diff options
-rw-r--r-- | RELNOTES | 5 | ||||
-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 2 |
9 files changed, 6 insertions, 49 deletions
@@ -1,3 +1,8 @@ | |||
1 | firejail (0.9.67) baseline; urgency=low | ||
2 | * work in progress | ||
3 | * deprecated --disable-whitelist at compile time | ||
4 | -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500 | ||
5 | |||
1 | firejail (0.9.66) baseline; urgency=low | 6 | firejail (0.9.66) baseline; urgency=low |
2 | * deprecated --audit options, relpaced by jailcheck utility | 7 | * deprecated --audit options, relpaced by jailcheck utility |
3 | * deprecated follow-symlink-as-user from firejail.config | 8 | * deprecated follow-symlink-as-user from firejail.config |
@@ -634,7 +634,6 @@ HAVE_GCOV | |||
634 | BUSYBOX_WORKAROUND | 634 | BUSYBOX_WORKAROUND |
635 | HAVE_FATAL_WARNINGS | 635 | HAVE_FATAL_WARNINGS |
636 | HAVE_SUID | 636 | HAVE_SUID |
637 | HAVE_WHITELIST | ||
638 | HAVE_FILE_TRANSFER | 637 | HAVE_FILE_TRANSFER |
639 | HAVE_X11 | 638 | HAVE_X11 |
640 | HAVE_USERNS | 639 | HAVE_USERNS |
@@ -726,7 +725,6 @@ enable_network | |||
726 | enable_userns | 725 | enable_userns |
727 | enable_x11 | 726 | enable_x11 |
728 | enable_file_transfer | 727 | enable_file_transfer |
729 | enable_whitelist | ||
730 | enable_suid | 728 | enable_suid |
731 | enable_fatal_warnings | 729 | enable_fatal_warnings |
732 | enable_busybox_workaround | 730 | enable_busybox_workaround |
@@ -1385,7 +1383,6 @@ Optional Features: | |||
1385 | --disable-userns disable user namespace | 1383 | --disable-userns disable user namespace |
1386 | --disable-x11 disable X11 sandboxing support | 1384 | --disable-x11 disable X11 sandboxing support |
1387 | --disable-file-transfer disable file transfer | 1385 | --disable-file-transfer disable file transfer |
1388 | --disable-whitelist disable whitelist | ||
1389 | --disable-suid install as a non-SUID executable | 1386 | --disable-suid install as a non-SUID executable |
1390 | --enable-fatal-warnings -W -Wall -Werror | 1387 | --enable-fatal-warnings -W -Wall -Werror |
1391 | --enable-busybox-workaround | 1388 | --enable-busybox-workaround |
@@ -3747,19 +3744,6 @@ if test "x$enable_file_transfer" != "xno"; then : | |||
3747 | 3744 | ||
3748 | fi | 3745 | fi |
3749 | 3746 | ||
3750 | HAVE_WHITELIST="" | ||
3751 | # Check whether --enable-whitelist was given. | ||
3752 | if test "${enable_whitelist+set}" = set; then : | ||
3753 | enableval=$enable_whitelist; | ||
3754 | fi | ||
3755 | |||
3756 | if test "x$enable_whitelist" != "xno"; then : | ||
3757 | |||
3758 | HAVE_WHITELIST="-DHAVE_WHITELIST" | ||
3759 | |||
3760 | |||
3761 | fi | ||
3762 | |||
3763 | HAVE_SUID="" | 3747 | HAVE_SUID="" |
3764 | # Check whether --enable-suid was given. | 3748 | # Check whether --enable-suid was given. |
3765 | if test "${enable_suid+set}" = set; then : | 3749 | if test "${enable_suid+set}" = set; then : |
@@ -5572,7 +5556,6 @@ Configuration options: | |||
5572 | network: $HAVE_NETWORK | 5556 | network: $HAVE_NETWORK |
5573 | user namespace: $HAVE_USERNS | 5557 | user namespace: $HAVE_USERNS |
5574 | X11 sandboxing support: $HAVE_X11 | 5558 | X11 sandboxing support: $HAVE_X11 |
5575 | whitelisting: $HAVE_WHITELIST | ||
5576 | private home support: $HAVE_PRIVATE_HOME | 5559 | private home support: $HAVE_PRIVATE_HOME |
5577 | file transfer support: $HAVE_FILE_TRANSFER | 5560 | file transfer support: $HAVE_FILE_TRANSFER |
5578 | overlayfs support: $HAVE_OVERLAYFS | 5561 | overlayfs support: $HAVE_OVERLAYFS |
diff --git a/configure.ac b/configure.ac index be534e49f..1f8e802b5 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -177,14 +177,6 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [ | |||
177 | AC_SUBST(HAVE_FILE_TRANSFER) | 177 | AC_SUBST(HAVE_FILE_TRANSFER) |
178 | ]) | 178 | ]) |
179 | 179 | ||
180 | HAVE_WHITELIST="" | ||
181 | AC_ARG_ENABLE([whitelist], | ||
182 | AS_HELP_STRING([--disable-whitelist], [disable whitelist])) | ||
183 | AS_IF([test "x$enable_whitelist" != "xno"], [ | ||
