modif: --profile-path was deprecated

author: netblue30 <netblue30@yahoo.com> 2017-10-27 09:37:09 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-10-27 09:37:09 -0400
commit: e8cf957a8bf3deda07e608e0c482b38cd573627a (patch)
tree: c935731763eb38af17354e91e123a3f02afc3b21
parent: modif: remount-proc-sys deprecated from firejail.config (diff)
download: firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.tar.gz
firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.tar.zst
firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.zip
4 files changed, 7 insertions, 75 deletions
diff --git a/RELNOTES b/RELNOTES
index 2c8b43433..b69e1dd33 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.51) baseline; urgency=low
    read-only, read-write, tmpfs and noexec are allowed in
    private home directories
  * modif: remount-proc-sys deprecated from firejail.config
+  * modif: --profile-path deprecated
  * enhancement: support Firejail user config directory in firecfg
  * enhancement: disable DBus activation in firecfg
  * enhancement; enumerate root directories in apparmor profile
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 069aa6ca8..7730e8384 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -888,8 +888,6 @@ int main(int argc, char **argv) {
        int option_cgroup = 0;
        int option_force = 0;
        int custom_profile = 0; // custom profile loaded
-        char *custom_profile_dir = NULL; // custom profile directory
        atexit(clear_atexit);
@@ -1497,22 +1495,8 @@ int main(int argc, char **argv) {
                        free(ppath);
                }
                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-                        if (arg_noprofile) {
+                        if (!arg_quiet)
-                                fprintf(stderr, "Error: --noprofile and --profile-path options are mutually exclusive\n");
+                                fprintf(stderr, "Warning: --profile-path has been deprecated\n");
-                                exit(1);
-                        }
-                        custom_profile_dir = expand_home(argv[i] + 15, cfg.homedir);
-                        invalid_filename(custom_profile_dir, 0); // no globbing
-                        if (!is_dir(custom_profile_dir) || is_link(custom_profile_dir) || strstr(custom_profile_dir, "..")) {
-                                fprintf(stderr, "Error: invalid profile path\n");
-                                exit(1);
-                        }
-                        // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(custom_profile_dir, R_OK)) {
-                                fprintf(stderr, "Error: cannot access profile directory\n");
-                                return 1;
-                        }
                }
                else if (strcmp(argv[i], "--noprofile") == 0) {
                        if (custom_profile) {
@@ -2398,11 +2382,7 @@ int main(int argc, char **argv) {
                }
                if (!custom_profile) {
                        // look for a user profile in /etc/firejail directory
-                        int rv;
+                        int rv = profile_find(cfg.command_name, SYSCONFDIR);
-                        if (custom_profile_dir)
-                                rv = profile_find(cfg.command_name, custom_profile_dir);
-                        else
-                                rv = profile_find(cfg.command_name, SYSCONFDIR);
                        custom_profile = rv;
                }
        }
@@ -2430,13 +2410,10 @@ int main(int argc, char **argv) {
                        custom_profile = profile_find(profile_name, usercfgdir);
                        free(usercfgdir);
-                        if (!custom_profile) {
+                        if (!custom_profile)
                                // look for the profile in /etc/firejail directory
-                                if (custom_profile_dir)
+                                custom_profile = profile_find(profile_name, SYSCONFDIR);
-                                        custom_profile = profile_find(profile_name, custom_profile_dir);
-                                else
-                                        custom_profile = profile_find(profile_name, SYSCONFDIR);
-                        }
                        if (!custom_profile) {
                                fprintf(stderr, "Error: no default.profile installed\n");
                                exit(1);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 39680ab0a..77bdffb62 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -594,37 +594,6 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
-.SH RELOCATING PROFILES
-For various reasons some users might want to keep the profile files in a different directory.
-Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
-into this directory.
-This is an example of relocating the profile files into a new
-directory, /home/netblue/myprofiles. Start by creating the new directory and copy all
-the profile files in:
-.br
-.br
-$ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* .
-.br
-.br
-Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands:
-.br
-.br
-$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile
-.br
-$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc
-.br
-.br
-Start Firejail using the new path:
-.br
-.br
-$ firejail --profile-path=~/myprofiles
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d725bb883..476050d9c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1451,21 +1451,6 @@ $ firejail \-\-profile.print=browser
 .br
 /etc/firejail/firefox.profile
 .br
-.TP
-\fB\-\-profile-path=directory
-Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/.
-For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in
-\fBman 5 firejail-profile\fR.
-.br
-.br
-Example:
-.br
-$ firejail \-\-profile-path=~/myprofiles
-.br
-$ firejail \-\-profile-path=/home/netblue/myprofiles
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
author	netblue30 <netblue30@yahoo.com>	2017-10-27 09:37:09 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-10-27 09:37:09 -0400
commit	e8cf957a8bf3deda07e608e0c482b38cd573627a (patch)
tree	c935731763eb38af17354e91e123a3f02afc3b21
parent	modif: remount-proc-sys deprecated from firejail.config (diff)
download	firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.tar.gz firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.tar.zst firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.zip

diff --git a/RELNOTES b/RELNOTES index 2c8b43433..b69e1dd33 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.51) baseline; urgency=low
4	read-only, read-write, tmpfs and noexec are allowed in	4	read-only, read-write, tmpfs and noexec are allowed in
5	private home directories	5	private home directories
6	* modif: remount-proc-sys deprecated from firejail.config	6	* modif: remount-proc-sys deprecated from firejail.config
		7	* modif: --profile-path deprecated
7	* enhancement: support Firejail user config directory in firecfg	8	* enhancement: support Firejail user config directory in firecfg
8	* enhancement: disable DBus activation in firecfg	9	* enhancement: disable DBus activation in firecfg
9	* enhancement; enumerate root directories in apparmor profile	10	* enhancement; enumerate root directories in apparmor profile


