bringing back --private-home

onny · Sep 4, 2016 · 6aad9ad · 6aad9ad
1 parent ae1649c
commit 6aad9ad
Show file tree

Hide file tree

Showing 16 changed files with 446 additions and 147 deletions.
diff --git a/README b/README
@@ -87,7 +87,7 @@ greigdp (https://github.com/greigdp)
 Laurent Declercq (https://github.com/nuxwin)
  - fixed test for shell interpreter in chroots
 Franco (nextime) Lanza (https://github.com/nextime)
- - added --private-template
+ - added --private-template/--private-home
 xee5ch (https://github.com/xee5ch)
  - skypeforlinux profile
 Peter Hogg (https://github.com/pigmonkey)

diff --git a/README.md b/README.md
@@ -38,6 +38,8 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
 
 Version 0.9.41~rc1 was released.
 
+## Bringing back --private-home
+
 ## Deprecated --user
 
 --user option was deprecated, please use "sudo -u username firejail application" instead.

diff --git a/RELNOTES b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * security: tighten --chroot, submitted by Jann Horn
  * security: terminal sandbox escape, submitted by Stephan Sokolow
  * security: several TOCTOU fixes submitted by Aleksey Manevich
+ * modifs: bringing back --private-home option
  * modifs: deprecated --user option, please use "sudo -u username firejail"
  * modifs: allow symlinks in home directory for --whitelist option
  * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"

diff --git a/configure b/configure
@@ -636,6 +636,7 @@ HAVE_GLOBALCFG
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
+HAVE_PRIVATE_HOME
 HAVE_OVERLAYFS
 EXTRA_LDFLAGS
 EGREP
@@ -696,6 +697,7 @@ ac_user_opts='
 enable_option_checking
 enable_apparmor
 enable_overlayfs
+enable_private_home
 enable_seccomp
 enable_chroot
 enable_bind
@@ -1328,6 +1330,7 @@ Optional Features:
  --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
  --enable-apparmor enable apparmor
  --disable-overlayfs disable overlayfs
+ --disable-private-home disable private home feature
  --disable-seccomp disable seccomp
  --disable-chroot disable chroot
  --disable-bind disable bind
@@ -3525,6 +3528,19 @@ if test "x$enable_overlayfs" != "xno"; then :
  HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
 
 
+fi
+
+HAVE_PRIVATEHOME=""
+# Check whether --enable-private-home was given.
+if test "${enable_private_home+set}" = set; then :
+ enableval=$enable_private_home;
+fi
+
+if test "x$enable_private_home" != "xno"; then :
+
+ HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
+
+
 fi
 
 HAVE_SECCOMP=""
@@ -4937,6 +4953,7 @@ echo " network: $HAVE_NETWORK"
 echo " user namespace: $HAVE_USERNS"
 echo " X11 sandboxing support: $HAVE_X11"
 echo " whitelisting: $HAVE_WHITELIST"
+echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"

diff --git a/configure.ac b/configure.ac
@@ -38,6 +38,14 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [
  AC_SUBST(HAVE_OVERLAYFS)
 ])
 
+HAVE_PRIVATEHOME=""
+AC_ARG_ENABLE([private-home],
+ AS_HELP_STRING([--disable-private-home], [disable private home feature]))
+AS_IF([test "x$enable_private_home" != "xno"], [
+ HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
+ AC_SUBST(HAVE_PRIVATE_HOME)
+])
+
 HAVE_SECCOMP=""
 AC_ARG_ENABLE([seccomp],
  AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
@@ -163,6 +171,7 @@ echo " network: $HAVE_NETWORK"
 echo " user namespace: $HAVE_USERNS"
 echo " X11 sandboxing support: $HAVE_X11"
 echo " whitelisting: $HAVE_WHITELIST"
+echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"

diff --git a/etc/firejail.config b/etc/firejail.config
@@ -29,6 +29,9 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Enable or disable private-home feature, default enabled
+# private-home yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
@@ -20,13 +20,14 @@ HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -241,6 +241,14 @@ int checkcfg(int val) {
  else
  goto errout;
  }
+ else if (strncmp(ptr, "private-home ", 13) == 0) {
+ if (strcmp(ptr + 13, "yes") == 0)
+ cfg_val[CFG_PRIVATE_HOME] = 1;
+ else if (strcmp(ptr + 13, "no") == 0)
+ cfg_val[CFG_PRIVATE_HOME] = 0;
+ else
+ goto errout;
+ }
  else if (strncmp(ptr, "chroot-desktop ", 15) == 0) {
  if (strcmp(ptr + 15, "yes") == 0)
  cfg_val[CFG_CHROOT_DESKTOP] = 1;
@@ -295,14 +303,6 @@ void print_compiletime_support(void) {
 #endif
  );
 
- printf("\t- overlayfs support is %s\n",
-#ifdef HAVE_OVERLAYFS
- "enabled"
-#else
- "disabled"
-#endif
- );
-
  printf("\t- file and directory whitelisting support is %s\n",
 #ifdef HAVE_WHITELIST
  "enabled"
@@ -332,6 +332,22 @@ void print_compiletime_support(void) {
  printf("\t- networking features are available only to root user\n");
 #endif
 
+ printf("\t- overlayfs support is %s\n",
+#ifdef HAVE_OVERLAYFS
+ "enabled"
+#else
+ "disabled"
+#endif
+ );
+
+ printf("\t- private-home support is %s\n",
+#ifdef HAVE_PRIVATE_HOME
+ "enabled"
+#else
+ "disabled"
+#endif
+ );
+
  printf("\t- seccomp-bpf support is %s\n",
 #ifdef HAVE_SECCOMP
  "enabled"

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -180,6 +180,7 @@ typedef struct config_t {
  char *profile_ignore[MAX_PROFILE_IGNORE];
  char *chrootdir; // chroot directory
  char *home_private; // private home directory
+ char *home_private_keep; // keep list for private home directory
  char *etc_private_keep; // keep list for private etc directory
  char *bin_private_keep; // keep list for private bin directory
  char *cwd; // current working directory
@@ -640,7 +641,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_REMOUNT_PROC_SYS 11
 #define CFG_OVERLAYFS 12
 #define CFG_CHROOT_DESKTOP 13
-#define CFG_MAX 14 // this should always be the last entry
+#define CFG_PRIVATE_HOME 14
+#define CFG_MAX 15 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;