allow blacklists noexec etc. in private home directories; fix bug #1608

author: netblue30 <netblue30@yahoo.com> 2017-10-20 11:08:58 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-10-20 11:08:58 -0400
commit: 033074ab6d859fbd11fc3e1946d637572666ff48 (patch)
tree: 6b25ac1616782abab36bd37dd0689ca4c33c60a2
parent: Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download: firejail-033074ab6d859fbd11fc3e1946d637572666ff48.tar.gz
firejail-033074ab6d859fbd11fc3e1946d637572666ff48.tar.zst
firejail-033074ab6d859fbd11fc3e1946d637572666ff48.zip
7 files changed, 7 insertions, 46 deletions
diff --git a/RELNOTES b/RELNOTES
index 9a15686db..49ec862a1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,8 @@
 firejail (0.9.51) baseline; urgency=low
  * work in progress!
+  * modif: --allow-private-blacklists was deprecated; blacklisting,
+    read-only, read-write, tmpfs and noexec are allowed in
+    private home directories
  * enhancement: support Firejail user config directory in firecfg
  * enhancement: disable DBus activation in firecfg
  * enhancement; enumerate root directories in apparmor profile
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e10a5d346..d853daa44 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -298,7 +298,6 @@ void clear_run_files(pid_t pid);
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
-extern int arg_allow_private_blacklist;  // blacklist things in private directories
 extern int arg_debug;           // print debug messages
 extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0a6f40959..ed2c9a566 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -220,14 +220,6 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
                        }
                }
-                // We don't usually need to blacklist things in private home directories
-                if (okay_to_blacklist
-                 && cfg.homedir
-                 && arg_private
-                 && (!arg_allow_private_blacklist)
-                 && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
-                        okay_to_blacklist = false;
                if (okay_to_blacklist)
                        disable_file(op, path);
                else if (arg_debug)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 584d0c293..126f98d9b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1600,7 +1600,8 @@ int main(int argc, char **argv) {
                        arg_machineid = 1;
                }
                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-                        arg_allow_private_blacklist = 1;
+                        if (!arg_quiet)
+                                fprintf(stderr, "--allow-private-blacklist was deprecated\n");
                }
                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a1c94579c..622306c22 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -242,7 +242,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-                arg_allow_private_blacklist = 1;
+                if (!arg_quiet)
+                        fprintf(stderr, "--allow-private-blacklist was deprecated\n");
                return 0;
        }
        else if (strcmp(ptr, "netfilter") == 0) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7ba09ba8a..00481d4d3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -87,15 +87,6 @@ Example:
 .br
 $ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
-\fB\-\-allow-private-blacklist
-Allow blacklisting files in private home directory. By default these blacklists are disabled.
-.br
-.br
-Example:
-.br
-$ firejail  --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
-.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
index 9c97ff4ea..d58adf801 100755
--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -74,32 +74,6 @@ sleep 1
 send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
 expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Not blacklist"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "test_dir_2"
-}
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "find ~\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "testfile"
-}
-after 100
-send -- "exit\r"
-sleep 1
-send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
-expect {
        timeout {puts "TESTING ERROR 10\n";exit}
        "Disable"
 }
author	netblue30 <netblue30@yahoo.com>	2017-10-20 11:08:58 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-10-20 11:08:58 -0400
commit	033074ab6d859fbd11fc3e1946d637572666ff48 (patch)
tree	6b25ac1616782abab36bd37dd0689ca4c33c60a2
parent	Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download	firejail-033074ab6d859fbd11fc3e1946d637572666ff48.tar.gz firejail-033074ab6d859fbd11fc3e1946d637572666ff48.tar.zst firejail-033074ab6d859fbd11fc3e1946d637572666ff48.zip