feature: build: add --disable-sandbox-check configure flag

powerjungle · powerjungle · commit 5f36f0331eae · 2024-12-29T22:50:28.000Z
This flag disables the code which checks whether the current instance of
firejail is running within a sandbox like LXC, chroot or firejail itself.
If we want to develop firejail inside of a sandbox, to keep the "host system"
clean of unnecessary installed dependencies and changes to the system,
we might want to force firejail to run normally, so that we can test different
profiles inside of the sandbox. This is only meant for people who are working
on the firejail code, not someone attempting to run firejail inside of a
sandbox as a user, because it needs to run as root and it can escape the
sandbox easily.
diff --git a/config.mk.in b/config.mk.in
@@ -44,6 +44,7 @@ HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_PRIVATE_LIB=@HAVE_PRIVATE_LIB@
+HAVE_SANDBOX_CHECK=@HAVE_SANDBOX_CHECK@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
 HAVE_USERNS=@HAVE_USERNS@
@@ -65,6 +66,7 @@ MANFLAGS = \
 	$(HAVE_OVERLAYFS) \
 	$(HAVE_PRIVATE_HOME) \
 	$(HAVE_PRIVATE_LIB) \
+	$(HAVE_SANDBOX_CHECK) \
 	$(HAVE_SELINUX) \
 	$(HAVE_SUID) \
 	$(HAVE_USERNS) \
diff --git a/configure b/configure
@@ -674,6 +674,7 @@ PKG_CONFIG_PATH
 PKG_CONFIG
 HAVE_APPARMOR
 HAVE_IDS
+HAVE_SANDBOX_CHECK
 DEPS_CFLAGS
 TAR
 STRIP
@@ -733,6 +734,7 @@ ac_user_opts='
 enable_option_checking
 enable_analyzer
 enable_sanitizer
+enable_sandbox_check
 enable_ids
 enable_apparmor
 enable_selinux
@@ -1391,6 +1393,9 @@ Optional Features:
   --enable-analyzer       enable GCC static analyzer
   --enable-sanitizer=[address | memory | undefined]
                           enable a compiler-based sanitizer (debug)
+  --disable-sandbox-check checking if current instance of firejail is running
+                          within a sandbox is disabled, only use this when
+                          developing firejail inside of a sandbox
   --enable-ids            enable ids
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
@@ -3955,6 +3960,21 @@ esac
 fi
 
 
+fi
+
+HAVE_SANDBOX_CHECK=""
+
+# Check whether --enable-sandbox-check was given.
+if test ${enable_sandbox_check+y}
+then :
+  enableval=$enable_sandbox_check;
+fi
+
+if test "x$enable_sandbox_check" != "xno"
+then :
+
+	HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
+
 fi
 
 HAVE_IDS=""
@@ -5793,6 +5813,7 @@ Features:
    overlayfs support: $HAVE_OVERLAYFS
    private home support: $HAVE_PRIVATE_HOME
    private lib support: $HAVE_PRIVATE_LIB
+   sandbox check: $HAVE_SANDBOX_CHECK
    SELinux labeling support: $HAVE_SELINUX
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11
diff --git a/configure.ac b/configure.ac
@@ -69,6 +69,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ], [
 	], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])])
 ])
 
+HAVE_SANDBOX_CHECK=""
+AC_SUBST([HAVE_SANDBOX_CHECK])
+AC_ARG_ENABLE([sandbox-check],
+	      [AS_HELP_STRING([--disable-sandbox-check], [checking if current instance of firejail is running within a sandbox is disabled, only use this when developing firejail inside of a sandbox])])
+AS_IF([test "x$enable_sandbox_check" != "xno"], [
+	HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
+])
+
 HAVE_IDS=""
 AC_SUBST([HAVE_IDS])
 AC_ARG_ENABLE([ids],
@@ -324,6 +332,7 @@ Features:
    overlayfs support: $HAVE_OVERLAYFS
    private home support: $HAVE_PRIVATE_HOME
    private lib support: $HAVE_PRIVATE_LIB
+   sandbox check: $HAVE_SANDBOX_CHECK
    SELinux labeling support: $HAVE_SELINUX
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11
diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -1130,6 +1130,7 @@ int main(int argc, char **argv, char **envp) {
 	// If LXC is detected, start firejail sandbox
 	// otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
 	//	- start the application in a /bin/bash shell
+#ifdef HAVE_SANDBOX_CHECK
 	if (check_namespace_virt() == 0) {
 		EUID_ROOT();
 		int rv = check_kernel_procs();
@@ -1145,6 +1146,7 @@ int main(int argc, char **argv, char **envp) {
 			__builtin_unreachable();
 		}
 	}
+#endif
 
 	// profile builder
 	if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename

Original file line number	Diff line number	Diff line change
`@@ -1130,6 +1130,7 @@ int main(int argc, char argv, char envp) {`
`1130`	`1130`	`// If LXC is detected, start firejail sandbox`
`1131`	`1131`	`// otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:`
`1132`	`1132`	`// - start the application in a /bin/bash shell`
	`1133`	`+#ifdef HAVE_SANDBOX_CHECK`
`1133`	`1134`	`if (check_namespace_virt() == 0) {`
`1134`	`1135`	`EUID_ROOT();`
`1135`	`1136`	`int rv = check_kernel_procs();`
`@@ -1145,6 +1146,7 @@ int main(int argc, char argv, char envp) {`
`1145`	`1146`	`__builtin_unreachable();`
`1146`	`1147`	`}`
`1147`	`1148`	`}`
	`1149`	`+#endif`
`1148`	`1150`
`1149`	`1151`	`// profile builder`
`1150`	`1152`	`if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename`