11 files changed, 7 insertions, 244 deletions
diff --git a/RELNOTES b/RELNOTES
index d751b2511..711977052 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.56~rc1) baseline; urgency=low
  * work in progress
  * modif: removed CFG_CHROOT_DESKTOP configuration option
  * modif: removed compile time --enable-network=restricted
+  * modif: removed compile time --disable-bind
  * modif: --net=none allowed even if networking was disabled at compile
     time or at run time
  * support wireless devices in --net option
diff --git a/configure b/configure
index 6e6f84256..cfcdae929 100755
--- a/configure
+++ b/configure
@@ -636,7 +636,6 @@ HAVE_X11
 HAVE_USERNS
 HAVE_NETWORK
 HAVE_GLOBALCFG
-HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
 HAVE_PRIVATE_HOME
@@ -705,7 +704,6 @@ enable_overlayfs
 enable_private_home
 enable_seccomp
 enable_chroot
-enable_bind
 enable_globalcfg
 enable_network
 enable_userns
@@ -1352,7 +1350,6 @@ Optional Features:
  --disable-private-home  disable private home feature
  --disable-seccomp       disable seccomp
  --disable-chroot        disable chroot
-  --disable-bind          disable bind
  --disable-globalcfg     if the global config file firejail.cfg is not
                          present, continue the program using defaults
  --disable-network       disable network
@@ -3626,19 +3623,6 @@ if test "x$enable_chroot" != "xno"; then :
 fi
-HAVE_BIND=""
-# Check whether --enable-bind was given.
-if test "${enable_bind+set}" = set; then :
-  enableval=$enable_bind;
-fi
-if test "x$enable_bind" != "xno"; then :
-        HAVE_BIND="-DHAVE_BIND"
-fi
 HAVE_GLOBALCFG=""
 # Check whether --enable-globalcfg was given.
 if test "${enable_globalcfg+set}" = set; then :
@@ -5043,7 +5027,6 @@ echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   apparmor: $HAVE_APPARMOR"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
-echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
diff --git a/configure.ac b/configure.ac
index 8c6459335..73736abc2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -83,14 +83,6 @@ AS_IF([test "x$enable_chroot" != "xno"], [
        AC_SUBST(HAVE_CHROOT)
 ])
-HAVE_BIND=""
-AC_ARG_ENABLE([bind],
-    AS_HELP_STRING([--disable-bind], [disable bind]))
-AS_IF([test "x$enable_bind" != "xno"], [
-        HAVE_BIND="-DHAVE_BIND"
-        AC_SUBST(HAVE_BIND)
-])
 HAVE_GLOBALCFG=""
 AC_ARG_ENABLE([globalcfg],
    AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
@@ -207,7 +199,6 @@ echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   apparmor: $HAVE_APPARMOR"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
-echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
diff --git a/src/common.mk.in b/src/common.mk.in
index fd9f2e5a5..7a2056e7b 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -11,7 +11,6 @@ NAME=@PACKAGE_NAME@
 HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
 HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
@@ -29,7 +28,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@
diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt
deleted file mode 100644
index cfed454f8..000000000
--- a/src/firejail/arg-checking.txt
+++ /dev/null
@@ -1,84 +0,0 @@
-arg checking:
-1. --output=filename
-        - not supported in profiles
-        - checking no "..",
-        - checking no link,
-        - checking no dir,
-        - checking same permissions,
-        - checking no hard links
-        - unit test
-2. --chroot=dirname
-        - not supported in profiles
-        - expand "~"
-        - checking no "..",
-        - checking is dir,
-        - checking no link
-        - checking directory structure
-        - unit test
-3. --bind=dirname1,dirname2, --bind=filename1,filenam2
-        - supported in profiles
-        - accepted only when running as root
-        - checking string chars
-        - checking no ".."
