From e6ee65a48c1d17da1cd2058b1e61dc838513a49e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 21 Aug 2016 15:01:10 -0400
Subject: run time support to disable overlayfs
---
 RELNOTES | 1 +
 etc/firejail.config | 8 ++-
 src/firejail/checkcfg.c | 8 +++
 src/firejail/firejail.h | 3 +-
 src/firejail/main.c | 168 ++++++++++++++++++++++++++++--------------------
 5 files changed, 115 insertions(+), 73 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index d9e4314ba..d59618c7c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -16,6 +16,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * --overlay-clean option
  * --overlay-named=name option
  * --overlay-path=path option
+ * compile time and run time support to disable overlayfs
  * Ubuntu snap support
  * include /dev/snd in --private-dev
  * added mkfile profile command
diff --git a/etc/firejail.config b/etc/firejail.config
index 1b8d5f4e3..275bba8e2 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -3,9 +3,6 @@
 # Most features are enabled by default. Use 'yes' or 'no' as configuration
 # values.
-# Remount /proc and /sys inside the sandbox, default enabled.
-# remount-proc-sys yes
-
 # Enable or disable bind support, default enabled.
 # bind yes
@@ -24,9 +21,14 @@
 # Enable or disable networking features, default enabled.
 # network yes
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index c4a6888a9..fed934434 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -233,6 +233,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "overlayfs ", 10) == 0) { + if (strcmp(ptr + 10, "yes") == 0) + cfg_val[CFG_OVERLAYFS] = 1; + else if (strcmp(ptr + 10, "no") == 0) + cfg_val[CFG_OVERLAYFS] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 067d788a6..98ba8ee3b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -591,7 +591,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_WHITELIST 9 #define CFG_XEPHYR_WINDOW_TITLE 10 #define CFG_REMOUNT_PROC_SYS 11 -#define CFG_MAX 12 // this should always be the last entry +#define CFG_OVERLAYFS 12 +#define CFG_MAX 13 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/main.c b/src/firejail/main.c index c366390cc..1824765eb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
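Review bot: The new `overlayfs` entry in checkcfg hard-codes the key length twice (`strncmp(ptr, "overlayfs ", 10)` and `ptr + 10`), following the style of the neighbouring entries, so the two constants can silently drift apart on a later edit; `sizeof("overlayfs ") - 1` in both places keeps them tied to the literal. Nothing in this hunk shows where `cfg_val[CFG_OVERLAYFS]` receives the "default enabled" value promised by etc/firejail.config — if checkcfg seeds every slot below CFG_MAX with 1 before parsing (which the CFG_MAX bump in firejail.h is consistent with) this holds, otherwise the feature would be off unless the key is present, which is worth confirming. checkcfg's body starts and ends outside the hunk.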
@@ -266,18 +266,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 }
 #ifdef HAVE_OVERLAYFS
 else if (strcmp(argv[i], "--overlay-clean") == 0) {
- char *path;
- if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
- errExit("asprintf");
- EUID_ROOT();
- if (setreuid(0, 0) < 0)
- errExit("setreuid");
- if (setregid(0, 0) < 0)
- errExit("setregid");
- errno = 0;
- int rv = remove_directory(path);
- if (rv) {
- fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
+ if (checkcfg(CFG_OVERLAYFS)) {
+ char *path;
+ if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+ errExit("asprintf");
+ EUID_ROOT();
+ if (setreuid(0, 0) < 0)
+ errExit("setreuid");
+ if (setregid(0, 0) < 0)
+ errExit("setregid");
+ errno = 0;
+ int rv = remove_directory(path);
+ if (rv) {
+ fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
+ exit(1);
+ }
+ }
+ else {
+ fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
 exit(1);
 }
 exit(0);
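Review bot: The error string carried onto the new side still reads `"Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n"`; it should be `"Error: cannot remove overlays stored in ~/.firejail directory, errno %d\n"`. The checkcfg gate is placed before EUID_ROOT()/setreuid(), so a disabled feature never escalates privileges, which is the right order. After that point remove_directory() runs with uid 0 on a path derived from cfg.homedir; whether it refuses to follow symlinks on the way down is not visible in this hunk and is worth confirming, since that directory is under the unprivileged user's control. `path` is never freed, which is harmless here only because every branch exits. run_cmd_and_exit's body continues outside the hunk.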
@@ -1283,78 +1289,103 @@ int main(int argc, char **argv) {
 }
 #ifdef HAVE_OVERLAYFS
 else if (strcmp(argv[i], "--overlay") == 0) {
- if (cfg.chrootdir) {
- fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
- exit(1);
+ if (checkcfg(CFG_OVERLAYFS)) {
+ if (cfg.chrootdir) {
+ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+ exit(1);
+ }
+ struct stat s;
+ if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+ fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+ exit(1);
+ }
+ arg_overlay = 1;
+ arg_overlay_keep = 1;
+
+ char *subdirname;
+ if (asprintf(&subdirname, "%d", getpid()) == -1)
+ errExit("asprintf");
+ cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+
+ free(subdirname);
 }
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
+ else {
+ fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
+ exit(1);
 }
- arg_overlay = 1;
- arg_overlay_keep = 1;
-
- char *subdirname;
- if (asprintf(&subdirname, "%d", getpid()) == -1)
- errExit("asprintf");
- cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
-
- free(subdirname);
 }
 else if (strncmp(argv[i], "--overlay-named=", 16) == 0) {
- if (cfg.chrootdir) {
- fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
- exit(1);
- }
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
+ if (checkcfg(CFG_OVERLAYFS)) {
+ if (cfg.chrootdir) {
+ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+ exit(1);
+ }
+ struct stat s;
+ if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+ fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+ exit(1);
+ }
+ arg_overlay = 1;
+ arg_overlay_keep = 1;
+ arg_overlay_reuse = 1;
+
+ char *subdirname = argv[i] + 16;
+ if (subdirname == '\0') {
+ fprintf(stderr, "Error: invalid overlay option\n");
+ exit(1);
+ }
+ cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
 }
- arg_overlay = 1;
- arg_overlay_keep = 1;
- arg_overlay_reuse = 1;
-
- char *subdirname = argv[i] + 16;
- if (subdirname == '\0') {
- fprintf(stderr, "Error: invalid overlay option\n");
+ else {
+ fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
 exit(1);
 }
- cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+ }
 else if (strncmp(argv[i], "--overlay-path=", 15) == 0) {
- if (cfg.chrootdir) {
- fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
- exit(1);
- }
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
+ if (checkcfg(CFG_OVERLAYFS)) {
+ if (cfg.chrootdir) {
+ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+ exit(1);
+ }
+ struct stat s;
+ if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+ fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+ exit(1);
+ }
+ arg_overlay = 1;
+ arg_overlay_keep = 1;
+ arg_overlay_reuse = 1;
+
+ char *dirname = argv[i] + 15;
+ if (dirname == '\0') {
+ fprintf(stderr, "Error: invalid overlay option\n");
+ exit(1);
+ }
+ cfg.overlay_dir = expand_home(dirname, cfg.homedir);
 }
- arg_overlay = 1;
- arg_overlay_keep = 1;
- arg_overlay_reuse = 1;
-
- char *dirname = argv[i] + 15;
- if (dirname == '\0') {
- fprintf(stderr, "Error: invalid overlay option\n");
+ else {
+ fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
 exit(1);
 }
- cfg.overlay_dir = expand_home(dirname, cfg.homedir);
 }
 else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
- if (cfg.chrootdir) {
- fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
- exit(1);
+ if (checkcfg(CFG_OVERLAYFS)) {
+ if (cfg.chrootdir) {
+ fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+ exit(1);
+ }
+ struct stat s;
+ if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+ fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+ exit(1);
+ }
+ arg_overlay = 1;
 }
- struct stat s;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
- exit(1);
+ else {
+ fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
+ exit(1);
 }
- arg_overlay = 1;
 }
 #endif
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
@@ -1477,7 +1508,6 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n");
 exit(1);
 }
- }
 #endif
 else if (strcmp(argv[i], "--writable-etc") == 0) {
-- cgit v1.2.3-54-g00ecf
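Review bot: In the `--overlay-named=` and `--overlay-path=` branches the emptiness check compares the pointer itself with '\0' (`if (subdirname == '\0')`, `if (dirname == '\0')`), so it can never fire for an argument with nothing after the `=`; an empty name then reaches fs_check_overlay_dir() and an empty path reaches expand_home(), and what those do with "" is not visible here. The checks should dereference: `if (*subdirname == '\0') {` and `if (*dirname == '\0') {`. These lines were carried over from the removed side, but they are live on the new side and this commit touches both branches. The chroot / grsecurity / checkcfg preamble is now repeated verbatim in four branches; a small `static` helper that performs the checks and exits would keep them from drifting. main's body starts and ends outside the hunk.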