diff --git a/configure b/configure index 71641878503..6611a8817f4 100755 --- a/configure +++ b/configure @@ -628,6 +628,7 @@ EGREP GREP CPP HAVE_LTS +HAVE_ONLY_SYSCFG_PROFILES HAVE_FORCE_NONEWPRIVS HAVE_CONTRIB_INSTALL HAVE_GCOV @@ -732,6 +733,7 @@ enable_busybox_workaround enable_gcov enable_contrib_install enable_force_nonewprivs +enable_only_syscfg_profiles enable_lts ' ac_precious_vars='build_alias @@ -1395,6 +1397,8 @@ Optional Features: install contrib scripts --enable-force-nonewprivs enable force nonewprivs + --enable-only-syscfg-profiles + disable profiles in $HOME/.config/firejail --enable-lts enable long-term support software version (LTS) Some influential environment variables: @@ -3830,6 +3834,19 @@ if test "x$enable_force_nonewprivs" = "xyes"; then : fi +HAVE_ONLY_SYSCFG_PROFILES="" + +# Check whether --enable-only-syscfg-profiles was given. +if test "${enable_only_syscfg_profiles+set}" = set; then : + enableval=$enable_only_syscfg_profiles; +fi + +if test "x$enable_only_syscfg_profiles" = "xyes"; then : + + HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" + +fi + HAVE_LTS="" # Check whether --enable-lts was given. @@ -5497,6 +5514,7 @@ Configuration options: Install as a SUID executable: $HAVE_SUID LTS: $HAVE_LTS Always enforce filters: $HAVE_FORCE_NONEWPRIVS + Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES EOF diff --git a/configure.ac b/configure.ac index 0ae9362ccb8..4ca30e6d70c 100644 --- a/configure.ac +++ b/configure.ac @@ -237,6 +237,14 @@ AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [ HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" ]) +HAVE_ONLY_SYSCFG_PROFILES="" +AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES]) +AC_ARG_ENABLE([only-syscfg-profiles], + [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])]) +AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [ + HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" +]) + HAVE_LTS="" AC_SUBST([HAVE_LTS]) AC_ARG_ENABLE([lts], 
@@ -305,6 +313,7 @@ Configuration options: Install as a SUID executable: $HAVE_SUID LTS: $HAVE_LTS Always enforce filters: $HAVE_FORCE_NONEWPRIVS + Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES EOF diff --git a/src/common.mk.in b/src/common.mk.in index c55c26f42d3..38c05bc69bc 100644 --- a/src/common.mk.in +++ b/src/common.mk.in @@ -28,6 +28,7 @@ HAVE_USERTMPFS=@HAVE_USERTMPFS@ HAVE_OUTPUT=@HAVE_OUTPUT@ HAVE_LTS=@HAVE_LTS@ HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ +HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) @@ -37,7 +38,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS = @CFLAGS@ CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"' -MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) +MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) CFLAGS += $(MANFLAGS) CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index d434cb95eef..408662907af 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c 
@@ -24,11 +24,16 @@ static int check_profile(const char *name, const char *homedir) { // build profile name char *profname1; +#ifndef HAVE_ONLY_SYSCFG_PROFILES char *profname2; +#endif if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1) errExit("asprintf"); + +#ifndef HAVE_ONLY_SYSCFG_PROFILES if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1) errExit("asprintf"); +#endif int rv = 0; if (access(profname1, R_OK) == 0) { @@ -36,14 +41,18 @@ static int check_profile(const char *name, const char *homedir) { printf("found %s\n", profname1); rv = 1; } +#ifndef HAVE_ONLY_SYSCFG_PROFILES else if (access(profname2, R_OK) == 0) { if (arg_debug) printf("found %s\n", profname2); rv = 1; } +#endif free(profname1); +#ifndef HAVE_ONLY_SYSCFG_PROFILES free(profname2); +#endif return rv; } diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 04ea715cd69..c03cd7a12ea 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -825,11 +825,13 @@ void fs_proc_sys_dev_boot(void) { // disable firejail configuration in ~/.config/firejail void disable_config(void) { EUID_USER(); +#ifndef HAVE_ONLY_SYSCFG_PROFILES char *fname; if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1) errExit("asprintf"); disable_file(BLACKLIST_FILE, fname); free(fname); +#endif // disable run time information disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 794668dc688..0e182955943 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -72,6 +72,7 @@ static int profile_find(const char *name, const char *dir, int add_ext) { // search and read the profile specified by name from firejail directories // return 1 if a profile was found int profile_find_firejail(const char *name, int add_ext) { +#ifndef HAVE_ONLY_SYSCFG_PROFILES // look for a profile in ~/.config/firejail directory char *usercfgdir; if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) 
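Review bot: With HAVE_ONLY_SYSCFG_PROFILES defined, nothing in check_profile() references the `homedir` parameter any more. If the build enables unused-parameter warnings (for example through `-Wextra`) together with the fatal-warnings flag that common.mk.in passes, the hardened configuration will warn or fail to compile. Adding an `#else` arm with `(void) homedir;` to the first guard keeps both configurations clean. The same decision is also spread over four `#ifndef` blocks across the two hunks of this file; declaring `char *profname2 = NULL;` unconditionally would let `free(profname2);` stay unguarded and leave only the `asprintf` and the `else if` branch conditional.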
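Review bot: In disable_config(), a build with HAVE_ONLY_SYSCFG_PROFILES no longer blacklists `~/.config/firejail` inside the sandbox, because `disable_file(BLACKLIST_FILE, fname);` is compiled out along with the path construction. The blacklist keeps sandboxed programs away from that directory regardless of whether this binary reads profiles from it, and anything written there would presumably be picked up again by a build configured without the flag. Unless there is a reason to drop it, keep the block unconditional and remove the `#ifndef`/`#endif` pair from this function. If the removal is intended, the comment above the function should say so, e.g. `// disable firejail configuration in ~/.config/firejail (not blacklisted when built with HAVE_ONLY_SYSCFG_PROFILES)`. The function body continues past the end of the hunk.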
@@ -84,6 +85,9 @@ int profile_find_firejail(const char *name, int add_ext) { rv = profile_find(name, SYSCONFDIR, add_ext); return rv; +#else + return profile_find(name, SYSCONFDIR, add_ext); +#endif } //***************************************************
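Review bot: The `#ifndef`/`#else` pair in profile_find_firejail(), opened in the previous hunk and closed here, only restricts lookups that pass through this function. Whether a `--profile=` argument with an explicit path or an `include` line in a profile can still pull in files from user-writable locations is not visible in these two hunks, and should be checked before the option is described as disabling user profiles. A comment on the `#else` arm would record the intent, e.g. `// HAVE_ONLY_SYSCFG_PROFILES: search SYSCONFDIR only, ignore ~/.config/firejail`. The call `profile_find(name, SYSCONFDIR, add_ext)` now appears in both arms; guarding only the user-directory lookup would leave a single system-directory call. The middle of the function lies outside both hunks.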