-        - unit test non root
-4. --tmpfs=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-5. --blacklist=filename, --blacklist=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-6. --read-only=filename, --read-only=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-7. --profile=filename
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
-8. --private=dirname
-        - supported in profiles
-        - expand "~"
-        - check is dir
-        - check no link
-        - checking no ".."
-        - check same owner
-        - unit test
-9. --private-home=filelist
-        - supported in profiles
-        - checking no ".."
-        - checking file found
-        - checking same owner
-        - checking no link
-        - unit test
-10. --netfilter=filename
-        - supported in profiles
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
-11. --shell=filename
-        - not supported in profiles
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7483136f4..06820ce24 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -410,14 +410,6 @@ void print_compiletime_support(void) {
 #endif
                );
-        printf("\t- bind support is %s\n",
-#ifdef HAVE_BIND
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
        printf("\t- chroot support is %s\n",
 #ifdef HAVE_CHROOT
                "enabled"
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4faef025a..b3a8dcfd7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1270,7 +1270,6 @@ int main(int argc, char **argv) {
                //*************************************
                else if (strcmp(argv[i], "--allusers") == 0)
                        arg_allusers = 1;
-#ifdef HAVE_BIND
                else if (strncmp(argv[i], "--bind=", 7) == 0) {
                        if (checkcfg(CFG_BIND)) {
                                char *line;
@@ -1283,7 +1282,6 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("bind");
                }
-#endif
                else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
                        char *line;
                        if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)
diff --git a/src/firejail/network.txt b/src/firejail/network.txt
deleted file mode 100644
index 75bdc346d..000000000
--- a/src/firejail/network.txt
+++ /dev/null
@@ -1,95 +0,0 @@
-struct Bridge {
-        char *dev;              // bridge device name
-        uint32_t ip;            // bridge device IP address
-        uint32_t mask;          // bridge device mask
-        uint32_t ipsandbox      // sandbox interface IP address
-}
-net_configure_bridge(br, device) {
-        br->dev  = devname;
-        br->ip = extracted from kernel device - using net_get_if_addr() in network.c
-        br->mask = extracted from kernel device - using net_get_if_addr() in network.c
-        check available network range; /31 networks are not supported
-}
-net_configure_sandbox_ip(br) {
-        if br->ip_sandbox
-                check br->ipsandbox inside the bridge network
-                arp_check(br->ipsandbox)        // send an arp req to check if anybody else is using this address
-        else
-                br->ipsandbox = arp_assign();
-}
-net_configure_veth_pair {
-        create a veth pair
-        place one interface end in the bridge
-        place the other end in the namespace of the child process
-}
-net_bridge_wait_ip {
-        arp_check br->ipsandbox address to come up
-        wait for not more than 5 seconds
-}
-main() {
-        foreach argv[i] {
-                if --net
-                        br = next bridge available
-                        net_configure_bridge(br, device name from argv[i]);
-                else if --ip
-                        br = last bridge configured
-                        br->ipsandbox = ip address extracted from argv[i]
-                else if --defaultgw
-                        cfg.defaultgw = ip address extracted from argv[i]
-        }
-        net_check_cfg(); // check the validity of network configuration so far
-        if (any bridge configured) {
