clicking on a regular desktop
 menus and icons.
 
 The symbolic links are placed in /usr/local/bin. For more information, see
-DESKTOP INTEGRATION section in man 1 firejail.
+\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 
 .SH OPTIONS
 .TP
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index 6a66c7f75..bc29dc977 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -74,6 +74,23 @@ xephyr-screen 1024x768
 .br
 xephyr-screen 1280x1024
 
+.TP
+\fBxephyr-window-title
+Firejail window title in Xephry, default enabled.
+
+.TP
+\fBxephyr-extra-params
+Xephyr command extra parameters. None by default, and the declaration is commented out. Examples:
+.br
+
+.br
+xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+.br
+xephyr-extra-params -grayscale
+
+.SH COMPILE TIME CONFIGURATION
+Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details.
+
 .SH FILES
 /etc/firejail/firejail.config
 
-- 
cgit v1.2.3-54-g00ecf