disable cgroup code

author: netblue30 <netblue30@protonmail.com> 2022-06-13 09:03:45 -0400
committer: netblue30 <netblue30@protonmail.com> 2022-06-13 09:03:45 -0400
commit: 73b089092dcf033a4f67584d86c2237b94c5646b (patch)
tree: 14440d16fef77d16fc6a6d2b04ac49e4f8e92c66
parent: Merge pull request #5140 from kmk3/build-dedup-config-vars (diff)
download: firejail-73b089092dcf033a4f67584d86c2237b94c5646b.tar.gz
firejail-73b089092dcf033a4f67584d86c2237b94c5646b.tar.zst
firejail-73b089092dcf033a4f67584d86c2237b94c5646b.zip
8 files changed, 0 insertions, 178 deletions
diff --git a/etc/firejail.config b/etc/firejail.config
index 856018101..3c1cb7336 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -25,9 +25,6 @@
 # Disable U2F in browsers, default enabled.
 # browser-disable-u2f yes
-# Enable or disable cgroup support, default enabled.
-# cgroup yes
 # Enable or disable chroot support, default enabled.
 # chroot yes
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
deleted file mode 100644
index c8cb96f98..000000000
--- a/src/firejail/cgroup.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2014-2022 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include "../include/gcov_wrapper.h"
-#include <sys/wait.h>
-#include <errno.h>
-#define MAXBUF 4096
-void save_cgroup(void) {
-        if (cfg.cgroup == NULL)
-                return;
-        FILE *fp = fopen(RUN_CGROUP_CFG, "wxe");
-        if (fp) {
-                fprintf(fp, "%s", cfg.cgroup);
-                fflush(0);
-                SET_PERMS_STREAM(fp, 0, 0, 0644);
-                if (fclose(fp))
-                        goto errout;
-        }
-        else
-                goto errout;
-        return;
-errout:
-        fprintf(stderr, "Error: cannot save cgroup\n");
-        exit(1);
-}
-static int is_cgroup_path(const char *fname) {
-        // path starts with /sys/fs/cgroup
-        if (strncmp(fname, "/sys/fs/cgroup", 14) != 0)
-                return 0;
-        // no .. traversal
-        char *ptr = strstr(fname, "..");
-        if (ptr)
-                return 0;
-        return 1;
-}
-void check_cgroup_file(const char *fname) {
-        assert(fname);
-        invalid_filename(fname, 0); // no globbing
-        if (!is_cgroup_path(fname))
-                goto errout;
-        const char *base = gnu_basename(fname);
-        if (strcmp(base, "tasks") != 0 &&  // cgroup v1
-            strcmp(base, "cgroup.procs") != 0)
-                goto errout;
-        if (access(fname, W_OK) == 0)
-                return;
-errout:
-        fprintf(stderr, "Error: invalid cgroup\n");
-        exit(1);
-}
-static void do_set_cgroup(const char *fname, pid_t pid) {
-        FILE *fp = fopen(fname, "ae");
-        if (!fp) {
-                fwarning("cannot open %s for writing: %s\n", fname, strerror(errno));
-                return;
-        }
-        int rv = fprintf(fp, "%d\n", pid);
-        (void) rv;
-        fclose(fp);
-}
-void set_cgroup(const char *fname, pid_t pid) {
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                drop_privs(0);
-                do_set_cgroup(fname, pid);
-                __gcov_flush();
-                _exit(0);
-        }
-        waitpid(child, NULL, 0);
-}
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index e1acaf632..33260ce94 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -100,7 +100,6 @@ int checkcfg(int val) {
                        PARSE_YESNO(CFG_X11, "x11")
                        PARSE_YESNO(CFG_APPARMOR, "apparmor")
                        PARSE_YESNO(CFG_BIND, "bind")
-                        PARSE_YESNO(CFG_CGROUP, "cgroup")
                        PARSE_YESNO(CFG_NAME_CHANGE, "name-change")
                        PARSE_YESNO(CFG_USERNS, "userns")
