From d17ce1322e6e42ca905393545db03a13570da1b0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 5 Feb 2017 11:50:04 -0500 Subject: disable --git-install at compile time --- configure | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'configure') diff --git a/configure b/configure index 9efba1b1d..bdffba2ad 100755 --- a/configure +++ b/configure @@ -625,6 +625,7 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS HAVE_SECCOMP_H +HAVE_GIT_INSTALL HAVE_GCOV BUSYBOX_WORKAROUND HAVE_FATAL_WARNINGS @@ -711,6 +712,7 @@ enable_whitelist enable_fatal_warnings enable_busybox_workaround enable_gcov +enable_git_install ' ac_precious_vars='build_alias host_alias @@ -1349,6 +1351,7 @@ Optional Features: --enable-busybox-workaround enable busybox workaround --enable-gcov Gcov instrumentation + --disable-git-install disable git install feature Some influential environment variables: CC C compiler command @@ -3710,6 +3713,18 @@ if test "x$enable_gcov" = "xyes"; then : fi +HAVE_GIT_INSTALL="" +# Check whether --enable-git-install was given. +if test "${enable_git_install+set}" = set; then : + enableval=$enable_git_install; +fi + +if test "x$enable_git_install" != "xno"; then : + + HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" + + +fi # checking pthread library @@ -4971,6 +4986,7 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" +echo " git install support: $HAVE_GIT_INSTALL" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" -- cgit v1.2.3-70-g09d2 From 6730f4c0cce738b79bdd3a661ab9077ec7839176 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 7 Feb 2017 13:03:28 -0500 Subject: --git-install: default disabled in ./configure script --- configure | 7 ++++--- configure.ac | 7 ++++--- src/fgit/fgit-install.sh | 2 +- src/fgit/fgit-uninstall.sh | 2 +- src/firejail/main.c | 6 ++++++ 5 files changed, 16 insertions(+), 8 deletions(-) (limited to 'configure') diff --git a/configure b/configure index bdffba2ad..74f47a7c4 100755 --- a/configure +++ b/configure @@ -1351,7 +1351,7 @@ Optional Features: --enable-busybox-workaround enable busybox workaround --enable-gcov Gcov instrumentation - --disable-git-install disable git install feature + --enable-git-install enable git install feature Some influential environment variables: CC C compiler command @@ -3103,6 +3103,7 @@ if test "x$enable_apparmor" = "xyes"; then : fi + ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' @@ -3713,20 +3714,20 @@ if test "x$enable_gcov" = "xyes"; then : fi + HAVE_GIT_INSTALL="" # Check whether --enable-git-install was given. if test "${enable_git_install+set}" = set; then : enableval=$enable_git_install; fi -if test "x$enable_git_install" != "xno"; then : +if test "x$enable_git_install" = "xyes"; then : HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" fi - # checking pthread library { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 $as_echo_n "checking for main in -lpthread... " >&6; } diff --git a/configure.ac b/configure.ac index 252f82cde..6a6c40b40 100644 --- a/configure.ac +++ b/configure.ac @@ -17,6 +17,7 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ AC_SUBST(HAVE_APPARMOR) ]) + AS_IF([test "x$enable_apparmor" = "xyes"], [ AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) 
@@ -145,15 +146,15 @@ AS_IF([test "x$enable_gcov" = "xyes"], [ AC_SUBST(HAVE_GCOV) ]) + HAVE_GIT_INSTALL="" AC_ARG_ENABLE([git-install], - AS_HELP_STRING([--disable-git-install], [disable git install feature])) -AS_IF([test "x$enable_git_install" != "xno"], [ + AS_HELP_STRING([--enable-git-install], [enable git install feature])) +AS_IF([test "x$enable_git_install" = "xyes"], [ HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" AC_SUBST(HAVE_GIT_INSTALL) ]) - # checking pthread library AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) diff --git a/src/fgit/fgit-install.sh b/src/fgit/fgit-install.sh index 9e43559a1..1f710c688 100755 --- a/src/fgit/fgit-install.sh +++ b/src/fgit/fgit-install.sh @@ -6,7 +6,7 @@ set -e # exit immediately if one of the commands fails cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp git clone --depth=1 https://www.github.com/netblue30/firejail.git cd firejail -./configure +./configure --enable-git-install make sudo make install-strip echo "**********************************************************************" diff --git a/src/fgit/fgit-uninstall.sh b/src/fgit/fgit-uninstall.sh index 9a370546d..bc7cc9563 100644 --- a/src/fgit/fgit-uninstall.sh +++ b/src/fgit/fgit-uninstall.sh @@ -6,7 +6,7 @@ set -e # exit immediately if one of the commands fails cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp git clone --depth=1 https://www.github.com/netblue30/firejail.git cd firejail -./configure +./configure --enable-git-install sudo make uninstall echo "**********************************************************************" echo "Firejail mainline git version uninstalled from /usr/local" diff --git a/src/firejail/main.c b/src/firejail/main.c index 0d4cf2595..b90e30cca 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
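Review bot: `--enable-git-install` only decides whether `-DHAVE_GIT_INSTALL` reaches the compiler; it does not gate what gets installed, and the Makefile.in context visible in the third commit still installs `src/fgit/fgit-install.sh` into libdir unconditionally, so a default (disabled) build ships a script that clones and installs code as root even though the CLI option is compiled out. Either substitute the flag into Makefile.in and install the fgit scripts only when it is set, or at least make the help string say what is being enabled: `AS_HELP_STRING([--enable-git-install], [enable --git-install/--git-uninstall (fetches mainline firejail from github and installs it as root)])`. Keeping `AC_SUBST` inside the `AS_IF` matches the `HAVE_GCOV` block above it, so that part is consistent.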
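Review bot: The `git clone` on the context line fetches whatever the branch head is at run time, with no commit pin and no signature check, and the result is then built and installed with `sudo make install-strip`; the new `--enable-git-install` flag only keeps the feature on in the installed build and does nothing for the provenance of what is installed. At minimum pin the ref and verify it before building, e.g. `git clone --depth=1 --branch "${FIREJAIL_REF:?set to a release tag}" https://github.com/netblue30/firejail.git` followed by `git -C firejail verify-tag "$FIREJAIL_REF"` (assuming the project signs its tags — to be confirmed). Using the canonical `github.com` host instead of `www.github.com` also removes a redirect hop from the fetch. The comment that a tmpfs is mounted on /tmp is an assumption this script cannot check; `set -e` will at least abort if the clone target already exists.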
@@ -2143,6 +2143,12 @@ int main(int argc, char **argv) { return 1; } } + else if (strcmp(argv[i], "--git-install") == 0 || + strcmp(argv[i], "--git-uninstall") == 0) { + fprintf(stderr, "This feature is not enabled in the current build\n"); + exit(1); + } + else if (strcmp(argv[i], "--") == 0) { // double dash - positional params to follow arg_doubledash = 1; -- cgit v1.2.3-70-g09d2 From b286a6bc3a13161038dc918660722628057d28d7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 14 Feb 2017 11:38:19 -0500 Subject: merge #1100 from zackw: removed libconnect --- .gitignore | 1 + Makefile.in | 4 +-- README | 2 ++ configure | 3 +-- configure.ac | 2 +- etc/firejail.config | 2 +- platform/rpm/old-mkrpm.sh | 2 -- src/firejail/fs_trace.c | 3 --- src/firejail/sandbox.c | 8 +++--- src/libconnect/Makefile.in | 25 ----------------- src/libconnect/libconnect.c | 66 --------------------------------------------- 11 files changed, 11 insertions(+), 107 deletions(-) delete mode 100644 src/libconnect/Makefile.in delete mode 100644 src/libconnect/libconnect.c (limited to 'configure') diff --git a/.gitignore b/.gitignore index 89bf3c4fa..1b2c7fc7b 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ *.gcda *.gcno Makefile +autom4te.cache/ config.log config.status firejail-login.5 diff --git a/Makefile.in b/Makefile.in index 7152019d4..7ed27c89d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man filters MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64 
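Review bot: The new `else if` is not wrapped in a preprocessor guard, so it rejects `--git-install`/`--git-uninstall` in every build unless a `#ifdef HAVE_GIT_INSTALL` branch handling those options precedes it in this argument loop (not visible here; `main` starts and ends outside the hunk), and if it does not, a build configured with `--enable-git-install` prints this error too. Wrapping the new branch in `#ifndef HAVE_GIT_INSTALL` / `#endif` makes the intent explicit and protects against a later reordering of the chain. The message could also tell the user which build switch is missing: `fprintf(stderr, "Error: --git-install/--git-uninstall are not enabled in this build (configure --enable-git-install)\n");`.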
@@ -79,7 +79,6 @@ realinstall: install -m 0755 -d $(DESTDIR)/$(libdir)/firejail install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/. @@ -142,7 +141,6 @@ install-strip: all strip src/firecfg/firecfg strip src/libtrace/libtrace.so strip src/libtracelog/libtracelog.so - strip src/libconnect/libconnect.so strip src/ftee/ftee strip src/faudit/faudit strip src/fnet/fnet diff --git a/README b/README index 66e196e97..617ec3ec8 100644 --- a/README +++ b/README @@ -101,6 +101,8 @@ valoq (https://github.com/valoq) - added wget profile - disable gnupg and systemd directories under /run/user - added iridium browser profile +Zack Weinberg (https://github.com/zackw) + - removed libconnect Igor Bukanov (https://github.com/ibukanov) - found/fiixed privilege escalation in --hosts-file option Cat (https://github.com/ecat3) diff --git a/configure b/configure index 74f47a7c4..4ff257b66 100755 --- a/configure +++ b/configure 
@@ -3793,7 +3793,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4513,7 +4513,6 @@ do "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; - "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;; "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; diff --git a/configure.ac b/configure.ac index 6a6c40b40..c04bfed89 100644 --- a/configure.ac +++ b/configure.ac @@ -168,7 +168,7 @@ fi AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \ src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \ -src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile) +src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile) echo echo "Configuration options:" diff --git a/etc/firejail.config b/etc/firejail.config index 5498b2112..766802a7d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -85,6 +85,6 @@ # Firejail window title in Xephyr, default enabled. # xephyr-window-title yes -# Xephyr command extra parameters. None by default, and the declaration is commented out. +# Xephyr command extra parameters. None by default; these are examples. # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev # xephyr-extra-params -grayscale diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 017d5e1c3..6c8a4c240 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh @@ -24,7 +24,6 @@ install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/ install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. -install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/. mkdir -p firejail-$VERSION/usr/share/man/man1 install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. @@ -436,7 +435,6 @@ rm -rf %{buildroot} /usr/lib/firejail/libtrace.so /usr/lib/firejail/libtracelog.so -/usr/lib/firejail/libconnect.so /usr/lib/firejail/faudit /usr/lib/firejail/ftee /usr/lib/firejail/firecfg.config diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 9e1dd546e..2a58d1eb2 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -60,9 +60,6 @@ void fs_trace(void) { printf("Blacklist violations are logged to syslog\n"); } - if (mask_x11_abstract_socket) - fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR); - SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); fclose(fp); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3fddc654b..1af9e7286 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -585,7 +585,7 @@ int sandbox(void* sandbox_arg) { #endif // trace pre-install - if (arg_trace || arg_tracelog || mask_x11_abstract_socket) + if (arg_trace || arg_tracelog) fs_trace_preload(); // store hosts file @@ -622,7 +622,7 @@ int sandbox(void* sandbox_arg) { //**************************** // trace pre-install, this time inside chroot //**************************** - if (arg_trace || arg_tracelog || mask_x11_abstract_socket) + if (arg_trace || arg_tracelog) fs_trace_preload(); } else @@ -685,7 +685,7 @@ int sandbox(void* sandbox_arg) { else { fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); // create /etc/ld.so.preload file again - if (arg_trace || arg_tracelog || mask_x11_abstract_socket) + if (arg_trace || arg_tracelog) fs_trace_preload(); } } @@ -781,7 +781,7 @@ int sandbox(void* sandbox_arg) { //**************************** // install trace //**************************** - if (arg_trace || arg_tracelog || mask_x11_abstract_socket) + if (arg_trace || arg_tracelog) fs_trace(); //**************************** diff --git a/src/libconnect/Makefile.in b/src/libconnect/Makefile.in deleted file mode 100644 index 5b7a8d0f1..000000000 --- a/src/libconnect/Makefile.in +++ /dev/null @@ -1,25 +0,0 @@ -PREFIX=@prefix@ -VERSION=@PACKAGE_VERSION@ -NAME=@PACKAGE_NAME@ -HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ - -H_FILE_LIST = $(sort $(wildcard *.[h])) -C_FILE_LIST = $(sort $(wildcard *.c)) -OBJS = $(C_FILE_LIST:.c=.o) -BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now - -all: libconnect.so - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ - -libconnect.so: $(OBJS) - $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - - -clean:; rm -f $(OBJS) libconnect.so - -distclean: clean - rm -fr Makefile 
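Review bot: After these four hunks `mask_x11_abstract_socket` no longer influences any preload step in `sandbox()`, yet nothing in the commit removes the flag or replaces what it used to trigger — libconnect's `connect()` hook that answered abstract `X11-unix` socket connections with ENOENT. If the flag is still set from a command-line option (where it is set is outside this hunk), that option now silently does nothing, which is worse than failing loudly for a sandboxing tool; either drop the option and the variable together, or route the flag to a replacement mechanism and note it in the man page. A preload hook was never a real boundary anyway (static binaries and direct syscalls bypass `ld.so.preload`), so a comment at the first hunk recording why the hook went away would save the next reader a bisect: `// libconnect (abstract X11 socket filter) was removed; ld.so.preload is only a tracing aid here`. `sandbox()` begins and ends outside the hunk.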
diff --git a/src/libconnect/libconnect.c b/src/libconnect/libconnect.c
deleted file mode 100644
index d79dcc4cb..000000000
--- a/src/libconnect/libconnect.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#define _GNU_SOURCE
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-//#define DEBUG
-
-//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
-static int check_sockaddr(const struct sockaddr *addr) {
- if (addr->sa_family == AF_UNIX) {
- struct sockaddr_un *a = (struct sockaddr_un *) addr;
- if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) {
-// printf("@%s\n", a->sun_path + 1);
- errno = ENOENT;
- return -1;
- }
- }
-
- return 0;
-}
-
-//
-// syscalls
-//
-
-// connect
-typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
-static orig_connect_t orig_connect = NULL;
-int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
- if (!orig_connect)
- orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
-
- if (check_sockaddr(addr) == -1)
- return -1;
-
- return orig_connect(sockfd, addr, addrlen);
-}
-- cgit v1.2.3-70-g09d2