cleanup

18 files changed, 61 insertions, 152 deletions

diff --git a/RELNOTES b/RELNOTES
index 87b3f3780..c6194e1a6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,8 @@
 firejail (0.9.53) baseline; urgency=low
   * work in progress
   * modif: --force depercated
+  * modif: --csg, --zsh deprecated
+  * modif: --debug-check-filename deprecated
   * modif: --git-install and --git-uninstall deprecated
   * modif: support for private-bin, private-lib and shell none has been
      disabled while running AppImage archives in order to be able to use
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 48d985d73..d0f43041c 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7b0ae30b6..f8094e893 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -166,10 +166,6 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
-                        // follow symlink in private-bin command
-                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-                                fwarning("follow-symlink-private-bin from firejail.config was deprecated\n");
-                        }
                         // nonewprivs
                         else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
                                 if (strcmp(ptr + 17, "yes") == 0)
@@ -311,9 +307,6 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
-                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
-                                fwarning("remount-proc-sys from firejail.config was deprecated\n");
-                        }
                         else if (strncmp(ptr, "overlayfs ", 10) == 0) {
                                 if (strcmp(ptr + 10, "yes") == 0)
                                         cfg_val[CFG_OVERLAYFS] = 1;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 718c0b328..2746deea1 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
 extern int arg_debug;           // print debug messages
-extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
 extern int arg_debug_private_lib;       // print debug messages for private-lib
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
 void caps_drop_dac_override(void);
 
-// syscall.c
-const char *syscall_find_nr(int nr);
-
 // fs_trace.c
 void fs_trace_preload(void);
 void fs_trace(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e676bbd7c..2d8af7f41 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -47,7 +47,6 @@ Config cfg;					// configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0;                              // print debug messages
-int arg_debug_check_filename = 0;               // print debug messages for filename checking
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
 int arg_debug_private_lib = 0;                  // print debug messages for private-lib
@@ -1051,8 +1050,6 @@ int main(int argc, char **argv) {
 
                 if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
                         arg_debug = 1;
-                else if (strcmp(argv[i], "--debug-check-filename") == 0)
-                        arg_debug_check_filename = 1;
                 else if (strcmp(argv[i], "--debug-blacklists") == 0)
                         arg_debug_blacklists = 1;
                 else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1439,9 +1436,6 @@ int main(int argc, char **argv) {
                         custom_profile = 1;
                         free(ppath);
                 }
-                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-                        fwarning("--profile-path has been deprecated\n");
-                }
                 else if (strcmp(argv[i], "--noprofile") == 0) {
                         if (custom_profile) {
                                 fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1541,9 +1535,6 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--machine-id") == 0) {
                         arg_machineid = 1;
                 }
-                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-                        fwarning("--allow-private-blacklist was deprecated\n");
-                }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
                 }
@@ -2117,29 +2108,6 @@ int main(int argc, char **argv) {
                 }
                 else if (strcmp(argv[i], "--appimage") == 0)
                         arg_appimage = 1;
-                else if (strcmp(argv[i], "--csh") == 0) {
-                        if (arg_shell_none) {
-
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/csh";
-                }
-                else if (strcmp(argv[i], "--zsh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/zsh";
-                }
                 else if (strcmp(argv[i], "--shell=none") == 0) {
                         arg_shell_none = 1;
                         if (cfg.shell) {
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index ba955bcca..5bd3f7e09 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
         for (i = 0; i < argc; i++) {
                 if (strcmp(argv[i], "--debug") == 0)
                         arg_debug = 1;
-                else if (strcmp(argv[i], "--csh") == 0 ||
-                    strcmp(argv[i], "--zsh") == 0 ||
-                    strcmp(argv[i], "--shell=none") == 0 ||
+                else if (strcmp(argv[i], "--shell=none") == 0 ||
                     strncmp(argv[i], "--shell=", 8) == 0)
                         fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
         }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3ef9a1856..156ffa24a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_nodbus = 1;
                 return 0;
         }
-        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-                fmessage("--allow-private-blacklist was deprecated\n");
-                return 0;
-        }
         else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK))
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index a9dcc78e5..742fc0465 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -29,8 +29,6 @@ static char *usage_str =
         "Options:\n"
         "    -- - signal the end of options and disables further option processing.\n"
         "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
-        "    --allow-private-blacklist - allow blacklisting files in private\n"
-        "\thome directories.\n"
         "    --allusers - all user home directories are visible inside the sandbox.\n"
         "    --apparmor - enable AppArmor confinement.\n"
         "    --apparmor.print=name|pid - print apparmor status.\n"
@@ -58,11 +56,9 @@ static char *usage_str =
 #endif
         "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
         "    --cpu.print=name|pid - print the cpus in use.\n"
-        "    --csh - use /bin/csh as default shell.\n"
         "    --debug - print sandbox debug messages.\n"
         "    --debug-blacklists - debug blacklisting.\n"
         "    --debug-caps - print all recognized capabilities.\n"
-        "    --debug-check-filename - debug filename checking.\n"
         "    --debug-errnos - print all recognized error numbers.\n"
         "    --debug-private-lib - debug for --private-lib option.\n"
         "    --debug-protocols - print all recognized protocols.\n"
@@ -163,6 +159,7 @@ static char *usage_str =
         "\tfilesystem, and copy the files and directories in the list.\n"
         "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
         "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
         "    --profile=filename - use a custom profile.\n"
         "    --profile.print=name|pid - print the name of profile file.\n"
         "    --profile-path=directory - use this directory to look for profile files.\n"
@@ -236,7 +233,6 @@ static char *usage_str =
         "    --x11=xvfb - enable Xvfb X11 server.\n"
         "    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-        "    --zsh - use /usr/bin/zsh as default shell.\n"
         "\n"
         "Examples:\n"
         "    $ firejail firefox\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3437d495f..a44e52e98 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
         assert(fname);
         const char *ptr = fname;
 