                        PARSE_YESNO(CFG_CHROOT, "chroot")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7e1d45c01..7930778ca 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -211,7 +211,6 @@ typedef struct config_t {
        // cpu affinity, nice and control groups
        uint32_t cpus;
        int nice;
-        char *cgroup;
        // command line
        char *command_line;
@@ -669,11 +668,6 @@ void set_cpu_affinity(void);
 void save_cpu(void);
 void cpu_print_filter(pid_t pid) __attribute__((noreturn));
-// cgroup.c
-void save_cgroup(void);
-void check_cgroup_file(const char *fname);
-void set_cgroup(const char *fname, pid_t pid);
 // output.c
 void check_output(int argc, char **argv);
@@ -830,7 +824,6 @@ enum {
        CFG_BROWSER_ALLOW_DRM,
        CFG_APPARMOR,
        CFG_DBUS,
-        CFG_CGROUP,
        CFG_NAME_CHANGE,
        CFG_SECCOMP_ERROR_ACTION,
        // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 5acdcb060..7e05fc785 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -204,24 +204,6 @@ static void extract_cpu(ProcessHandle sandbox) {
        fclose(fp);
 }
-static void extract_cgroup(ProcessHandle sandbox) {
-        int fd = process_rootfs_open(sandbox, RUN_CGROUP_CFG);
-        if (fd < 0)
-                return; // not configured
-        FILE *fp = fdopen(fd, "r");
-        if (!fp)
-                errExit("fdopen");
-        char buf[BUFLEN];
-        if (fgets(buf, BUFLEN, fp)) {
-                cfg.cgroup = strdup(buf);
-                if (!cfg.cgroup)
-                        errExit("strdup");
-        }
-        fclose(fp);
-}
 static void extract_umask(ProcessHandle sandbox) {
        int fd = process_rootfs_open(sandbox, RUN_UMASK_FILE);
        if (fd < 0) {
@@ -437,16 +419,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                extract_nonewprivs(sandbox);  // redundant on Linux >= 4.10; duplicated in function extract_caps
                extract_caps(sandbox);
                extract_cpu(sandbox);
-                extract_cgroup(sandbox);
                extract_nogroups(sandbox);
                extract_user_namespace(sandbox);
                extract_umask(sandbox);
        }
-        // set cgroup
-        if (cfg.cgroup) // not available for uid 0
-                set_cgroup(cfg.cgroup, getpid());
        // join namespaces
        EUID_ROOT();
        if (arg_join_network) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7081e067f..8bfff4e68 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1012,7 +1012,6 @@ int main(int argc, char **argv, char **envp) {
        int lockfd_network = -1;
        int lockfd_directory = -1;
        int lockfd_sandboxfile = -1;
-        int option_cgroup = 0;
        int custom_profile = 0; // custom profile loaded
        int arg_caps_cmdline = 0;       // caps requested on command line (used to break out of --chroot)
        int arg_netlock = 0;
@@ -1566,23 +1565,6 @@ int main(int argc, char **argv, char **envp) {
                                cfg.nice = 0;
                        arg_nice = 1;
                }
-                else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
-                        if (checkcfg(CFG_CGROUP)) {
-                                if (option_cgroup) {
-                                        fprintf(stderr, "Error: only one cgroup can be defined\n");
-                                        exit(1);
-                                }
-                                cfg.cgroup = strdup(argv[i] + 9);
-                                if (!cfg.cgroup)
-                                        errExit("strdup");
-                                check_cgroup_file(cfg.cgroup);
-                                set_cgroup(cfg.cgroup, getpid());
-                                option_cgroup = 1;
-                        }
-                        else
-                                exit_err_feature("cgroup");
