-rw-r--r--RELNOTES1
-rw-r--r--etc/firejail.config3
-rw-r--r--src/firejail/checkcfg.c1
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/main.c28
-rw-r--r--src/firejail/profile.c14
6 files changed, 13 insertions, 35 deletions
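--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.67) baseline; urgency=low
  * work in progress
  * deprecated --disable-whitelist at compile time
+ * deprecated whitelist=yes/no in /etc/firejail/firejail.config
  -- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low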
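--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -123,9 +123,6 @@
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
-
 # Disable whitelist top level directories, in addition to those
 # that are disabled out of the box. None by default; this is an example.
 # whitelist-disable-topdir /etc,/usr/etc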
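--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -106,7 +106,6 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
 PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
 PARSE_YESNO(CFG_SECCOMP, "seccomp")
-PARSE_YESNO(CFG_WHITELIST, "whitelist")
 PARSE_YESNO(CFG_NETWORK, "network")
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")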
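Review bot: Dropping the `PARSE_YESNO(CFG_WHITELIST, "whitelist")` arm turns what RELNOTES calls a deprecation into an immediate behaviour change for any installed firejail.config that still carries an uncommented `whitelist yes` or `whitelist no`: the key no longer matches any arm of the chain and falls through to whatever checkcfg() does for unrecognised keys, which is outside this hunk. If that tail is the usual invalid-line error, firejail refuses to start until the administrator edits the file; if the key is silently ignored, a `whitelist no` that an admin relied on to turn the feature off now does nothing, with no indication that the sandbox policy changed. A deprecation cycle should keep recognising the key and warn, e.g. `else if (strncmp(ptr, "whitelist ", 10) == 0) fwarning("firejail.config: \"whitelist\" is deprecated and ignored\n");` in place of the removed arm (line-pointer and warning-helper names assumed from the rest of the file). checkcfg() begins and ends outside the hunk.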
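--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -776,7 +776,6 @@ enum {
 CFG_NETWORK,
 CFG_RESTRICTED_NETWORK,
 CFG_FORCE_NONEWPRIVS,
-CFG_WHITELIST,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
 CFG_PRIVATE_BIN,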
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b97b1f6ad..f64994e02 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1602,28 +1602,20 @@ int main(int argc, char **argv, char **envp) {
1602 1602
1603 // whitelist 1603 // whitelist
1604 else if (strncmp(argv[i], "--whitelist=", 12) == 0) { 1604 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
1605 if (checkcfg(CFG_WHITELIST)) { 1605 char *line;
1606 char *line; 1606 if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
1607 if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) 1607 errExit("asprintf");
1608 errExit("asprintf");
1609 1608
1610 profile_check_line(line, 0, NULL); // will exit if something wrong 1609 profile_check_line(line, 0, NULL); // will exit if something wrong
1611 profile_add(line); 1610 profile_add(line);
1612 }
1613 else
1614 exit_err_feature("whitelist");
1615 } 1611 }
1616 else if (strncmp(argv[i], "--allow=", 8) == 0) { 1612 else if (strncmp(argv[i], "--allow=", 8) == 0) {
1617 if (checkcfg(CFG_WHITELIST)) { 1613 char *line;
1618 char *line; 1614 if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
1619 if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1) 1615 errExit("asprintf");
1620 errExit("asprintf");
1621 1616
1622 profile_check_line(line, 0, NULL); // will exit if something wrong 1617 profile_check_line(line, 0, NULL); // will exit if something wrong
1623 profile_add(line); 1618 profile_add(line);
1624 }
1625 else
1626 exit_err_feature("whitelist");
1627 } 1619 }
1628 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { 1620 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
1629 char *line; 1621 char *line;
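Review bot: With the checkcfg() gate removed, the `--whitelist=` and `--allow=` branches on the new side are identical apart from the prefix length (12 vs 8), so the asprintf/profile_check_line/profile_add sequence is now maintained in two places and any later fix to one alias can silently miss the other. Folding them into a single branch that takes the value after the `=` keeps the two spellings in lockstep; `strchr(argv[i], '=')` cannot return NULL here because the matched prefix already contains the `=`. The `line` buffer is handed to profile_add() and not freed in either branch, which is pre-existing and presumably intentional ownership transfer — worth a one-line comment if so. main() begins and ends outside the hunk, and the `--nowhitelist=` branch that follows is cut off at the hunk's end.
```c
// whitelist (--allow= is an alias for --whitelist=)
else if (strncmp(argv[i], "--whitelist=", 12) == 0 ||
         strncmp(argv[i], "--allow=", 8) == 0) {
	char *line;
	// prefix matched above, so '=' is guaranteed to be present
	if (asprintf(&line, "whitelist %s", strchr(argv[i], '=') + 1) == -1)
		errExit("asprintf");

	profile_check_line(line, 0, NULL); // will exit if something wrong
	profile_add(line);
}
// … unchanged: --nowhitelist= branch …
```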
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 430187809..29bb5fbac 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1589,18 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1589 else if (strncmp(ptr, "noblacklist ", 12) == 0) 1589 else if (strncmp(ptr, "noblacklist ", 12) == 0)
1590 ptr += 12; 1590 ptr += 12;
1591 else if (strncmp(ptr, "whitelist ", 10) == 0) { 1591 else if (strncmp(ptr, "whitelist ", 10) == 0) {
1592 if (checkcfg(CFG_WHITELIST)) { 1592 arg_whitelist = 1;
1593 arg_whitelist = 1; 1593 ptr += 10;
1594 ptr += 10;
1595 }
1596 else {
1597 static int whitelist_warning_printed = 0;
1598 if (!whitelist_warning_printed) {
1599 warning_feature_disabled("whitelist");
1600 whitelist_warning_printed = 1;
1601 }
1602 return 0;
1603 }
1604 } 1594 }
1605 else if (strncmp(ptr, "nowhitelist ", 12) == 0) 1595 else if (strncmp(ptr, "nowhitelist ", 12) == 0)
1606 ptr += 12; 1596 ptr += 12;