compile time: enable LTS
startx2017 committed Feb 28, 2021
1 parent 72ba0b7 commit d1acb31
Showing 4 changed files with 178 additions and 20 deletions.
100 changes: 89 additions & 11 deletions configure
Expand Up @@ -627,7 +627,7 @@ LIBOBJS
EGREP
GREP
CPP
HAVE_SELINUX
HAVE_LTS
HAVE_CONTRIB_INSTALL
HAVE_GCOV
BUSYBOX_WORKAROUND
Expand All @@ -650,6 +650,7 @@ HAVE_OVERLAYFS
HAVE_DBUSPROXY
EXTRA_LDFLAGS
EXTRA_CFLAGS
HAVE_SELINUX
HAVE_APPARMOR
AA_LIBS
AA_CFLAGS
Expand Down Expand Up @@ -711,6 +712,7 @@ ac_user_opts='
enable_option_checking
enable_analyzer
enable_apparmor
enable_selinux
enable_dbusproxy
enable_output
enable_usertmpfs
Expand All @@ -729,7 +731,7 @@ enable_fatal_warnings
enable_busybox_workaround
enable_gcov
enable_contrib_install
enable_selinux
enable_lts
'
ac_precious_vars='build_alias
host_alias
Expand Down Expand Up @@ -1367,6 +1369,7 @@ Optional Features:
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-analyzer enable GCC 10 static analyzer
--enable-apparmor enable apparmor
--enable-selinux SELinux labeling support
--disable-dbusproxy disable dbus proxy
--disable-output disable --output logging
--disable-usertmpfs disable tmpfs as regular user
Expand All @@ -1388,7 +1391,7 @@ Optional Features:
--enable-gcov Gcov instrumentation
--enable-contrib-install
install contrib scripts
--enable-selinux SELinux labeling support
--enable-lts enable long-term support software version (LTS)
Some influential environment variables:
CC C compiler command
Expand Down Expand Up @@ -3514,6 +3517,20 @@ fi

fi

HAVE_SELINUX=""
# Check whether --enable-selinux was given.
if test "${enable_selinux+set}" = set; then :
enableval=$enable_selinux;
fi

if test "x$enable_selinux" = "xyes"; then :

HAVE_SELINUX="-DHAVE_SELINUX"
EXTRA_LDFLAGS+=" -lselinux "


fi




Expand Down Expand Up @@ -3808,20 +3825,67 @@ else
fi


HAVE_SELINUX=""
# Check whether --enable-selinux was given.
if test "${enable_selinux+set}" = set; then :
enableval=$enable_selinux;
HAVE_LTS=""
# Check whether --enable-lts was given.
if test "${enable_lts+set}" = set; then :
enableval=$enable_lts;
fi

if test "x$enable_selinux" = "xyes"; then :
if test "x$enable_lts" = "xyes"; then :

HAVE_LTS="-DHAVE_LTS"


HAVE_DBUSPROXY=""


HAVE_OVERLAYFS=""


HAVE_OUTPUT=""

HAVE_SELINUX="-DHAVE_SELINUX"
EXTRA_LDFLAGS+=" -lselinux "

HAVE_USERTMPFS=""


HAVE_MAN="-DHAVE_MAN"


HAVE_FIRETUNNEL=""


HAVE_PRIVATEHOME=""


HAVE_CHROOT=""


HAVE_GLOBALCFG=""


HAVE_USERNS=""


HAVE_X11=""


HAVE_FILE_TRANSFER=""


HAVE_SUID="yes"


BUSYBOX_WORKAROUND="no"


HAVE_CONTRIB_INSTALL="no",


fi




# checking pthread library
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
$as_echo_n "checking for main in -lpthread... " >&6; }
Expand Down Expand Up @@ -5485,6 +5549,7 @@ echo "Configuration options:"
echo " prefix: $prefix"
echo " sysconfdir: $sysconfdir"
echo " apparmor: $HAVE_APPARMOR"
echo " SELinux labeling support: $HAVE_SELINUX"
echo " global config: $HAVE_GLOBALCFG"
echo " chroot: $HAVE_CHROOT"
echo " network: $HAVE_NETWORK"
Expand All @@ -5506,6 +5571,19 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
echo " fatal warnings: $HAVE_FATAL_WARNINGS"
echo " Gcov instrumentation: $HAVE_GCOV"
echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
echo " SELinux labeling support: $HAVE_SELINUX"
echo " Install as a SUID executable: $HAVE_SUID"
echo " LTS: $HAVE_LTS"
echo
if test "$HAVE_LTS" = -DHAVE_LTS; then
echo
echo
echo "*********************************************************"
echo "* Warning: Long-term support (LTS) was enabled! *"
echo "* Most compile-time options have bean rewritten! *"
echo "*********************************************************"
echo
echo
fi
86 changes: 78 additions & 8 deletions configure.ac
Expand Up @@ -54,6 +54,15 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [
AC_SUBST(HAVE_APPARMOR)
])

HAVE_SELINUX=""
AC_ARG_ENABLE([selinux],
AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
AS_IF([test "x$enable_selinux" = "xyes"], [
HAVE_SELINUX="-DHAVE_SELINUX"
EXTRA_LDFLAGS+=" -lselinux "
AC_SUBST(HAVE_SELINUX)
])

AC_SUBST([EXTRA_CFLAGS])
AC_SUBST([EXTRA_LDFLAGS])

Expand Down Expand Up @@ -219,15 +228,62 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
)
AC_SUBST(HAVE_CONTRIB_INSTALL)

HAVE_SELINUX=""
AC_ARG_ENABLE([selinux],
AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
AS_IF([test "x$enable_selinux" = "xyes"], [
HAVE_SELINUX="-DHAVE_SELINUX"
EXTRA_LDFLAGS+=" -lselinux "
AC_SUBST(HAVE_SELINUX)
HAVE_LTS=""
AC_ARG_ENABLE([lts],
AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
AS_IF([test "x$enable_lts" = "xyes"], [
HAVE_LTS="-DHAVE_LTS"
AC_SUBST(HAVE_LTS)
HAVE_DBUSPROXY=""
AC_SUBST(HAVE_DBUSPROXY)
HAVE_OVERLAYFS=""
AC_SUBST(HAVE_OVERLAYFS)
HAVE_OUTPUT=""
AC_SUBST(HAVE_OUTPUT)
HAVE_USERTMPFS=""
AC_SUBST(HAVE_USERTMPFS)
HAVE_MAN="-DHAVE_MAN"
AC_SUBST(HAVE_MAN)
HAVE_FIRETUNNEL=""
AC_SUBST(HAVE_FIRETUNNEL)
HAVE_PRIVATEHOME=""
AC_SUBST(HAVE_PRIVATE_HOME)
HAVE_CHROOT=""
AC_SUBST(HAVE_CHROOT)
HAVE_GLOBALCFG=""
AC_SUBST(HAVE_GLOBALCFG)
HAVE_USERNS=""
AC_SUBST(HAVE_USERNS)
HAVE_X11=""
AC_SUBST(HAVE_X11)
HAVE_FILE_TRANSFER=""
AC_SUBST(HAVE_FILE_TRANSFER)
HAVE_SUID="yes"
AC_SUBST(HAVE_SUID)
BUSYBOX_WORKAROUND="no"
AC_SUBST(BUSYBOX_WORKAROUND)
HAVE_CONTRIB_INSTALL="no",
AC_SUBST(HAVE_CONTRIB_INSTALL)
])




# checking pthread library
AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
Expand All @@ -250,6 +306,7 @@ echo "Configuration options:"
echo " prefix: $prefix"
echo " sysconfdir: $sysconfdir"
echo " apparmor: $HAVE_APPARMOR"
echo " SELinux labeling support: $HAVE_SELINUX"
echo " global config: $HAVE_GLOBALCFG"
echo " chroot: $HAVE_CHROOT"
echo " network: $HAVE_NETWORK"
Expand All @@ -271,6 +328,19 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
echo " fatal warnings: $HAVE_FATAL_WARNINGS"
echo " Gcov instrumentation: $HAVE_GCOV"
echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
echo " SELinux labeling support: $HAVE_SELINUX"
echo " Install as a SUID executable: $HAVE_SUID"
echo " LTS: $HAVE_LTS"
echo


if test "$HAVE_LTS" = -DHAVE_LTS; then
echo
echo
echo "*********************************************************"
echo "* Warning: Long-term support (LTS) was enabled! *"
echo "* Most compile-time options have bean rewritten! *"
echo "*********************************************************"
echo
echo
fi
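Review bot: In the `--enable-lts` block, `HAVE_PRIVATEHOME=""` is followed by `AC_SUBST(HAVE_PRIVATE_HOME)`, so the variable that is actually substituted (and that `MANFLAGS` in src/common.mk.in reads as `$(HAVE_PRIVATE_HOME)`) is never cleared. If private-home is enabled earlier in the script, which is not visible in this hunk, it would presumably stay compiled into the LTS SUID binary despite the stated goal of reducing its attack surface; the assignment should read `HAVE_PRIVATE_HOME=""`. A few lines below, `HAVE_CONTRIB_INSTALL="no",` has a stray trailing comma that the shell appends to the value (`no,`), so any later comparison against `no` will not match; it should be `HAVE_CONTRIB_INSTALL="no"`. The warning banner also reads "have bean rewritten", presumably meant as "have been overridden". The generated configure carries the same three lines and needs regenerating once configure.ac is fixed.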

3 changes: 2 additions & 1 deletion src/common.mk.in
Expand Up @@ -26,6 +26,7 @@ HAVE_SELINUX=@HAVE_SELINUX@
HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
HAVE_USERTMPFS=@HAVE_USERTMPFS@
HAVE_OUTPUT=@HAVE_OUTPUT@
HAVE_LTS=@HAVE_LTS@

H_FILE_LIST = $(sort $(wildcard *.[h]))
C_FILE_LIST = $(sort $(wildcard *.c))
Expand All @@ -35,7 +36,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
CFLAGS = @CFLAGS@
CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
MANFLAGS = $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
CFLAGS += $(MANFLAGS)
CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
9 changes: 9 additions & 0 deletions src/man/firejail.txt
Expand Up @@ -42,6 +42,15 @@ Miscellaneous:
firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
.RE
.SH DESCRIPTION
#ifdef HAVE_LTS
This is Firejail long-term support (LTS), an enterprise focused version of the software,
LTS is usually supported for two or three years.
During this time only bugs and the occasional documentation problems are fixed.
The attack surface of the SUID executable was greatly reduced by removing some of the features.
.br

.br
#endif
Firejail is a SUID sandbox program that reduces the risk of security breaches by
restricting the running environment of untrusted applications using Linux
namespaces, seccomp-bpf and Linux capabilities.
