git-install

onny · Feb 4, 2017 · e46dd3e · e46dd3e
1 parent e7c0ee7
commit e46dd3e
Show file tree

Hide file tree

Showing 7 changed files with 139 additions and 12 deletions.
diff --git a/Makefile.in b/Makefile.in
@@ -82,6 +82,8 @@ realinstall:
  install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.

diff --git a/contrib/update_src.sh b/contrib/update_src.sh
diff --git a/src/fgit/fgit-install.sh b/src/fgit/fgit-install.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e # exit immediately if one of the commands fails
+cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure
+make
+sudo make install-strip
+echo "**********************************************************************"
+echo "Mainline git Firejail version was installed in /usr/local."
+echo "If you want to remove it, run"
+echo
+echo " firejail --git-uninstall"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail
diff --git a/src/fgit/fgit-uninstall.sh b/src/fgit/fgit-uninstall.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e # exit immediately if one of the commands fails
+cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure
+sudo make uninstall
+echo "**********************************************************************"
+echo "Firejail mainline git version uninstalled from /usr/local"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -720,5 +720,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 int sbox_run(unsigned filter, int num, ...);
 
 
+// git.c
+void git_install();
+void git_uninstall();
+
 #endif
 
diff --git a/src/firejail/git.c b/src/firejail/git.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/utsname.h>
+#include <sched.h>
+#include <sys/mount.h>
+
+// install a simple mount/pid namespace sandbox with a tmpfs on top of /tmp
+static void sbox_ns(void) {
+ if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0)
+ errExit("unshare");
+
+ if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0)
+ errExit("mount");
+}
+
+void git_install() {
+ // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
+ EUID_ASSERT();
+ EUID_ROOT();
+
+ // install a mount namespace with a tmpfs on top of /tmp
+ sbox_ns();
+
+ // drop privileges
+ if (setgid(getgid()) < 0)
+ errExit("setgid/getgid");
+ if (setuid(getuid()) < 0)
+ errExit("setuid/getuid");
+ assert(getenv("LD_PRELOAD") == NULL); 
+
+ printf("Running as "); fflush(0);
+ int rv = system("whoami");
+ (void) rv;
+ printf("/tmp directory: "); fflush(0);
+ rv = system("ls -l /tmp");
+ (void) rv;
+
+ // run command
+ const char *cmd = LIBDIR "/firejail/fgit-install.sh";
+ rv = system(cmd);
+ (void) rv;
+ exit(0);
+}
+
+void git_uninstall() {
+ // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
+ EUID_ASSERT();
+ EUID_ROOT();
+
+ // install a mount namespace with a tmpfs on top of /tmp
+ sbox_ns();
+
+ // drop privileges
+ if (setgid(getgid()) < 0)
+ errExit("setgid/getgid");
+ if (setuid(getuid()) < 0)
+ errExit("setuid/getuid");
+ assert(getenv("LD_PRELOAD") == NULL); 
+
+ printf("Running as "); fflush(0);
+ int rv = system("whoami");
+ (void) rv;
+ printf("/tmp directory: "); fflush(0);
+ rv = system("ls -l /tmp");
+ (void) rv;
+
+ // run command
+ const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh";
+ rv = system(cmd);
+ (void) rv;
+ exit(0);
+}
+
diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -846,10 +846,15 @@ int main(int argc, char **argv) {
  EUID_INIT();
  EUID_USER();
 
+ // process git-install and git-uninstall
+ if (check_arg(argc, argv, "--git-install"))
+ git_install(); // this function will not return
+ if (check_arg(argc, argv, "--git-uninstall"))
+ git_uninstall(); // this function will not return
 
  // check argv[0] symlink wrapper if this is not a login shell
  if (*argv[0] != '-')
- run_symlink(argc, argv);
+ run_symlink(argc, argv); // this function will not return
 
  // check if we already have a sandbox running
  // If LXC is detected, start firejail sandbox