diff --git a/config.mk.in b/config.mk.in index 812573a14..11d00851a 100644 --- a/config.mk.in +++ b/config.mk.in @@ -44,6 +44,7 @@ HAVE_OUTPUT=@HAVE_OUTPUT@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ HAVE_PRIVATE_LIB=@HAVE_PRIVATE_LIB@ +HAVE_SANDBOX_CHECK=@HAVE_SANDBOX_CHECK@ HAVE_SELINUX=@HAVE_SELINUX@ HAVE_SUID=@HAVE_SUID@ HAVE_USERNS=@HAVE_USERNS@ @@ -65,6 +66,7 @@ MANFLAGS = \ $(HAVE_OVERLAYFS) \ $(HAVE_PRIVATE_HOME) \ $(HAVE_PRIVATE_LIB) \ + $(HAVE_SANDBOX_CHECK) \ $(HAVE_SELINUX) \ $(HAVE_SUID) \ $(HAVE_USERNS) \ diff --git a/configure b/configure index 70e8c9b61..781acf0dc 100755 --- a/configure +++ b/configure @@ -674,6 +674,7 @@ PKG_CONFIG_PATH PKG_CONFIG HAVE_APPARMOR HAVE_IDS +HAVE_SANDBOX_CHECK DEPS_CFLAGS TAR STRIP @@ -733,6 +734,7 @@ ac_user_opts=' enable_option_checking enable_analyzer enable_sanitizer +enable_sandbox_check enable_ids enable_apparmor enable_selinux @@ -1391,6 +1393,9 @@ Optional Features: --enable-analyzer enable GCC static analyzer --enable-sanitizer=[address | memory | undefined] enable a compiler-based sanitizer (debug) + --disable-sandbox-check checking if current instance of firejail is running + within a sandbox is disabled, only use this when + developing firejail inside of a sandbox --enable-ids enable ids --enable-apparmor enable apparmor --enable-selinux SELinux labeling support @@ -3955,6 +3960,21 @@ esac fi +fi + +HAVE_SANDBOX_CHECK="" + +# Check whether --enable-sandbox-check was given. +if test ${enable_sandbox_check+y} +then : + enableval=$enable_sandbox_check; +fi + +if test "x$enable_sandbox_check" != "xno" +then : + + HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK" + fi HAVE_IDS="" @@ -5793,6 +5813,7 @@ Features: overlayfs support: $HAVE_OVERLAYFS private home support: $HAVE_PRIVATE_HOME private lib support: $HAVE_PRIVATE_LIB + sandbox check: $HAVE_SANDBOX_CHECK SELinux labeling support: $HAVE_SELINUX user namespace: $HAVE_USERNS X11 sandboxing support: $HAVE_X11 
diff --git a/configure.ac b/configure.ac index 86b05d9b0..55c096b1f 100644 --- a/configure.ac +++ b/configure.ac @@ -69,6 +69,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ], [ ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]) ]) +HAVE_SANDBOX_CHECK="" +AC_SUBST([HAVE_SANDBOX_CHECK]) +AC_ARG_ENABLE([sandbox-check], + [AS_HELP_STRING([--disable-sandbox-check], [checking if current instance of firejail is running within a sandbox is disabled, only use this when developing firejail inside of a sandbox])]) +AS_IF([test "x$enable_sandbox_check" != "xno"], [ + HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK" +]) + HAVE_IDS="" AC_SUBST([HAVE_IDS]) AC_ARG_ENABLE([ids], @@ -324,6 +332,7 @@ Features: overlayfs support: $HAVE_OVERLAYFS private home support: $HAVE_PRIVATE_HOME private lib support: $HAVE_PRIVATE_LIB + sandbox check: $HAVE_SANDBOX_CHECK SELinux labeling support: $HAVE_SELINUX user namespace: $HAVE_USERNS X11 sandboxing support: $HAVE_X11 diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index bab0e819f..175894684 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -405,6 +405,13 @@ static const char *const compiletime_support = "disabled" #endif + "\n\t- sandbox check is " +#ifdef HAVE_SANDBOX_CHECK + "enabled" +#else + "disabled" +#endif + "\n\t- SELinux support is " #ifdef HAVE_SELINUX "enabled" diff --git a/src/firejail/main.c b/src/firejail/main.c index e989a5ead..d85d1569f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1130,6 +1130,7 @@ int main(int argc, char **argv, char **envp) { // If LXC is detected, start firejail sandbox // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and: // - start the application in a /bin/bash shell +#ifdef HAVE_SANDBOX_CHECK if (check_namespace_virt() == 0) { EUID_ROOT(); int rv = check_kernel_procs(); 
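Review bot: In the configure.ac hunk, `--disable-sandbox-check` removes a check from main() without any warning at configure time; the only trace is an empty `sandbox check:` line in the feature summary. The help text itself limits the option to developing firejail inside a sandbox, so the new `AS_IF` should take an else branch such as `[AC_MSG_WARN([sandbox check disabled; intended for development builds only])]`. The help string would also read more clearly as `[disable the check for whether firejail is already running inside a sandbox (only for developing firejail inside a sandbox)]`.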
@@ -1145,6 +1146,7 @@ int main(int argc, char **argv, char **envp) { __builtin_unreachable(); } } +#endif // profile builder if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
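Review bot: With `HAVE_SANDBOX_CHECK` undefined, the whole `check_namespace_virt()` branch closed by this `#endif` is compiled out and the binary gives no sign of it at run time. The only visible trace in this patch is the compile-time support string in checkcfg.c. An `#else` arm before the `#endif` that prints a warning, e.g. `fprintf(stderr, "Warning: sandbox check disabled at compile time\n");`, would make such a build obvious if it is ever installed outside a development sandbox. The three comment lines describing the detection logic now sit above the `#ifdef` in the previous hunk and should move inside the guard or mention it. The guarded block spans both main.c hunks with its middle not shown, and main() starts and ends outside them.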