From 9edc43cc488a8ed701159ef07627097205708678 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 25 Jan 2016 10:48:23 -0500
Subject: --disable-network --disable-userns compile time options
---
src/firejail/Makefile.in | 4 +++-
src/firejail/main.c | 17 ++++++++++++++---
src/firejail/profile.c | 10 ++++++++++
src/firejail/usage.c | 24 ++++++++++++++++++------
4 files changed, 45 insertions(+), 10 deletions(-) (limited to 'src')
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 87cda9ab2..83a2b0592 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -12,13 +12,15 @@ HAVE_SECCOMP=@HAVE_SECCOMP@
HAVE_CHROOT=@HAVE_CHROOT@
HAVE_BIND=@HAVE_BIND@
HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
H_FILE_LIST = $(sort $(wildcard *.[h]))
C_FILE_LIST = $(sort $(wildcard *.c))
OBJS = $(C_FILE_LIST:.c=.o)
BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
%.o : %.c $(H_FILE_LIST)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 014ea8cae..2fda8f1ab 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -208,7 +208,7 @@ static void check_network(Bridge *br) {
}
}
-
+#ifdef HAVE_USERNS
void check_user_namespace(void) {
if (getuid() == 0) {
fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
@@ -228,6 +228,7 @@ void check_user_namespace(void) {
arg_noroot = 0;
}
}
+#endif
// exit commands
static void run_cmd_and_exit(int i, int argc, char **argv) {
@@ -243,6 +244,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
printf("firejail version %s\n", VERSION);
exit(0);
}
+#ifdef HAVE_NETWORK
else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
logargs(argc, argv);
@@ -303,7 +305,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
bandwidth_name(argv[i] + 12, cmd, dev, down, up);
exit(0);
}
-
+#endif
//*************************************
// independent commands - the program will exit!
//*************************************
@@ -382,10 +384,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
top();
exit(0);
}
+#ifdef HAVE_NETWORK
else if (strcmp(argv[i], "--netstats") == 0) {
netstats();
exit(0);
}
+#endif
else if (strncmp(argv[i], "--join=", 7) == 0) {
logargs(argc, argv);
@@ -397,6 +401,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);
exit(0);
}
+#ifdef HAVE_NETWORK
else if (strncmp(argv[i], "--join-network=", 15) == 0) {
logargs(argc, argv);
arg_join_network = 1;
@@ -413,6 +418,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);
exit(0);
}
+#endif
else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) {
logargs(argc, argv);
arg_join_filesystem = 1;
@@ -962,9 +968,11 @@ int main(int argc, char **argv) {
}
else if (strcmp(argv[i], "--nogroups") == 0)
arg_nogroups = 1;
+#ifdef HAVE_USERNS
else if (strcmp(argv[i], "--noroot") == 0) {
check_user_namespace();
}
+#endif
else if (strncmp(argv[i], "--env=", 6) == 0)
env_store(argv[i] + 6);
else if (strncmp(argv[i], "--nosound", 9) == 0) {
@@ -975,6 +983,7 @@ int main(int argc, char **argv) {
//*************************************
// network
//*************************************
+#ifdef HAVE_NETWORK
else if (strncmp(argv[i], "--interface=", 12) == 0) {
// checks
if (arg_nonetwork) {
@@ -1164,6 +1173,7 @@ int main(int argc, char **argv) {
return 1;
}
}
+#endif
else if (strncmp(argv[i], "--dns=", 6) == 0) {
uint32_t dns;
if (atoip(argv[i] + 6, &dns)) {
@@ -1182,6 +1192,7 @@ int main(int argc, char **argv) {
return 1;
}
}
+#ifdef HAVE_NETWORK
else if (strcmp(argv[i], "--netfilter") == 0)
arg_netfilter = 1;
else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
@@ -1194,7 +1205,7 @@ int main(int argc, char **argv) {
arg_netfilter6_file = argv[i] + 13;
check_netfilter_file(arg_netfilter6_file);
}
-
+#endif
//*************************************
// command
//*************************************
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f6b062d2b..2d7b07c6d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -110,7 +110,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
}
// seccomp, caps, private, user namespace
else if (strcmp(ptr, "noroot") == 0) {
+#if HAVE_USERNS
check_user_namespace();
+#endif
return 0;
}
else if (strcmp(ptr, "seccomp") == 0) {
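Review bot: With HAVE_USERNS undefined the `noroot` profile directive is now accepted and silently ignored — the guarded `check_user_namespace()` call is dropped but the branch still returns 0, so a profile that asks for the user namespace runs without it and without any message. The same silent degradation applies in the `@@ -146,31` hunk to `netfilter`, `netfilter ...`, `netfilter6 ...` and `net none`, where `net none` becoming a no-op means a profile that intends no networking gets the default network. Consider an `#else` branch in each that reports the dropped directive, e.g. `fprintf(stderr, "Warning: %s:%d: \"%s\" ignored, support was disabled at compile time\n", fname, lineno, ptr);`, or reject the line the way the command-line parser presumably does for an unknown option. Separately, this hunk tests `#if HAVE_USERNS` while every other guard in the patch uses `#ifdef`; with `-DHAVE_USERNS` both forms work, but `#ifdef HAVE_USERNS` keeps it consistent and avoids `-Wundef` warnings when the macro is absent.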
@@ -146,31 +148,39 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0;
}
else if (strcmp(ptr, "netfilter") == 0) {
+#ifdef HAVE_NETWORK
arg_netfilter = 1;
+#endif
return 0;
}
else if (strncmp(ptr, "netfilter ", 10) == 0) {
+#ifdef HAVE_NETWORK
arg_netfilter = 1;
arg_netfilter_file = strdup(ptr + 10);
if (!arg_netfilter_file) errExit("strdup");
check_netfilter_file(arg_netfilter_file);
+#endif
return 0;
}
else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
+#ifdef HAVE_NETWORK
arg_netfilter6 = 1;
arg_netfilter6_file = strdup(ptr + 11);
if (!arg_netfilter6_file) errExit("strdup");
check_netfilter_file(arg_netfilter6_file);
+#endif
return 0;
}
else if (strcmp(ptr, "net none") == 0) {
+#ifdef HAVE_NETWORK
arg_nonetwork = 1;
cfg.bridge0.configured = 0;
cfg.bridge1.configured = 0;
cfg.bridge2.configured = 0;
cfg.bridge3.configured = 0;
+#endif
return 0;
}
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d3ebefaae..6a033b922 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,10 +34,12 @@ void usage(void) {
printf("\n");
printf("Options:\n\n");
printf("\t-- - signal the end of options and disables further option processing.\n\n");
+#ifdef HAVE_NETWORK
printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n");
printf("\t\tby name, see Traffic Shaping section for more details.\n\n");
printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n");
printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
+#endif
#ifdef HAVE_BIND
printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n");
@@ -81,8 +83,10 @@ void usage(void) {
+#ifdef HAVE_NETWORK
printf("\t--defaultgw=address - use this address as default gateway in the new\n");
printf("\t\tnetwork namespace.\n\n");
+#endif
printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n");
printf("\t\tservers can be defined.\n\n");
printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n");
@@ -99,15 +103,16 @@ void usage(void) {
printf("\t--help, -? - this help screen.\n\n");
printf("\t--hostname=name - set sandbox hostname.\n\n");
printf("\t--ignore=command - ignore command in profile files.\n\n");
+#ifdef HAVE_NETWORK
printf("\t--interface=name - move interface in a new network namespace. Up to\n");
printf("\t\tfour --interface options can be sepcified.\n\n");
- printf("\t--ip=address - set interface IP address.\n\n");
printf("\t--ip=none - no IP address and no default gateway address are configured\n");
printf("\t\tin the new network namespace. Use this option in case you intend\n");
printf("\t\tto start an external DHCP client in the sandbox.\n\n");
printf("\t--ip6=address - set interface IPv6 address.\n\n");
printf("\t--iprange=address,address - configure an IP address in this range\n\n");
+#endif
printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n");
printf("\t\tas a regular user. IPC namespace is enabled by default only if\n");
printf("\t\tthe sandbox is started as root.\n\n");
@@ -117,14 +122,19 @@ void usage(void) {
printf("\t\tidentified by name.\n\n");
printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
printf("\t\tidentified by PID.\n\n");
+#ifdef HAVE_NETWORK
printf("\t--join-network=name - join the network namespace of the sandbox\n");
printf("\t\tidentified by name.\n\n");
printf("\t--join-network=pid - join the network namespace of the sandbox\n");
printf("\t\tidentified by PID.\n\n");
+#endif
printf("\t--list - list all sandboxes.\n\n");
+#ifdef HAVE_NETWORK
printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
printf("\t--mtu=number - set interface MTU.\n\n");
+#endif
printf("\t--name=name - set sandbox name.\n\n");
+#ifdef HAVE_NETWORK
printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n");
printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n");
printf("\t\tIP address and a default gateway will be assigned automatically\n");
@@ -163,6 +173,7 @@ void usage(void) {
printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
printf("\t\tnetwork namespace.\n\n");
+#endif
printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
printf("\t\tor file.\n\n");
printf("\t--nogroups - disable supplementary groups. Without this option,\n");
@@ -175,11 +186,11 @@ void usage(void) {
printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
printf("\t\troot.\n\n");
-
+#ifdef HAVE_USERNS
printf("\t--noroot - install a user namespace with a single user - the current\n");
printf("\t\tuser. root user does not exist in the new namespace. This option\n");
printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");
-
+#endif
printf("\t--nosound - disable sound system\n\n");
printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n");
@@ -239,11 +250,11 @@ void usage(void) {
printf("\t\tcreated for the real user ID of the calling process.\n\n");
printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n");
printf("\t\tfor a process.\n\n");
-
+#ifdef HAVE_NETWORK
printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n");
printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n");
printf("\t\trunning on the current host.\n\n");
-
+#endif
#ifdef HAVE_SECCOMP
printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
printf("\t\tlist. The default list is as follows: mount, umount2,\n");
@@ -294,6 +305,7 @@ void usage(void) {
printf("\n");
+#ifdef HAVE_NETWORK
printf("Traffic Shaping\n\n");
printf("Network bandwidth is an expensive resource shared among all sandboxes\n");
@@ -323,7 +335,7 @@ void usage(void) {
printf("\t$ firejail --bandwidth=mybrowser clear eth0\n");
printf("\n");
printf("\n");
-
+#endif
printf("Monitoring\n\n");
--
cgit v1.2.3-54-g00ecf