184 | HAVE_WHITELIST="-DHAVE_WHITELIST" | ||
185 | AC_SUBST(HAVE_WHITELIST) | ||
186 | ]) | ||
187 | |||
188 | HAVE_SUID="" | 180 | HAVE_SUID="" |
189 | AC_ARG_ENABLE([suid], | 181 | AC_ARG_ENABLE([suid], |
190 | AS_HELP_STRING([--disable-suid], [install as a non-SUID executable])) | 182 | AS_HELP_STRING([--disable-suid], [install as a non-SUID executable])) |
@@ -323,7 +315,6 @@ Configuration options: | |||
323 | network: $HAVE_NETWORK | 315 | network: $HAVE_NETWORK |
324 | user namespace: $HAVE_USERNS | 316 | user namespace: $HAVE_USERNS |
325 | X11 sandboxing support: $HAVE_X11 | 317 | X11 sandboxing support: $HAVE_X11 |
326 | whitelisting: $HAVE_WHITELIST | ||
327 | private home support: $HAVE_PRIVATE_HOME | 318 | private home support: $HAVE_PRIVATE_HOME |
328 | file transfer support: $HAVE_FILE_TRANSFER | 319 | file transfer support: $HAVE_FILE_TRANSFER |
329 | overlayfs support: $HAVE_OVERLAYFS | 320 | overlayfs support: $HAVE_OVERLAYFS |
diff --git a/src/common.mk.in b/src/common.mk.in index f88da55ac..5ae8bf204 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
@@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@ | |||
15 | HAVE_USERNS=@HAVE_USERNS@ | 15 | HAVE_USERNS=@HAVE_USERNS@ |
16 | HAVE_X11=@HAVE_X11@ | 16 | HAVE_X11=@HAVE_X11@ |
17 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | 17 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ |
18 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
19 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | 18 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ |
20 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 19 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
21 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | 20 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ |
@@ -42,7 +41,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) | |||
42 | CFLAGS = @CFLAGS@ | 41 | CFLAGS = @CFLAGS@ |
43 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) | 42 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) |
44 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' | 43 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' |
45 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) | 44 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) |
46 | CFLAGS += $(MANFLAGS) | 45 | CFLAGS += $(MANFLAGS) |
47 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security | 46 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security |
48 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread | 47 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 1e9f4b641..501804cbb 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -342,14 +342,6 @@ void print_compiletime_support(void) { | |||
342 | #endif | 342 | #endif |
343 | ); | 343 | ); |
344 | 344 | ||
345 | printf("\t- file and directory whitelisting support is %s\n", | ||
346 | #ifdef HAVE_WHITELIST | ||
347 | "enabled" | ||
348 | #else | ||
349 | "disabled" | ||
350 | #endif | ||
351 | ); | ||
352 | |||
353 | printf("\t- file transfer support is %s\n", | 345 | printf("\t- file transfer support is %s\n", |
354 | #ifdef HAVE_FILE_TRANSFER | 346 | #ifdef HAVE_FILE_TRANSFER |
355 | "enabled" | 347 | "enabled" |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7a0d52837..cf3f8a82d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1581,8 +1581,6 @@ int main(int argc, char **argv, char **envp) { | |||
1581 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1581 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1582 | profile_add(line); | 1582 | profile_add(line); |
1583 | } | 1583 | } |
1584 | |||
1585 | #ifdef HAVE_WHITELIST | ||
1586 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1584 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
1587 | if (checkcfg(CFG_WHITELIST)) { | 1585 | if (checkcfg(CFG_WHITELIST)) { |
1588 | char *line; | 1586 | char *line; |
@@ -1603,7 +1601,6 @@ int main(int argc, char **argv, char **envp) { | |||
