disable --git-install at compile time

onny · Feb 5, 2017 · d17ce13 · d17ce13
1 parent a387dee
commit d17ce13
Show file tree

Hide file tree

Showing 8 changed files with 42 additions and 53 deletions.
diff --git a/configure b/configure
@@ -625,6 +625,7 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 HAVE_SECCOMP_H
+HAVE_GIT_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
@@ -711,6 +712,7 @@ enable_whitelist
 enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
+enable_git_install
 '
  ac_precious_vars='build_alias
 host_alias
@@ -1349,6 +1351,7 @@ Optional Features:
  --enable-busybox-workaround
  enable busybox workaround
  --enable-gcov Gcov instrumentation
+ --disable-git-install disable git install feature
 
 Some influential environment variables:
  CC C compiler command
@@ -3710,6 +3713,18 @@ if test "x$enable_gcov" = "xyes"; then :
 
 fi
 
+HAVE_GIT_INSTALL=""
+# Check whether --enable-git-install was given.
+if test "${enable_git_install+set}" = set; then :
+ enableval=$enable_git_install;
+fi
+
+if test "x$enable_git_install" != "xno"; then :
+
+ HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL"
+
+
+fi
 
 
 # checking pthread library
@@ -4971,6 +4986,7 @@ echo " whitelisting: $HAVE_WHITELIST"
 echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
+echo " git install support: $HAVE_GIT_INSTALL"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"
 echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"

diff --git a/configure.ac b/configure.ac
@@ -145,6 +145,13 @@ AS_IF([test "x$enable_gcov" = "xyes"], [
  AC_SUBST(HAVE_GCOV)
 ])
 
+HAVE_GIT_INSTALL=""
+AC_ARG_ENABLE([git-install],
+ AS_HELP_STRING([--disable-git-install], [disable git install feature]))
+AS_IF([test "x$enable_git_install" != "xno"], [
+ HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL"
+ AC_SUBST(HAVE_GIT_INSTALL)
+])
 
 
 # checking pthread library
@@ -179,6 +186,7 @@ echo " whitelisting: $HAVE_WHITELIST"
 echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
+echo " git install support: $HAVE_GIT_INSTALL"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"
 echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
@@ -22,13 +22,14 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
+HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -351,6 +351,13 @@ void print_compiletime_support(void) {
 #endif
  );
 
+ printf("\t- git install support is %s\n",
+#ifdef HAVE_GIT_INSTALL
+ "enabled"
+#else
+ "disabled"
+#endif
+ );
 
 #ifdef HAVE_NETWORK_RESTRICTED
  printf("\t- networking features are available only to root user\n");
@@ -395,4 +402,5 @@ void print_compiletime_support(void) {
  "disabled"
 #endif
  );
+
 }
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
@@ -572,58 +572,6 @@ void fs_proc_sys_dev_boot(void) {
  }
  free(fname);
 
-// todo: investigate
-#if 0
- // breaks too many applications, option needed
- /* // disable /run/user/{uid}/bus */
- /* char *fnamebus; */
- /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
- /* errExit("asprintf"); */
- /* if (stat(fnamebus, &s) == 0) */
- /* disable_file(BLACKLIST_FILE, fnamebus); */
- /* free(fnamebus); */
-
- // WARNING: not working
- // disable /run/user/{uid}/kdeinit*
- //char *fnamekde;
- //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
- // errExit("asprintf");
- //if (stat(fnamekde, &s) == 0)
- // disable_file(BLACKLIST_FILE, fnamekde);
- //free(fnamekde);
-
-
- // disable /run/user/{uid}/pulse
- /* char *fnamepulse; */
- /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
- /* errExit("asprintf"); */
- /* if (stat(fnamepulse, &s) == 0) */
- /* disable_file(BLACKLIST_FILE, fnamepulse); */
- /* free(fnamepulse); */
-
- // disable /run/user/{uid}/dconf
- /* char *fnamedconf; */
- /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
- /* errExit("asprintf"); */
- /* if (stat(fnamedconf, &s) == 0) */
- /* disable_file(BLACKLIST_FILE, fnamedconf); */
- /* free(fnamedconf); */
-
-
- // dirs in /run/user/{uid}/
- // using gnome:
- // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd
-
- // using kde:
- // kdeinit__0, ...
-
- // more files with sockets to be blacklisted
- // /run/dbus /run/systemd /run/udev /run/lvm
-
- // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
-
-#endif
-
  if (getuid() != 0) {
  // disable /dev/kmsg and /proc/kmsg
  disable_file(BLACKLIST_FILE, "/dev/kmsg");

diff --git a/src/firejail/git.c b/src/firejail/git.c
@@ -17,6 +17,9 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
+
+#ifdef HAVE_GIT_INSTALL
+
 #include "firejail.h"
 #include <sys/utsname.h>
 #include <sched.h>
@@ -84,3 +87,4 @@ void git_uninstall(void) {
  exit(0);
 }
 
+#endif // HAVE_GIT_INSTALL
diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -846,11 +846,13 @@ int main(int argc, char **argv) {
  EUID_INIT();
  EUID_USER();
 
+#ifdef HAVE_GIT_INSTALL
  // process git-install and git-uninstall
  if (check_arg(argc, argv, "--git-install"))
  git_install(); // this function will not return
  if (check_arg(argc, argv, "--git-uninstall"))
  git_uninstall(); // this function will not return
+#endif
 
  // check argv[0] symlink wrapper if this is not a login shell
  if (*argv[0] != '-')

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -76,9 +76,11 @@ void usage(void) {
  printf(" --env=name=value - set environment variable.\n");
  printf(" --fs.print=name|pid - print the filesystem log.\n");
  printf(" --get=name|pid filename - get a file from sandbox container.\n");
+#ifdef HAVE_GIT_INSTALL
  printf(" --git-install - download, compile and install mainline git version\n");
  printf("\tof Firejail.\n");
  printf(" --git-uninstall - uninstall mainline git version of Firejail\n");
+#endif
  printf(" --help, -? - this help screen.\n");
  printf(" --hostname=name - set sandbox hostname.\n");
  printf(" --hosts-file=file - use file as /etc/hosts.\n");