From 355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Tue, 2 Aug 2016 10:03:28 -0400
Subject: apparmor

---
 src/firejail/Makefile.in |  6 ++++--
 src/firejail/sandbox.c   | 12 ++++++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 21f415ba5..15253b5ab 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -18,19 +18,21 @@ HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
 HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
 	$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS)
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o firejail firejail.1 firejail.1.gz
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0fd81979f..1502a0312 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -39,6 +39,9 @@
 # define PR_SET_NO_NEW_PRIVS 38
 #endif
 
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
 
 
 static int monitored_pid = 0;
@@ -392,6 +395,7 @@ int sandbox(void* sandbox_arg) {
 	if (arg_debug && child_pid == 1)
 		printf("PID namespace installed\n");
 
+
 	//****************************
 	// set hostname
 	//****************************
@@ -503,7 +507,6 @@ int sandbox(void* sandbox_arg) {
 	else
 		fs_basic_fs();
 	
-
 	//****************************
 	// set hostname in /etc/hostname
 	//****************************
@@ -798,8 +801,13 @@ int sandbox(void* sandbox_arg) {
 	pid_t app_pid = fork();
 	if (app_pid == -1)
 		errExit("fork");
-		
+
 	if (app_pid == 0) {
+#ifdef HAVE_APPARMOR
+		errno = 0;
+		if (aa_change_onexec("firejail-default")) 
+			fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno);
+#endif		
 		prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
 		start_application();	// start app
 	}
-- 
cgit v1.2.3-70-g09d2