Add ./configure --enable-force-nonewprivs

This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
netblue30 · Mar 1, 2021 · b02d8f9 · b02d8f9
1 parent f09bb2a
commit b02d8f9
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 2 deletions.
diff --git a/configure b/configure
@@ -628,6 +628,7 @@ EGREP
 GREP
 CPP
 HAVE_LTS
+HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
@@ -731,6 +732,7 @@ enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
 enable_contrib_install
+enable_force_nonewprivs
 enable_lts
 '
  ac_precious_vars='build_alias
@@ -1391,6 +1393,8 @@ Optional Features:
  --enable-gcov Gcov instrumentation
  --enable-contrib-install
  install contrib scripts
+ --enable-force-nonewprivs
+ enable force nonewprivs
  --enable-lts enable long-term support software version (LTS)
 
 Some influential environment variables:
@@ -3825,6 +3829,19 @@ else
 fi
 
 
+HAVE_FORCE_NONEWPRIVS=""
+# Check whether --enable-force-nonewprivs was given.
+if test "${enable_force_nonewprivs+set}" = set; then :
+ enableval=$enable_force_nonewprivs;
+fi
+
+if test "x$enable_force_nonewprivs" = "xyes"; then :
+
+ HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+
+
+fi
+
 HAVE_LTS=""
 # Check whether --enable-lts was given.
 if test "${enable_lts+set}" = set; then :
@@ -5573,6 +5590,7 @@ echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
 echo " Install as a SUID executable: $HAVE_SUID"
 echo " LTS: $HAVE_LTS"
+echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
 
 

diff --git a/configure.ac b/configure.ac
@@ -228,6 +228,14 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
 )
 AC_SUBST(HAVE_CONTRIB_INSTALL)
 
+HAVE_FORCE_NONEWPRIVS=""
+AC_ARG_ENABLE([force-nonewprivs],
+ AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs]))
+AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
+ HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+ AC_SUBST(HAVE_FORCE_NONEWPRIVS)
+])
+
 HAVE_LTS=""
 AC_ARG_ENABLE([lts],
  AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
@@ -330,6 +338,7 @@ echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
 echo " Install as a SUID executable: $HAVE_SUID"
 echo " LTS: $HAVE_LTS"
+echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
 
 

diff --git a/src/common.mk.in b/src/common.mk.in
@@ -27,6 +27,7 @@ HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -36,7 +37,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -386,6 +386,14 @@ void print_compiletime_support(void) {
  "enabled"
 #else
  "disabled"
+#endif
+ );
+
+ printf("\t- Always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
+ "enabled"
+#else
+ "disabled"
 #endif
  );
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -795,11 +795,16 @@ int sandbox(void* sandbox_arg) {
  exit(rv);
  }
 
+#ifdef HAVE_FORCE_NONEWPRIVS
+ bool always_enforce_filters = true;
+#else
+ bool always_enforce_filters = false;
+#endif
  // need ld.so.preload if tracing or seccomp with any non-default lists
  bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
  // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
  // and drop all capabilities
- if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+ if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
  enforce_filters();
  need_preload = arg_trace || arg_tracelog;
  }