7 files changed, 2 insertions, 76 deletions
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 714ed8e6e..51e9cfdad 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Commands grabbed from: src/firejail/profile.c
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
 syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index ff411c807..8e047ce90 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -42,10 +42,6 @@ _firejail()
            _filedir -d
            return 0
            ;;
-        --cgroup)
-            _filedir -d
-            return 0
-            ;;
        --tmpfs)
            _filedir
            return 0
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 7e05fc785..b47089b0e 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -414,7 +414,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
        if (!arg_shell_none)
                shfd = open_shell();
-        // in user mode set caps seccomp, cpu, cgroup, etc
+        // in user mode set caps seccomp, cpu etc.
        if (getuid() != 0) {
                extract_nonewprivs(sandbox);  // redundant on Linux >= 4.10; duplicated in function extract_caps
                extract_caps(sandbox);
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 2f6b47461..08042d2c4 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -37,7 +37,6 @@
 #define RUN_RO_DIR                      RUN_FIREJAIL_DIR "/firejail.ro.dir"
 #define RUN_RO_FILE                     RUN_FIREJAIL_DIR "/firejail.ro.file"
 #define RUN_MNT_DIR                     RUN_FIREJAIL_DIR "/mnt" // a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_CGROUP_CFG                  RUN_MNT_DIR "/cgroup"
 #define RUN_CPU_CFG                     RUN_MNT_DIR "/cpu"
 #define RUN_GROUPS_CFG                  RUN_MNT_DIR "/groups"
 #define RUN_PROTOCOL_CFG                RUN_MNT_DIR "/protocol"
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index f7cd3cdff..8383d83d3 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -91,7 +91,6 @@ _firejail_args=(
    '--caps.drop=all[drop all capabilities]'
    '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
    '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
-    '--cgroup=-[place the sandbox in the specified control group]: :'
    '--cpu=-[set cpu affinity]: :->cpus'
    "--deterministic-exit-code[always exit with first child's status code]"
    '--deterministic-shutdown[terminate orphan processes]'
diff --git a/test/root/cgroup.exp b/test/root/cgroup.exp
deleted file mode 100755
index 9a1bbe161..000000000
--- a/test/root/cgroup.exp
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2022 Firejail Authors
-# License GPL v2
-set timeout 10
-cd /home
-spawn $env(SHELL)
-match_max 100000
-send -- "mkdir /sys/fs/cgroup/systemd/firejail\r"
-sleep 1
-send -- "ls /sys/fs/cgroup/systemd/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "tasks"
-}
-send --  "firejail --name=\"join testing\" --cgroup=/sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-spawn $env(SHELL)
-send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "3"
-}
-spawn $env(SHELL)
-send --  "firejail --join=\"join testing\"\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Switching to pid"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-send -- "ps aux\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "/bin/bash"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "/bin/bash"
-}
-after 100
-spawn $env(SHELL)
-send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "3"
-}
-after 100
-puts "\nall done\n"
diff --git a/test/root/root.sh b/test/root/root.sh
index 78a6619d7..e8c0ec1ac 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -103,9 +103,6 @@ echo "TESTING: firejail configuration (test/root/checkcfg.exp)"
 ./checkcfg.exp
 cp ../../etc/firejail.config /etc/firejail/.
-echo "TESTING: cgroup (test/root/cgroup.exp)"
-./cgroup.exp
 echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
 ./option_tmpfs.exp

diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 714ed8e6e..51e9cfdad 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG\|DESKTOP\|DOCUMENTS\|DOWNLOADS\|HOME\|MUSIC\|PATH\|PICTURES
49		49
50	" Commands grabbed from: src/firejail/profile.c	50	" Commands grabbed from: src/firejail/profile.c
51	" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } \| grep -vEx '(include\|ignore\|caps\.drop\|caps\.keep\|protocol\|seccomp\|seccomp\.drop\|seccomp\.keep\|env\|rmenv\|net\|ip)' \| sort -u \| tr $'\n' '\|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)	51	" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } \| grep -vEx '(include\|ignore\|caps\.drop\|caps\.keep\|protocol\|seccomp\|seccomp\.drop\|seccomp\.keep\|env\|rmenv\|net\|ip)' \| sort -u \| tr $'\n' '\|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
52	syn match fjCommand /\v(bind\|blacklist\|blacklist-nolog\|cgroup\|cpu\|defaultgw\|dns\|hostname\|hosts-file\|ip6\|iprange\|join-or-start\|mac\|mkdir\|mkfile\|mtu\|name\|netfilter\|netfilter6\|netmask\|nice\|noblacklist\|noexec\|nowhitelist\|overlay-named\|private\|private-bin\|private-cwd\|private-etc\|private-home\|private-lib\|private-opt\|private-srv\|read-only\|read-write\|rlimit-as\|rlimit-cpu\|rlimit-fsize\|rlimit-nofile\|rlimit-nproc\|rlimit-sigpending\|timeout\|tmpfs\|veth-name\|whitelist\|xephyr-screen) / skipwhite contained	52	syn match fjCommand /\v(bind\|blacklist\|blacklist-nolog\|cpu\|defaultgw\|dns\|hostname\|hosts-file\|ip6\|iprange\|join-or-start\|mac\|mkdir\|mkfile\|mtu\|name\|netfilter\|netfilter6\|netmask\|nice\|noblacklist\|noexec\|nowhitelist\|overlay-named\|private\|private-bin\|private-cwd\|private-etc\|private-home\|private-lib\|private-opt\|private-srv\|read-only\|read-write\|rlimit-as\|rlimit-cpu\|rlimit-fsize\|rlimit-nofile\|rlimit-nproc\|rlimit-sigpending\|timeout\|tmpfs\|veth-name\|whitelist\|xephyr-screen) / skipwhite contained
53	" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c \| grep -vEx '(include\|rlimit\|quiet)' \| sed -e 's/\./\\./' \| sort -u \| tr $'\n' '\|' # include/rlimit are false positives, quiet is special-cased below	53	" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c \| grep -vEx '(include\|rlimit\|quiet)' \| sed -e 's/\./\\./' \| sort -u \| tr $'\n' '\|' # include/rlimit are false positives, quiet is special-cased below
54	syn match fjCommand /\v(allow-debuggers\|allusers\|apparmor\|caps\|deterministic-exit-code\|deterministic-shutdown\|disable-mnt\|ipc-namespace\|keep-config-pulse\|keep-dev-shm\|keep-fd\|keep-var-tmp\|machine-id\|memory-deny-write-execute\|netfilter\|no3d\|noautopulse\|nodbus\|nodvd\|nogroups\|noinput\|nonewprivs\|noprinters\|noroot\|nosound\|notv\|nou2f\|novideo\|overlay\|overlay-tmpfs\|private\|private-cache\|private-cwd\|private-dev\|private-lib\|private-tmp\|seccomp\|seccomp\.32\|seccomp\.block-secondary\|tracelog\|writable-etc\|writable-run-user\|writable-var\|writable-var-log\|x11)$/ contained	54	syn match fjCommand /\v(allow-debuggers\|allusers\|apparmor\|caps\|deterministic-exit-code\|deterministic-shutdown\|disable-mnt\|ipc-namespace\|keep-config-pulse\|keep-dev-shm\|keep-fd\|keep-var-tmp\|machine-id\|memory-deny-write-execute\|netfilter\|no3d\|noautopulse\|nodbus\|nodvd\|nogroups\|noinput\|nonewprivs\|noprinters\|noroot\|nosound\|notv\|nou2f\|novideo\|overlay\|overlay-tmpfs\|private\|private-cache\|private-cwd\|private-dev\|private-lib\|private-tmp\|seccomp\|seccomp\.32\|seccomp\.block-secondary\|tracelog\|writable-etc\|writable-run-user\|writable-var\|writable-var-log\|x11)$/ contained
55	syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained	55	syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained


diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index ff411c807..8e047ce90 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in
@@ -42,10 +42,6 @@ _firejail()
42	_filedir -d	42	_filedir -d
43	return 0	43	return 0
44	;;	44	;;
45	--cgroup)
46	_filedir -d
47	return 0
48	;;
49	--tmpfs)	45	--tmpfs)
50	_filedir	46	_filedir
51	return 0	47	return 0


diff --git a/src/firejail/join.c b/src/firejail/join.c index 7e05fc785..b47089b0e 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c
@@ -414,7 +414,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
414	if (!arg_shell_none)	414	if (!arg_shell_none)
415	shfd = open_shell();	415	shfd = open_shell();
416		416
417	// in user mode set caps seccomp, cpu, cgroup, etc	417	// in user mode set caps seccomp, cpu etc.
418	if (getuid() != 0) {	418	if (getuid() != 0) {
419	extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps	419	extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps
420	extract_caps(sandbox);	420	extract_caps(sandbox);


diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 2f6b47461..08042d2c4 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h
@@ -37,7 +37,6 @@
37	#define RUN_RO_DIR RUN_FIREJAIL_DIR "/firejail.ro.dir"	37	#define RUN_RO_DIR RUN_FIREJAIL_DIR "/firejail.ro.dir"
38	#define RUN_RO_FILE RUN_FIREJAIL_DIR "/firejail.ro.file"	38	#define RUN_RO_FILE RUN_FIREJAIL_DIR "/firejail.ro.file"
39	#define RUN_MNT_DIR RUN_FIREJAIL_DIR "/mnt" // a tmpfs is mounted on this directory before any of the files below are created	39	#define RUN_MNT_DIR RUN_FIREJAIL_DIR "/mnt" // a tmpfs is mounted on this directory before any of the files below are created
40	#define RUN_CGROUP_CFG RUN_MNT_DIR "/cgroup"
41	#define RUN_CPU_CFG RUN_MNT_DIR "/cpu"	40	#define RUN_CPU_CFG RUN_MNT_DIR "/cpu"
42	#define RUN_GROUPS_CFG RUN_MNT_DIR "/groups"	41	#define RUN_GROUPS_CFG RUN_MNT_DIR "/groups"
43	#define RUN_PROTOCOL_CFG RUN_MNT_DIR "/protocol"	42	#define RUN_PROTOCOL_CFG RUN_MNT_DIR "/protocol"


diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index f7cd3cdff..8383d83d3 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in
@@ -91,7 +91,6 @@ _firejail_args=(
91	'--caps.drop=all[drop all capabilities]'	91	'--caps.drop=all[drop all capabilities]'
92	'*--caps.drop=-[drop capabilities: all\|cap1,cap2,...]: :_caps'	92	'*--caps.drop=-[drop capabilities: all\|cap1,cap2,...]: :_caps'
93	'*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'	93	'*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
94	'--cgroup=-[place the sandbox in the specified control group]: :'
95	'--cpu=-[set cpu affinity]: :->cpus'	94	'--cpu=-[set cpu affinity]: :->cpus'
96	"--deterministic-exit-code[always exit with first child's status code]"	95	"--deterministic-exit-code[always exit with first child's status code]"
97	'--deterministic-shutdown[terminate orphan processes]'	96	'--deterministic-shutdown[terminate orphan processes]'


diff --git a/test/root/cgroup.exp b/test/root/cgroup.exp deleted file mode 100755 index 9a1bbe161..000000000 --- a/test/root/cgroup.exp +++ /dev/null
@@ -1,65 +0,0 @@
1	#!/usr/bin/expect -f
2	# This file is part of Firejail project
3	# Copyright (C) 2014-2022 Firejail Authors
4	# License GPL v2
5
6	set timeout 10
7	cd /home
8	spawn $env(SHELL)
9	match_max 100000
10
11
12	send -- "mkdir /sys/fs/cgroup/systemd/firejail\r"
13	sleep 1
14	send -- "ls /sys/fs/cgroup/systemd/firejail\r"
15	expect {
16	timeout {puts "TESTING ERROR 0\n";exit}
17	"tasks"
18	}
19
20	send -- "firejail --name=\"join testing\" --cgroup=/sys/fs/cgroup/systemd/firejail/tasks\r"
21	expect {
22	timeout {puts "TESTING ERROR 1\n";exit}
23	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
24	}
25	sleep 2
26
27	spawn $env(SHELL)
28	send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
29	expect {
30	timeout {puts "TESTING ERROR 2\n";exit}
31	"3"
32	}
33
34	spawn $env(SHELL)
35	send -- "firejail --join=\"join testing\"\r"
36	expect {
37	timeout {puts "TESTING ERROR 3\n";exit}
38	"Switching to pid"
39	}
40	expect {
41	timeout {puts "TESTING ERROR 4\n";exit}
42	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
43	}
44	sleep 1
45	send -- "ps aux\r"
46	expect {
47	timeout {puts "TESTING ERROR 5\n";exit}
48	"/bin/bash"
49	}
50	expect {
51	timeout {puts "TESTING ERROR 6\n";exit}
52	"/bin/bash"
53	}
54
55	after 100
56
57	spawn $env(SHELL)
58	send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
59	expect {
60	timeout {puts "TESTING ERROR 7\n";exit}
61	"3"
62	}
63	after 100
64
65	puts "\nall done\n"


diff --git a/test/root/root.sh b/test/root/root.sh index 78a6619d7..e8c0ec1ac 100755 --- a/test/root/root.sh +++ b/test/root/root.sh
@@ -103,9 +103,6 @@ echo "TESTING: firejail configuration (test/root/checkcfg.exp)"
103	./checkcfg.exp	103	./checkcfg.exp
104	cp ../../etc/firejail.config /etc/firejail/.	104	cp ../../etc/firejail.config /etc/firejail/.
105		105
106	echo "TESTING: cgroup (test/root/cgroup.exp)"
107	./cgroup.exp
108
109	echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"	106	echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
110	./option_tmpfs.exp	107	./option_tmpfs.exp
111		108