-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 28 | ||||
-rw-r--r-- | src/firejail/profile.c | 14 |
6 files changed, 13 insertions, 35 deletions
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.67) baseline; urgency=low | 1 | firejail (0.9.67) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * deprecated --disable-whitelist at compile time | 3 | * deprecated --disable-whitelist at compile time |
4 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config | ||
4 | -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500 | 5 | -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500 |
5 | 6 | ||
6 | firejail (0.9.66) baseline; urgency=low | 7 | firejail (0.9.66) baseline; urgency=low |
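--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -123,9 +123,6 @@
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
-
 # Disable whitelist top level directories, in addition to those
 # that are disabled out of the box. None by default; this is an example.
 # whitelist-disable-topdir /etc,/usr/etc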
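--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -106,7 +106,6 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
 PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
 PARSE_YESNO(CFG_SECCOMP, "seccomp")
-PARSE_YESNO(CFG_WHITELIST, "whitelist")
 PARSE_YESNO(CFG_NETWORK, "network")
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")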
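Review bot: Dropping the `PARSE_YESNO(CFG_WHITELIST, "whitelist")` arm means an existing /etc/firejail/firejail.config that still carries a `whitelist yes` or `whitelist no` line is no longer consumed by this chain, and what happens to it then depends on the fallthrough at the end of checkcfg(), which is outside the hunk: if unrecognized keys are rejected there, upgraded installs with the old key fail at startup, and if they are skipped silently, an admin who had `whitelist no` gets the feature re-enabled without any notice (the more restrictive direction, but still an unannounced behaviour change). Since RELNOTES calls the key deprecated rather than removed, keep a `whitelist` arm that matches the key, prints a one-time deprecation warning naming it, and otherwise ignores the value, so the config stays loadable across the upgrade. The PARSE_YESNO macro body and the rest of checkcfg() are not in the hunk.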
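--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -776,7 +776,6 @@ enum {
 CFG_NETWORK,
 CFG_RESTRICTED_NETWORK,
 CFG_FORCE_NONEWPRIVS,
-CFG_WHITELIST,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
 CFG_PRIVATE_BIN,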
diff --git a/src/firejail/main.c b/src/firejail/main.c index b97b1f6ad..f64994e02 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1602,28 +1602,20 @@ int main(int argc, char **argv, char **envp) { | |||
1602 | 1602 | ||
1603 | // whitelist | 1603 | // whitelist |
1604 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1604 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
1605 | if (checkcfg(CFG_WHITELIST)) { | 1605 | char *line; |
1606 | char *line; | 1606 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) |
1607 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | 1607 | errExit("asprintf"); |
1608 | errExit("asprintf"); | ||
1609 | 1608 | ||
1610 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1609 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1611 | profile_add(line); | 1610 | profile_add(line); |
1612 | } | ||
1613 | else | ||
1614 | exit_err_feature("whitelist"); | ||
1615 | } | 1611 | } |
1616 | else if (strncmp(argv[i], "--allow=", 8) == 0) { | 1612 | else if (strncmp(argv[i], "--allow=", 8) == 0) { |
1617 | if (checkcfg(CFG_WHITELIST)) { | 1613 | char *line; |
1618 | char *line; | 1614 | if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1) |
1619 | if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1) | 1615 | errExit("asprintf"); |
1620 | errExit("asprintf"); | ||
1621 | 1616 | ||
1622 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1617 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1623 | profile_add(line); | 1618 | profile_add(line); |
1624 | } | ||
1625 | else | ||
1626 | exit_err_feature("whitelist"); | ||
1627 | } | 1619 | } |
1628 | else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { | 1620 | else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { |
1629 | char *line; | 1621 | char *line; |
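Review bot: With the checkcfg(CFG_WHITELIST) gate gone, the `--whitelist=` branch at new line 1604 and the `--allow=` branch at new line 1612 are now identical apart from the prefix length, each building the same `whitelist %s` profile line and running it through profile_check_line() and profile_add(); the two can collapse into one branch that derives the argument from the `=` already matched by strncmp, e.g. `else if (strncmp(argv[i], "--whitelist=", 12) == 0 || strncmp(argv[i], "--allow=", 8) == 0) {` followed by `const char *path = strchr(argv[i], '=') + 1;` and `asprintf(&line, "whitelist %s", path)`. Keeping a single branch means the two spellings cannot drift apart if the validation applied to one of them is later tightened. The main() body, and whatever happens to `line` after profile_add(), continue outside the hunk.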
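--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1589,18 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 else if (strncmp(ptr, "noblacklist ", 12) == 0)
 ptr += 12;
 else if (strncmp(ptr, "whitelist ", 10) == 0) {
-if (checkcfg(CFG_WHITELIST)) {
-arg_whitelist = 1;
-ptr += 10;
-}
-else {
-static int whitelist_warning_printed = 0;
-if (!whitelist_warning_printed) {
-warning_feature_disabled("whitelist");
-whitelist_warning_printed = 1;
-}
-return 0;
-}
+arg_whitelist = 1;
+ptr += 10;
 }
 else if (strncmp(ptr, "nowhitelist ", 12) == 0)
 ptr += 12;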