From 3fe1b06a36cefc497e957b603d1a5231ba7fbc02 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 20 Apr 2018 09:28:42 -0400 Subject: cleanup --- src/firejail/Makefile.in | 2 +- src/firejail/checkcfg.c | 7 ------- src/firejail/firejail.h | 4 ---- src/firejail/main.c | 32 -------------------------------- src/firejail/no_sandbox.c | 4 +--- src/firejail/profile.c | 4 ---- src/firejail/usage.c | 6 +----- src/firejail/util.c | 3 --- src/firemon/usage.c | 1 + src/lib/firejail_user.c | 6 ++++++ src/man/firejail-users.txt | 2 +- src/man/firejail.txt | 31 +------------------------------ 12 files changed, 12 insertions(+), 90 deletions(-) (limited to 'src') diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 48d985d73..d0f43041c 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in @@ -2,7 +2,7 @@ all: firejail include ../common.mk -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7b0ae30b6..f8094e893 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -166,10 +166,6 @@ int checkcfg(int val) { else goto errout; } - // follow symlink in private-bin command - else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) { - fwarning("follow-symlink-private-bin from firejail.config was deprecated\n"); - } // nonewprivs else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { if (strcmp(ptr + 17, "yes") == 0) @@ -311,9 +307,6 @@ int checkcfg(int val) { else goto errout; } - else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { - fwarning("remount-proc-sys from firejail.config was deprecated\n"); - } else if (strncmp(ptr, "overlayfs ", 10) == 0) { if (strcmp(ptr + 10, "yes") == 0) cfg_val[CFG_OVERLAYFS] = 1; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 718c0b328..2746deea1 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -309,7 +309,6 @@ static inline int any_interface_configured(void) { extern int arg_private; // mount private /home extern int arg_private_template; // private /home template extern int arg_debug; // print debug messages -extern int arg_debug_check_filename; // print debug messages for filename checking extern int arg_debug_blacklists; // print debug messages for blacklists extern int arg_debug_whitelists; // print debug messages for whitelists extern int arg_debug_private_lib; // print debug messages for private-lib @@ -577,9 +576,6 @@ void caps_keep_list(const char *clist); void caps_print_filter(pid_t pid); void caps_drop_dac_override(void); -// syscall.c -const char *syscall_find_nr(int nr); - // fs_trace.c void fs_trace_preload(void); void fs_trace(void); diff --git a/src/firejail/main.c b/src/firejail/main.c index e676bbd7c..2d8af7f41 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -47,7 +47,6 @@ Config cfg; // configuration int arg_private = 0; // mount private /home and /tmp directoryu int arg_private_template = 0; // mount private /home using a template int arg_debug = 0; // print debug messages -int arg_debug_check_filename = 0; // print debug messages for filename checking int arg_debug_blacklists = 0; // print debug messages for blacklists int arg_debug_whitelists = 0; // print debug messages for whitelists int arg_debug_private_lib = 0; // print debug messages for private-lib @@ -1051,8 +1050,6 @@ int main(int argc, char **argv) { if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) arg_debug = 1; - else if (strcmp(argv[i], "--debug-check-filename") == 0) - arg_debug_check_filename = 1; else if (strcmp(argv[i], "--debug-blacklists") == 0) arg_debug_blacklists = 1; else if (strcmp(argv[i], "--debug-whitelists") == 0) @@ -1439,9 +1436,6 @@ int main(int argc, char **argv) { custom_profile = 1; free(ppath); } - else if (strncmp(argv[i], "--profile-path=", 15) == 0) { - fwarning("--profile-path has been deprecated\n"); - } else if (strcmp(argv[i], "--noprofile") == 0) { if (custom_profile) { fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n"); @@ -1541,9 +1535,6 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--machine-id") == 0) { arg_machineid = 1; } - else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { - fwarning("--allow-private-blacklist was deprecated\n"); - } else if (strcmp(argv[i], "--private") == 0) { arg_private = 1; } @@ -2117,29 +2108,6 @@ int main(int argc, char **argv) { } else if (strcmp(argv[i], "--appimage") == 0) arg_appimage = 1; - else if (strcmp(argv[i], "--csh") == 0) { - if (arg_shell_none) { - - fprintf(stderr, "Error: --shell=none was already specified.\n"); - return 1; - } - if (cfg.shell) { - fprintf(stderr, "Error: only one default user shell can be specified\n"); - return 1; - } - cfg.shell = "/bin/csh"; - } - else if (strcmp(argv[i], "--zsh") == 0) { - if (arg_shell_none) { - fprintf(stderr, "Error: --shell=none was already specified.\n"); - return 1; - } - if (cfg.shell) { - fprintf(stderr, "Error: only one default user shell can be specified\n"); - return 1; - } - cfg.shell = "/bin/zsh"; - } else if (strcmp(argv[i], "--shell=none") == 0) { arg_shell_none = 1; if (cfg.shell) { diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index ba955bcca..5bd3f7e09 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) { for (i = 0; i < argc; i++) { if (strcmp(argv[i], "--debug") == 0) arg_debug = 1; - else if (strcmp(argv[i], "--csh") == 0 || - strcmp(argv[i], "--zsh") == 0 || - strcmp(argv[i], "--shell=none") == 0 || + else if (strcmp(argv[i], "--shell=none") == 0 || strncmp(argv[i], "--shell=", 8) == 0) fwarning("shell-related command line options are disregarded - using SHELL environment variable\n"); } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3ef9a1856..156ffa24a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_nodbus = 1; return 0; } - else if (strcmp(ptr, "allow-private-blacklist") == 0) { - fmessage("--allow-private-blacklist was deprecated\n"); - return 0; - } else if (strcmp(ptr, "netfilter") == 0) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) diff --git a/src/firejail/usage.c b/src/firejail/usage.c index a9dcc78e5..742fc0465 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -29,8 +29,6 @@ static char *usage_str = "Options:\n" " -- - signal the end of options and disables further option processing.