From f2e7e5e18272250cbf0bafcd0cff0209f6ab9209 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Miku=C5=82a?= <mati865@gmail.com>
Date: Tue, 27 Feb 2018 22:53:19 +0100
Subject: [PATCH] Support a stateless configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Mateusz Mikuła <mati865@gmail.com>
---
 Makefile.in                     |  9 +++++----
 configure.ac                    |  1 +
 src/firejail/Makefile.in        |  3 ++-
 src/firejail/checkcfg.c         |  7 ++++++-
 src/firejail/main.c             | 11 +++++++++++
 src/firejail/restricted_shell.c | 12 ++++++++++--
 6 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/Makefile.in b/Makefile.in
index d11d537b..d2099870 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -9,6 +9,7 @@ exec_prefix=@exec_prefix@
 bindir=@bindir@
 libdir=@libdir@
 datarootdir=@datarootdir@
+datadir=@datadir@
 mandir=@mandir@
 sysconfdir=@sysconfdir@
 
@@ -123,12 +124,12 @@ endif
 	install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
 	install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
 	# etc files
-	./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
-	install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
+	./mketc.sh $(datadir)/defaults $(BUSYBOX_WORKAROUND)
+	install -m 0755 -d $(DESTDIR)/$(datadir)/defaults/firejail
 	for file in .etc/* etc/firejail.config; do \
-		install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
+		install -c -m 0644 $$file $(DESTDIR)/$(datadir)/defaults/firejail; \
 	done
-	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
+	sh -c "if [ ! -f $(DESTDIR)/$(datadir)/defaults/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(datadir)/defaults/firejail/.; fi;"
 	rm -fr .etc
 ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
 	# install apparmor profile
diff --git a/configure.ac b/configure.ac
index 2b7dd1d2..c78122cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -183,6 +183,7 @@ echo
 echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
+echo "   defaultsdir: $datadir/defaults/firejail"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   apparmor: $HAVE_APPARMOR"
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 146bf824..929a07fd 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -5,6 +5,7 @@ prefix=@prefix@
 exec_prefix=@exec_prefix@
 libdir=@libdir@
 sysconfdir=@sysconfdir@
+datadir=@datadir@
 
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
@@ -30,7 +31,7 @@ H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DDATADIR='"$(datadir)"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f101a845..fa5f681e 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -52,7 +52,12 @@ int checkcfg(int val) {
 		cfg_val[CFG_XPRA_ATTACH] = 0;
 
 		// open configuration file
-		const char *fname = SYSCONFDIR "/firejail.config";
+		const char *fname;
+		if (access(SYSCONFDIR "/firejail.config", F_OK) == 0) {
+			fname = SYSCONFDIR "/firejail.config";
+		} else {
+			fname = DATADIR "/defaults/firejail/firejail.config";
+		}
 		fp = fopen(fname, "r");
 		if (!fp) {
 #ifdef HAVE_GLOBALCFG
diff --git a/src/firejail/main.c b/src/firejail/main.c
index df758e11..83482f81 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -40,6 +40,9 @@
 uid_t firejail_uid = 0;
 gid_t firejail_gid = 0;
 
+// Stateless configuration directory
+#define DEFAULTSDIR DATADIR "/defaults/firejail"
+
 #define STACK_SIZE (1024 * 1024)
 static char child_stack[STACK_SIZE];		// space for child's stack
 Config cfg;					// configuration
@@ -2400,6 +2403,10 @@ int main(int argc, char **argv) {
 			int rv = profile_find(cfg.command_name, SYSCONFDIR);
 			custom_profile = rv;
 		}
+		if (!custom_profile) {
+			// look for a user profile in /usr/share/defaults directory
+			custom_profile = profile_find(cfg.command_name, DEFAULTSDIR);
+		}
 	}
 
 	// use default.profile as the default
@@ -2428,6 +2435,10 @@ int main(int argc, char **argv) {
 			if (!custom_profile)
 				// look for the profile in /etc/firejail directory
 				custom_profile = profile_find(profile_name, SYSCONFDIR);
+			if (!custom_profile) {
+				// look for the profile in /usr/share/defaults directory
+				custom_profile = profile_find(profile_name, DEFAULTSDIR);
+			}
 
 			if (!custom_profile) {
 				fprintf(stderr, "Error: no default.profile installed\n");
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index d09a2c7e..4162d14e 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -34,8 +34,16 @@ int restricted_shell(const char *user) {
 		errExit("asprintf");
 	FILE *fp = fopen(fname, "r");
 	free(fname);
-	if (fp == NULL)
-		return 0;
+	fname = NULL;
+	if (fp == NULL) {
+		// Grab the stateless version
+		if (asprintf(&fname, "%s/defaults/firejail/login.users", DATADIR) == -1)
+			errExit("asprintf");
+		FILE *fp = fopen(fname, "r");
+		free(fname);
+		if (fp == NULL)
+			return 0;
+	}
 
 	int lineno = 0;
 	char buf[MAX_READ];
-- 
2.16.2