-                lock /var/lock/firejail.lock file
-                for each bridge
-                        net_configure_sandbox_ip(br)
-        }
-        clone (new network namespace if any bridge configured or --net=none)
-        if (any bridge configured) {
-                for each bridge
-                        net_configure_veth_pair
-        }
-        notify child init is done
-        if (any bridge configured) {
-                for each bridge
-                        net_bridge_wait_ip
-                unlock /var/lock/firejail.lock file
-        }
-        wait on child
-        exit
-}
-******************************************************
-* macvlan notes
-******************************************************
-Configure a macvlan interface
-# ip link add virtual0 link eth0 type macvlan mode bridge
-(you can configure it with # ifconfig virtual0 192.168.1.52/24 up)
-Create a new network namespace and move the interface in the new network namespace
-# ip netns add dummy0
-# ip link set virtual0 netns dummy0
-Join the namespace and configure the interfaces
-# ip netns exec dummy0 bash
-# ifconfig lo up
-# ifconfig virtual0 192.168.1.52/24
-Investigate ipvlan interface - added to linux kernel 3.19
-https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 606378908..168d7e268 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1044,7 +1044,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // filesystem bind
        if (strncmp(ptr, "bind ", 5) == 0) {
-#ifdef HAVE_BIND
                if (checkcfg(CFG_BIND)) {
                        if (getuid() != 0) {
                                fprintf(stderr, "Error: --bind option is available only if running as root\n");
@@ -1077,7 +1076,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
                else
                        warning_feature_disabled("bind");
-#endif
                return 0;
        }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 78cd30926..c8866da3a 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -37,10 +37,8 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
        "    --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
-#ifdef HAVE_BIND
        "    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
        "    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-#endif
        "    --blacklist=filename - blacklist directory or file.\n"
        "    --build - build a whitelisted profile for the application.\n"
        "    --build=filename - build a whitelisted profile for the application.\n"
@@ -153,6 +151,7 @@ static char *usage_str =
        "    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
        "    --private - temporary home directory.\n"
        "    --private=directory - use directory as user home.\n"
+        "    --private-cache - temporary ~/.cache directory.\n"
        "    --private-home=file,directory - build a new user home in a temporary\n"
        "\tfilesystem, and copy the files and directories in the list in\n"
        "\tthe new home.\n"
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 9d35bbcde..adacab616 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -3,7 +3,7 @@
 arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile seccomp disabled"
 arr[3]="TEST 3: compile chroot disabled"
-arr[4]="TEST 4: compile bind disabled"
+arr[4]="deprecated: TEST 4: compile bind disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
@@ -14,7 +14,7 @@ arr[11]="TEST 11: compile disable global config"
 arr[12]="TEST 12: compile apparmor"
 arr[13]="TEST 13: compile busybox"
 arr[14]="TEST 14: compile overlayfs disabled"
-arr[15]="TEST 15: compile apparmor enabled"
+arr[14]="TEST 15: compile private-home disabled"
 # remove previous reports and output file
 cleanup() {
@@ -108,24 +108,6 @@ cp output-make om3
 rm output-configure output-make
 #*****************************************************************
-# TEST 4
-#*****************************************************************
-# - disable bind configuration
-#*****************************************************************
