Add ability to disable user profiles at compile time

configure

@@ -628,6 +628,7 @@ EGREP
 GREP
 CPP
 HAVE_LTS
+HAVE_ONLY_SYSCFG_PROFILES
 HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
@@ -732,6 +733,7 @@ enable_busybox_workaround
 enable_gcov
 enable_contrib_install
 enable_force_nonewprivs
+enable_only_syscfg_profiles
 enable_lts
 '
  ac_precious_vars='build_alias
@@ -1395,6 +1397,8 @@ Optional Features:
  install contrib scripts
  --enable-force-nonewprivs
  enable force nonewprivs
+ --enable-only-syscfg-profiles
+ disable profiles in $HOME/.config/firejail
  --enable-lts enable long-term support software version (LTS)
 
 Some influential environment variables:
@@ -3830,6 +3834,19 @@ if test "x$enable_force_nonewprivs" = "xyes"; then :
 
 fi
 
+HAVE_ONLY_SYSCFG_PROFILES=""
+
+# Check whether --enable-only-syscfg-profiles was given.
+if test "${enable_only_syscfg_profiles+set}" = set; then :
+ enableval=$enable_only_syscfg_profiles;
+fi
+
+if test "x$enable_only_syscfg_profiles" = "xyes"; then :
+
+ HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
+
+fi
+
 HAVE_LTS=""
 
 # Check whether --enable-lts was given.
@@ -5497,6 +5514,7 @@ Configuration options:
  Install as a SUID executable: $HAVE_SUID
  LTS: $HAVE_LTS
  Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+ Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
 
 EOF
 

configure.ac

@@ -237,6 +237,14 @@ AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
  HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
 ])
 
+HAVE_ONLY_SYSCFG_PROFILES=""
+AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
+AC_ARG_ENABLE([only-syscfg-profiles],
+ [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
+AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
+ HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
+])
+
 HAVE_LTS=""
 AC_SUBST([HAVE_LTS])
 AC_ARG_ENABLE([lts],
@@ -305,6 +313,7 @@ Configuration options:
  Install as a SUID executable: $HAVE_SUID
  LTS: $HAVE_LTS
  Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+ Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
 
 EOF
 

src/common.mk.in

@@ -28,6 +28,7 @@ HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
 HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
+HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
 
 H_FILE_LIST = $(sort $(wildcard *.h))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -37,7 +38,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now

src/firecfg/desktop_files.c

@@ -24,26 +24,35 @@
 static int check_profile(const char *name, const char *homedir) {
  // build profile name
  char *profname1;
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
  char *profname2;
+#endif
  if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1)
  errExit("asprintf");
+
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
  if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1)
  errExit("asprintf");
+#endif
 
  int rv = 0;
  if (access(profname1, R_OK) == 0) {
  if (arg_debug)
  printf("found %s\n", profname1);
  rv = 1;
  }
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
  else if (access(profname2, R_OK) == 0) {
  if (arg_debug)
  printf("found %s\n", profname2);
  rv = 1;
  }
+#endif
 
  free(profname1);
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
  free(profname2);
+#endif
  return rv;
 }
 

src/firejail/fs.c

@@ -825,11 +825,13 @@ void fs_proc_sys_dev_boot(void) {
 // disable firejail configuration in ~/.config/firejail
 void disable_config(void) {
  EUID_USER();
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
  char *fname;
  if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
  errExit("asprintf");
  disable_file(BLACKLIST_FILE, fname);
  free(fname);
+#endif
 
  // disable run time information
  disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);

src/firejail/profile.c

@@ -72,6 +72,7 @@ static int profile_find(const char *name, const char *dir, int add_ext) {
 // search and read the profile specified by name from firejail directories
 // return 1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
  // look for a profile in ~/.config/firejail directory
  char *usercfgdir;
  if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
@@ -84,6 +85,9 @@ int profile_find_firejail(const char *name, int add_ext) {
  rv = profile_find(name, SYSCONFDIR, add_ext);
 
  return rv;
+#else
+ return profile_find(name, SYSCONFDIR, add_ext);
+#endif
 }
 
 //***************************************************