-        if (arg_debug_check_filename)
-                printf("Checking filename %s\n", fname);
-
         if (strncmp(ptr, "${HOME}", 7) == 0)
                 ptr = fname + 7;
         else if (strncmp(ptr, "${PATH}", 7) == 0)
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 37bd4e874..a4d642d66 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -43,6 +43,7 @@ static char *help_str =
         "\t--tree - print a tree of all sandboxed processes.\n\n"
         "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
         "\t--version - print program version and exit.\n\n"
+        "\t--x11 - print X11 display number.\n\n"
 
         "Without any options, firemon monitors all fork, exec, id change, and exit\n"
         "events in the sandbox. Monitoring a specific PID is also supported.\n\n"
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index 5d92aa133..7d9784392 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -45,6 +45,12 @@ int firejail_user_check(const char *name) {
         if (strcmp(name, "root") == 0)
                 return 1;
 
+        // user nobody disabled by default
+        if (strcmp(name, "nobody") == 0) {
+                fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
+                exit(1);
+        }
+
         // check file existence
         char *fname = get_fname();
         if (access(fname, F_OK)) {
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index fcc0f914b..ec91e495c 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,7 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default.
+root user is allowed by default, user nobody is denied access by default.
 
 Example:
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6e8e4eb2c..2e410061d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -314,15 +314,6 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 
 .TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-csh
-.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 
 .TP
 \fB\-\-debug-errnos
@@ -1949,8 +1931,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
-shell.
+By default Bash shell (/bin/bash) is used.
 .br
 
 .br
@@ -2324,16 +2305,6 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 
-.TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-zsh
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index dcf16452f..0ec07c1ad 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -56,7 +56,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
         "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "appimage Leafpad"
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 073c32dab..90b13b9ff 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -44,7 +44,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
         "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "appimage Leafpad"
diff --git a/test/environment/csh.exp b/test/environment/csh.exp
index 10a278ebc..7b5ab9b33 100755
--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --csh\r"
+send -- "firejail --private --shell=/bin/csh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        ".cshrc"
-}
-
-send -- "env | grep SHELL\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "SHELL"
+        "SHELL"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "/bin/csh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --csh\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "shell=none was already specified"
-}
-after 100
-
-send -- "firejail --csh --shell=none\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "a shell was already specified"
+        "home"
 }
+send -- "exit\r"
 after 100
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp
index e7f610e98..a1b94a326 100755
--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --zsh\r"
+send -- "firejail --private --shell=/bin/zsh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        ".zshrc"
-}
-
 send -- "env | grep SHELL;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
         "SHELL"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "/bin/zsh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --zsh\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "shell=none was already specified"
-}
-after 100
-
-send -- "firejail --zsh --shell=none\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "a shell was already specified"
+        "home"
 }
+send -- "exit\r"
 after 100
 
 puts "\nall done\n"
diff --git a/test/root/private.exp b/test/root/private.exp
index 784761fc8..e3d3245ae 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -54,6 +54,21 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 
 
 send -- "touch /srv/firejail-test-file\r"
@@ -77,14 +92,20 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
 
-
-
-
-
-
-
-
-
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 
 puts "\nall done\n"