-print_title "${arr[4]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-bind  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test4
-grep Error output-configure output-make >> ./report-test4
-cp output-configure oc4
-cp output-make om4
-rm output-configure output-make
-#*****************************************************************
 # TEST 5
 #*****************************************************************
 # - disable user namespace configuration
@@ -292,13 +274,13 @@ rm output-configure output-make
 #*****************************************************************
 # TEST 15
 #*****************************************************************
-# - enable apparmor
+# - disable private home
 #*****************************************************************
 print_title "${arr[15]}"
 # seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test15
@@ -307,7 +289,6 @@ cp output-configure oc15
 cp output-make om15
 rm output-configure output-make
 #*****************************************************************
 # PRINT REPORTS
 #*****************************************************************

diff --git a/RELNOTES b/RELNOTES index d751b2511..711977052 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.56~rc1) baseline; urgency=low
2	* work in progress	2	* work in progress
3	* modif: removed CFG_CHROOT_DESKTOP configuration option	3	* modif: removed CFG_CHROOT_DESKTOP configuration option
4	* modif: removed compile time --enable-network=restricted	4	* modif: removed compile time --enable-network=restricted
		5	* modif: removed compile time --disable-bind
5	* modif: --net=none allowed even if networking was disabled at compile	6	* modif: --net=none allowed even if networking was disabled at compile
6	time or at run time	7	time or at run time
7	* support wireless devices in --net option	8	* support wireless devices in --net option


diff --git a/configure b/configure index 6e6f84256..cfcdae929 100755 --- a/configure +++ b/configure
@@ -636,7 +636,6 @@ HAVE_X11
636	HAVE_USERNS	636	HAVE_USERNS
637	HAVE_NETWORK	637	HAVE_NETWORK
638	HAVE_GLOBALCFG	638	HAVE_GLOBALCFG
639	HAVE_BIND
640	HAVE_CHROOT	639	HAVE_CHROOT
641	HAVE_SECCOMP	640	HAVE_SECCOMP
642	HAVE_PRIVATE_HOME	641	HAVE_PRIVATE_HOME
@@ -705,7 +704,6 @@ enable_overlayfs
705	enable_private_home	704	enable_private_home
706	enable_seccomp	705	enable_seccomp
707	enable_chroot	706	enable_chroot
708	enable_bind
709	enable_globalcfg	707	enable_globalcfg
710	enable_network	708	enable_network
711	enable_userns	709	enable_userns
@@ -1352,7 +1350,6 @@ Optional Features:
1352	--disable-private-home disable private home feature	1350	--disable-private-home disable private home feature
1353	--disable-seccomp disable seccomp	1351	--disable-seccomp disable seccomp
1354	--disable-chroot disable chroot	1352	--disable-chroot disable chroot
1355	--disable-bind disable bind
1356	--disable-globalcfg if the global config file firejail.cfg is not	1353	--disable-globalcfg if the global config file firejail.cfg is not
1357	present, continue the program using defaults	1354	present, continue the program using defaults
1358	--disable-network disable network	1355	--disable-network disable network
@@ -3626,19 +3623,6 @@ if test "x$enable_chroot" != "xno"; then :
3626		3623
3627	fi	3624	fi
3628		3625
3629	HAVE_BIND=""
3630	# Check whether --enable-bind was given.
3631	if test "${enable_bind+set}" = set; then :
3632	enableval=$enable_bind;
3633	fi
3634
3635	if test "x$enable_bind" != "xno"; then :
3636
3637	HAVE_BIND="-DHAVE_BIND"
3638
3639
3640	fi
3641
3642	HAVE_GLOBALCFG=""	3626	HAVE_GLOBALCFG=""
3643	# Check whether --enable-globalcfg was given.	3627	# Check whether --enable-globalcfg was given.
3644	if test "${enable_globalcfg+set}" = set; then :	3628	if test "${enable_globalcfg+set}" = set; then :
@@ -5043,7 +5027,6 @@ echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
5043	echo " apparmor: $HAVE_APPARMOR"	5027	echo " apparmor: $HAVE_APPARMOR"
5044	echo " global config: $HAVE_GLOBALCFG"	5028	echo " global config: $HAVE_GLOBALCFG"
5045	echo " chroot: $HAVE_CHROOT"	5029	echo " chroot: $HAVE_CHROOT"
