cleanup

author: netblue30 <netblue30@yahoo.com> 2018-04-20 09:28:42 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-04-20 09:28:42 -0400
commit: 3fe1b06a36cefc497e957b603d1a5231ba7fbc02 (patch)
tree: 7fcb14ff2fc3752ea1438177a6324134e5823caf /src
parent: mkuid: fall back to default values if no UID_MIN / GID_MIN found (diff)
download: firejail-3fe1b06a36cefc497e957b603d1a5231ba7fbc02.tar.gz
firejail-3fe1b06a36cefc497e957b603d1a5231ba7fbc02.tar.zst
firejail-3fe1b06a36cefc497e957b603d1a5231ba7fbc02.zip
12 files changed, 12 insertions, 90 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 48d985d73..d0f43041c 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
 include ../common.mk
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7b0ae30b6..f8094e893 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -166,10 +166,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        // follow symlink in private-bin command
-                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-                                fwarning("follow-symlink-private-bin from firejail.config was deprecated\n");
-                        }
                        // nonewprivs
                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
                                if (strcmp(ptr + 17, "yes") == 0)
@@ -311,9 +307,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
-                                fwarning("remount-proc-sys from firejail.config was deprecated\n");
-                        }
                        else if (strncmp(ptr, "overlayfs ", 10) == 0) {
                                if (strcmp(ptr + 10, "yes") == 0)
                                        cfg_val[CFG_OVERLAYFS] = 1;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 718c0b328..2746deea1 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
 extern int arg_debug;           // print debug messages
-extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
 extern int arg_debug_private_lib;       // print debug messages for private-lib
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
 void caps_drop_dac_override(void);
-// syscall.c
-const char *syscall_find_nr(int nr);
 // fs_trace.c
 void fs_trace_preload(void);
 void fs_trace(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e676bbd7c..2d8af7f41 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -47,7 +47,6 @@ Config cfg;					// configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0;                              // print debug messages
-int arg_debug_check_filename = 0;               // print debug messages for filename checking
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
 int arg_debug_private_lib = 0;                  // print debug messages for private-lib
@@ -1051,8 +1050,6 @@ int main(int argc, char **argv) {
                if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
                        arg_debug = 1;
-                else if (strcmp(argv[i], "--debug-check-filename") == 0)
-                        arg_debug_check_filename = 1;
                else if (strcmp(argv[i], "--debug-blacklists") == 0)
                        arg_debug_blacklists = 1;
                else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1439,9 +1436,6 @@ int main(int argc, char **argv) {
                        custom_profile = 1;
                        free(ppath);
                }
-                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-                        fwarning("--profile-path has been deprecated\n");
-                }
                else if (strcmp(argv[i], "--noprofile") == 0) {
                        if (custom_profile) {
                                fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1541,9 +1535,6 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--machine-id") == 0) {
                        arg_machineid = 1;
                }
-                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-                        fwarning("--allow-private-blacklist was deprecated\n");
-                }
                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
                }
@@ -2117,29 +2108,6 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--appimage") == 0)
                        arg_appimage = 1;
-                else if (strcmp(argv[i], "--csh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/csh";
-                }
-                else if (strcmp(argv[i], "--zsh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/zsh";
-                }
                else if (strcmp(argv[i], "--shell=none") == 0) {
                        arg_shell_none = 1;
                        if (cfg.shell) {
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index ba955bcca..5bd3f7e09 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
        for (i = 0; i < argc; i++) {
                if (strcmp(argv[i], "--debug") == 0)
                        arg_debug = 1;
-                else if (strcmp(argv[i], "--csh") == 0 ||
+                else if (strcmp(argv[i], "--shell=none") == 0 ||
-                    strcmp(argv[i], "--zsh") == 0 ||
-                    strcmp(argv[i], "--shell=none") == 0 ||
                    strncmp(argv[i], "--shell=", 8) == 0)
                        fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
        }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3ef9a1856..156ffa24a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_nodbus = 1;
