-rw-r--r-- | etc/profile-a-l/beaker.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/default.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/fdns.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-nettool.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/jitsi-meet-desktop.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/pidgin.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/rocketchat.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/server.profile | 1 | ||||
-rw-r--r-- | etc/templates/profile.template | 3 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in | 4 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in | 5 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 2 | ||||
-rw-r--r-- | test/environment/shell-none.profile | 1 | ||||
-rwxr-xr-x | test/profiles/ignore.exp | 6 | ||||
-rw-r--r-- | test/profiles/ignore.profile | 2 | ||||
-rw-r--r-- | test/profiles/ignore2.profile | 4 | ||||
-rw-r--r-- | test/profiles/ignore3.profile | 2 | ||||
-rwxr-xr-x | test/utils/build.exp | 4 |
21 files changed, 11 insertions, 37 deletions
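--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -13,7 +13,6 @@ ignore include whitelist-usr-share-common.inc
 ignore include whitelist-var-common.inc
 ignore nou2f
 ignore novideo
-ignore shell none
 ignore disable-mnt
 ignore private-cache
 ignore private-dev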
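--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -40,7 +40,6 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
-# shell none
 # tracelog
 
 # disable-mnt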
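--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -36,7 +36,6 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 #seccomp
-#shell none
 
 disable-mnt
 private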
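--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -35,7 +35,6 @@ notv
 nou2f
 novideo
 #seccomp
-#shell none
 
 disable-mnt
 private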
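--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -9,7 +9,6 @@ include globals.local
 # Disabled until someone reported positive feedback
 ignore nou2f
 ignore novideo
-ignore shell none
 
 ignore noexec /tmp
 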
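--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -38,7 +38,6 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
-# shell none
 tracelog
 
 # private-bin pidgin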
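--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -15,7 +15,6 @@ ignore include whitelist-usr-share-common.inc
 ignore include whitelist-var-common.inc
 ignore nou2f
 ignore novideo
-ignore shell none
 ignore disable-mnt
 ignore private-cache
 ignore private-dev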
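--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -70,7 +70,6 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink,packet
 seccomp
-# shell none
 tab # allow tab completion
 
 disable-mnt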
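--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -31,7 +31,7 @@
 # MKDIRS
 # WHITELISTS
 # WHITELIST INCLUDES
-# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
+# OPTIONS (caps*, net*, no*, protocol, seccomp*, tracelog)
 # PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
 # DBUS FILTER
 # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
@@ -172,7 +172,6 @@ include globals.local
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #seccomp.block-secondary
 ##seccomp-error-action log (only for debugging seccomp issues)
-#shell none
 #tracelog
 # Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
 ##x11 none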
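--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -82,10 +82,6 @@ _firejail()
 _filedir
 return 0
 ;;
---shell)
-_filedir
-return 0
-;;
 --net)
 comps=$(__interfaces)
 COMPREPLY=( $(compgen -W '$comps' -- "$cur") )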
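--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -143,7 +143,6 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "#novideo\t# disable video capture devices\n");
 build_protocol(trace_output, fp);
 fprintf(fp, "seccomp !chroot\t# allowing chroot, just in case this is an Electron app\n");
-fprintf(fp, "shell none\n");
 fprintf(fp, "#tracelog\t# send blacklist violations to syslog\n");
 fprintf(fp, "\n");
 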
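--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2806,7 +2806,7 @@ int main(int argc, char **argv, char **envp) {
 // already handled
 }
 else if (strncmp(argv[i], "--shell=", 8) == 0) {
-fprintf(stderr, "Warning: --shell feature has been deprecated\n");
+fprintf(stderr, "Error: \"shell none\" is done by default now; the \"shell\" command has been removed\n");
 exit(1);
 }
 else if (strcmp(argv[i], "-c") == 0) {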
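--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -371,8 +371,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_caps_drop_all = 1;
 return 0;
 }
-else if (strcmp(ptr, "shell none") == 0) {
-fprintf(stderr, "Warning: \"shell none\" command in the profile file is done by default; the command will be deprecated\n");
+else if (strcmp(ptr, "shell ") == 0) {
+fprintf(stderr, "Warning: \"shell none\" is done by default now; the \"shell\" command has been removed\n");
 return 0;
 }
 else if (strcmp(ptr, "tracelog") == 0) {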
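Review bot: The new condition `strcmp(ptr, "shell ") == 0` in profile_check_line only matches a line that is exactly `shell ` with a trailing space, so an existing profile line such as `shell none` no longer reaches this warning branch and falls through to whatever checks follow outside the hunk, presumably the invalid-line path. A prefix compare looks like what was intended: `else if (strncmp(ptr, "shell ", 6) == 0) {`. Since the change also deletes test/environment/shell-none.profile, a small test that loads a profile containing `shell none` and expects this warning would pin the backward-compatible behaviour. The function body starts and ends outside the hunk.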
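--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -799,11 +799,6 @@ Disable video capture devices.
 .TP
 \fBmachine-id
 Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
-.TP
-\fBshell none
-Run the program directly, without a shell.
-
-
 #ifdef HAVE_NETWORK
 .SH Networking
 Networking features available in profile files.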
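--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -160,8 +160,6 @@ _firejail_args=(
 '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
 # FIXME: Add errnos
 '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
-'--shell=none[run the program directly without a user shell]'
-'--shell=-[set default user shell]: :_values $(cat /etc/shells)'
 '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
 #'(--tracelog)--trace[trace open, access and connect system calls]'
 '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'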
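--- a/test/environment/shell-none.profile
+++ /dev/null
@@ -1 +0,0 @@
-shell none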
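--- a/test/profiles/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -23,7 +23,7 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --ignore=seccomp --ignore=shell --profile=ignore.profile \r"
+send -- "firejail --ignore=seccomp --ignore=name --profile=ignore.profile \r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -39,7 +39,7 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --ignore=private --ignore=shell --profile=ignore.profile \r"
+send -- "firejail --ignore=private --ignore=name --profile=ignore.profile \r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -66,7 +66,7 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --ignore=quiet --ignore=shell --profile=ignore.profile \r"
+send -- "firejail --ignore=quiet --ignore=name --profile=ignore.profile \r"
 expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"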
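--- a/test/profiles/ignore.profile
+++ b/test/profiles/ignore.profile
@@ -1,3 +1,3 @@
 private
 seccomp
-shell none
+name test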
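--- a/test/profiles/ignore2.profile
+++ b/test/profiles/ignore2.profile
@@ -1,5 +1,5 @@
 ignore seccomp
-ignore shell
+ignore name
 private
 seccomp
-shell none
+name test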
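--- a/test/profiles/ignore3.profile
+++ b/test/profiles/ignore3.profile
@@ -1,4 +1,4 @@
 quiet
 private
 seccomp
-shell none
+name test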
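--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -57,10 +57,6 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 11\n";exit}
-"shell none"
-}
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
 "private-bin cat,"
 }
 expect {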