5046	echo " bind: $HAVE_BIND"
5047	echo " network: $HAVE_NETWORK"	5030	echo " network: $HAVE_NETWORK"
5048	echo " user namespace: $HAVE_USERNS"	5031	echo " user namespace: $HAVE_USERNS"
5049	echo " X11 sandboxing support: $HAVE_X11"	5032	echo " X11 sandboxing support: $HAVE_X11"


diff --git a/configure.ac b/configure.ac index 8c6459335..73736abc2 100644 --- a/configure.ac +++ b/configure.ac
@@ -83,14 +83,6 @@ AS_IF([test "x$enable_chroot" != "xno"], [
83	AC_SUBST(HAVE_CHROOT)	83	AC_SUBST(HAVE_CHROOT)
84	])	84	])
85		85
86	HAVE_BIND=""
87	AC_ARG_ENABLE([bind],
88	AS_HELP_STRING([--disable-bind], [disable bind]))
89	AS_IF([test "x$enable_bind" != "xno"], [
90	HAVE_BIND="-DHAVE_BIND"
91	AC_SUBST(HAVE_BIND)
92	])
93
94	HAVE_GLOBALCFG=""	86	HAVE_GLOBALCFG=""
95	AC_ARG_ENABLE([globalcfg],	87	AC_ARG_ENABLE([globalcfg],
96	AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))	88	AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
@@ -207,7 +199,6 @@ echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
207	echo " apparmor: $HAVE_APPARMOR"	199	echo " apparmor: $HAVE_APPARMOR"
208	echo " global config: $HAVE_GLOBALCFG"	200	echo " global config: $HAVE_GLOBALCFG"
209	echo " chroot: $HAVE_CHROOT"	201	echo " chroot: $HAVE_CHROOT"
210	echo " bind: $HAVE_BIND"
211	echo " network: $HAVE_NETWORK"	202	echo " network: $HAVE_NETWORK"
212	echo " user namespace: $HAVE_USERNS"	203	echo " user namespace: $HAVE_USERNS"
213	echo " X11 sandboxing support: $HAVE_X11"	204	echo " X11 sandboxing support: $HAVE_X11"


diff --git a/src/common.mk.in b/src/common.mk.in index fd9f2e5a5..7a2056e7b 100644 --- a/src/common.mk.in +++ b/src/common.mk.in
@@ -11,7 +11,6 @@ NAME=@PACKAGE_NAME@
11	HAVE_SECCOMP_H=@HAVE_SECCOMP_H@	11	HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12	HAVE_SECCOMP=@HAVE_SECCOMP@	12	HAVE_SECCOMP=@HAVE_SECCOMP@
13	HAVE_CHROOT=@HAVE_CHROOT@	13	HAVE_CHROOT=@HAVE_CHROOT@
14	HAVE_BIND=@HAVE_BIND@
15	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@	14	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16	HAVE_NETWORK=@HAVE_NETWORK@	15	HAVE_NETWORK=@HAVE_NETWORK@
17	HAVE_USERNS=@HAVE_USERNS@	16	HAVE_USERNS=@HAVE_USERNS@
@@ -29,7 +28,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
29	OBJS = $(C_FILE_LIST:.c=.o)	28	OBJS = $(C_FILE_LIST:.c=.o)
30	BINOBJS = $(foreach file, $(OBJS), $file)	29	BINOBJS = $(foreach file, $(OBJS), $file)
31		30
32	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	31	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
33	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	32	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
34	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@	33	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
35	EXTRA_CFLAGS +=@EXTRA_CFLAGS@	34	EXTRA_CFLAGS +=@EXTRA_CFLAGS@


diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt deleted file mode 100644 index cfed454f8..000000000 --- a/src/firejail/arg-checking.txt +++ /dev/null
@@ -1,84 +0,0 @@
1	arg checking:
2
3	1. --output=filename
4	- not supported in profiles
5	- checking no "..",
6	- checking no link,
7	- checking no dir,
8	- checking same permissions,
9	- checking no hard links
10	- unit test
11
12	2. --chroot=dirname
13	- not supported in profiles
14	- expand "~"
15	- checking no "..",
16	- checking is dir,
17	- checking no link
18	- checking directory structure
19	- unit test
20
21	3. --bind=dirname1,dirname2, --bind=filename1,filenam2
22	- supported in profiles
23	- accepted only when running as root
24	- checking string chars
25	- checking no ".."
26	- unit test non root
27
28	4. --tmpfs=dirname
29	- supported in profiles
30	- checking string chars
31	- checking no ".."
32	- unit test
33
34	5. --blacklist=filename, --blacklist=dirname
35	- supported in profiles
36	- checking string chars
37	- checking no ".."
38	- unit test
39
40	6. --read-only=filename, --read-only=dirname
41	- supported in profiles
42	- checking string chars
43	- checking no ".."
44	- unit test
45
46	7. --profile=filename
47	- check access as real GID/UID
48	- checking no dir
49	- checking no link
50	- checking no ".."
