Removed IDS feature from the default build. To enable it, use --enabl…

…e-ids at compile time.

configure

@@ -658,6 +658,7 @@ PKG_CONFIG_LIBDIR
 PKG_CONFIG_PATH
 PKG_CONFIG
 HAVE_APPARMOR
+HAVE_IDS
 OBJEXT
 EXEEXT
 ac_ct_CC
@@ -709,6 +710,7 @@ ac_user_opts='
 enable_option_checking
 enable_analyzer
 enable_sanitizer
+enable_ids
 enable_apparmor
 enable_selinux
 enable_dbusproxy
@@ -1369,6 +1371,7 @@ Optional Features:
   --enable-analyzer       enable GCC static analyzer
   --enable-sanitizer=[address | memory | undefined]
                           enable a compiler-based sanitizer (debug)
+  --enable-ids            enable ids
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
   --disable-dbusproxy     disable dbus proxy
@@ -3088,6 +3091,19 @@ fi
 
 fi
 
+HAVE_IDS=""
+
+# Check whether --enable-ids was given.
+if test "${enable_ids+set}" = set; then :
+  enableval=$enable_ids;
+fi
+
+if test "x$enable_ids" = "xyes"; then :
+
+	HAVE_IDS="-DHAVE_IDS"
+
+fi
+
 HAVE_APPARMOR=""
 
 # Check whether --enable-apparmor was given.
@@ -3639,6 +3655,7 @@ fi
 if test "x$enable_lts" = "xyes"; then :
 
 	HAVE_LTS="-DHAVE_LTS"
+	HAVE_IDS=""
 	HAVE_DBUSPROXY=""
 	HAVE_OVERLAYFS=""
 	HAVE_OUTPUT=""
@@ -5282,6 +5299,7 @@ Configuration options:
    allow tmpfs as regular user: $HAVE_USERTMPFS
    enable --ouput logging: $HAVE_OUTPUT
    Manpage support: $HAVE_MAN
+   IDS support: $HAVE_IDS
    firetunnel support: $HAVE_FIRETUNNEL
    busybox workaround: $BUSYBOX_WORKAROUND
    Spectre compiler patch: $HAVE_SPECTRE

configure.ac

@@ -54,6 +54,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ],
 	], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
 )])
 
+HAVE_IDS=""
+AC_SUBST([HAVE_IDS])
+AC_ARG_ENABLE([ids],
+    [AS_HELP_STRING([--enable-ids], [enable ids])])
+AS_IF([test "x$enable_ids" = "xyes"], [
+	HAVE_IDS="-DHAVE_IDS"
+])
+
 HAVE_APPARMOR=""
 AC_SUBST([HAVE_APPARMOR])
 AC_ARG_ENABLE([apparmor],
@@ -249,6 +257,7 @@ AC_ARG_ENABLE([lts],
     [AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
 AS_IF([test "x$enable_lts" = "xyes"], [
 	HAVE_LTS="-DHAVE_LTS"
+	HAVE_IDS=""
 	HAVE_DBUSPROXY=""
 	HAVE_OVERLAYFS=""
 	HAVE_OUTPUT=""
@@ -300,6 +309,7 @@ Configuration options:
    allow tmpfs as regular user: $HAVE_USERTMPFS
    enable --ouput logging: $HAVE_OUTPUT
    Manpage support: $HAVE_MAN
+   IDS support: $HAVE_IDS
    firetunnel support: $HAVE_FIRETUNNEL
    busybox workaround: $BUSYBOX_WORKAROUND
    Spectre compiler patch: $HAVE_SPECTRE

src/common.mk.in

@@ -20,6 +20,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_IDS=@HAVE_IDS@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
@@ -38,7 +39,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'   -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now

src/firejail/checkcfg.c

@@ -365,6 +365,14 @@ void print_compiletime_support(void) {
 #endif
 		);
 
+	printf("\t- IDS support is %s\n",
+#ifdef HAVE_IDS
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
 	printf("\t- networking support is %s\n",
 #ifdef HAVE_NETWORK
 		"enabled"
@@ -427,6 +435,4 @@ void print_compiletime_support(void) {
 		"disabled"
 #endif
 		);
-
-
 }

src/firejail/main.c

@@ -1090,8 +1090,17 @@ int main(int argc, char **argv, char **envp) {
 		run_builder(argc, argv); // this function will not return
 
 	// intrusion detection system
+#ifdef HAVE_IDS
 	if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
 		run_ids(argc, argv); // this function will not return
+#else
+	if (check_arg(argc, argv, "--ids-", 0)) { // supports both --ids-init and --ids-check
+		fprintf(stderr, "Error: IDS features disabled in your Firejail build.\n"
+			"\tTo enable it, configure your build system using --enable-ids.\n"
+			"\tExample: ./configure --prefix=/usr --enable-ids\n\n");
+		exit(1);
+	}
+#endif
 
 	EUID_ROOT();
 #ifndef HAVE_SUID

src/man/firejail.txt

@@ -820,6 +820,7 @@ Example:
 .br
 $ firejail \-\-hosts-file=~/myhosts firefox
 
+#ifdef HAVE_IDS
 .TP
 \fB\-\-ids-check
 Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
@@ -839,6 +840,7 @@ Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
 Example:
 .br
 $ firejail \-\-ids-init
+#endif
 
 .TP
 \fB\-\-ignore=command
@@ -3342,6 +3344,7 @@ $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
 #endif
 
+#ifdef HAVE_IDS
 .SH INTRUSION DETECTION SYSTEM (IDS)
 The host-based intrusion detection system tracks down and audits user and system file modifications.
 The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
@@ -3399,6 +3402,7 @@ New files and deleted files are also flagged.
 
 Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
 The program can also be run as root (sudo firejail --ids-init/--ids-check).
+#endif
 
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format

test/compile/compile.sh

@@ -31,6 +31,7 @@ arr[15]="TEST 15: compile private-home disabled"
 arr[16]="TEST 16: compile disable manpages"
 arr[17]="TEST 17: disable tmpfs as regular user"
 arr[18]="TEST 18: disable private home"
+arr[18]="TEST 19: enable ids"
 
 # remove previous reports and output file
 cleanup() {
@@ -379,6 +380,23 @@ cp output-configure oc18
 cp output-make om18
 rm output-configure output-make
 
+#*****************************************************************
+# TEST 19
+#*****************************************************************
+# - enable ids
+#*****************************************************************
+print_title "${arr[19]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-ids --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test19
+grep Error output-configure output-make >> ./report-test19
+cp output-configure oc19
+cp output-make om19
+rm output-configure output-make
+
 #*****************************************************************
 # PRINT REPORTS
 #*****************************************************************
@@ -411,3 +429,4 @@ echo ${arr[15]}
 echo ${arr[16]}
 echo ${arr[17]}
 echo ${arr[18]}
+echo ${arr[19]}