From c32924b825a4225d4924222c0584087c0270a670 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 4 Jul 2021 08:21:06 -0400
Subject: deprecated whitelist=yes/no in /etc/firejail/firejail.config

---
 RELNOTES | 1 +
 etc/firejail.config | 3 ---
 src/firejail/checkcfg.c | 1 -
 src/firejail/firejail.h | 1 -
 src/firejail/main.c | 28 ++++++++++------------------
 src/firejail/profile.c | 14 ++------------
 6 files changed, 13 insertions(+), 35 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index 2a2d9fbac..905c25096 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.67) baseline; urgency=low
 * work in progress
 * deprecated --disable-whitelist at compile time
+ * deprecated whitelist=yes/no in /etc/firejail/firejail.config
 -- netblue30 Mon, 28 Jun 2021 09:00:00 -0500

 firejail (0.9.66) baseline; urgency=low
diff --git a/etc/firejail.config b/etc/firejail.config
index 43db49422..2e355586b 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -123,9 +123,6 @@
 # Enable or disable user namespace support, default enabled.
 # userns yes

-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
-
 # Disable whitelist top level directories, in addition to those
 # that are disabled out of the box. None by default; this is an example.
 # whitelist-disable-topdir /etc,/usr/etc
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 501804cbb..06e6f0ccb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -106,7 +106,6 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
 PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
 PARSE_YESNO(CFG_SECCOMP, "seccomp")
- PARSE_YESNO(CFG_WHITELIST, "whitelist")
 PARSE_YESNO(CFG_NETWORK, "network")
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 9971d30b6..6c9d70c0b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -776,7 +776,6 @@ enum {
 CFG_NETWORK,
 CFG_RESTRICTED_NETWORK,
 CFG_FORCE_NONEWPRIVS,
- CFG_WHITELIST,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
 CFG_PRIVATE_BIN,
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b97b1f6ad..f64994e02 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1602,28 +1602,20 @@ int main(int argc, char **argv, char **envp) {

 // whitelist
 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
- if (checkcfg(CFG_WHITELIST)) {
- char *line;
- if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
- errExit("asprintf");
+ char *line;
+ if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+ errExit("asprintf");

- profile_check_line(line, 0, NULL); // will exit if something wrong
- profile_add(line);
- }
- else
- exit_err_feature("whitelist");
+ profile_check_line(line, 0, NULL); // will exit if something wrong
+ profile_add(line);
 }
 else if (strncmp(argv[i], "--allow=", 8) == 0) {
- if (checkcfg(CFG_WHITELIST)) {
- char *line;
- if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
- errExit("asprintf");
+ char *line;
+ if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
+ errExit("asprintf");

- profile_check_line(line, 0, NULL); // will exit if something wrong
- profile_add(line);
- }
- else
- exit_err_feature("whitelist");
+ profile_check_line(line, 0, NULL); // will exit if something wrong
+ profile_add(line);
 }
 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
 char *line;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 430187809..29bb5fbac 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
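Review bot: In the src/firejail/main.c hunk, the `--whitelist=` and `--allow=` branches are now the same five statements apart from the prefix length (12 vs 8), so a validation step added later to one branch can easily be missed in the other. Moving the shared body into a small static helper that takes the path, and calling it from both branches, keeps the two spellings of the option in lockstep. The helper name below is only a suggestion. main() starts and ends outside the hunk.

```c
// suggested helper, defined above main()
static void add_whitelist_line(const char *path) {
	char *line;
	if (asprintf(&line, "whitelist %s", path) == -1)
		errExit("asprintf");

	profile_check_line(line, 0, NULL); // will exit if something wrong
	profile_add(line);
}

// … unchanged: earlier option branches in main() …
else if (strncmp(argv[i], "--whitelist=", 12) == 0)
	add_whitelist_line(argv[i] + 12);
else if (strncmp(argv[i], "--allow=", 8) == 0)
	add_whitelist_line(argv[i] + 8);
```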
@@ -1589,18 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 else if (strncmp(ptr, "noblacklist ", 12) == 0)
 ptr += 12;
 else if (strncmp(ptr, "whitelist ", 10) == 0) {
- if (checkcfg(CFG_WHITELIST)) {
- arg_whitelist = 1;
- ptr += 10;
- }
- else {
- static int whitelist_warning_printed = 0;
- if (!whitelist_warning_printed) {
- warning_feature_disabled("whitelist");
- whitelist_warning_printed = 1;
- }
- return 0;
- }
+ arg_whitelist = 1;
+ ptr += 10;
 }
 else if (strncmp(ptr, "nowhitelist ", 12) == 0)
 ptr += 12;
-- 
cgit v1.2.3-70-g09d2
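Review bot: In the `whitelist ` branch of profile_check_line(), every profile line now sets `arg_whitelist = 1` unconditionally and the one-time `warning_feature_disabled("whitelist")` message is gone, so a host whose firejail.config still carries `whitelist no` gets no signal here that the setting no longer has any effect. What checkcfg() does with the now-unrecognised `whitelist` key is not visible in this patch; it is worth confirming that it reports the deprecation explicitly rather than silently ignoring the line or failing with a generic parse error. A short comment on the branch would also help the next reader, e.g. `// whitelist can no longer be disabled via firejail.config (deprecated in 0.9.67)`. profile_check_line() starts and ends outside the hunk.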