51	- unit test
52
53	8. --private=dirname
54	- supported in profiles
55	- expand "~"
56	- check is dir
57	- check no link
58	- checking no ".."
59	- check same owner
60	- unit test
61
62	9. --private-home=filelist
63	- supported in profiles
64	- checking no ".."
65	- checking file found
66	- checking same owner
67	- checking no link
68	- unit test
69
70	10. --netfilter=filename
71	- supported in profiles
72	- check access as real GID/UID
73	- checking no dir
74	- checking no link
75	- checking no ".."
76	- unit test
77
78	11. --shell=filename
79	- not supported in profiles
80	- check access as real GID/UID
81	- checking no dir
82	- checking no link
83	- checking no ".."
84	- unit test


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7483136f4..06820ce24 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -410,14 +410,6 @@ void print_compiletime_support(void) {
410	#endif	410	#endif
411	);	411	);
412		412
413	printf("\t- bind support is %s\n",
414	#ifdef HAVE_BIND
415	"enabled"
416	#else
417	"disabled"
418	#endif
419	);
420
421	printf("\t- chroot support is %s\n",	413	printf("\t- chroot support is %s\n",
422	#ifdef HAVE_CHROOT	414	#ifdef HAVE_CHROOT
423	"enabled"	415	"enabled"


diff --git a/src/firejail/main.c b/src/firejail/main.c index 4faef025a..b3a8dcfd7 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1270,7 +1270,6 @@ int main(int argc, char **argv) {
1270	//*************************************	1270	//*************************************
1271	else if (strcmp(argv[i], "--allusers") == 0)	1271	else if (strcmp(argv[i], "--allusers") == 0)
1272	arg_allusers = 1;	1272	arg_allusers = 1;
1273	#ifdef HAVE_BIND
1274	else if (strncmp(argv[i], "--bind=", 7) == 0) {	1273	else if (strncmp(argv[i], "--bind=", 7) == 0) {
1275	if (checkcfg(CFG_BIND)) {	1274	if (checkcfg(CFG_BIND)) {
1276	char *line;	1275	char *line;
@@ -1283,7 +1282,6 @@ int main(int argc, char **argv) {
1283	else	1282	else
1284	exit_err_feature("bind");	1283	exit_err_feature("bind");
1285	}	1284	}
1286	#endif
1287	else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {	1285	else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
1288	char *line;	1286	char *line;
1289	if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)	1287	if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)


diff --git a/src/firejail/network.txt b/src/firejail/network.txt deleted file mode 100644 index 75bdc346d..000000000 --- a/src/firejail/network.txt +++ /dev/null
@@ -1,95 +0,0 @@
1	struct Bridge {
2	char *dev; // bridge device name
3	uint32_t ip; // bridge device IP address
4	uint32_t mask; // bridge device mask
5	uint32_t ipsandbox // sandbox interface IP address
6	}
7
8	net_configure_bridge(br, device) {
9	br->dev = devname;
10	br->ip = extracted from kernel device - using net_get_if_addr() in network.c
11	br->mask = extracted from kernel device - using net_get_if_addr() in network.c
12	check available network range; /31 networks are not supported
13	}
14
15	net_configure_sandbox_ip(br) {
16	if br->ip_sandbox
17	check br->ipsandbox inside the bridge network
18	arp_check(br->ipsandbox) // send an arp req to check if anybody else is using this address
19	else
20	br->ipsandbox = arp_assign();
21	}
22
23	net_configure_veth_pair {
24	create a veth pair
25	place one interface end in the bridge
26	place the other end in the namespace of the child process
27	}
28
29	net_bridge_wait_ip {
30	arp_check br->ipsandbox address to come up
31	wait for not more than 5 seconds
32	}
33
34	main() {
35
36	foreach argv[i] {
37	if --net
38	br = next bridge available
39	net_configure_bridge(br, device name from argv[i]);
40	else if --ip
41	br = last bridge configured
42	br->ipsandbox = ip address extracted from argv[i]
43	else if --defaultgw
44	cfg.defaultgw = ip address extracted from argv[i]
45	}
46
47	net_check_cfg(); // check the validity of network configuration so far
48
49	if (any bridge configured) {
50	lock /var/lock/firejail.lock file
51	for each bridge