-                }
                //*************************************
                // filesystem
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5bc77263a..daa0a2e92 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1144,21 +1144,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
-        // cgroup
-        if (strncmp(ptr, "cgroup ", 7) == 0) {
-                if (checkcfg(CFG_CGROUP)) {
-                        cfg.cgroup = strdup(ptr + 7);
-                        if (!cfg.cgroup)
-                                errExit("strdup");
-                        check_cgroup_file(cfg.cgroup);
-                        set_cgroup(cfg.cgroup, getpid());
-                }
-                else
-                        warning_feature_disabled("cgroup");
-                return 0;
-        }
        // writable-etc
        if (strcmp(ptr, "writable-etc") == 0) {
                if (cfg.etc_private_keep) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 635137feb..4ad9eb678 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1150,9 +1150,6 @@ int sandbox(void* sandbox_arg) {
        // save cpu affinity mask to CPU_CFG file
        save_cpu();
-        // save cgroup in CGROUP_CFG file
-        save_cgroup();
        // set seccomp
        // install protocol filter
 #ifdef SYS_socket
author	netblue30 <netblue30@protonmail.com>	2022-06-13 09:03:45 -0400
committer	netblue30 <netblue30@protonmail.com>	2022-06-13 09:03:45 -0400
commit	73b089092dcf033a4f67584d86c2237b94c5646b (patch)
tree	14440d16fef77d16fc6a6d2b04ac49e4f8e92c66
parent	Merge pull request #5140 from kmk3/build-dedup-config-vars (diff)
download	firejail-73b089092dcf033a4f67584d86c2237b94c5646b.tar.gz firejail-73b089092dcf033a4f67584d86c2237b94c5646b.tar.zst firejail-73b089092dcf033a4f67584d86c2237b94c5646b.zip

diff --git a/etc/firejail.config b/etc/firejail.config index 856018101..3c1cb7336 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -25,9 +25,6 @@
25	# Disable U2F in browsers, default enabled.	25	# Disable U2F in browsers, default enabled.
26	# browser-disable-u2f yes	26	# browser-disable-u2f yes
27		27
28	# Enable or disable cgroup support, default enabled.
29	# cgroup yes
30
31	# Enable or disable chroot support, default enabled.	28	# Enable or disable chroot support, default enabled.
32	# chroot yes	29	# chroot yes
33		30


diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c deleted file mode 100644 index c8cb96f98..000000000 --- a/src/firejail/cgroup.c +++ /dev/null
@@ -1,108 +0,0 @@
1	/*
2	* Copyright (C) 2014-2022 Firejail Authors
3	*
4	* This file is part of firejail project
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License as published by
8	* the Free Software Foundation; either version 2 of the License, or
9	* (at your option) any later version.
10	*
11	* This program is distributed in the hope that it will be useful,
12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	* GNU General Public License for more details.
15	*
16	* You should have received a copy of the GNU General Public License along
17	* with this program; if not, write to the Free Software Foundation, Inc.,
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/
20	#include "firejail.h"
21	#include "../include/gcov_wrapper.h"
22	#include <sys/wait.h>
23	#include <errno.h>
24
25	#define MAXBUF 4096
26
27	void save_cgroup(void) {
28	if (cfg.cgroup == NULL)
29	return;
30
31	FILE *fp = fopen(RUN_CGROUP_CFG, "wxe");
32	if (fp) {
33	fprintf(fp, "%s", cfg.cgroup);
34	fflush(0);
35	SET_PERMS_STREAM(fp, 0, 0, 0644);
36	if (fclose(fp))
37	goto errout;
38	}
39	else
40	goto errout;
41
42	return;
43
44	errout:
45	fprintf(stderr, "Error: cannot save cgroup\n");
46	exit(1);
47	}
48
49	static int is_cgroup_path(const char *fname) {
50	// path starts with /sys/fs/cgroup
