git-install

Makefile.in

@@ -82,6 +82,8 @@ realinstall:
 	install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.

contrib/update_src.sh

@@ -1,11 +0,0 @@
-#!/bin/sh
-# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
-set -e
-git clone --depth=1 https://www.github.com/netblue30/firejail.git
-cd firejail
-./configure
-make
-sudo make install-strip
-echo "Firejail was updated!"
-cd ..
-rm -rf firejail

src/fgit/fgit-install.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e		# exit immediately if one of the commands fails
+cd /tmp		# by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure
+make
+sudo make install-strip
+echo "**********************************************************************"
+echo "Mainline git Firejail version was installed in /usr/local."
+echo "If you want to remove it, run"
+echo
+echo "           firejail --git-uninstall"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail

src/fgit/fgit-uninstall.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e		# exit immediately if one of the commands fails
+cd /tmp		# by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure
+sudo make uninstall
+echo "**********************************************************************"
+echo "Firejail mainline git version uninstalled from /usr/local"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail

src/firejail/firejail.h

@@ -720,5 +720,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 int sbox_run(unsigned filter, int num, ...);
 
 
+// git.c
+void git_install();
+void git_uninstall();
+
 #endif
 

src/firejail/git.c

@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/utsname.h>
+#include <sched.h>
+#include <sys/mount.h>
+
+// install a simple mount/pid namespace sandbox with a tmpfs on top of /tmp
+static void sbox_ns(void) {
+	if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0)
+		errExit("unshare");
+
+	if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0)
+		errExit("mount");
+}
+
+void git_install() {
+	// redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
+	EUID_ASSERT();
+	EUID_ROOT();
+	
+	// install a mount namespace with a tmpfs on top of /tmp
+	sbox_ns();
+	
+	// drop privileges
+	if (setgid(getgid()) < 0)
+		errExit("setgid/getgid");
+	if (setuid(getuid()) < 0)
+		errExit("setuid/getuid");
+	assert(getenv("LD_PRELOAD") == NULL);	
+
+	printf("Running as "); fflush(0);
+	int rv = system("whoami");
+	(void) rv;
+	printf("/tmp directory: "); fflush(0);
+	rv = system("ls -l /tmp");
+	(void) rv;
+
+	// run command
+	const char *cmd = LIBDIR "/firejail/fgit-install.sh";
+	rv = system(cmd);
+	(void) rv;
+	exit(0);
+}
+
+void git_uninstall() {
+	// redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
+	EUID_ASSERT();
+	EUID_ROOT();
+	
+	// install a mount namespace with a tmpfs on top of /tmp
+	sbox_ns();
+	
+	// drop privileges
+	if (setgid(getgid()) < 0)
+		errExit("setgid/getgid");
+	if (setuid(getuid()) < 0)
+		errExit("setuid/getuid");
+	assert(getenv("LD_PRELOAD") == NULL);	
+
+	printf("Running as "); fflush(0);
+	int rv = system("whoami");
+	(void) rv;
+	printf("/tmp directory: "); fflush(0);
+	rv = system("ls -l /tmp");
+	(void) rv;
+
+	// run command
+	const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh";
+	rv = system(cmd);
+	(void) rv;
+	exit(0);
+}
+	

src/firejail/main.c

@@ -846,10 +846,15 @@ int main(int argc, char **argv) {
 	EUID_INIT();
 	EUID_USER();
 
+	// process git-install and git-uninstall
+	if (check_arg(argc, argv, "--git-install"))
+		git_install(); // this function will not return
+	if (check_arg(argc, argv, "--git-uninstall"))
+		git_uninstall(); // this function will not return
 
 	// check argv[0] symlink wrapper if this is not a login shell
 	if (*argv[0] != '-')
-		run_symlink(argc, argv);
+		run_symlink(argc, argv); // this function will not return
 
 	// check if we already have a sandbox running
 	// If LXC is detected, start firejail sandbox