From 108327c5a0bfda50efcc0ea7545d1691c7f61743 Mon Sep 17 00:00:00 2001
From: powerjungle
Date: Fri, 27 Dec 2024 15:40:02 +0000
Subject: [PATCH] feature: build: add --disable-sandbox-check configure flag

This flag disables the code which checks whether the current instance of firejail is running within a sandbox like LXC, chroot or firejail itself. If we want to develop firejail inside of a sandbox, to keep the "host system" clean of unnecessary installed dependencies and changes to the system, we might want to force firejail to run normally, so that we can test different profiles inside of the sandbox. This is only meant for people who are working on the firejail code, not someone attempting to run firejail inside of a sandbox as a user, because it needs to run as root and it can escape the sandbox easily.
---
 config.mk.in | 2 ++
 configure | 21 +++++++++++++++++++++
 configure.ac | 9 +++++++++
 src/firejail/checkcfg.c | 7 +++++++
 src/firejail/main.c | 2 ++
 5 files changed, 41 insertions(+)

diff --git a/config.mk.in b/config.mk.in
index 812573a14..11d00851a 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -44,6 +44,7 @@ HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_PRIVATE_LIB=@HAVE_PRIVATE_LIB@
+HAVE_SANDBOX_CHECK=@HAVE_SANDBOX_CHECK@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
 HAVE_USERNS=@HAVE_USERNS@
@@ -65,6 +66,7 @@ MANFLAGS = \
 	$(HAVE_OVERLAYFS) \
 	$(HAVE_PRIVATE_HOME) \
 	$(HAVE_PRIVATE_LIB) \
+	$(HAVE_SANDBOX_CHECK) \
 	$(HAVE_SELINUX) \
 	$(HAVE_SUID) \
 	$(HAVE_USERNS) \
diff --git a/configure b/configure
index 70e8c9b61..781acf0dc 100755
--- a/configure
+++ b/configure
@@ -674,6 +674,7 @@ PKG_CONFIG_PATH
 PKG_CONFIG
 HAVE_APPARMOR
 HAVE_IDS
+HAVE_SANDBOX_CHECK
 DEPS_CFLAGS
 TAR
 STRIP
@@ -733,6 +734,7 @@ ac_user_opts='
 enable_option_checking
 enable_analyzer
 enable_sanitizer
+enable_sandbox_check
 enable_ids
 enable_apparmor
 enable_selinux
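Review bot: `$(HAVE_SANDBOX_CHECK)` is added to MANFLAGS in the second hunk, but the diffstat above lists no change under the man-page sources, so nothing in the manual currently varies with the new define. MANFLAGS looks, by its name and by the sibling HAVE_* entries, like the define set used when preprocessing the man pages; if the firejail man page describes the fallback this option compiles out (the program being run unsandboxed when firejail finds itself already inside LXC, a chroot or another firejail), that paragraph should be wrapped in `#ifdef HAVE_SANDBOX_CHECK` ... `#endif` in the same commit, otherwise the MANFLAGS addition is dead weight. I cannot see the man sources from here, so treat this as a check to run rather than a confirmed defect.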
@@ -1391,6 +1393,9 @@ Optional Features:
   --enable-analyzer       enable GCC static analyzer
   --enable-sanitizer=[address | memory | undefined]
                           enable a compiler-based sanitizer (debug)
+  --disable-sandbox-check checking if current instance of firejail is running
+                          within a sandbox is disabled, only use this when
+                          developing firejail inside of a sandbox
   --enable-ids            enable ids
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
@@ -3955,6 +3960,21 @@ esac
 fi
+fi
+
+HAVE_SANDBOX_CHECK=""
+
+# Check whether --enable-sandbox-check was given.
+if test ${enable_sandbox_check+y}
+then :
+  enableval=$enable_sandbox_check;
+fi
+
+if test "x$enable_sandbox_check" != "xno"
+then :
+
+  HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
+
 fi
 HAVE_IDS=""
@@ -5793,6 +5813,7 @@ Features:
     overlayfs support: $HAVE_OVERLAYFS
     private home support: $HAVE_PRIVATE_HOME
     private lib support: $HAVE_PRIVATE_LIB
+    sandbox check: $HAVE_SANDBOX_CHECK
     SELinux labeling support: $HAVE_SELINUX
     user namespace: $HAVE_USERNS
     X11 sandboxing support: $HAVE_X11
diff --git a/configure.ac b/configure.ac
index 86b05d9b0..55c096b1f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,6 +69,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ], [
 	], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])])
 ])
+HAVE_SANDBOX_CHECK=""
+AC_SUBST([HAVE_SANDBOX_CHECK])
+AC_ARG_ENABLE([sandbox-check],
+	[AS_HELP_STRING([--disable-sandbox-check], [checking if current instance of firejail is running within a sandbox is disabled, only use this when developing firejail inside of a sandbox])])
+AS_IF([test "x$enable_sandbox_check" != "xno"], [
+	HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
+])
+
 HAVE_IDS=""
 AC_SUBST([HAVE_IDS])
 AC_ARG_ENABLE([ids],
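Review bot: The new AC_ARG_ENABLE in the configure.ac hunk accepts `--disable-sandbox-check` silently, while the commit message itself says a binary built that way must not reach end users because it runs as root and can escape the outer sandbox; that contradiction should be visible at configure time, not only in the commit log. I would add, right after the AS_IF that sets HAVE_SANDBOX_CHECK, `AS_IF([test "x$enable_sandbox_check" = "xno"], [AC_MSG_WARN([sandbox check disabled: development builds only, do not package or install this binary setuid])])`, so a packager who copies a developer's configure line is told. The help string is also hard to parse as written; I would shorten it to `[do not check whether firejail is already running inside a sandbox (LXC, chroot, firejail); development builds only]`. The generated `configure` hunks earlier on this line will follow from autoreconf once configure.ac is changed, so they need no separate edit.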
@@ -324,6 +332,7 @@ Features:
     overlayfs support: $HAVE_OVERLAYFS
     private home support: $HAVE_PRIVATE_HOME
     private lib support: $HAVE_PRIVATE_LIB
+    sandbox check: $HAVE_SANDBOX_CHECK
     SELinux labeling support: $HAVE_SELINUX
     user namespace: $HAVE_USERNS
     X11 sandboxing support: $HAVE_X11
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index bab0e819f..175894684 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -405,6 +405,13 @@ static const char *const compiletime_support =
 	"disabled"
 #endif
+	"\n\t- sandbox check is "
+#ifdef HAVE_SANDBOX_CHECK
+	"enabled"
+#else
+	"disabled"
+#endif
+
 	"\n\t- SELinux support is "
 #ifdef HAVE_SELINUX
 	"enabled"
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e989a5ead..d85d1569f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1130,6 +1130,7 @@ int main(int argc, char **argv, char **envp) {
 	// If LXC is detected, start firejail sandbox
 	// otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
 	// - start the application in a /bin/bash shell
+#ifdef HAVE_SANDBOX_CHECK
 	if (check_namespace_virt() == 0) {
 		EUID_ROOT();
 		int rv = check_kernel_procs();
@@ -1145,6 +1146,7 @@ int main(int argc, char **argv, char **envp) {
 			__builtin_unreachable();
 		}
 	}
+#endif
 	// profile builder
 	if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
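Review bot: Once `#ifdef HAVE_SANDBOX_CHECK` removes the only visible callers of `check_namespace_virt()` and `check_kernel_procs()`, a build with the check disabled may leave one of them defined but unused; if either is a file-local `static` helper in main.c (their definitions are outside this hunk, so I am inferring), `-Wunused-function` will fire under -Wall and break any -Werror build. Guard the definition with the same `#ifdef HAVE_SANDBOX_CHECK` ... `#endif`, or mark it `__attribute__((unused))`, rather than leaving a warning that only appears in the non-default configuration. The `if` body, including the `EUID_USER()` that should pair with the `EUID_ROOT()` shown here, continues past the end of this hunk, and main() starts and ends outside it.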
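Review bot: With the block closed by this `#endif` compiled out, a binary built with `--disable-sandbox-check` that nevertheless ends up installed setuid root will, when it is started inside LXC, a chroot or another firejail, proceed to set up the full sandbox as root instead of taking the unsandboxed fallback the comment above the block describes; that is precisely the case the commit message warns about, yet nothing at runtime says so beyond the `--version` feature list added in checkcfg.c. I would add an `#else` branch immediately before this `#endif` that prints once via the file's warning helper (fwarning elsewhere in the tree, if I remember correctly; not visible here), e.g. `#else` / `fwarning("nested-sandbox detection was disabled at build time (--disable-sandbox-check); development builds only\n");` / `#endif`, so the condition shows up in the logs of any misbuilt binary. The `if` this `#endif` closes opens in the previous hunk, and main() starts and ends outside both hunks.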