51	if (strncmp(fname, "/sys/fs/cgroup", 14) != 0)
52	return 0;
53
54	// no .. traversal
55	char *ptr = strstr(fname, "..");
56	if (ptr)
57	return 0;
58
59	return 1;
60	}
61
62	void check_cgroup_file(const char *fname) {
63	assert(fname);
64	invalid_filename(fname, 0); // no globbing
65
66	if (!is_cgroup_path(fname))
67	goto errout;
68
69	const char *base = gnu_basename(fname);
70	if (strcmp(base, "tasks") != 0 && // cgroup v1
71	strcmp(base, "cgroup.procs") != 0)
72	goto errout;
73
74	if (access(fname, W_OK) == 0)
75	return;
76
77	errout:
78	fprintf(stderr, "Error: invalid cgroup\n");
79	exit(1);
80	}
81
82	static void do_set_cgroup(const char *fname, pid_t pid) {
83	FILE *fp = fopen(fname, "ae");
84	if (!fp) {
85	fwarning("cannot open %s for writing: %s\n", fname, strerror(errno));
86	return;
87	}
88
89	int rv = fprintf(fp, "%d\n", pid);
90	(void) rv;
91	fclose(fp);
92	}
93
94	void set_cgroup(const char *fname, pid_t pid) {
95	pid_t child = fork();
96	if (child < 0)
97	errExit("fork");
98	if (child == 0) {
99	drop_privs(0);
100
101	do_set_cgroup(fname, pid);
102
103	__gcov_flush();
104
105	_exit(0);
106	}
107	waitpid(child, NULL, 0);
108	}


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index e1acaf632..33260ce94 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -100,7 +100,6 @@ int checkcfg(int val) {
100	PARSE_YESNO(CFG_X11, "x11")	100	PARSE_YESNO(CFG_X11, "x11")
101	PARSE_YESNO(CFG_APPARMOR, "apparmor")	101	PARSE_YESNO(CFG_APPARMOR, "apparmor")
102	PARSE_YESNO(CFG_BIND, "bind")	102	PARSE_YESNO(CFG_BIND, "bind")
103	PARSE_YESNO(CFG_CGROUP, "cgroup")
104	PARSE_YESNO(CFG_NAME_CHANGE, "name-change")	103	PARSE_YESNO(CFG_NAME_CHANGE, "name-change")
105	PARSE_YESNO(CFG_USERNS, "userns")	104	PARSE_YESNO(CFG_USERNS, "userns")
106	PARSE_YESNO(CFG_CHROOT, "chroot")	105	PARSE_YESNO(CFG_CHROOT, "chroot")


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7e1d45c01..7930778ca 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -211,7 +211,6 @@ typedef struct config_t {
211	// cpu affinity, nice and control groups	211	// cpu affinity, nice and control groups
212	uint32_t cpus;	212	uint32_t cpus;
213	int nice;	213	int nice;
214	char *cgroup;
215		214
216	// command line	215	// command line
217	char *command_line;	216	char *command_line;
@@ -669,11 +668,6 @@ void set_cpu_affinity(void);
669	void save_cpu(void);	668	void save_cpu(void);
670	void cpu_print_filter(pid_t pid) __attribute__((noreturn));	669	void cpu_print_filter(pid_t pid) __attribute__((noreturn));
671		670
672	// cgroup.c
673	void save_cgroup(void);
674	void check_cgroup_file(const char *fname);
675	void set_cgroup(const char *fname, pid_t pid);
676
677	// output.c	671	// output.c
678	void check_output(int argc, char **argv);	672	void check_output(int argc, char **argv);
679		673
@@ -830,7 +824,6 @@ enum {
830	CFG_BROWSER_ALLOW_DRM,	824	CFG_BROWSER_ALLOW_DRM,
831	CFG_APPARMOR,	825	CFG_APPARMOR,
832	CFG_DBUS,	826	CFG_DBUS,
833	CFG_CGROUP,
834	CFG_NAME_CHANGE,	827	CFG_NAME_CHANGE,
835	CFG_SECCOMP_ERROR_ACTION,	828	CFG_SECCOMP_ERROR_ACTION,
836	// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv	829	// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv


diff --git a/src/firejail/join.c b/src/firejail/join.c index 5acdcb060..7e05fc785 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c
@@ -204,24 +204,6 @@ static void extract_cpu(ProcessHandle sandbox) {
204	fclose(fp);	204	fclose(fp);
205	}	205	}
206		206
207	static void extract_cgroup(ProcessHandle sandbox) {
208	int fd = process_rootfs_open(sandbox, RUN_CGROUP_CFG);
209	if (fd < 0)
210	return; // not configured
211
212	FILE *fp = fdopen(fd, "r");
213	if (!fp)
214	errExit("fdopen");
215
216	char buf[BUFLEN];
217	if (fgets(buf, BUFLEN, fp)) {
218	cfg.cgroup = strdup(buf);
219	if (!cfg.cgroup)
220	errExit("strdup");
221	}
222	fclose(fp);