52	net_configure_sandbox_ip(br)
53	}
54
55	clone (new network namespace if any bridge configured or --net=none)
56
57	if (any bridge configured) {
58	for each bridge
59	net_configure_veth_pair
60	}
61
62	notify child init is done
63
64	if (any bridge configured) {
65	for each bridge
66	net_bridge_wait_ip
67	unlock /var/lock/firejail.lock file
68	}
69
70	wait on child
71	exit
72	}
73
74
75	******************************************************
76	* macvlan notes
77	******************************************************
78	Configure a macvlan interface
79
80	# ip link add virtual0 link eth0 type macvlan mode bridge
81	(you can configure it with # ifconfig virtual0 192.168.1.52/24 up)
82
83	Create a new network namespace and move the interface in the new network namespace
84
85	# ip netns add dummy0
86	# ip link set virtual0 netns dummy0
87
88	Join the namespace and configure the interfaces
89
90	# ip netns exec dummy0 bash
91	# ifconfig lo up
92	# ifconfig virtual0 192.168.1.52/24
93
94	Investigate ipvlan interface - added to linux kernel 3.19
95	https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 606378908..168d7e268 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -1044,7 +1044,6 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1044		1044
1045	// filesystem bind	1045	// filesystem bind
1046	if (strncmp(ptr, "bind ", 5) == 0) {	1046	if (strncmp(ptr, "bind ", 5) == 0) {
1047	#ifdef HAVE_BIND
1048	if (checkcfg(CFG_BIND)) {	1047	if (checkcfg(CFG_BIND)) {
1049	if (getuid() != 0) {	1048	if (getuid() != 0) {
1050	fprintf(stderr, "Error: --bind option is available only if running as root\n");	1049	fprintf(stderr, "Error: --bind option is available only if running as root\n");
@@ -1077,7 +1076,6 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1077	}	1076	}
1078	else	1077	else
1079	warning_feature_disabled("bind");	1078	warning_feature_disabled("bind");
1080	#endif
1081	return 0;	1079	return 0;
1082	}	1080	}
1083		1081


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 78cd30926..c8866da3a 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -37,10 +37,8 @@ static char *usage_str =
37	#ifdef HAVE_NETWORK	37	#ifdef HAVE_NETWORK
38	" --bandwidth=name\|pid - set bandwidth limits.\n"	38	" --bandwidth=name\|pid - set bandwidth limits.\n"
39	#endif	39	#endif
40	#ifdef HAVE_BIND
41	" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"	40	" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
42	" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"	41	" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
43	#endif
44	" --blacklist=filename - blacklist directory or file.\n"	42	" --blacklist=filename - blacklist directory or file.\n"
45	" --build - build a whitelisted profile for the application.\n"	43	" --build - build a whitelisted profile for the application.\n"
46	" --build=filename - build a whitelisted profile for the application.\n"	44	" --build=filename - build a whitelisted profile for the application.\n"
@@ -153,6 +151,7 @@ static char *usage_str =
153	" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"	151	" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
154	" --private - temporary home directory.\n"	152	" --private - temporary home directory.\n"
155	" --private=directory - use directory as user home.\n"	153	" --private=directory - use directory as user home.\n"
		154	" --private-cache - temporary ~/.cache directory.\n"
156	" --private-home=file,directory - build a new user home in a temporary\n"	155	" --private-home=file,directory - build a new user home in a temporary\n"
157	"\tfilesystem, and copy the files and directories in the list in\n"	156	"\tfilesystem, and copy the files and directories in the list in\n"
158	"\tthe new home.\n"	157	"\tthe new home.\n"


diff --git a/test/compile/compile.sh b/test/compile/compile.sh index 9d35bbcde..adacab616 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh
@@ -3,7 +3,7 @@
3	arr[1]="TEST 1: standard compilation"	3	arr[1]="TEST 1: standard compilation"
