From 033074ab6d859fbd11fc3e1946d637572666ff48 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 20 Oct 2017 11:08:58 -0400
Subject: allow blacklists noexec etc. in private home directories; fix bug #1608
---
 src/firejail/firejail.h | 1 -
 src/firejail/fs.c | 8 --------
 src/firejail/main.c | 3 ++-
 src/firejail/profile.c | 3 ++-
 src/man/firejail.txt | 9 ---------
 5 files changed, 4 insertions(+), 20 deletions(-)
 (limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e10a5d346..d853daa44 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -298,7 +298,6 @@ void clear_run_files(pid_t pid);
 extern int arg_private; // mount private /home
 extern int arg_private_template; // private /home template
-extern int arg_allow_private_blacklist; // blacklist things in private directories
 extern int arg_debug; // print debug messages
 extern int arg_debug_check_filename; // print debug messages for filename checking
 extern int arg_debug_blacklists; // print debug messages for blacklists
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0a6f40959..ed2c9a566 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -220,14 +220,6 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
 }
- // We don't usually need to blacklist things in private home directories
- if (okay_to_blacklist
- && cfg.homedir
- && arg_private
- && (!arg_allow_private_blacklist)
- && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
- okay_to_blacklist = false;
-
 if (okay_to_blacklist)
 disable_file(op, path);
 else if (arg_debug)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 584d0c293..126f98d9b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1600,7 +1600,8 @@ int main(int argc, char **argv) {
 arg_machineid = 1;
 }
 else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
- arg_allow_private_blacklist = 1;
+ if (!arg_quiet)
+ fprintf(stderr, "--allow-private-blacklist was deprecated\n");
 }
 else if (strcmp(argv[i], "--private") == 0) {
 arg_private = 1;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a1c94579c..622306c22 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -242,7 +242,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "allow-private-blacklist") == 0) {
- arg_allow_private_blacklist = 1;
+ if (!arg_quiet)
+ fprintf(stderr, "--allow-private-blacklist was deprecated\n");
 return 0;
 }
 else if (strcmp(ptr, "netfilter") == 0) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7ba09ba8a..00481d4d3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -87,15 +87,6 @@ Example:
 .br
 $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
-\fB\-\-allow-private-blacklist
-Allow blacklisting files in private home directory. By default these blacklists are disabled.
-.br
-
-.br
-Example:
-.br
-$ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
-.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br
-- 
cgit v1.2.3-54-g00ecf
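Review bot: The deprecation message on the new `fprintf` line says the option is deprecated but not what happens now, although the fs.c hunk in this same commit removes the check that skipped blacklisting for paths under the private home, so blacklist rules are no longer exempted there regardless of the flag; a user who passed `--allow-private-blacklist` to get that behaviour cannot tell from "was deprecated" whether it is still honoured, and a user who relied on the old default gets no signal at all. The same wording is duplicated in the profile.c hunk, so the two strings will drift unless they share one definition. Consider `fprintf(stderr, "Warning: --allow-private-blacklist is deprecated; blacklists are now always applied inside private home directories\n");` in both places, ideally via one shared constant. main's body continues outside the hunk.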
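Review bot: The profile-side warning on the new `fprintf` line reports the command-line spelling `--allow-private-blacklist` for a directive that appears in a profile file as `allow-private-blacklist`, and it discards the `lineno` and `fname` parameters that profile_check_line receives in the hunk header, so a user with several included profiles cannot locate the line to delete. Consider `fprintf(stderr, "Warning: allow-private-blacklist is deprecated and ignored (%s line %d)\n", fname, lineno);`. profile_check_line's body continues outside the hunk.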