223	}
224
225	static void extract_umask(ProcessHandle sandbox) {	207	static void extract_umask(ProcessHandle sandbox) {
226	int fd = process_rootfs_open(sandbox, RUN_UMASK_FILE);	208	int fd = process_rootfs_open(sandbox, RUN_UMASK_FILE);
227	if (fd < 0) {	209	if (fd < 0) {
@@ -437,16 +419,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
437	extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps	419	extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps
438	extract_caps(sandbox);	420	extract_caps(sandbox);
439	extract_cpu(sandbox);	421	extract_cpu(sandbox);
440	extract_cgroup(sandbox);
441	extract_nogroups(sandbox);	422	extract_nogroups(sandbox);
442	extract_user_namespace(sandbox);	423	extract_user_namespace(sandbox);
443	extract_umask(sandbox);	424	extract_umask(sandbox);
444	}	425	}
445		426
446	// set cgroup
447	if (cfg.cgroup) // not available for uid 0
448	set_cgroup(cfg.cgroup, getpid());
449
450	// join namespaces	427	// join namespaces
451	EUID_ROOT();	428	EUID_ROOT();
452	if (arg_join_network) {	429	if (arg_join_network) {


diff --git a/src/firejail/main.c b/src/firejail/main.c index 7081e067f..8bfff4e68 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1012,7 +1012,6 @@ int main(int argc, char argv, char envp) {
1012	int lockfd_network = -1;	1012	int lockfd_network = -1;
1013	int lockfd_directory = -1;	1013	int lockfd_directory = -1;
1014	int lockfd_sandboxfile = -1;	1014	int lockfd_sandboxfile = -1;
1015	int option_cgroup = 0;
1016	int custom_profile = 0; // custom profile loaded	1015	int custom_profile = 0; // custom profile loaded
1017	int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)	1016	int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
1018	int arg_netlock = 0;	1017	int arg_netlock = 0;
@@ -1566,23 +1565,6 @@ int main(int argc, char argv, char envp) {
1566	cfg.nice = 0;	1565	cfg.nice = 0;
1567	arg_nice = 1;	1566	arg_nice = 1;
1568	}	1567	}
1569	else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
1570	if (checkcfg(CFG_CGROUP)) {
1571	if (option_cgroup) {
1572	fprintf(stderr, "Error: only one cgroup can be defined\n");
1573	exit(1);
1574	}
1575	cfg.cgroup = strdup(argv[i] + 9);
1576	if (!cfg.cgroup)
1577	errExit("strdup");
1578
1579	check_cgroup_file(cfg.cgroup);
1580	set_cgroup(cfg.cgroup, getpid());
1581	option_cgroup = 1;
1582	}
1583	else
1584	exit_err_feature("cgroup");
1585	}
1586		1568
1587	//*************************************	1569	//*************************************
1588	// filesystem	1570	// filesystem


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5bc77263a..daa0a2e92 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -1144,21 +1144,6 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1144	return 0;	1144	return 0;
1145	}	1145	}
1146		1146
1147	// cgroup
1148	if (strncmp(ptr, "cgroup ", 7) == 0) {
1149	if (checkcfg(CFG_CGROUP)) {
1150	cfg.cgroup = strdup(ptr + 7);
1151	if (!cfg.cgroup)
1152	errExit("strdup");
1153
1154	check_cgroup_file(cfg.cgroup);
1155	set_cgroup(cfg.cgroup, getpid());
1156	}
1157	else
1158	warning_feature_disabled("cgroup");
1159	return 0;
1160	}
1161
1162	// writable-etc	1147	// writable-etc
1163	if (strcmp(ptr, "writable-etc") == 0) {	1148	if (strcmp(ptr, "writable-etc") == 0) {
1164	if (cfg.etc_private_keep) {	1149	if (cfg.etc_private_keep) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 635137feb..4ad9eb678 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -1150,9 +1150,6 @@ int sandbox(void* sandbox_arg) {
1150	// save cpu affinity mask to CPU_CFG file	1150	// save cpu affinity mask to CPU_CFG file
1151	save_cpu();	1151	save_cpu();
1152		1152
1153	// save cgroup in CGROUP_CFG file
1154	save_cgroup();
1155
1156	// set seccomp	1153	// set seccomp
1157	// install protocol filter	1154	// install protocol filter
1158	#ifdef SYS_socket	1155	#ifdef SYS_socket