                return 0;
        }
-        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-                fmessage("--allow-private-blacklist was deprecated\n");
-                return 0;
-        }
        else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK))
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index a9dcc78e5..742fc0465 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -29,8 +29,6 @@ static char *usage_str =
        "Options:\n"
        "    -- - signal the end of options and disables further option processing.\n"
        "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
-        "    --allow-private-blacklist - allow blacklisting files in private\n"
-        "\thome directories.\n"
        "    --allusers - all user home directories are visible inside the sandbox.\n"
        "    --apparmor - enable AppArmor confinement.\n"
        "    --apparmor.print=name|pid - print apparmor status.\n"
@@ -58,11 +56,9 @@ static char *usage_str =
 #endif
        "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
        "    --cpu.print=name|pid - print the cpus in use.\n"
-        "    --csh - use /bin/csh as default shell.\n"
        "    --debug - print sandbox debug messages.\n"
        "    --debug-blacklists - debug blacklisting.\n"
        "    --debug-caps - print all recognized capabilities.\n"
-        "    --debug-check-filename - debug filename checking.\n"
        "    --debug-errnos - print all recognized error numbers.\n"
        "    --debug-private-lib - debug for --private-lib option.\n"
        "    --debug-protocols - print all recognized protocols.\n"
@@ -163,6 +159,7 @@ static char *usage_str =
        "\tfilesystem, and copy the files and directories in the list.\n"
        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
        "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
        "    --profile=filename - use a custom profile.\n"
        "    --profile.print=name|pid - print the name of profile file.\n"
        "    --profile-path=directory - use this directory to look for profile files.\n"
@@ -236,7 +233,6 @@ static char *usage_str =
        "    --x11=xvfb - enable Xvfb X11 server.\n"
        "    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-        "    --zsh - use /usr/bin/zsh as default shell.\n"
        "\n"
        "Examples:\n"
        "    $ firejail firefox\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3437d495f..a44e52e98 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
        assert(fname);
        const char *ptr = fname;
-        if (arg_debug_check_filename)
-                printf("Checking filename %s\n", fname);
        if (strncmp(ptr, "${HOME}", 7) == 0)
                ptr = fname + 7;
        else if (strncmp(ptr, "${PATH}", 7) == 0)
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 37bd4e874..a4d642d66 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -43,6 +43,7 @@ static char *help_str =
        "\t--tree - print a tree of all sandboxed processes.\n\n"
        "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
        "\t--version - print program version and exit.\n\n"
+        "\t--x11 - print X11 display number.\n\n"
        "Without any options, firemon monitors all fork, exec, id change, and exit\n"
        "events in the sandbox. Monitoring a specific PID is also supported.\n\n"
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index 5d92aa133..7d9784392 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -45,6 +45,12 @@ int firejail_user_check(const char *name) {
        if (strcmp(name, "root") == 0)
                return 1;
+        // user nobody disabled by default
+        if (strcmp(name, "nobody") == 0) {
+                fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
+                exit(1);
+        }
        // check file existence
        char *fname = get_fname();
        if (access(fname, F_OK)) {
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index fcc0f914b..ec91e495c 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,7 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default.
+root user is allowed by default, user nobody is denied access by default.
 Example:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6e8e4eb2c..2e410061d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -314,15 +314,6 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 .TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
-.br
-.br
-Example:
-.br
-$ firejail \-\-csh
-.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 .TP
 \fB\-\-debug-errnos
@@ -1949,8 +1931,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
+By default Bash shell (/bin/bash) is used.
-shell.
 .br
 .br
@@ -2324,16 +2305,6 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
-.TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
-.br
-.br
-Example:
-.br
-$ firejail \-\-zsh
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
author	netblue30 <netblue30@yahoo.com>	2018-04-20 09:28:42 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-04-20 09:28:42 -0400
commit	3fe1b06a36cefc497e957b603d1a5231ba7fbc02 (patch)
tree	7fcb14ff2fc3752ea1438177a6324134e5823caf /src
parent	mkuid: fall back to default values if no UID_MIN / GID_MIN found (diff)
download	firejail-3fe1b06a36cefc497e957b603d1a5231ba7fbc02.tar.gz firejail-3fe1b06a36cefc497e957b603d1a5231ba7fbc02.tar.zst firejail-3fe1b06a36cefc497e957b603d1a5231ba7fbc02.zip