[firejail] Add ability to disable user profiles at compile time.
chestnykh committed Feb 28, 2022
1 parent b2c954a commit 565198d
Showing 6 changed files with 48 additions and 5 deletions.
26 changes: 22 additions & 4 deletions configure
@@ -628,6 +628,7 @@ EGREP
GREP
CPP
HAVE_LTS
HAVE_ONLY_SYSCFG_PROFILES
HAVE_FORCE_NONEWPRIVS
HAVE_CONTRIB_INSTALL
HAVE_GCOV
@@ -732,6 +733,7 @@ enable_busybox_workaround
enable_gcov
enable_contrib_install
enable_force_nonewprivs
enable_only_syscfg_profiles
enable_lts
'
ac_precious_vars='build_alias
@@ -1395,6 +1397,8 @@ Optional Features:
install contrib scripts
--enable-force-nonewprivs
enable force nonewprivs
--enable-only-syscfg-profiles
disable profiles in $HOME/.config/firejail
--enable-lts enable long-term support software version (LTS)
Some influential environment variables:
@@ -3434,8 +3438,8 @@ if test "x$enable_apparmor" = "xyes"; then :
HAVE_APPARMOR="-DHAVE_APPARMOR"
pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5
$as_echo_n "checking for libapparmor... " >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
$as_echo_n "checking for AA... " >&6; }
if test -n "$AA_CFLAGS"; then
pkg_cv_AA_CFLAGS="$AA_CFLAGS"
@@ -3475,7 +3479,7 @@ fi
if test $pkg_failed = yes; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@@ -3502,7 +3506,7 @@ Alternatively, you may set the environment variables AA_CFLAGS
and AA_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details." "$LINENO" 5
elif test $pkg_failed = untried; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -3830,6 +3834,19 @@ if test "x$enable_force_nonewprivs" = "xyes"; then :
fi
HAVE_ONLY_SYSCFG_PROFILES=""
# Check whether --enable-only-syscfg-profiles was given.
if test "${enable_only_syscfg_profiles+set}" = set; then :
enableval=$enable_only_syscfg_profiles;
fi
if test "x$enable_only_syscfg_profiles" = "xyes"; then :
HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
fi
HAVE_LTS=""
# Check whether --enable-lts was given.
@@ -5497,6 +5514,7 @@ Configuration options:
Install as a SUID executable: $HAVE_SUID
LTS: $HAVE_LTS
Always enforce filters: $HAVE_FORCE_NONEWPRIVS
Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
EOF
9 changes: 9 additions & 0 deletions configure.ac
@@ -237,6 +237,14 @@ AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
])

HAVE_ONLY_SYSCFG_PROFILES=""
AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
AC_ARG_ENABLE([only-syscfg-profiles],
[AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
])

HAVE_LTS=""
AC_SUBST([HAVE_LTS])
AC_ARG_ENABLE([lts],
@@ -305,6 +313,7 @@ Configuration options:
Install as a SUID executable: $HAVE_SUID
LTS: $HAVE_LTS
Always enforce filters: $HAVE_FORCE_NONEWPRIVS
Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES

EOF

3 changes: 2 additions & 1 deletion src/common.mk.in
@@ -28,6 +28,7 @@ HAVE_USERTMPFS=@HAVE_USERTMPFS@
HAVE_OUTPUT=@HAVE_OUTPUT@
HAVE_LTS=@HAVE_LTS@
HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@

H_FILE_LIST = $(sort $(wildcard *.h))
C_FILE_LIST = $(sort $(wildcard *.c))
@@ -37,7 +38,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
CFLAGS = @CFLAGS@
CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
CFLAGS += $(MANFLAGS)
CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
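Review bot: The new define is appended to `MANFLAGS`, which judging by its name also feeds man-page generation, yet none of the six files changed in this commit is a man page or other user documentation. A build configured with `--enable-only-syscfg-profiles` would presumably still ship documentation saying that profiles are read from `~/.config/firejail`. Consider guarding that text on `HAVE_ONLY_SYSCFG_PROFILES` in the man page sources, so administrators and users can tell from the installed docs that per-user profiles are ignored.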
9 changes: 9 additions & 0 deletions src/firecfg/desktop_files.c
@@ -24,26 +24,35 @@
static int check_profile(const char *name, const char *homedir) {
// build profile name
char *profname1;
#ifndef HAVE_ONLY_SYSCFG_PROFILES
char *profname2;
#endif
if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1)
errExit("asprintf");

#ifndef HAVE_ONLY_SYSCFG_PROFILES
if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1)
errExit("asprintf");
#endif

int rv = 0;
if (access(profname1, R_OK) == 0) {
if (arg_debug)
printf("found %s\n", profname1);
rv = 1;
}
#ifndef HAVE_ONLY_SYSCFG_PROFILES
else if (access(profname2, R_OK) == 0) {
if (arg_debug)
printf("found %s\n", profname2);
rv = 1;
}
#endif

free(profname1);
#ifndef HAVE_ONLY_SYSCFG_PROFILES
free(profname2);
#endif
return rv;
}
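Review bot: When `HAVE_ONLY_SYSCFG_PROFILES` is defined, the `homedir` parameter of `check_profile` is no longer referenced, which can raise an unused-parameter warning and break a build that treats warnings as errors (`HAVE_FATAL_WARNINGS` is part of the CFLAGS); whether that warning is enabled is not visible on this page. The four separate `#ifndef` blocks also spread one decision over the whole function, so a later edit can easily leave `profname2` used outside a guard. Checking the system profile first and keeping the per-user lookup in a single conditional block gives the same result with one guard, as sketched below.

```c
static int check_profile(const char *name, const char *homedir) {
	int rv = 0;
	char *profname;

	// system-wide profile in SYSCONFDIR
	if (asprintf(&profname, "%s/%s.profile", SYSCONFDIR, name) == -1)
		errExit("asprintf");
	if (access(profname, R_OK) == 0) {
		if (arg_debug)
			printf("found %s\n", profname);
		rv = 1;
	}
	free(profname);

#ifndef HAVE_ONLY_SYSCFG_PROFILES
	// per-user profile, consulted only when no system profile exists
	if (!rv) {
		if (asprintf(&profname, "%s/.config/firejail/%s.profile", homedir, name) == -1)
			errExit("asprintf");
		if (access(profname, R_OK) == 0) {
			if (arg_debug)
				printf("found %s\n", profname);
			rv = 1;
		}
		free(profname);
	}
#else
	(void) homedir; // per-user profiles are compiled out
#endif
	return rv;
}
```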

2 changes: 2 additions & 0 deletions src/firejail/fs.c
@@ -825,11 +825,13 @@ void fs_proc_sys_dev_boot(void) {
// disable firejail configuration in ~/.config/firejail
void disable_config(void) {
EUID_USER();
#ifndef HAVE_ONLY_SYSCFG_PROFILES
char *fname;
if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
errExit("asprintf");
disable_file(BLACKLIST_FILE, fname);
free(fname);
#endif

// disable run time information
disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
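Review bot: With the option enabled, `disable_config` no longer blacklists `~/.config/firejail` inside the sandbox, although ignoring user profiles does not require that directory to become visible to sandboxed programs. The directory can still exist on disk, and code outside this hunk, or a later build without the flag, may still read from it, so keeping the `disable_file(BLACKLIST_FILE, fname)` call unconditional is the safer default. If the blacklist is dropped on purpose, the leading comment should say so, for example `// disable firejail configuration in ~/.config/firejail (skipped with HAVE_ONLY_SYSCFG_PROFILES: user profiles are never read)`. The function body continues past the end of the hunk.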
4 changes: 4 additions & 0 deletions src/firejail/profile.c
@@ -72,6 +72,7 @@ static int profile_find(const char *name, const char *dir, int add_ext) {
// search and read the profile specified by name from firejail directories
// return 1 if a profile was found
int profile_find_firejail(const char *name, int add_ext) {
#ifndef HAVE_ONLY_SYSCFG_PROFILES
// look for a profile in ~/.config/firejail directory
char *usercfgdir;
if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
@@ -84,6 +85,9 @@ int profile_find_firejail(const char *name, int add_ext) {
rv = profile_find(name, SYSCONFDIR, add_ext);

return rv;
#else
return profile_find(name, SYSCONFDIR, add_ext);
#endif
}

//***************************************************
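Review bot: In `profile_find_firejail` a profile under `~/.config/firejail` is now skipped without any message, so a user whose own profile is stricter than the system one silently gets the system profile, or none, with no hint why. A short notice in the `#else` branch would make this visible, and the header comment should state the narrowed search, e.g. `// with HAVE_ONLY_SYSCFG_PROFILES only SYSCONFDIR is searched`. This function covers only lookup by name; whether a profile given by explicit path is still accepted is decided outside these hunks and should be checked against the intent of the option. The middle of the function lies between the two hunks and is not shown.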