1603 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1601 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1604 | profile_add(line); | 1602 | profile_add(line); |
1605 | } | 1603 | } |
1606 | #endif | ||
1607 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { | 1604 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { |
1608 | char *line; | 1605 | char *line; |
1609 | if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) | 1606 | if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index e52bdc6e3..350122844 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1589,7 +1589,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1589 | else if (strncmp(ptr, "noblacklist ", 12) == 0) | 1589 | else if (strncmp(ptr, "noblacklist ", 12) == 0) |
1590 | ptr += 12; | 1590 | ptr += 12; |
1591 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | 1591 | else if (strncmp(ptr, "whitelist ", 10) == 0) { |
1592 | #ifdef HAVE_WHITELIST | ||
1593 | if (checkcfg(CFG_WHITELIST)) { | 1592 | if (checkcfg(CFG_WHITELIST)) { |
1594 | arg_whitelist = 1; | 1593 | arg_whitelist = 1; |
1595 | ptr += 10; | 1594 | ptr += 10; |
@@ -1602,9 +1601,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1602 | } | 1601 | } |
1603 | return 0; | 1602 | return 0; |
1604 | } | 1603 | } |
1605 | #else | ||
1606 | return 0; | ||
1607 | #endif | ||
1608 | } | 1604 | } |
1609 | else if (strncmp(ptr, "nowhitelist ", 12) == 0) | 1605 | else if (strncmp(ptr, "nowhitelist ", 12) == 0) |
1610 | ptr += 12; | 1606 | ptr += 12; |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 888a6ffed..2093a4ed3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -80,9 +80,7 @@ static char *usage_str = | |||
80 | " --debug-protocols - print all recognized protocols.\n" | 80 | " --debug-protocols - print all recognized protocols.\n" |
81 | " --debug-syscalls - print all recognized system calls.\n" | 81 | " --debug-syscalls - print all recognized system calls.\n" |
82 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 82 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
83 | #ifdef HAVE_WHITELIST | ||
84 | " --debug-whitelists - debug whitelisting.\n" | 83 | " --debug-whitelists - debug whitelisting.\n" |
85 | #endif | ||
86 | #ifdef HAVE_NETWORK | 84 | #ifdef HAVE_NETWORK |
87 | " --defaultgw=address - configure default gateway.\n" | 85 | " --defaultgw=address - configure default gateway.\n" |
88 | #endif | 86 | #endif |
@@ -252,9 +250,7 @@ static char *usage_str = | |||
252 | #ifdef HAVE_NETWORK | 250 | #ifdef HAVE_NETWORK |
253 | " --veth-name=name - use this name for the interface connected to the bridge.\n" | 251 | " --veth-name=name - use this name for the interface connected to the bridge.\n" |
254 | #endif | 252 | #endif |
255 | #ifdef HAVE_WHITELIST | ||
256 | " --whitelist=filename - whitelist directory or file.\n" | 253 | " --whitelist=filename - whitelist directory or file.\n" |
257 | #endif | ||
258 | " --writable-etc - /etc directory is mounted read-write.\n" | 254 | " --writable-etc - /etc directory is mounted read-write.\n" |
259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" | 255 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" |
260 | "\t/run/user/$UID/gnupg.\n" | 256 | "\t/run/user/$UID/gnupg.\n" |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index f1a19b86d..cede9c101 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -251,10 +251,8 @@ _firejail_args=( | |||
251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
252 | #endif | 252 | #endif |
253 | 253 | ||
254 | #ifdef HAVE_WHITELIST | ||
255 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | 254 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' |
256 | '*--whitelist=-[whitelist directory or file]: :_files' | 255 | '*--whitelist=-[whitelist directory or file]: :_files' |
257 | #endif | ||
258 | 256 | ||
259 | #ifdef HAVE_X11 | 257 | #ifdef HAVE_X11 |
260 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | 258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' |