\n" " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" - " --allow-private-blacklist - allow blacklisting files in private\n" - "\thome directories.\n" " --allusers - all user home directories are visible inside the sandbox.\n" " --apparmor - enable AppArmor confinement.\n" " --apparmor.print=name|pid - print apparmor status.\n" @@ -58,11 +56,9 @@ static char *usage_str = #endif " --cpu=cpu-number,cpu-number - set cpu affinity.\n" " --cpu.print=name|pid - print the cpus in use.\n" - " --csh - use /bin/csh as default shell.\n" " --debug - print sandbox debug messages.\n" " --debug-blacklists - debug blacklisting.\n" " --debug-caps - print all recognized capabilities.\n" - " --debug-check-filename - debug filename checking.\n" " --debug-errnos - print all recognized error numbers.\n" " --debug-private-lib - debug for --private-lib option.\n" " --debug-protocols - print all recognized protocols.\n" @@ -163,6 +159,7 @@ static char *usage_str = "\tfilesystem, and copy the files and directories in the list.\n" " --private-tmp - mount a tmpfs on top of /tmp directory.\n" " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" + " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" " --profile=filename - use a custom profile.\n" " --profile.print=name|pid - print the name of profile file.\n" " --profile-path=directory - use this directory to look for profile files.\n" @@ -236,7 +233,6 @@ static char *usage_str = " --x11=xvfb - enable Xvfb X11 server.\n" " --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n" #endif - " --zsh - use /usr/bin/zsh as default shell.\n" "\n" "Examples:\n" " $ firejail firefox\n" diff --git a/src/firejail/util.c b/src/firejail/util.c index 3437d495f..a44e52e98 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) { assert(fname); const char *ptr = fname; - if (arg_debug_check_filename) - printf("Checking filename %s\n", fname); - if (strncmp(ptr, "${HOME}", 7) == 0) ptr = fname + 7; else if (strncmp(ptr, "${PATH}", 7) == 0) diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 37bd4e874..a4d642d66 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c @@ -43,6 +43,7 @@ static char *help_str = "\t--tree - print a tree of all sandboxed processes.\n\n" "\t--top - monitor the most CPU-intensive sandboxes.\n\n" "\t--version - print program version and exit.\n\n" + "\t--x11 - print X11 display number.\n\n" "Without any options, firemon monitors all fork, exec, id change, and exit\n" "events in the sandbox. Monitoring a specific PID is also supported.\n\n" diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c index 5d92aa133..7d9784392 100644 --- a/src/lib/firejail_user.c +++ b/src/lib/firejail_user.c @@ -45,6 +45,12 @@ int firejail_user_check(const char *name) { if (strcmp(name, "root") == 0) return 1; + // user nobody disabled by default + if (strcmp(name, "nobody") == 0) { + fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n"); + exit(1); + } + // check file existence char *fname = get_fname(); if (access(fname, F_OK)) { diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index fcc0f914b..ec91e495c 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt @@ -5,7 +5,7 @@ firejail.users \- Firejail user access database .SH DESCRIPTION /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable. If the file is not present in the system, all users are allowed to use the sandbox. -root user is allowed by default. +root user is allowed by default, user nobody is denied access by default. Example: diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6e8e4eb2c..2e410061d 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -313,15 +313,6 @@ $ firejail \-\-list .br $ firejail \-\-cpu.print=3272 -.TP -\fB\-\-csh -Use /bin/csh as default user shell. -.br - -.br -Example: -.br -$ firejail \-\-csh .TP \fB\-\-debug\fR Print debug messages. @@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi Example: .br $ firejail \-\-debug-caps -.TP -\fB\-\-debug-check-filename\fR -Debug filename checking. -.br - -.br -Example: -.br -$ firejail \-\-debug-check-filename firefox .TP \fB\-\-debug-errnos @@ -1949,8 +1931,7 @@ $ firejail \-\-shell=none script.sh \fB\-\-shell=program Set default user shell. Use this shell to run the application using \-c shell option. For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". -By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default -shell. +By default Bash shell (/bin/bash) is used. .br .br @@ -2324,16 +2305,6 @@ Example: $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox .br -.TP -\fB\-\-zsh -Use /usr/bin/zsh as default user shell. -.br - -.br -Example: -.br -$ firejail \-\-zsh - .SH DESKTOP INTEGRATION A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place -- cgit v1.2.3-54-g00ecf