From b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Mon, 1 Mar 2021 12:40:02 +0100
Subject: [PATCH] Add ./configure --enable-force-nonewprivs

This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
---
 configure | 18 ++++++++++++++++++
 configure.ac | 9 +++++++++
 src/common.mk.in | 3 ++-
 src/firejail/checkcfg.c | 8 ++++++++
 src/firejail/sandbox.c | 7 ++++++-
 5 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index 952f7af9b54..7ef95075e92 100755
--- a/configure
+++ b/configure
@@ -628,6 +628,7 @@ EGREP
 GREP
 CPP
 HAVE_LTS
+HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
@@ -731,6 +732,7 @@ enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
 enable_contrib_install
+enable_force_nonewprivs
 enable_lts
 '
 ac_precious_vars='build_alias
@@ -1391,6 +1393,8 @@ Optional Features:
 --enable-gcov Gcov instrumentation
 --enable-contrib-install
 install contrib scripts
+ --enable-force-nonewprivs
+ enable force nonewprivs
 --enable-lts enable long-term support software version (LTS)
 
 Some influential environment variables:
@@ -3825,6 +3829,19 @@ else
 
 fi
 
+HAVE_FORCE_NONEWPRIVS=""
+# Check whether --enable-force-nonewprivs was given.
+if test "${enable_force_nonewprivs+set}" = set; then :
+ enableval=$enable_force_nonewprivs;
+fi
+
+if test "x$enable_force_nonewprivs" = "xyes"; then :
+
+ HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+
+
+fi
+
 HAVE_LTS=""
 # Check whether --enable-lts was given.
 if test "${enable_lts+set}" = set; then :
@@ -5573,6 +5590,7 @@ echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
 echo " Install as a SUID executable: $HAVE_SUID"
 echo " LTS: $HAVE_LTS"
+echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
 
 
diff --git a/configure.ac b/configure.ac
index 449b8b436c9..2654a26998e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -228,6 +228,14 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
 )
 AC_SUBST(HAVE_CONTRIB_INSTALL)
 
+HAVE_FORCE_NONEWPRIVS=""
+AC_ARG_ENABLE([force-nonewprivs],
+ AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs]))
+AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
+ HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+ AC_SUBST(HAVE_FORCE_NONEWPRIVS)
+])
+
 HAVE_LTS=""
 AC_ARG_ENABLE([lts],
 AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
@@ -330,6 +338,7 @@ echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
 echo " Install as a SUID executable: $HAVE_SUID"
 echo " LTS: $HAVE_LTS"
+echo " Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
 
 
diff --git a/src/common.mk.in b/src/common.mk.in
index eae4138c066..a3df4abb635 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -27,6 +27,7 @@ HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
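Review bot: `AC_SUBST(HAVE_FORCE_NONEWPRIVS)` is placed inside the AS_IF branch, which reads as if the substitution only happens when the option is enabled; AC_SUBST is expanded by autoconf regardless of the shell branch (the generated configure lists HAVE_FORCE_NONEWPRIVS in ac_subst_vars unconditionally), so the placement is misleading and differs from the `AC_SUBST(HAVE_CONTRIB_INSTALL)` two lines above. Move it out of the branch, after the closing `])`, as a plain `AC_SUBST(HAVE_FORCE_NONEWPRIVS)`. The option is also described three different ways — `enable force nonewprivs` in the help string here, `Always enforce filters` in the summary line of the second hunk, and `Always force nonewprivs support` in src/firejail/checkcfg.c — while the commit message says it forces caps.drop all and nogroups too. One wording used in all three places, e.g. `[always enforce nonewprivs, caps.drop all and nogroups]`, would tell a packager what the build actually changes.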
@@ -36,7 +37,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 9d327933f9a..a277e76d93c 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -386,6 +386,14 @@ void print_compiletime_support(void) {
 "enabled"
 #else
 "disabled"
+#endif
+ );
+
+ printf("\t- Always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
+ "enabled"
+#else
+ "disabled"
 #endif
 );
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ff5f4cb1e3d..e320e77f9ad 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -795,11 +795,16 @@ int sandbox(void* sandbox_arg) {
 exit(rv);
 }
 
+#ifdef HAVE_FORCE_NONEWPRIVS
+ bool always_enforce_filters = true;
+#else
+ bool always_enforce_filters = false;
+#endif
 // need ld.so.preload if tracing or seccomp with any non-default lists
 bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
 // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
 // and drop all capabilities
- if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+ if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
 enforce_filters();
 need_preload = arg_trace || arg_tracelog;
 }
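Review bot: The rewritten `if` line keeps the `getuid() != 0` guard, so with HAVE_FORCE_NONEWPRIVS defined a sandbox started by root still skips enforce_filters() at this call site, while the commit message and the configure summary promise that nonewprivs, caps.drop all and nogroups are always set. If excluding root is intentional (it mirrors the existing --appimage/--chroot/--overlay handling), the option description and the comment above the condition should say so, e.g. `// for --appimage, --chroot and --overlay*, and for every non-root sandbox when built with --enable-force-nonewprivs, we force NO_NEW_PRIVS`; if it is not, the new flag needs to sit outside the uid guard: `if ((getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) || always_enforce_filters) {`. The diffstat carries no man page or release-notes change, so the user-visible effect of the build option — profiles can no longer opt out of these three restrictions — is not documented anywhere a packager would look. sandbox() begins before and continues after this hunk.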