4	arr[2]="TEST 2: compile seccomp disabled"	4	arr[2]="TEST 2: compile seccomp disabled"
5	arr[3]="TEST 3: compile chroot disabled"	5	arr[3]="TEST 3: compile chroot disabled"
6	arr[4]="TEST 4: compile bind disabled"	6	arr[4]="deprecated: TEST 4: compile bind disabled"
7	arr[5]="TEST 5: compile user namespace disabled"	7	arr[5]="TEST 5: compile user namespace disabled"
8	arr[6]="TEST 6: compile network disabled"	8	arr[6]="TEST 6: compile network disabled"
9	arr[7]="TEST 7: compile X11 disabled"	9	arr[7]="TEST 7: compile X11 disabled"
@@ -14,7 +14,7 @@ arr[11]="TEST 11: compile disable global config"
14	arr[12]="TEST 12: compile apparmor"	14	arr[12]="TEST 12: compile apparmor"
15	arr[13]="TEST 13: compile busybox"	15	arr[13]="TEST 13: compile busybox"
16	arr[14]="TEST 14: compile overlayfs disabled"	16	arr[14]="TEST 14: compile overlayfs disabled"
17	arr[15]="TEST 15: compile apparmor enabled"	17	arr[14]="TEST 15: compile private-home disabled"
18		18
19	# remove previous reports and output file	19	# remove previous reports and output file
20	cleanup() {	20	cleanup() {
@@ -108,24 +108,6 @@ cp output-make om3
108	rm output-configure output-make	108	rm output-configure output-make
109		109
110	#*****************************************************************	110	#*****************************************************************
111	# TEST 4
112	#*****************************************************************
113	# - disable bind configuration
114	#*****************************************************************
115	print_title "${arr[4]}"
116	# seccomp
117	cd firejail
118	make distclean
119	./configure --prefix=/usr --disable-bind --enable-fatal-warnings 2>&1 \| tee ../output-configure
120	make -j4 2>&1 \| tee ../output-make
121	cd ..
122	grep Warning output-configure output-make > ./report-test4
123	grep Error output-configure output-make >> ./report-test4
124	cp output-configure oc4
125	cp output-make om4
126	rm output-configure output-make
127
128	#*****************************************************************
129	# TEST 5	111	# TEST 5
130	#*****************************************************************	112	#*****************************************************************
131	# - disable user namespace configuration	113	# - disable user namespace configuration
@@ -292,13 +274,13 @@ rm output-configure output-make
292	#*****************************************************************	274	#*****************************************************************
293	# TEST 15	275	# TEST 15
294	#*****************************************************************	276	#*****************************************************************
295	# - enable apparmor	277	# - disable private home
296	#*****************************************************************	278	#*****************************************************************
297	print_title "${arr[15]}"	279	print_title "${arr[15]}"
298	# seccomp	280	# seccomp
299	cd firejail	281	cd firejail
300	make distclean	282	make distclean
301	./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 \| tee ../output-configure	283	./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 \| tee ../output-configure
302	make -j4 2>&1 \| tee ../output-make	284	make -j4 2>&1 \| tee ../output-make
303	cd ..	285	cd ..
304	grep Warning output-configure output-make > ./report-test15	286	grep Warning output-configure output-make > ./report-test15
@@ -307,7 +289,6 @@ cp output-configure oc15
307	cp output-make om15	289	cp output-make om15
308	rm output-configure output-make	290	rm output-configure output-make
309		291
310
311	#*****************************************************************	292	#*****************************************************************
312	# PRINT REPORTS	293	# PRINT REPORTS
313	#*****************************************************************	294	#*****************************************************************