deprecated whitelist=yes/no in /etc/firejail/firejail.config

kmk3 · Jul 4, 2021 · c32924b · c32924b
1 parent a11707e
commit c32924b
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 35 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.67) baseline; urgency=low
  * work in progress
  * deprecated --disable-whitelist at compile time
+ * deprecated whitelist=yes/no in /etc/firejail/firejail.config
  -- netblue30 <[email protected]> Mon, 28 Jun 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low

diff --git a/etc/firejail.config b/etc/firejail.config
@@ -123,9 +123,6 @@
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
-
 # Disable whitelist top level directories, in addition to those
 # that are disabled out of the box. None by default; this is an example.
 # whitelist-disable-topdir /etc,/usr/etc

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -106,7 +106,6 @@ int checkcfg(int val) {
  PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
  PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
  PARSE_YESNO(CFG_SECCOMP, "seccomp")
- PARSE_YESNO(CFG_WHITELIST, "whitelist")
  PARSE_YESNO(CFG_NETWORK, "network")
  PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
  PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -776,7 +776,6 @@ enum {
  CFG_NETWORK,
  CFG_RESTRICTED_NETWORK,
  CFG_FORCE_NONEWPRIVS,
- CFG_WHITELIST,
  CFG_XEPHYR_WINDOW_TITLE,
  CFG_OVERLAYFS,
  CFG_PRIVATE_BIN,

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -1602,28 +1602,20 @@ int main(int argc, char **argv, char **envp) {
 
  // whitelist
  else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
- if (checkcfg(CFG_WHITELIST)) {
- char *line;
- if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
- errExit("asprintf");
+ char *line;
+ if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+ errExit("asprintf");
 
- profile_check_line(line, 0, NULL); // will exit if something wrong
- profile_add(line);
- }
- else
- exit_err_feature("whitelist");
+ profile_check_line(line, 0, NULL); // will exit if something wrong
+ profile_add(line);
  }
  else if (strncmp(argv[i], "--allow=", 8) == 0) {
- if (checkcfg(CFG_WHITELIST)) {
- char *line;
- if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
- errExit("asprintf");
+ char *line;
+ if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
+ errExit("asprintf");
 
- profile_check_line(line, 0, NULL); // will exit if something wrong
- profile_add(line);
- }
- else
- exit_err_feature("whitelist");
+ profile_check_line(line, 0, NULL); // will exit if something wrong
+ profile_add(line);
  }
  else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
  char *line;

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -1589,18 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  else if (strncmp(ptr, "noblacklist ", 12) == 0)
  ptr += 12;
  else if (strncmp(ptr, "whitelist ", 10) == 0) {
- if (checkcfg(CFG_WHITELIST)) {
- arg_whitelist = 1;
- ptr += 10;
- }
- else {
- static int whitelist_warning_printed = 0;
- if (!whitelist_warning_printed) {
- warning_feature_disabled("whitelist");
- whitelist_warning_printed = 1;
- }
- return 0;
- }
+ arg_whitelist = 1;
+ ptr += 10;
  }
  else if (strncmp(ptr, "nowhitelist ", 12) == 0)
  ptr += 12;