authorLibravatar netblue30 <netblue30@protonmail.com>2021-12-18 15:22:21 +0000
committerLibravatar GitHub <noreply@github.com>2021-12-18 15:22:21 +0000
commit6ca3225d1ca28b8019bc2daeac0a4d38e872d07b (patch)
tree572f8efa6418f229f8f65f1100051199f25f4179
parentdisable curl and wget in browsers based on firefox and chromium (diff)
parentRemove profcleaner.c and profcleaner.sh (diff)
Merge pull request #4771 from kmk3/revert-allow-deny-leftovers
Revert allow/deny leftovers
-rw-r--r--src/firejail/main.c36
-rw-r--r--src/firejail/profile.c38
-rw-r--r--src/tools/profcleaner.c75
-rwxr-xr-xsrc/tools/profcleaner.sh45
-rw-r--r--src/zsh_completion/_firejail.in30
5 files changed, 15 insertions, 209 deletions
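--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1574,7 +1574,6 @@ int main(int argc, char **argv, char **envp) {
 profile_add(line);
 }
 
-// blacklist/deny
 else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
 char *line;
 if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1583,14 +1582,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-else if (strncmp(argv[i], "--deny=", 7) == 0) {
-char *line;
-if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1)
-errExit("asprintf");
-
-profile_check_line(line, 0, NULL); // will exit if something wrong
-profile_add(line);
-}
 else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
 char *line;
 if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
@@ -1599,16 +1590,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-else if (strncmp(argv[i], "--nodeny=", 9) == 0) {
-char *line;
-if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1)
-errExit("asprintf");
-
-profile_check_line(line, 0, NULL); // will exit if something wrong
-profile_add(line);
-}
-
-// whitelist
 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
 char *line;
 if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
@@ -1617,14 +1598,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-else if (strncmp(argv[i], "--allow=", 8) == 0) {
-char *line;
-if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
-errExit("asprintf");
-
-profile_check_line(line, 0, NULL); // will exit if something wrong
-profile_add(line);
-}
 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
 char *line;
 if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1)
@@ -1633,15 +1606,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-else if (strncmp(argv[i], "--noallow=", 10) == 0) {
-char *line;
-if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1)
-errExit("asprintf");
-
-profile_check_line(line, 0, NULL); // will exit if something wrong
-profile_add(line);
-}
-
 
 else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
 char *line;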
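--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1752,44 +1752,6 @@ void profile_read(const char *fname) {
 continue;
 }
 
-// translate allow/deny to whitelist/blacklist
-if (strncmp(ptr, "allow ", 6) == 0) {
-char *tmp;
-if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "deny ", 5) == 0) {
-char *tmp;
-if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "deny-nolog ", 11) == 0) {
-char *tmp;
-if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-// translate noallow/nodeny to nowhitelist/noblacklist
-else if (strncmp(ptr, "noallow ", 8) == 0) {
-char *tmp;
-if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "nodeny ", 7) == 0) {
-char *tmp;
-if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-
 // process quiet
 // todo: a quiet in the profile file cannot be disabled by --ignore on command line
 if (strcmp(ptr, "quiet") == 0) {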
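--- a/src/tools/profcleaner.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-//*************************************************************
-// Small utility program to convert profiles from blacklist/whitelist to deny/allow
-// Compile:
-// gcc -o profcleaner profcleaner.c
-// Usage:
-// profcleaner *.profile
-//*************************************************************
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#define MAXBUF 4096
-
-int main(int argc, char **argv) {
-printf("Usage: profcleaner files\n");
-int i;
-
-for (i = 1; i < argc; i++) {
-FILE *fp = fopen(argv[i], "r");
-if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", argv[i]);
-return 1;
-}
-
-FILE *fpout = fopen("profcleaner-tmp", "w");
-if (!fpout) {
-fprintf(stderr, "Error: cannot open output file\n");
-return 1;
-}
-
-char buf[MAXBUF];
-while (fgets(buf, MAXBUF, fp)) {
-if (strncmp(buf, "blacklist-nolog", 15) == 0)
-fprintf(fpout, "deny-nolog %s", buf + 15);
-else if (strncmp(buf, "blacklist", 9) == 0)
-fprintf(fpout, "deny %s", buf + 9);
-else if (strncmp(buf, "noblacklist", 11) == 0)
-fprintf(fpout, "nodeny %s", buf + 11);
-else if (strncmp(buf, "whitelist", 9) == 0)
-fprintf(fpout, "allow %s", buf + 9);
-else if (strncmp(buf, "nowhitelist", 11) == 0)
-fprintf(fpout, "noallow %s", buf + 11);
-else
-fprintf(fpout, "%s", buf);
-}
-
-fclose(fp);
-fclose(fpout);
-unlink(argv[i]);
-rename("profcleaner-tmp", argv[i]);
-}
-
-return 0;
-}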
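--- a/src/tools/profcleaner.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# Copyright (C) 2021 Firejail Authors
-#
-# This file is part of firejail project
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-if [[ $1 == --help ]]; then
-cat <<-EOM
-USAGE:
-profcleaner.sh --help Show this help message and exit
-profcleaner.sh --system Clean all profiles in /etc/firejail
-profcleaner.sh --user Clean all profiles in ~/.config/firejail
-profcleaner.sh /path/to/profile1 /path/to/profile2 ...
-EOM
-exit 0
-fi
-
-if [[ $1 == --system ]]; then
-profiles=(/etc/firejail/*.{inc,local,profile})
-elif [[ $1 == --user ]]; then
-profiles=("$HOME"/.config/firejail/*.{inc,local,profile})
-else
-profiles=("$@")
-fi
-
-sed -i -E \
--e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \
--e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \
--e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \
--e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \
-"${profiles[@]}"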
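--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -48,8 +48,8 @@ _firejail_args=(
 '*::arguments:_normal'
 
 '--appimage[sandbox an AppImage application]'
-'--build[build a profile for the application and print it on stdout]'
-'--build=-[build a profile for the application and save it]: :_files'
+'--build[build a whitelisted profile for the application and print it on stdout]'
+'--build=-[build a whitelisted profile for the application and save it]: :_files'
 # Ignore that you can do -? too as it's the only short option
 '--help[this help screen]'
 '--join=-[join the sandbox name|pid]: :_all_firejails'
@@ -66,14 +66,14 @@ _firejail_args=(
 '--ids-init[initialize IDS database]'
 
 '--debug[print sandbox debug messages]'
-'--debug-allow[debug file system access]'
+'--debug-blacklists[debug blacklisting]'
 '--debug-caps[print all recognized capabilities]'
-'--debug-deny[debug file system access]'
 '--debug-errnos[print all recognized error numbers]'
 '--debug-private-lib[debug for --private-lib option]'
 '--debug-protocols[print all recognized protocols]'
 '--debug-syscalls[print all recognized system calls]'
 '--debug-syscalls32[print all recognized 32 bit system calls]'
+'--debug-whitelists[debug whitelisting]'
 
 '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
 '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
@@ -86,13 +86,13 @@ _firejail_args=(
 '--allusers[all user home directories are visible inside the sandbox]'
 # Should be _files, a comma and files or files -/
 '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
+'*--blacklist=-[blacklist directory or file]: :_files'
 '--caps[enable default Linux capabilities filter]'
 '--caps.drop=all[drop all capabilities]'
 '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
 '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
 '--cgroup=-[place the sandbox in the specified control group]: :'
 '--cpu=-[set cpu affinity]: :->cpus'
-'*--deny=-[deny access to directory or file]: :_files'
 "--deterministic-exit-code[always exit with first child's status code]"
 '--deterministic-shutdown[terminate orphan processes]'
 '*--dns=-[set DNS server]: :'
@@ -116,7 +116,7 @@ _firejail_args=(
 '--nice=-[set nice value]: :(1 10 15 20)'
 '--no3d[disable 3D hardware acceleration]'
 '--noautopulse[disable automatic ~/.config/pulse init]'
-'--nodeny=-[disable deny command for file or directory]: :_files'
+'--noblacklist=-[disable blacklist for file or directory]: :_files'
 '--nodbus[disable D-Bus access]'
 '--nodvd[disable DVD and audio CD devices]'
 '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
@@ -147,13 +147,13 @@ _firejail_args=(
 '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
 '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
 '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
-'--seccomp[enable seccomp filter and drop the default syscalls]: :'
-'--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp'
+'--seccomp[enable seccomp filter and apply the default blacklist]: :'
+'--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
 '--seccomp.block-secondary[build only the native architecture filters]'
-'*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp'
-'*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp'
-'*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
-'*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+'*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
+'*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
+'*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+'*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
 # FIXME: Add errnos
 '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
 '--shell=none[run the program directly without a user shell]'
@@ -161,7 +161,7 @@ _firejail_args=(
 '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
 #'(--tracelog)--trace[trace open, access and connect system calls]'
 '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
-'(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]'
+'(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
 '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
 '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
 '--writable-var[/var directory is mounted read-write]'
@@ -255,8 +255,8 @@ _firejail_args=(
 '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-'*--noallow=-[disable allow command for file or directory]: :_files'
-'*--allow=-[allow file system access]: :_files'
+'*--nowhitelist=-[disable whitelist for file or directory]: :_files'
+'*--whitelist=-[whitelist directory or file]: :_files'
 
 #ifdef HAVE_X11
 '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'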
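Review bot: The restored `'--noblacklist=-[disable blacklist for file or directory]: :_files'` entry (hunk @@ -116) is missing the leading `*` that its siblings `'*--blacklist=-…'`, `'*--whitelist=-…'` and `'*--nowhitelist=-…'` carry, so zsh's _arguments will stop offering `--noblacklist=` after it has been given once, while the main.c hunk parses `--noblacklist=` per argument exactly like `--blacklist=` and so presumably accepts it repeatedly. Unless the single-use restriction is intentional, the line should read `'*--noblacklist=-[disable blacklist for file or directory]: :_files'`. The pre-revert `--nodeny=` line had the same omission, so this is carried over rather than introduced here, but it is worth fixing while the entry is being touched.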