deprecating --force

4 files changed, 11 insertions, 38 deletions

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 25b52f5ce..29cca0761 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -707,8 +707,6 @@ void fs_basic_fs(void) {
         restrict_users();
 
         // when starting as root, firejail config is not disabled;
-        // this mode could be used to install and test new software by chaining
-        // firejail sandboxes (firejail --force)
         if (uid)
                 disable_config();
 }
@@ -1020,8 +1018,6 @@ void fs_overlayfs(void) {
         restrict_users();
 
         // when starting as root, firejail config is not disabled;
-        // this mode could be used to install and test new software by chaining
-        // firejail sandboxes (firejail --force)
         if (getuid() != 0)
                 disable_config();
 
@@ -1265,8 +1261,6 @@ void fs_chroot(const char *rootdir) {
                 restrict_users();
 
                 // when starting as root, firejail config is not disabled;
-                // this mode could be used to install and test new software by chaining
-                // firejail sandboxes (firejail --force)
                 if (getuid() != 0)
                         disable_config();
         }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 52f6af667..787fa28e1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -829,7 +829,6 @@ int main(int argc, char **argv) {
         int lockfd_network = -1;
         int lockfd_directory = -1;
         int option_cgroup = 0;
-        int option_force = 0;
         int custom_profile = 0; // custom profile loaded
 
         atexit(clear_atexit);
@@ -900,27 +899,21 @@ int main(int argc, char **argv) {
         // check if we already have a sandbox running
         // If LXC is detected, start firejail sandbox
         // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
-        //      - if --force flag is set, start firejail sandbox
-        //      -- if --force flag is not set, start the application in a /bin/bash shell
+        //      - start the application in a /bin/bash shell
         if (check_namespace_virt() == 0) {
                 EUID_ROOT();
                 int rv = check_kernel_procs();
                 EUID_USER();
                 if (rv == 0) {
-                        // if --force option is passed to the program, disregard the existing sandbox
-                        if (check_arg(argc, argv, "--force", 1))
-                                option_force = 1;
-                        else {
-                                if (check_arg(argc, argv, "--version", 1)) {
-                                        printf("firejail version %s\n", VERSION);
-                                        exit(0);
-                                }
-
-                                // start the program directly without sandboxing
-                                run_no_sandbox(argc, argv);
-                                // it will never get here!
-                                assert(0);
+                        if (check_arg(argc, argv, "--version", 1)) {
+                                printf("firejail version %s\n", VERSION);
+                                exit(0);
                         }
+
+                        // start the program directly without sandboxing
+                        run_no_sandbox(argc, argv);
+                        // it will never get here!
+                        assert(0);
                 }
         }
 
@@ -1064,12 +1057,8 @@ int main(int argc, char **argv) {
         for (i = 1; i < argc; i++) {
                 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
 
-                if (strcmp(argv[i], "--debug") == 0) {
-                        if (!arg_quiet) {
-                                arg_debug = 1;
-                                if (option_force)
-                                        fmessage("Entering sandbox-in-sandbox mode\n");
-                        }
+                if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) {
+                        arg_debug = 1;
                 }
                 else if (strcmp(argv[i], "--debug-check-filename") == 0)
                         arg_debug_check_filename = 1;
@@ -1083,8 +1072,6 @@ int main(int argc, char **argv) {
                         arg_quiet = 1;
                         arg_debug = 0;
                 }
-                else if (strcmp(argv[i], "--force") == 0)
-                        ;
                 else if (strcmp(argv[i], "--allow-debuggers") == 0) {
                         // already handled
                 }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 1c878c818..542747efc 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -76,7 +76,6 @@ static char *usage_str =
         "    --dns=address - set DNS server.\n"
         "    --dns.print=name|pid - print DNS configuration.\n"
         "    --env=name=value - set environment variable.\n"
-        "    --force - attempt to start a new sandbox inside the existing sandbox.\n"
         "    --fs.print=name|pid - print the filesystem log.\n"
         "    --get=name|pid filename - get a file from sandbox container.\n"
 #ifdef HAVE_GIT_INSTALL
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f481f5c46..85550e576 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -468,13 +468,6 @@ Example:
 $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
 
 .TP
-\fB\-\-force
-By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell.
-This option disables this behavior, and attempts to start Firejail in the existing sandbox.
-There could be lots of reasons for it to fail, for example if the existing sandbox disables
-admin capabilities, SUID binaries, or if it runs seccomp.
-
-.TP
 \fB\-\-fs.print=name|print
 Print the filesystem log for the sandbox identified by name or by PID.
 .br