author | netblue30 <netblue30@yahoo.com> | 2018-04-03 11:01:22 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-04-03 11:01:22 -0400 |
commit | 4c71ddbcd8f577016ce227a55300a9be4fb72385 (patch) | |
tree | d9be2d9458e4ea8ee3f80b6999097b82e548e96e | |
parent | gimp v.2.10 preparations (diff) | |
deprecating --force
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 35 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 7 | ||||
-rwxr-xr-x | test/environment/firejail-in-firejail.exp | 20 |
6 files changed, 13 insertions, 59 deletions
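--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,6 @@
 firejail (0.9.53) baseline; urgency=low
 * work in progress
-* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
+* --force depercated
 * modif: support for private-bin, private-lib and shell none has been
 disabled while running AppImage archives in order to be able to use
 our regular profile files with AppImages.
@@ -10,6 +10,7 @@ firejail (0.9.53) baseline; urgency=low
 All users of Firefox-based browsers who use addons and plugins
 that read/write from ${HOME} will need to uncomment the includes for
 firefox-common-addons.inc in firefox-common.profile.
+* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
 * Spectre mitigation patch for gcc and clang compiler
 * D-Bus handling (--nodbus)
 * AppArmor support for overlayfs and chroot sandboxes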
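--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -707,8 +707,6 @@ void fs_basic_fs(void) {
 restrict_users();
 
 // when starting as root, firejail config is not disabled;
-// this mode could be used to install and test new software by chaining
-// firejail sandboxes (firejail --force)
 if (uid)
 disable_config();
 }
@@ -1020,8 +1018,6 @@ void fs_overlayfs(void) {
 restrict_users();
 
 // when starting as root, firejail config is not disabled;
-// this mode could be used to install and test new software by chaining
-// firejail sandboxes (firejail --force)
 if (getuid() != 0)
 disable_config();
 
@@ -1265,8 +1261,6 @@ void fs_chroot(const char *rootdir) {
 restrict_users();
 
 // when starting as root, firejail config is not disabled;
-// this mode could be used to install and test new software by chaining
-// firejail sandboxes (firejail --force)
 if (getuid() != 0)
 disable_config();
 }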
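--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -829,7 +829,6 @@ int main(int argc, char **argv) {
 int lockfd_network = -1;
 int lockfd_directory = -1;
 int option_cgroup = 0;
-int option_force = 0;
 int custom_profile = 0; // custom profile loaded
 
 atexit(clear_atexit);
@@ -900,27 +899,21 @@ int main(int argc, char **argv) {
 // check if we already have a sandbox running
 // If LXC is detected, start firejail sandbox
 // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
-// - if --force flag is set, start firejail sandbox
-// -- if --force flag is not set, start the application in a /bin/bash shell
+// - start the application in a /bin/bash shell
 if (check_namespace_virt() == 0) {
 EUID_ROOT();
 int rv = check_kernel_procs();
 EUID_USER();
 if (rv == 0) {
-// if --force option is passed to the program, disregard the existing sandbox
-if (check_arg(argc, argv, "--force", 1))
-option_force = 1;
-else {
-if (check_arg(argc, argv, "--version", 1)) {
-printf("firejail version %s\n", VERSION);
-exit(0);
-}
-
-// start the program directly without sandboxing
-run_no_sandbox(argc, argv);
-// it will never get here!
-assert(0);
+if (check_arg(argc, argv, "--version", 1)) {
+printf("firejail version %s\n", VERSION);
+exit(0);
 }
+
+// start the program directly without sandboxing
+run_no_sandbox(argc, argv);
+// it will never get here!
+assert(0);
 }
 }
 
@@ -1064,12 +1057,8 @@ int main(int argc, char **argv) {
 for (i = 1; i < argc; i++) {
 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
 
-if (strcmp(argv[i], "--debug") == 0) {
-if (!arg_quiet) {
-arg_debug = 1;
-if (option_force)
-fmessage("Entering sandbox-in-sandbox mode\n");
-}
+if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) {
+arg_debug = 1;
 }
 else if (strcmp(argv[i], "--debug-check-filename") == 0)
 arg_debug_check_filename = 1;
@@ -1083,8 +1072,6 @@ int main(int argc, char **argv) {
 arg_quiet = 1;
 arg_debug = 0;
 }
-else if (strcmp(argv[i], "--force") == 0)
-;
 else if (strcmp(argv[i], "--allow-debuggers") == 0) {
 // already handled
 }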
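Review bot: The new `--debug` test, `strcmp(argv[i], "--debug") == 0 && !arg_quiet`, no longer consumes the option when `arg_quiet` is set: the condition is false, so `--debug` goes on down the `else if` chain, where the old nested form matched it and did nothing. The end of that chain is outside this hunk (main's body continues past it), but if it rejects unrecognised `-` arguments, a command line carrying both `--quiet` and `--debug` would now fail; keeping the match separate avoids that: `if (strcmp(argv[i], "--debug") == 0) { if (!arg_quiet) arg_debug = 1; }`. The removed empty `--force` branch has the same effect on `--force` itself, which is dropped from the parser rather than deprecated, so existing launchers that pass it presumably stop working. If deprecation is the intent, a branch that still accepts the flag and reports it, e.g. `else if (strcmp(argv[i], "--force") == 0) fprintf(stderr, "Warning: --force is deprecated and ignored\n");`, would keep them running.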
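--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -76,7 +76,6 @@ static char *usage_str =
 " --dns=address - set DNS server.\n"
 " --dns.print=name|pid - print DNS configuration.\n"
 " --env=name=value - set environment variable.\n"
-" --force - attempt to start a new sandbox inside the existing sandbox.\n"
 " --fs.print=name|pid - print the filesystem log.\n"
 " --get=name|pid filename - get a file from sandbox container.\n"
 #ifdef HAVE_GIT_INSTALL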
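--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -468,13 +468,6 @@ Example:
 $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
 
 .TP
-\fB\-\-force
-By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell.
-This option disables this behavior, and attempts to start Firejail in the existing sandbox.
-There could be lots of reasons for it to fail, for example if the existing sandbox disables
-admin capabilities, SUID binaries, or if it runs seccomp.
-
-.TP
 \fB\-\-fs.print=name|print
 Print the filesystem log for the sandbox identified by name or by PID.
 .br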
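--- a/test/environment/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -24,26 +24,6 @@ after 100
 send -- "exit\r"
 after 100
 
-send -- "firejail --force\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"cannot rise privileges"
-}
-after 100
-
-send -- "firejail --version\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"firejail version"
-}
-after 100
-
-send -- "firejail --version --force\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"firejail version"
-}
-after 100
 
 
 puts "\nall done\n"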