author netblue30 <netblue30@protonmail.com> 2021-07-03 19:24:31 -0400
committer netblue30 <netblue30@protonmail.com> 2021-07-03 19:24:31 -0400
commitc08414fdbbb97b06678b862a16d354766af3e611 (patch)
treeda2c22b3ed9fe7affec72811b862430a33f3ab9f
parentcleanup for the next development cycle (diff)
deprecated --disable-whitelist at compile time
-rw-r--r--RELNOTES5
-rwxr-xr-xconfigure17
-rw-r--r--configure.ac9
-rw-r--r--src/common.mk.in3
-rw-r--r--src/firejail/checkcfg.c8
-rw-r--r--src/firejail/main.c3
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/usage.c4
-rw-r--r--src/zsh_completion/_firejail.in2
9 files changed, 6 insertions, 49 deletions
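diff --git a/RELNOTES b/RELNOTES
index e75fca44b..2a2d9fbac 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,3 +1,8 @@
+firejail (0.9.67) baseline; urgency=low
+ * work in progress
+ * deprecated --disable-whitelist at compile time
+ -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500
+
 firejail (0.9.66) baseline; urgency=low
  * deprecated --audit options, relpaced by jailcheck utility
  * deprecated follow-symlink-as-user from firejail.config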
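diff --git a/configure b/configure
index e8622d3bf..9e883191a 100755
--- a/configure
+++ b/configure
@@ -634,7 +634,6 @@ HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
 HAVE_SUID
-HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
@@ -726,7 +725,6 @@ enable_network
 enable_userns
 enable_x11
 enable_file_transfer
-enable_whitelist
 enable_suid
 enable_fatal_warnings
 enable_busybox_workaround
@@ -1385,7 +1383,6 @@ Optional Features:
  --disable-userns disable user namespace
  --disable-x11 disable X11 sandboxing support
  --disable-file-transfer disable file transfer
- --disable-whitelist disable whitelist
  --disable-suid install as a non-SUID executable
  --enable-fatal-warnings -W -Wall -Werror
  --enable-busybox-workaround
@@ -3747,19 +3744,6 @@ if test "x$enable_file_transfer" != "xno"; then :
 
 fi
 
-HAVE_WHITELIST=""
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
- enableval=$enable_whitelist;
-fi
-
-if test "x$enable_whitelist" != "xno"; then :
-
- HAVE_WHITELIST="-DHAVE_WHITELIST"
-
-
-fi
-
 HAVE_SUID=""
 # Check whether --enable-suid was given.
 if test "${enable_suid+set}" = set; then :
@@ -5572,7 +5556,6 @@ Configuration options:
  network: $HAVE_NETWORK
  user namespace: $HAVE_USERNS
  X11 sandboxing support: $HAVE_X11
- whitelisting: $HAVE_WHITELIST
  private home support: $HAVE_PRIVATE_HOME
  file transfer support: $HAVE_FILE_TRANSFER
  overlayfs support: $HAVE_OVERLAYFS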
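diff --git a/configure.ac b/configure.ac
index be534e49f..1f8e802b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -177,14 +177,6 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
  AC_SUBST(HAVE_FILE_TRANSFER)
 ])
 
-HAVE_WHITELIST=""
-AC_ARG_ENABLE([whitelist],
- AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
-AS_IF([test "x$enable_whitelist" != "xno"], [
- HAVE_WHITELIST="-DHAVE_WHITELIST"
- AC_SUBST(HAVE_WHITELIST)
-])
-
 HAVE_SUID=""
 AC_ARG_ENABLE([suid],
  AS_HELP_STRING([--disable-suid], [install as a non-SUID executable]))
@@ -323,7 +315,6 @@ Configuration options:
  network: $HAVE_NETWORK
  user namespace: $HAVE_USERNS
  X11 sandboxing support: $HAVE_X11
- whitelisting: $HAVE_WHITELIST
  private home support: $HAVE_PRIVATE_HOME
  file transfer support: $HAVE_FILE_TRANSFER
  overlayfs support: $HAVE_OVERLAYFS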
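Review bot: With the `AC_ARG_ENABLE([whitelist], ...)` stanza deleted outright, a packaging script that still passes `--disable-whitelist` gets, as far as I recall autoconf's default behaviour, only a trailing "unrecognized options" warning and a build with whitelisting compiled in, while the RELNOTES entry describes this as a deprecation rather than a removal. For one release cycle it would be louder and easier to diagnose to keep a stub that refuses the flag, e.g. `AC_ARG_ENABLE([whitelist], [], [AC_MSG_ERROR([--disable-whitelist has been removed; whitelisting is always built in])])`, and drop it in the following release. Since the option only ever reduced sandbox coverage, silently ignoring it errs in the safe direction, so this is a clarity and build-hygiene point rather than a security regression.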
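diff --git a/src/common.mk.in b/src/common.mk.in
index f88da55ac..5ae8bf204 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
@@ -42,7 +41,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread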
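Review bot: Removing `$(HAVE_WHITELIST)` from MANFLAGS (and MANFLAGS is folded into CFLAGS two lines below) means the `HAVE_WHITELIST` macro is no longer defined for anything built or preprocessed with these flags, yet the diffstat shows no changes outside the nine files listed, so any `#ifdef HAVE_WHITELIST` guard left elsewhere in the tree — the man page sources are a likely place, given that usage.c and _firejail.in carried one — would now silently take the disabled branch. In C that failure mode compiles whitelisting code out instead of failing the build, which is exactly the quiet degradation a sandbox should not allow. Before merging, `grep -rn HAVE_WHITELIST src/` should come back empty; any hit needs the same unguarding this commit applies to main.c, profile.c and usage.c.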
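diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 1e9f4b641..501804cbb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -342,14 +342,6 @@ void print_compiletime_support(void) {
 #endif
  );
 
- printf("\t- file and directory whitelisting support is %s\n",
-#ifdef HAVE_WHITELIST
- "enabled"
-#else
- "disabled"
-#endif
- );
-
  printf("\t- file transfer support is %s\n",
 #ifdef HAVE_FILE_TRANSFER
  "enabled"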
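diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7a0d52837..cf3f8a82d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1581,8 +1581,6 @@ int main(int argc, char **argv, char **envp) {
  profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
-
-#ifdef HAVE_WHITELIST
  else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
  if (checkcfg(CFG_WHITELIST)) {
  char *line;
@@ -1603,7 +1601,6 @@ int main(int argc, char **argv, char **envp) {
  profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
-#endif
  else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
  char *line;
  if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)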
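diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e52bdc6e3..350122844 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1589,7 +1589,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  else if (strncmp(ptr, "noblacklist ", 12) == 0)
  ptr += 12;
  else if (strncmp(ptr, "whitelist ", 10) == 0) {
-#ifdef HAVE_WHITELIST
  if (checkcfg(CFG_WHITELIST)) {
  arg_whitelist = 1;
  ptr += 10;
@@ -1602,9 +1601,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  }
  return 0;
  }
-#else
- return 0;
-#endif
  }
  else if (strncmp(ptr, "nowhitelist ", 12) == 0)
  ptr += 12;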
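diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 888a6ffed..2093a4ed3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -80,9 +80,7 @@ static char *usage_str =
  " --debug-protocols - print all recognized protocols.\n"
  " --debug-syscalls - print all recognized system calls.\n"
  " --debug-syscalls32 - print all recognized 32 bit system calls.\n"
-#ifdef HAVE_WHITELIST
  " --debug-whitelists - debug whitelisting.\n"
-#endif
 #ifdef HAVE_NETWORK
  " --defaultgw=address - configure default gateway.\n"
 #endif
@@ -252,9 +250,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
  " --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
-#ifdef HAVE_WHITELIST
  " --whitelist=filename - whitelist directory or file.\n"
-#endif
  " --writable-etc - /etc directory is mounted read-write.\n"
  " --writable-run-user - allow access to /run/user/$UID/systemd and\n"
  "\t/run/user/$UID/gnupg.\n"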
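diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index f1a19b86d..cede9c101 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -251,10 +251,8 @@ _firejail_args=(
  '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-#ifdef HAVE_WHITELIST
  '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
  '*--whitelist=-[whitelist directory or file]: :_files'
-#endif
 
 #ifdef HAVE_X11
  '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'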