diff --git a/src/firejail/main.c b/src/firejail/main.c index 069aa6ca8..7730e8384 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -888,8 +888,6 @@ int main(int argc, char **argv) {
888	int option_cgroup = 0;	888	int option_cgroup = 0;
889	int option_force = 0;	889	int option_force = 0;
890	int custom_profile = 0; // custom profile loaded	890	int custom_profile = 0; // custom profile loaded
891	char *custom_profile_dir = NULL; // custom profile directory
892
893		891
894	atexit(clear_atexit);	892	atexit(clear_atexit);
895		893
@@ -1497,22 +1495,8 @@ int main(int argc, char **argv) {
1497	free(ppath);	1495	free(ppath);
1498	}	1496	}
1499	else if (strncmp(argv[i], "--profile-path=", 15) == 0) {	1497	else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
1500	if (arg_noprofile) {	1498	if (!arg_quiet)
1501	fprintf(stderr, "Error: --noprofile and --profile-path options are mutually exclusive\n");	1499	fprintf(stderr, "Warning: --profile-path has been deprecated\n");
1502	exit(1);
1503	}
1504	custom_profile_dir = expand_home(argv[i] + 15, cfg.homedir);
1505	invalid_filename(custom_profile_dir, 0); // no globbing
1506	if (!is_dir(custom_profile_dir) \|\| is_link(custom_profile_dir) \|\| strstr(custom_profile_dir, "..")) {
1507	fprintf(stderr, "Error: invalid profile path\n");
1508	exit(1);
1509	}
1510
1511	// access call checks as real UID/GID, not as effective UID/GID
1512	if (access(custom_profile_dir, R_OK)) {
1513	fprintf(stderr, "Error: cannot access profile directory\n");
1514	return 1;
1515	}
1516	}	1500	}
1517	else if (strcmp(argv[i], "--noprofile") == 0) {	1501	else if (strcmp(argv[i], "--noprofile") == 0) {
1518	if (custom_profile) {	1502	if (custom_profile) {
@@ -2398,11 +2382,7 @@ int main(int argc, char **argv) {
2398	}	2382	}
2399	if (!custom_profile) {	2383	if (!custom_profile) {
2400	// look for a user profile in /etc/firejail directory	2384	// look for a user profile in /etc/firejail directory
2401	int rv;	2385	int rv = profile_find(cfg.command_name, SYSCONFDIR);
2402	if (custom_profile_dir)
2403	rv = profile_find(cfg.command_name, custom_profile_dir);
2404	else
2405	rv = profile_find(cfg.command_name, SYSCONFDIR);
2406	custom_profile = rv;	2386	custom_profile = rv;
2407	}	2387	}
2408	}	2388	}
@@ -2430,13 +2410,10 @@ int main(int argc, char **argv) {
2430	custom_profile = profile_find(profile_name, usercfgdir);	2410	custom_profile = profile_find(profile_name, usercfgdir);
2431	free(usercfgdir);	2411	free(usercfgdir);
2432		2412
2433	if (!custom_profile) {	2413	if (!custom_profile)
2434	// look for the profile in /etc/firejail directory	2414	// look for the profile in /etc/firejail directory
2435	if (custom_profile_dir)	2415	custom_profile = profile_find(profile_name, SYSCONFDIR);
2436	custom_profile = profile_find(profile_name, custom_profile_dir);	2416
2437	else
2438	custom_profile = profile_find(profile_name, SYSCONFDIR);
2439	}
2440	if (!custom_profile) {	2417	if (!custom_profile) {
2441	fprintf(stderr, "Error: no default.profile installed\n");	2418	fprintf(stderr, "Error: no default.profile installed\n");
2442	exit(1);	2419	exit(1);


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 39680ab0a..77bdffb62 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -594,37 +594,6 @@ instead of the default one.
594	Join the sandbox identified by name or start a new one.	594	Join the sandbox identified by name or start a new one.
595	Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".	595	Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
596		596
597	.SH RELOCATING PROFILES
598	For various reasons some users might want to keep the profile files in a different directory.
599	Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
600	into this directory.
601
602	This is an example of relocating the profile files into a new
603	directory, /home/netblue/myprofiles. Start by creating the new directory and copy all
604	the profile files in:
605	.br
606
607	.br
608	$ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* .
609	.br
610
611	.br
612	Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands:
613	.br
614
615	.br
616	$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile
617	.br
618	$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc
619	.br
620
621	.br
622	Start Firejail using the new path:
623	.br
624
625	.br
626	$ firejail --profile-path=~/myprofiles
627
628	.SH FILES	597	.SH FILES
629	/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile	598	/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
630		599


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d725bb883..476050d9c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1451,21 +1451,6 @@ $ firejail \-\-profile.print=browser
1451	.br	1451	.br
1452	/etc/firejail/firefox.profile	1452	/etc/firejail/firefox.profile
1453	.br	1453	.br
1454
1455	.TP
1456	\fB\-\-profile-path=directory
1457	Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/.
1458	For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in
1459	\fBman 5 firejail-profile\fR.
1460	.br
1461
1462	.br
1463	Example:
1464	.br
1465	$ firejail \-\-profile-path=~/myprofiles
1466	.br
1467	$ firejail \-\-profile-path=/home/netblue/myprofiles
1468
1469	.TP	1454	.TP
1470	\fB\-\-protocol=protocol,protocol,protocol	1455	\fB\-\-protocol=protocol,protocol,protocol
1471	Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.	1456	Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.