diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-07-03 19:24:31 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2021-07-03 19:24:31 -0400 |
| commit | c08414fdbbb97b06678b862a16d354766af3e611 (patch) | |
| tree | da2c22b3ed9fe7affec72811b862430a33f3ab9f /src | |
| parent | cleanup for the next development cycle (diff) | |
| download | firejail-c08414fdbbb97b06678b862a16d354766af3e611.tar.gz firejail-c08414fdbbb97b06678b862a16d354766af3e611.tar.zst firejail-c08414fdbbb97b06678b862a16d354766af3e611.zip | |
deprecated --disable-whitelist at compile time
Diffstat (limited to 'src')
| -rw-r--r-- | src/common.mk.in | 3 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
| -rw-r--r-- | src/firejail/main.c | 3 | ||||
| -rw-r--r-- | src/firejail/profile.c | 4 | ||||
| -rw-r--r-- | src/firejail/usage.c | 4 | ||||
| -rw-r--r-- | src/zsh_completion/_firejail.in | 2 |
6 files changed, 1 insertions, 23 deletions
diff --git a/src/common.mk.in b/src/common.mk.in index f88da55ac..5ae8bf204 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
| @@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@ | |||
| 15 | HAVE_USERNS=@HAVE_USERNS@ | 15 | HAVE_USERNS=@HAVE_USERNS@ |
| 16 | HAVE_X11=@HAVE_X11@ | 16 | HAVE_X11=@HAVE_X11@ |
| 17 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | 17 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ |
| 18 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
| 19 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | 18 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ |
| 20 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 19 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
| 21 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | 20 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ |
| @@ -42,7 +41,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) | |||
| 42 | CFLAGS = @CFLAGS@ | 41 | CFLAGS = @CFLAGS@ |
| 43 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) | 42 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) |
| 44 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' | 43 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' |
| 45 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) | 44 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) |
| 46 | CFLAGS += $(MANFLAGS) | 45 | CFLAGS += $(MANFLAGS) |
| 47 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security | 46 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security |
| 48 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread | 47 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 1e9f4b641..501804cbb 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -342,14 +342,6 @@ void print_compiletime_support(void) { | |||
| 342 | #endif | 342 | #endif |
| 343 | ); | 343 | ); |
| 344 | 344 | ||
| 345 | printf("\t- file and directory whitelisting support is %s\n", | ||
| 346 | #ifdef HAVE_WHITELIST | ||
| 347 | "enabled" | ||
| 348 | #else | ||
| 349 | "disabled" | ||
| 350 | #endif | ||
| 351 | ); | ||
| 352 | |||
| 353 | printf("\t- file transfer support is %s\n", | 345 | printf("\t- file transfer support is %s\n", |
| 354 | #ifdef HAVE_FILE_TRANSFER | 346 | #ifdef HAVE_FILE_TRANSFER |
| 355 | "enabled" | 347 | "enabled" |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7a0d52837..cf3f8a82d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1581,8 +1581,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1581 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1581 | profile_check_line(line, 0, NULL); // will exit if something wrong |
| 1582 | profile_add(line); | 1582 | profile_add(line); |
| 1583 | } | 1583 | } |
| 1584 | |||
| 1585 | #ifdef HAVE_WHITELIST | ||
| 1586 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1584 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
| 1587 | if (checkcfg(CFG_WHITELIST)) { | 1585 | if (checkcfg(CFG_WHITELIST)) { |
| 1588 | char *line; | 1586 | char *line; |
| @@ -1603,7 +1601,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1603 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1601 | profile_check_line(line, 0, NULL); // will exit if something wrong |
| 1604 | profile_add(line); | 1602 | profile_add(line); |
| 1605 | } | 1603 | } |
| 1606 | #endif | ||
| 1607 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { | 1604 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { |
| 1608 | char *line; | 1605 | char *line; |
| 1609 | if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) | 1606 | if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index e52bdc6e3..350122844 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1589,7 +1589,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1589 | else if (strncmp(ptr, "noblacklist ", 12) == 0) | 1589 | else if (strncmp(ptr, "noblacklist ", 12) == 0) |
| 1590 | ptr += 12; | 1590 | ptr += 12; |
| 1591 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | 1591 | else if (strncmp(ptr, "whitelist ", 10) == 0) { |
| 1592 | #ifdef HAVE_WHITELIST | ||
| 1593 | if (checkcfg(CFG_WHITELIST)) { | 1592 | if (checkcfg(CFG_WHITELIST)) { |
| 1594 | arg_whitelist = 1; | 1593 | arg_whitelist = 1; |
| 1595 | ptr += 10; | 1594 | ptr += 10; |
| @@ -1602,9 +1601,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1602 | } | 1601 | } |
| 1603 | return 0; | 1602 | return 0; |
| 1604 | } | 1603 | } |
| 1605 | #else | ||
| 1606 | return 0; | ||
| 1607 | #endif | ||
| 1608 | } | 1604 | } |
| 1609 | else if (strncmp(ptr, "nowhitelist ", 12) == 0) | 1605 | else if (strncmp(ptr, "nowhitelist ", 12) == 0) |
| 1610 | ptr += 12; | 1606 | ptr += 12; |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 888a6ffed..2093a4ed3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -80,9 +80,7 @@ static char *usage_str = | |||
| 80 | " --debug-protocols - print all recognized protocols.\n" | 80 | " --debug-protocols - print all recognized protocols.\n" |
| 81 | " --debug-syscalls - print all recognized system calls.\n" | 81 | " --debug-syscalls - print all recognized system calls.\n" |
| 82 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 82 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
| 83 | #ifdef HAVE_WHITELIST | ||
| 84 | " --debug-whitelists - debug whitelisting.\n" | 83 | " --debug-whitelists - debug whitelisting.\n" |
| 85 | #endif | ||
| 86 | #ifdef HAVE_NETWORK | 84 | #ifdef HAVE_NETWORK |
| 87 | " --defaultgw=address - configure default gateway.\n" | 85 | " --defaultgw=address - configure default gateway.\n" |
| 88 | #endif | 86 | #endif |
| @@ -252,9 +250,7 @@ static char *usage_str = | |||
| 252 | #ifdef HAVE_NETWORK | 250 | #ifdef HAVE_NETWORK |
| 253 | " --veth-name=name - use this name for the interface connected to the bridge.\n" | 251 | " --veth-name=name - use this name for the interface connected to the bridge.\n" |
| 254 | #endif | 252 | #endif |
| 255 | #ifdef HAVE_WHITELIST | ||
| 256 | " --whitelist=filename - whitelist directory or file.\n" | 253 | " --whitelist=filename - whitelist directory or file.\n" |
| 257 | #endif | ||
| 258 | " --writable-etc - /etc directory is mounted read-write.\n" | 254 | " --writable-etc - /etc directory is mounted read-write.\n" |
| 259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" | 255 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" |
| 260 | "\t/run/user/$UID/gnupg.\n" | 256 | "\t/run/user/$UID/gnupg.\n" |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index f1a19b86d..cede9c101 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
| @@ -251,10 +251,8 @@ _firejail_args=( | |||
| 251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
| 252 | #endif | 252 | #endif |
| 253 | 253 | ||
| 254 | #ifdef HAVE_WHITELIST | ||
| 255 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | 254 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' |
| 256 | '*--whitelist=-[whitelist directory or file]: :_files' | 255 | '*--whitelist=-[whitelist directory or file]: :_files' |
| 257 | #endif | ||
| 258 | 256 | ||
| 259 | #ifdef HAVE_X11 | 257 | #ifdef HAVE_X11 |
| 260 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | 258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' |