diff --git a/README b/README index 81cf42dcdc4..b21de0f659f 100644 --- a/README +++ b/README @@ -59,7 +59,7 @@ Committers: - rusty-snake (https://github.com/rusty-snake) - smitsohu (https://github.com/smitsohu) - SkewedZeppelin (https://github.com/SkewedZeppelin) -- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches +- startx2017 (https://github.com/startx2017) maintainer) - Topi Miettinen (https://github.com/topimiettinen) - veloute (https://github.com/veloute) diff --git a/RELNOTES b/RELNOTES index 02d9259a9be..0ffd4004904 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,6 @@ firejail (0.9.73) baseline; urgency=low * work in progress + * removed LTS and FIRETUNNEL support * feature: Add "keep-shell-rc" command and option (#1127 #5634) * feature: Print the argument when failing with "too long arguments" (#5677) * feature: a random hostname is assigned to each sandbox unless diff --git a/config.mk.in b/config.mk.in index d50c7d2f5a3..958efdb3416 100644 --- a/config.mk.in +++ b/config.mk.in @@ -34,12 +34,10 @@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_CHROOT=@HAVE_CHROOT@ HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ -HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ HAVE_IDS=@HAVE_IDS@ HAVE_LANDLOCK=@HAVE_LANDLOCK@ -HAVE_LTS=@HAVE_LTS@ HAVE_NETWORK=@HAVE_NETWORK@ HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ HAVE_OUTPUT=@HAVE_OUTPUT@ @@ -57,12 +55,10 @@ MANFLAGS = \ $(HAVE_CHROOT) \ $(HAVE_DBUSPROXY) \ $(HAVE_FILE_TRANSFER) \ - $(HAVE_FIRETUNNEL) \ $(HAVE_FORCE_NONEWPRIVS) \ $(HAVE_GLOBALCFG) \ $(HAVE_IDS) \ $(HAVE_LANDLOCK) \ - $(HAVE_LTS) \ $(HAVE_NETWORK) \ $(HAVE_ONLY_SYSCFG_PROFILES) \ $(HAVE_OUTPUT) \ diff --git a/configure b/configure index 8c2d3b8949f..6bc68741e14 100755 --- a/configure +++ b/configure 
@@ -650,7 +650,6 @@ ac_includes_default="\ ac_header_c_list= ac_subst_vars='LTLIBOBJS LIBOBJS -HAVE_LTS HAVE_ONLY_SYSCFG_PROFILES HAVE_FORCE_NONEWPRIVS HAVE_CONTRIB_INSTALL @@ -666,7 +665,6 @@ HAVE_GLOBALCFG HAVE_CHROOT HAVE_PRIVATE_LIB HAVE_PRIVATE_HOME -HAVE_FIRETUNNEL HAVE_GAWK HAVE_MAN HAVE_USERTMPFS @@ -743,7 +741,6 @@ enable_dbusproxy enable_output enable_usertmpfs enable_man -enable_firetunnel enable_private_home enable_private_lib enable_chroot @@ -759,7 +756,6 @@ enable_gcov enable_contrib_install enable_force_nonewprivs enable_only_syscfg_profiles -enable_lts ' ac_precious_vars='build_alias host_alias @@ -1403,7 +1399,6 @@ Optional Features: --disable-output disable --output logging --disable-usertmpfs disable tmpfs as regular user --disable-man disable man pages - --enable-firetunnel enable firetunnel --disable-private-home disable private home feature --disable-private-lib disable private lib feature --disable-chroot disable chroot @@ -1424,7 +1419,6 @@ Optional Features: enable force nonewprivs --enable-only-syscfg-profiles disable profiles in $HOME/.config/firejail - --enable-lts enable long-term support software version (LTS) Some influential environment variables: CC C compiler command @@ -3913,21 +3907,6 @@ fi fi -HAVE_FIRETUNNEL="" - -# Check whether --enable-firetunnel was given. -if test ${enable_firetunnel+y} -then : - enableval=$enable_firetunnel; -fi - -if test "x$enable_firetunnel" = "xyes" -then : - - HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" - -fi - HAVE_PRIVATE_HOME="" # Check whether --enable-private-home was given. 
@@ -4155,39 +4134,6 @@ then : fi -HAVE_LTS="" - -# Check whether --enable-lts was given. -if test ${enable_lts+y} -then : - enableval=$enable_lts; -fi - -if test "x$enable_lts" = "xyes" -then : - - HAVE_LTS="-DHAVE_LTS" - HAVE_LANDLOCK="" - HAVE_IDS="" - HAVE_DBUSPROXY="" - HAVE_OVERLAYFS="" - HAVE_OUTPUT="" - HAVE_USERTMPFS="" - HAVE_MAN="-DHAVE_MAN" - HAVE_FIRETUNNEL="" - HAVE_PRIVATE_HOME="" - HAVE_PRIVATE_LIB="" - HAVE_CHROOT="" - HAVE_GLOBALCFG="" - HAVE_USERNS="" - HAVE_X11="" - HAVE_FILE_TRANSFER="" - HAVE_SUID="-DHAVE_SUID" - BUSYBOX_WORKAROUND="no" - HAVE_CONTRIB_INSTALL="no" - -fi - ac_fn_c_check_header_compile "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" if test "x$ac_cv_header_linux_seccomp_h" = xyes then : @@ -5384,11 +5330,9 @@ Features: disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES enable --output logging: $HAVE_OUTPUT file transfer support: $HAVE_FILE_TRANSFER - firetunnel support: $HAVE_FIRETUNNEL global config: $HAVE_GLOBALCFG IDS support: $HAVE_IDS Landlock support: $HAVE_LANDLOCK - LTS: $HAVE_LTS manpage support: $HAVE_MAN network: $HAVE_NETWORK overlayfs support: $HAVE_OVERLAYFS @@ -5400,13 +5344,3 @@ Features: EOF -if test "$HAVE_LTS" = -DHAVE_LTS; then - cat <<\EOF -********************************************************* -* Warning: Long-term support (LTS) was enabled! * -* Most compile-time options have been rewritten! * -********************************************************* - -EOF -fi - diff --git a/configure.ac b/configure.ac index bd80150edd0..fc99820de8c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -137,14 +137,6 @@ AS_IF([test "x$enable_man" != "xno"], [ AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR([*** gawk not found ***])]) ]) -HAVE_FIRETUNNEL="" -AC_SUBST([HAVE_FIRETUNNEL]) -AC_ARG_ENABLE([firetunnel], - [AS_HELP_STRING([--enable-firetunnel], [enable firetunnel])]) -AS_IF([test "x$enable_firetunnel" = "xyes"], [ - HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL" -]) - HAVE_PRIVATE_HOME="" AC_SUBST([HAVE_PRIVATE_HOME]) AC_ARG_ENABLE([private-home], @@ -268,32 +260,6 @@ AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [ HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" ]) -HAVE_LTS="" -AC_SUBST([HAVE_LTS]) -AC_ARG_ENABLE([lts], - [AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])]) -AS_IF([test "x$enable_lts" = "xyes"], [ - HAVE_LTS="-DHAVE_LTS" - HAVE_LANDLOCK="" - HAVE_IDS="" - HAVE_DBUSPROXY="" - HAVE_OVERLAYFS="" - HAVE_OUTPUT="" - HAVE_USERTMPFS="" - HAVE_MAN="-DHAVE_MAN" - HAVE_FIRETUNNEL="" - HAVE_PRIVATE_HOME="" - HAVE_PRIVATE_LIB="" - HAVE_CHROOT="" - HAVE_GLOBALCFG="" - HAVE_USERNS="" - HAVE_X11="" - HAVE_FILE_TRANSFER="" - HAVE_SUID="-DHAVE_SUID" - BUSYBOX_WORKAROUND="no" - HAVE_CONTRIB_INSTALL="no" -]) - AC_CHECK_HEADER([linux/seccomp.h], [], [AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])]) @@ -332,11 +298,9 @@ Features: disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES enable --output logging: $HAVE_OUTPUT file transfer support: $HAVE_FILE_TRANSFER - firetunnel support: $HAVE_FIRETUNNEL global config: $HAVE_GLOBALCFG IDS support: $HAVE_IDS Landlock support: $HAVE_LANDLOCK - LTS: $HAVE_LTS manpage support: $HAVE_MAN network: $HAVE_NETWORK overlayfs support: $HAVE_OVERLAYFS 
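Review bot: With the `HAVE_LTS` block gone (second configure.ac hunk, `-268,32`), the script no longer declares `--enable-lts`, and autoconf by default only warns about an unrecognized `--enable-*` option, so a packaging script that still passes it keeps building. The result then carries the default feature set rather than the reduced one the old block forced (it cleared `HAVE_USERNS`, `HAVE_X11`, `HAVE_CHROOT`, `HAVE_OVERLAYFS`, `HAVE_FILE_TRANSFER` and others), which for a SUID binary is a silent widening of the attack surface. A one-line tombstone would stop the build instead: `AS_IF([test "x$enable_lts" = "xyes"], [AC_MSG_ERROR([*** --enable-lts was removed; pass the individual --disable-* options instead ***])])`. The RELNOTES line "removed LTS and FIRETUNNEL support" should also name the `--disable-*` options that replace it. `--enable-firetunnel` from the first hunk is in the same position, though there the old option only added a feature, so ignoring it is harmless.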
@@ -347,13 +311,3 @@ Features: X11 sandboxing support: $HAVE_X11 EOF - -if test "$HAVE_LTS" = -DHAVE_LTS; then - cat <<\EOF -********************************************************* -* Warning: Long-term support (LTS) was enabled! * -* Most compile-time options have been rewritten! * -********************************************************* - -EOF -fi diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7792c6541f2..3283fae1317 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -349,13 +349,6 @@ static const char *const compiletime_support = "disabled" #endif - "\n\t- firetunnel support is " -#ifdef HAVE_FIRETUNNEL - "enabled" -#else - "disabled" -#endif - "\n\t- IDS support is " #ifdef HAVE_IDS "enabled" diff --git a/src/firejail/main.c b/src/firejail/main.c index aaa7c8a2f29..76bfcede8aa 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1826,33 +1826,6 @@ int main(int argc, char **argv, char **envp) { else exit_err_feature("overlayfs"); } -#endif -#ifdef HAVE_FIRETUNNEL - else if (strcmp(argv[i], "--tunnel") == 0) { - // try to connect to the default client side of the tunnel - // if this fails, try the default server side of the tunnel - if (access("/run/firetunnel/ftc", R_OK) == 0) - profile_read("/run/firetunnel/ftc"); - else if (access("/run/firetunnel/fts", R_OK) == 0) - profile_read("/run/firetunnel/fts"); - else { - fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n"); - exit(1); - } - } - else if (strncmp(argv[i], "--tunnel=", 9) == 0) { - char *fname; - - if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1) - errExit("asprintf"); - invalid_filename(fname, 0); // no globbing - if (access(fname, R_OK) == 0) - profile_read(fname); - else { - fprintf(stderr, "Error: tunnel not found\n"); - exit(1); - } - } #endif else if (strncmp(argv[i], "--include=", 10) == 0) { char *ppath = expand_macros(argv[i] + 10); 
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 9761edb76d1..ccc9a50a561 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in @@ -42,15 +42,6 @@ Miscellaneous: firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version} .RE .SH DESCRIPTION -#ifdef HAVE_LTS -This is Firejail long-term support (LTS), an enterprise focused version of the software, -LTS is usually supported for two or three years. -During this time only bugs and the occasional documentation problems are fixed. -The attack surface of the SUID executable was greatly reduced by removing some of the features. -.br - -.br -#endif Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. @@ -3043,28 +3034,6 @@ $ firejail \-\-tree .br 11970:netblue:transmission-gtk -#ifdef HAVE_FIRETUNNEL -.TP -\fB\-\-tunnel[=devname] -Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options -tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active, -please specify the tunnel device using \-\-tunnel=devname. -.br - -.br -The available tunnel devices are listed in /etc/firetunnel directory, one file for each device. -The files are regular firejail profile files containing the network configuration, -and are created and managed by firetunnel utility. -By default ftc is the client-side device and fts is the server-side device. For more information -please see man 1 firetunnel. -.br - -.br -Example: -.br -$ firejail --tunnel firefox -.br -#endif .TP \fB\-\-version Print program version/compile time support and exit. diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index bea5df2bee5..c4056b902e9 100644 --- a/src/zsh_completion/_firejail.in 
+++ b/src/zsh_completion/_firejail.in @@ -213,10 +213,6 @@ _firejail_args=( '--ls=-[list files in sandbox container name|pid]: :_all_firejails' #endif -#ifdef HAVE_FIRETUNNEL - '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' -#endif - #ifdef HAVE_NETWORK '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' '--defaultgw=[configure default gateway]: :'