From 880f2c98a1dee26228530875fc45d54db68ed1c8 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 25 May 2022 07:36:42 -0400
Subject: Removed IDS feature from the default build. To enable it, use --enable-ids at compile time.

---
 src/common.mk.in | 3 ++-
 src/firejail/checkcfg.c | 10 ++++++++--
 src/firejail/main.c | 9 +++++++++
 src/man/firejail.txt | 4 ++++
 4 files changed, 23 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/common.mk.in b/src/common.mk.in
index 38c05bc69..64ed774ad 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -20,6 +20,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_IDS=@HAVE_IDS@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
@@ -38,7 +39,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 8f8f5b6c3..e1acaf632 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -365,6 +365,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+ printf("\t- IDS support is %s\n",
+#ifdef HAVE_IDS
+ "enabled"
+#else
+ "disabled"
+#endif
+ );
+
 printf("\t- networking support is %s\n",
 #ifdef HAVE_NETWORK
 "enabled"
@@ -427,6 +435,4 @@ void print_compiletime_support(void) {
 "disabled"
 #endif
 );
-
-
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1bcec667e..cbf9df79f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1090,8 +1090,17 @@ int main(int argc, char **argv, char **envp) {
 run_builder(argc, argv); // this function will not return
 
 // intrusion detection system
+#ifdef HAVE_IDS
 if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
 run_ids(argc, argv); // this function will not return
+#else
+ if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
+ fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
+ "\tTo enable it, configure your build system using --enable-ids.\n"
+ "\tExample: ./configure --prefix=/usr --enable-ids\n\n");
+ exit(1);
+ }
+#endif
 
 EUID_ROOT();
 #ifndef HAVE_SUID
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 366a4e061..420a96ab5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -820,6 +820,7 @@ Example:
 .br
 $ firejail \-\-hosts-file=~/myhosts firefox
 
+#ifdef HAVE_IDS
 .TP
 \fB\-\-ids-check
 Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
@@ -839,6 +840,7 @@ Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
 Example:
 .br
 $ firejail \-\-ids-init
+#endif
 
 .TP
 \fB\-\-ignore=command
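Review bot: The `#else` arm of the main.c hunk repeats the `if (check_arg(argc, argv, "--ids-", 0))` test and its comment verbatim, so the two preprocessor arms can silently drift apart; write the test once as `if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check` and put only the body under the conditional, `run_ids(argc, argv);` under `#ifdef HAVE_IDS` and the existing fprintf/`exit(1)` under `#else`. The `exit(1)` in the disabled build sits before the `EUID_ROOT();` context line, so an `--ids-*` request is rejected without any privileged work, which, given the `HAVE_SUID` flag visible just below, is the right ordering and deserves a one-line comment such as `// reject before EUID_ROOT(): a disabled feature must never run privileged`. The comment describes the match as a prefix match, so any `--ids-<anything>` reaches this branch; whether the trailing `0` to check_arg selects prefix or exact matching is not visible in the hunk and should be confirmed against its definition. main() starts and ends outside the hunk.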
@@ -3342,6 +3344,7 @@ $ firejail \-\-cat=mybrowser ~/.bashrc .br #endif +#ifdef HAVE_IDS .SH INTRUSION DETECTION SYSTEM (IDS) The host-based intrusion detection system tracks down and audits user and system file modifications. The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, @@ -3399,6 +3402,7 @@ New files and deleted files are also flagged. Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. The program can also be run as root (sudo firejail --ids-init/--ids-check). +#endif .SH MONITORING Option \-\-list prints a list of all sandboxes. The format -- cgit v1.2.3-70-g09d2