From 033074ab6d859fbd11fc3e1946d637572666ff48 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 20 Oct 2017 11:08:58 -0400 Subject: allow blacklists noexec etc. in private home directories; fix bug #1608 --- RELNOTES | 3 +++ src/firejail/firejail.h | 1 - src/firejail/fs.c | 8 -------- src/firejail/main.c | 3 ++- src/firejail/profile.c | 3 ++- src/man/firejail.txt | 9 --------- test/fs/private-home-dir.exp | 26 -------------------------- 7 files changed, 7 insertions(+), 46 deletions(-) diff --git a/RELNOTES b/RELNOTES index 9a15686db..49ec862a1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,8 @@ firejail (0.9.51) baseline; urgency=low * work in progress! + * modif: --allow-private-blacklists was deprecated; blacklisting, + read-only, read-write, tmpfs and noexec are allowed in + private home directories * enhancement: support Firejail user config directory in firecfg * enhancement: disable DBus activation in firecfg * enhancement; enumerate root directories in apparmor profile diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e10a5d346..d853daa44 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -298,7 +298,6 @@ void clear_run_files(pid_t pid); extern int arg_private; // mount private /home extern int arg_private_template; // private /home template -extern int arg_allow_private_blacklist; // blacklist things in private directories extern int arg_debug; // print debug messages extern int arg_debug_check_filename; // print debug messages for filename checking extern int arg_debug_blacklists; // print debug messages for blacklists diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 0a6f40959..ed2c9a566 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -220,14 +220,6 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ } } - // We don't usually need to blacklist things in private home directories - if (okay_to_blacklist - && cfg.homedir - && arg_private - && (!arg_allow_private_blacklist) - && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0)) - okay_to_blacklist = false; - if (okay_to_blacklist) disable_file(op, path); else if (arg_debug) diff --git a/src/firejail/main.c b/src/firejail/main.c index 584d0c293..126f98d9b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1600,7 +1600,8 @@ int main(int argc, char **argv) { arg_machineid = 1; } else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { - arg_allow_private_blacklist = 1; + if (!arg_quiet) + fprintf(stderr, "--allow-private-blacklist was deprecated\n"); } else if (strcmp(argv[i], "--private") == 0) { arg_private = 1; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a1c94579c..622306c22 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -242,7 +242,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "allow-private-blacklist") == 0) { - arg_allow_private_blacklist = 1; + if (!arg_quiet) + fprintf(stderr, "--allow-private-blacklist was deprecated\n"); return 0; } else if (strcmp(ptr, "netfilter") == 0) { diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7ba09ba8a..00481d4d3 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
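Review bot: In the `--allow-private-blacklist` branch of main(), the new message `--allow-private-blacklist was deprecated` tells the user neither that the option is now ignored nor what replaced it. According to the RELNOTES entry in this commit, blacklist, read-only, read-write, tmpfs and noexec rules are now always applied inside a private home, so the warning should say so. I would word it as `fprintf(stderr, "Warning: --allow-private-blacklist is deprecated and ignored; blacklists are always applied in private home directories\n");`. The same literal is duplicated in the profile.c hunk, so the wording should be changed in both places. main() begins and ends outside this hunk.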
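Review bot: In the `allow-private-blacklist` branch of profile_check_line(), the warning uses the command-line spelling `--allow-private-blacklist` and does not say which profile contains the stale keyword. The hunk header shows that `lineno` and `fname` are parameters, so the message can point at the exact line, which matters when several profiles are included. Something like `fprintf(stderr, "Warning: %s line %d: allow-private-blacklist is deprecated and ignored\n", fname, lineno);` would do. Whether `fname` can be NULL for some callers is not visible here, so confirm that before passing it to `%s`. The function body continues outside the hunk.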
@@ -87,15 +87,6 @@ Example: .br $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP -\fB\-\-allow-private-blacklist -Allow blacklisting files in private home directory. By default these blacklists are disabled. -.br - -.br -Example: -.br -$ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla -.TP \fB\-\-allusers All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. .br diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index 9c97ff4ea..d58adf801 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp @@ -73,32 +73,6 @@ send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r" sleep 1 send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Not blacklist" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "test_dir_2" -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "Child process initialized" -} - -sleep 1 - -send -- "find ~\r" -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "testfile" -} -after 100 - -send -- "exit\r" -sleep 1 - -send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" expect { timeout {puts "TESTING ERROR 10\n";exit} "Disable" -- cgit v1.2.3-54-g00ecf