feature: build: add --disable-sandbox-check configure flag

This flag disables the code which checks whether the current instance of firejail is running within a sandbox like LXC, chroot or firejail itself. If we want to develop firejail inside of a sandbox, to keep the "host system" clean of unnecessary installed dependencies and changes to the system, we might want to force firejail to run normally, so that we can test different profiles inside of the sandbox. This is only meant for people who are working on the firejail code, not someone attempting to run firejail inside of a sandbox as a user, because it needs to run as root and it can escape the sandbox easily.
2026-05-15 14:16:14 -06:00 · 2024-12-27 15:40:02 +00:00 · 2024-12-27 15:40:02 +00:00 · 108327c5a0
commit 108327c5a0
parent 102d760fa7
5 changed files with 41 additions and 0 deletions
--- a/config.mk.in
+++ b/config.mk.in
@ -44,6 +44,7 @@ HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_PRIVATE_LIB=@HAVE_PRIVATE_LIB@
+HAVE_SANDBOX_CHECK=@HAVE_SANDBOX_CHECK@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
 HAVE_USERNS=@HAVE_USERNS@
@ -65,6 +66,7 @@ MANFLAGS = \
 	$(HAVE_OVERLAYFS) \
 	$(HAVE_PRIVATE_HOME) \
 	$(HAVE_PRIVATE_LIB) \
+	$(HAVE_SANDBOX_CHECK) \
 	$(HAVE_SELINUX) \
 	$(HAVE_SUID) \
 	$(HAVE_USERNS) \
--- a/21
+++ b/21
@ -674,6 +674,7 @@ PKG_CONFIG_PATH
 PKG_CONFIG
 HAVE_APPARMOR
 HAVE_IDS
+HAVE_SANDBOX_CHECK
 DEPS_CFLAGS
 TAR
 STRIP
@ -733,6 +734,7 @@ ac_user_opts='
 enable_option_checking
 enable_analyzer
 enable_sanitizer
+enable_sandbox_check
 enable_ids
 enable_apparmor
 enable_selinux
@ -1391,6 +1393,9 @@ Optional Features:
  --enable-analyzer       enable GCC static analyzer
  --enable-sanitizer=[address | memory | undefined]
                          enable a compiler-based sanitizer (debug)
+  --disable-sandbox-check checking if current instance of firejail is running
+                          within a sandbox is disabled, only use this when
+                          developing firejail inside of a sandbox
  --enable-ids            enable ids
  --enable-apparmor       enable apparmor
  --enable-selinux        SELinux labeling support
@ -3955,6 +3960,21 @@ esac
 fi


+fi
+
+HAVE_SANDBOX_CHECK=""
+
+# Check whether --enable-sandbox-check was given.
+if test ${enable_sandbox_check+y}
+then :
+  enableval=$enable_sandbox_check;
+fi
+
+if test "x$enable_sandbox_check" != "xno"
+then :
+
+	HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
+
 fi

 HAVE_IDS=""
@ -5793,6 +5813,7 @@ Features:
   overlayfs support: $HAVE_OVERLAYFS
   private home support: $HAVE_PRIVATE_HOME
   private lib support: $HAVE_PRIVATE_LIB
+   sandbox check: $HAVE_SANDBOX_CHECK
   SELinux labeling support: $HAVE_SELINUX
   user namespace: $HAVE_USERNS
   X11 sandboxing support: $HAVE_X11
--- a/configure.ac
+++ b/configure.ac
@ -69,6 +69,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ], [
 	], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])])
 ])

+HAVE_SANDBOX_CHECK=""
+AC_SUBST([HAVE_SANDBOX_CHECK])
+AC_ARG_ENABLE([sandbox-check],
+	      [AS_HELP_STRING([--disable-sandbox-check], [checking if current instance of firejail is running within a sandbox is disabled, only use this when developing firejail inside of a sandbox])])
+AS_IF([test "x$enable_sandbox_check" != "xno"], [
+	HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
+])
+
 HAVE_IDS=""
 AC_SUBST([HAVE_IDS])
 AC_ARG_ENABLE([ids],
@ -324,6 +332,7 @@ Features:
   overlayfs support: $HAVE_OVERLAYFS
   private home support: $HAVE_PRIVATE_HOME
   private lib support: $HAVE_PRIVATE_LIB
+   sandbox check: $HAVE_SANDBOX_CHECK
   SELinux labeling support: $HAVE_SELINUX
   user namespace: $HAVE_USERNS
   X11 sandboxing support: $HAVE_X11
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@ -405,6 +405,13 @@ static const char *const compiletime_support =
 		"disabled"
 #endif

+	"\n\t- sandbox check is "
+#ifdef HAVE_SANDBOX_CHECK
+		"enabled"
+#else
+		"disabled"
+#endif
+
 	"\n\t- SELinux support is "
 #ifdef HAVE_SELINUX
 		"enabled"
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -1130,6 +1130,7 @@ int main(int argc, char **argv, char **envp) {
 	// If LXC is detected, start firejail sandbox
 	// otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
 	//	- start the application in a /bin/bash shell
+#ifdef HAVE_SANDBOX_CHECK
 	if (check_namespace_virt() == 0) {
 		EUID_ROOT();
 		int rv = check_kernel_procs();
@ -1145,6 +1146,7 @@ int main(int argc, char **argv, char **envp) {
 			__builtin_unreachable();
 		}
 	}
+#endif

 	// profile builder
 	if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename