From d17ce1322e6e42ca905393545db03a13570da1b0 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 5 Feb 2017 11:50:04 -0500
Subject: disable --git-install at compile time
---
src/firejail/Makefile.in | 3 ++-
src/firejail/checkcfg.c | 8 ++++++++
src/firejail/fs.c | 52 ------------------------------------------------
src/firejail/git.c | 4 ++++
src/firejail/main.c | 2 ++
src/firejail/usage.c | 2 ++
6 files changed, 18 insertions(+), 53 deletions(-)
(limited to 'src')
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 6e5071925..80f35ff4d 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -22,13 +22,14 @@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ HAVE_GCOV=@HAVE_GCOV@ +HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index c3eedc510..73fa6e46b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -351,6 +351,13 @@ void print_compiletime_support(void) { #endif ); + printf("\t- git install support is %s\n", +#ifdef HAVE_GIT_INSTALL + "enabled" +#else + "disabled" +#endif + ); #ifdef HAVE_NETWORK_RESTRICTED printf("\t- networking features are available only to root user\n"); 
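Review bot: In the Makefile.in hunk, `HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@` relies on a configure substitution that this diff (limited to 'src') does not show, so the default state of the feature cannot be confirmed from here. If configure never substitutes the variable, the literal `@HAVE_GIT_INSTALL@` lands in CFLAGS and breaks the compile; if it substitutes `-DHAVE_GIT_INSTALL` unconditionally, the download-compile-install path described in usage.c stays built in. The substitution should expand to nothing unless the builder opts in explicitly. Once that is confirmed, a comment above the variable such as `# empty unless configure was asked for git install support` would record the expectation.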
@@ -395,4 +402,5 @@ void print_compiletime_support(void) { "disabled" #endif ); + } diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 69b9d77bc..2a2e97419 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -572,58 +572,6 @@ void fs_proc_sys_dev_boot(void) { } free(fname); -// todo: investigate -#if 0 - // breaks too many applications, option needed - /* // disable /run/user/{uid}/bus */ - /* char *fnamebus; */ - /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ - /* errExit("asprintf"); */ - /* if (stat(fnamebus, &s) == 0) */ - /* disable_file(BLACKLIST_FILE, fnamebus); */ - /* free(fnamebus); */ - - // WARNING: not working - // disable /run/user/{uid}/kdeinit* - //char *fnamekde; - //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1) - // errExit("asprintf"); - //if (stat(fnamekde, &s) == 0) - // disable_file(BLACKLIST_FILE, fnamekde); - //free(fnamekde); - - - // disable /run/user/{uid}/pulse - /* char *fnamepulse; */ - /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */ - /* errExit("asprintf"); */ - /* if (stat(fnamepulse, &s) == 0) */ - /* disable_file(BLACKLIST_FILE, fnamepulse); */ - /* free(fnamepulse); */ - - // disable /run/user/{uid}/dconf - /* char *fnamedconf; */ - /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */ - /* errExit("asprintf"); */ - /* if (stat(fnamedconf, &s) == 0) */ - /* disable_file(BLACKLIST_FILE, fnamedconf); */ - /* free(fnamedconf); */ - - - // dirs in /run/user/{uid}/ - // using gnome: - // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd - - // using kde: - // kdeinit__0, ... - - // more files with sockets to be blacklisted - // /run/dbus /run/systemd /run/udev /run/lvm - - // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications - -#endif - if (getuid() != 0) { // disable /dev/kmsg and /proc/kmsg disable_file(BLACKLIST_FILE, "/dev/kmsg"); 
diff --git a/src/firejail/git.c b/src/firejail/git.c index 1cfbb1bf4..b67339c8b 100644 --- a/src/firejail/git.c +++ b/src/firejail/git.c @@ -17,6 +17,9 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ + +#ifdef HAVE_GIT_INSTALL + #include "firejail.h" #include #include @@ -84,3 +87,4 @@ void git_uninstall(void) { exit(0); } +#endif // HAVE_GIT_INSTALL diff --git a/src/firejail/main.c b/src/firejail/main.c index ee89a7281..0d4cf2595 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -846,11 +846,13 @@ int main(int argc, char **argv) { EUID_INIT(); EUID_USER(); +#ifdef HAVE_GIT_INSTALL // process git-install and git-uninstall if (check_arg(argc, argv, "--git-install")) git_install(); // this function will not return if (check_arg(argc, argv, "--git-uninstall")) git_uninstall(); // this function will not return +#endif // check argv[0] symlink wrapper if this is not a login shell if (*argv[0] != '-') diff --git a/src/firejail/usage.c b/src/firejail/usage.c index b9fff2011..dc8fcdfef 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -76,9 +76,11 @@ void usage(void) { printf(" --env=name=value - set environment variable.\n"); printf(" --fs.print=name|pid - print the filesystem log.\n"); printf(" --get=name|pid filename - get a file from sandbox container.\n"); +#ifdef HAVE_GIT_INSTALL printf(" --git-install - download, compile and install mainline git version\n"); printf("\tof Firejail.\n"); printf(" --git-uninstall - uninstall mainline git version of Firejail\n"); +#endif printf(" --help, -? - this help screen.\n"); printf(" --hostname=name - set sandbox hostname.\n"); printf(" --hosts-file=file - use file as /etc/hosts.\n"); -- cgit v1.2.3-70-g09d2
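Review bot: In git.c the opening `#ifdef HAVE_GIT_INSTALL` sits above `#include "firejail.h"`, so a build without the macro compiles an empty translation unit, which ISO C does not permit and which pedantic builds warn about. With `$(HAVE_FATAL_WARNINGS)` in CFLAGS, that warning could become a build failure if pedantic diagnostics are ever enabled. Placing the guard after the include, `#include "firejail.h"` followed by `#ifdef HAVE_GIT_INSTALL`, avoids this, assuming the header declares at least one symbol. The prototypes for `git_install()` and `git_uninstall()` live outside this diff (presumably in firejail.h); guarding them with the same macro would make an unguarded caller fail at compile time rather than at link time.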
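Review bot: In the main.c hunk, once the `#ifdef HAVE_GIT_INSTALL` block is compiled out, `--git-install` and `--git-uninstall` get no dedicated handling and fall through to the later option processing in main(). That code is outside the hunk, so what the user sees cannot be confirmed here. An `#else` branch that refuses both flags with an explicit "disabled at compile time" error would tell an administrator why the option is gone. It would also make both build variants stop at the same early point, right after `EUID_USER()` and before the argv[0] symlink check. main() starts and ends outside the hunk.

```c
#ifdef HAVE_GIT_INSTALL
	// ... unchanged: git_install() / git_uninstall() dispatch ...
#else
	// feature compiled out: refuse the flags here instead of relying on the generic parser
	if (check_arg(argc, argv, "--git-install") ||
	    check_arg(argc, argv, "--git-uninstall")) {
		fprintf(stderr, "Error: git install support was disabled at compile time\n");
		exit(1);
	}
#endif
```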