allow blacklists noexec etc. in private home directories; fix bug #1608

5 files changed, 4 insertions, 20 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e10a5d346..d853daa44 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -298,7 +298,6 @@ void clear_run_files(pid_t pid);
 
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
-extern int arg_allow_private_blacklist;  // blacklist things in private directories
 extern int arg_debug;           // print debug messages
 extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0a6f40959..ed2c9a566 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -220,14 +220,6 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
                         }
                 }
 
-                // We don't usually need to blacklist things in private home directories
-                if (okay_to_blacklist
-                 && cfg.homedir
-                 && arg_private
-                 && (!arg_allow_private_blacklist)
-                 && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
-                        okay_to_blacklist = false;
-
                 if (okay_to_blacklist)
                         disable_file(op, path);
                 else if (arg_debug)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 584d0c293..126f98d9b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1600,7 +1600,8 @@ int main(int argc, char **argv) {
                         arg_machineid = 1;
                 }
                 else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-                        arg_allow_private_blacklist = 1;
+                        if (!arg_quiet)
+                                fprintf(stderr, "--allow-private-blacklist was deprecated\n");
                 }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a1c94579c..622306c22 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -242,7 +242,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-                arg_allow_private_blacklist = 1;
+                if (!arg_quiet)
+                        fprintf(stderr, "--allow-private-blacklist was deprecated\n");
                 return 0;
         }
         else if (strcmp(ptr, "netfilter") == 0) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7ba09ba8a..00481d4d3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -87,15 +87,6 @@ Example:
 .br
 $ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
-\fB\-\-allow-private-blacklist
-Allow blacklisting files in private home directory. By default these blacklists are disabled.
-.br
-
-.br
-Example:
-.br
-$ firejail  --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
-.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br