-rw-r--r-- | contrib/vim/syntax/firejail.vim | 2 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in | 4 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/include/rundefs.h | 1 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 1 | ||||
-rwxr-xr-x | test/root/cgroup.exp | 65 | ||||
-rwxr-xr-x | test/root/root.sh | 3 |
7 files changed, 2 insertions, 76 deletions
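--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 
 " Commands grabbed from: src/firejail/profile.c
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
 syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained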
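--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -42,10 +42,6 @@ _firejail()
 _filedir -d
 return 0
 ;;
---cgroup)
-_filedir -d
-return 0
-;;
 --tmpfs)
 _filedir
 return 0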
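--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -414,7 +414,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (!arg_shell_none)
 shfd = open_shell();
 
-// in user mode set caps seccomp, cpu, cgroup, etc
+// in user mode set caps seccomp, cpu etc.
 if (getuid() != 0) {
 extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps
 extract_caps(sandbox);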
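Review bot: The rewritten comment on line 417 still does not explain the `getuid() != 0` gate on the line below it, which is the security-relevant fact of this block: the re-application of nonewprivs, caps and whatever else follows is skipped entirely when the joining process runs as root. Suggest `// non-root joiner: re-apply the sandbox's nonewprivs, caps, seccomp, cpu, etc. to this process; a root caller skips this block` so the next reader does not assume root joins are restricted in the same way. join() starts before this hunk and the gated block continues past it, so the full set of restrictions applied here cannot be confirmed from the hunk alone.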
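--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -37,7 +37,6 @@
 #define RUN_RO_DIR RUN_FIREJAIL_DIR "/firejail.ro.dir"
 #define RUN_RO_FILE RUN_FIREJAIL_DIR "/firejail.ro.file"
 #define RUN_MNT_DIR RUN_FIREJAIL_DIR "/mnt" // a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_CGROUP_CFG RUN_MNT_DIR "/cgroup"
 #define RUN_CPU_CFG RUN_MNT_DIR "/cpu"
 #define RUN_GROUPS_CFG RUN_MNT_DIR "/groups"
 #define RUN_PROTOCOL_CFG RUN_MNT_DIR "/protocol"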
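--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -91,7 +91,6 @@ _firejail_args=(
 '--caps.drop=all[drop all capabilities]'
 '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
 '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
-'--cgroup=-[place the sandbox in the specified control group]: :'
 '--cpu=-[set cpu affinity]: :->cpus'
 "--deterministic-exit-code[always exit with first child's status code]"
 '--deterministic-shutdown[terminate orphan processes]'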
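--- a/test/root/cgroup.exp
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2022 Firejail Authors
-# License GPL v2
-
-set timeout 10
-cd /home
-spawn $env(SHELL)
-match_max 100000
-
-
-send -- "mkdir /sys/fs/cgroup/systemd/firejail\r"
-sleep 1
-send -- "ls /sys/fs/cgroup/systemd/firejail\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"tasks"
-}
-
-send -- "firejail --name=\"join testing\" --cgroup=/sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"3"
-}
-
-spawn $env(SHELL)
-send -- "firejail --join=\"join testing\"\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Switching to pid"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-send -- "ps aux\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"/bin/bash"
-}
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"/bin/bash"
-}
-
-after 100
-
-spawn $env(SHELL)
-send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"3"
-}
-after 100
-
-puts "\nall done\n"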
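--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -103,9 +103,6 @@ echo "TESTING: firejail configuration (test/root/checkcfg.exp)"
 ./checkcfg.exp
 cp ../../etc/firejail.config /etc/firejail/.
 
-echo "TESTING: cgroup (test/root/cgroup.exp)"
-./cgroup.exp
-
 echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
 ./option_tmpfs.exp
 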