author | netblue30 <netblue30@protonmail.com> | 2021-07-03 19:24:31 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-07-03 19:24:31 -0400 |
commit | c08414fdbbb97b06678b862a16d354766af3e611 (patch) | |
tree | da2c22b3ed9fe7affec72811b862430a33f3ab9f /src | |
parent | cleanup for the next development cycle (diff) | |
deprecated --disable-whitelist at compile time
Diffstat (limited to 'src')
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 2 |
6 files changed, 1 insertions, 23 deletions
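--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
@@ -42,7 +41,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread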
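Review bot: Dropping `$(HAVE_WHITELIST)` from `MANFLAGS` (new line 44, which also feeds `CFLAGS` on new line 45) means the macro is never defined again, so any `#ifdef HAVE_WHITELIST` left outside the six files in this diffstat would be silently compiled out instead of following a configure choice. In a sandbox, a whitelist code path that quietly disappears could leave the filesystem view wider than the profile intends, so it is worth confirming with a tree-wide search such as `grep -rn HAVE_WHITELIST src/` that no guard remains. The configure side is not visible in this diffstat; if `--disable-whitelist` is still accepted there, it should print a deprecation warning, because after this commit whitelisting is always built in and is gated only by the run-time `checkcfg(CFG_WHITELIST)` test seen in main.c and profile.c.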
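--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -342,14 +342,6 @@ void print_compiletime_support(void) {
 #endif
 );
 
-printf("\t- file and directory whitelisting support is %s\n",
-#ifdef HAVE_WHITELIST
-"enabled"
-#else
-"disabled"
-#endif
-);
-
 printf("\t- file transfer support is %s\n",
 #ifdef HAVE_FILE_TRANSFER
 "enabled"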
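--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1581,8 +1581,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-
-#ifdef HAVE_WHITELIST
 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
 if (checkcfg(CFG_WHITELIST)) {
 char *line;
@@ -1603,7 +1601,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-#endif
 else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
 char *line;
 if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)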
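--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1589,7 +1589,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 else if (strncmp(ptr, "noblacklist ", 12) == 0)
 ptr += 12;
 else if (strncmp(ptr, "whitelist ", 10) == 0) {
-#ifdef HAVE_WHITELIST
 if (checkcfg(CFG_WHITELIST)) {
 arg_whitelist = 1;
 ptr += 10;
@@ -1602,9 +1601,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 return 0;
 }
-#else
-return 0;
-#endif
 }
 else if (strncmp(ptr, "nowhitelist ", 12) == 0)
 ptr += 12;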
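--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -80,9 +80,7 @@ static char *usage_str =
 " --debug-protocols - print all recognized protocols.\n"
 " --debug-syscalls - print all recognized system calls.\n"
 " --debug-syscalls32 - print all recognized 32 bit system calls.\n"
-#ifdef HAVE_WHITELIST
 " --debug-whitelists - debug whitelisting.\n"
-#endif
 #ifdef HAVE_NETWORK
 " --defaultgw=address - configure default gateway.\n"
 #endif
@@ -252,9 +250,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
-#ifdef HAVE_WHITELIST
 " --whitelist=filename - whitelist directory or file.\n"
-#endif
 " --writable-etc - /etc directory is mounted read-write.\n"
 " --writable-run-user - allow access to /run/user/$UID/systemd and\n"
 "\t/run/user/$UID/gnupg.\n"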
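--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -251,10 +251,8 @@ _firejail_args=(
 '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-#ifdef HAVE_WHITELIST
 '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
 '*--whitelist=-[whitelist directory or file]: :_files'
-#endif
 
 #ifdef HAVE_X11
 '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'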