cleanup

RELNOTES

@@ -1,6 +1,8 @@
 firejail (0.9.53) baseline; urgency=low
  * work in progress
  * modif: --force depercated
+ * modif: --csg, --zsh deprecated
+ * modif: --debug-check-filename deprecated
  * modif: --git-install and --git-uninstall deprecated
  * modif: support for private-bin, private-lib and shell none has been
  disabled while running AppImage archives in order to be able to use

src/firejail/Makefile.in

@@ -2,7 +2,7 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
  $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o

src/firejail/checkcfg.c

@@ -166,10 +166,6 @@ int checkcfg(int val) {
  else
  goto errout;
  }
- // follow symlink in private-bin command
- else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
- fwarning("follow-symlink-private-bin from firejail.config was deprecated\n");
- }
  // nonewprivs
  else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
  if (strcmp(ptr + 17, "yes") == 0)
@@ -311,9 +307,6 @@ int checkcfg(int val) {
  else
  goto errout;
  }
- else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
- fwarning("remount-proc-sys from firejail.config was deprecated\n");
- }
  else if (strncmp(ptr, "overlayfs ", 10) == 0) {
  if (strcmp(ptr + 10, "yes") == 0)
  cfg_val[CFG_OVERLAYFS] = 1;

src/firejail/firejail.h

@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private; // mount private /home
 extern int arg_private_template; // private /home template
 extern int arg_debug; // print debug messages
-extern int arg_debug_check_filename; // print debug messages for filename checking
 extern int arg_debug_blacklists; // print debug messages for blacklists
 extern int arg_debug_whitelists; // print debug messages for whitelists
 extern int arg_debug_private_lib; // print debug messages for private-lib
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
 void caps_drop_dac_override(void);
 
-// syscall.c
-const char *syscall_find_nr(int nr);
-
 // fs_trace.c
 void fs_trace_preload(void);
 void fs_trace(void);

src/firejail/main.c

@@ -47,7 +47,6 @@ Config cfg; // configuration
 int arg_private = 0; // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0; // print debug messages
-int arg_debug_check_filename = 0; // print debug messages for filename checking
 int arg_debug_blacklists = 0; // print debug messages for blacklists
 int arg_debug_whitelists = 0; // print debug messages for whitelists
 int arg_debug_private_lib = 0; // print debug messages for private-lib
@@ -1051,8 +1050,6 @@ int main(int argc, char **argv) {
 
  if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
  arg_debug = 1;
- else if (strcmp(argv[i], "--debug-check-filename") == 0)
- arg_debug_check_filename = 1;
  else if (strcmp(argv[i], "--debug-blacklists") == 0)
  arg_debug_blacklists = 1;
  else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1439,9 +1436,6 @@ int main(int argc, char **argv) {
  custom_profile = 1;
  free(ppath);
  }
- else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
- fwarning("--profile-path has been deprecated\n");
- }
  else if (strcmp(argv[i], "--noprofile") == 0) {
  if (custom_profile) {
  fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1541,9 +1535,6 @@ int main(int argc, char **argv) {
  else if (strcmp(argv[i], "--machine-id") == 0) {
  arg_machineid = 1;
  }
- else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
- fwarning("--allow-private-blacklist was deprecated\n");
- }
  else if (strcmp(argv[i], "--private") == 0) {
  arg_private = 1;
  }
@@ -2117,29 +2108,6 @@ int main(int argc, char **argv) {
  }
  else if (strcmp(argv[i], "--appimage") == 0)
  arg_appimage = 1;
- else if (strcmp(argv[i], "--csh") == 0) {
- if (arg_shell_none) {
-
- fprintf(stderr, "Error: --shell=none was already specified.\n");
- return 1;
- }
- if (cfg.shell) {
- fprintf(stderr, "Error: only one default user shell can be specified\n");
- return 1;
- }
- cfg.shell = "/bin/csh";
- }
- else if (strcmp(argv[i], "--zsh") == 0) {
- if (arg_shell_none) {
- fprintf(stderr, "Error: --shell=none was already specified.\n");
- return 1;
- }
- if (cfg.shell) {
- fprintf(stderr, "Error: only one default user shell can be specified\n");
- return 1;
- }
- cfg.shell = "/bin/zsh";
- }
  else if (strcmp(argv[i], "--shell=none") == 0) {
  arg_shell_none = 1;
  if (cfg.shell) {

src/firejail/no_sandbox.c

@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
  for (i = 0; i < argc; i++) {
  if (strcmp(argv[i], "--debug") == 0)
  arg_debug = 1;
- else if (strcmp(argv[i], "--csh") == 0 ||
- strcmp(argv[i], "--zsh") == 0 ||
- strcmp(argv[i], "--shell=none") == 0 ||
+ else if (strcmp(argv[i], "--shell=none") == 0 ||
  strncmp(argv[i], "--shell=", 8) == 0)
  fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
  }

src/firejail/profile.c

@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  arg_nodbus = 1;
  return 0;
  }
- else if (strcmp(ptr, "allow-private-blacklist") == 0) {
- fmessage("--allow-private-blacklist was deprecated\n");
- return 0;
- }
  else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
  if (checkcfg(CFG_NETWORK))

src/firejail/usage.c

@@ -29,8 +29,6 @@ static char *usage_str =
  "Options:\n"
  " -- - signal the end of options and disables further option processing.\n"
  " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
- " --allow-private-blacklist - allow blacklisting files in private\n"
- "\thome directories.\n"
  " --allusers - all user home directories are visible inside the sandbox.\n"
  " --apparmor - enable AppArmor confinement.\n"
  " --apparmor.print=name|pid - print apparmor status.\n"
@@ -58,11 +56,9 @@ static char *usage_str =
 #endif
  " --cpu=cpu-number,cpu-number - set cpu affinity.\n"
  " --cpu.print=name|pid - print the cpus in use.\n"
- " --csh - use /bin/csh as default shell.\n"
  " --debug - print sandbox debug messages.\n"
  " --debug-blacklists - debug blacklisting.\n"
  " --debug-caps - print all recognized capabilities.\n"
- " --debug-check-filename - debug filename checking.\n"
  " --debug-errnos - print all recognized error numbers.\n"
  " --debug-private-lib - debug for --private-lib option.\n"
  " --debug-protocols - print all recognized protocols.\n"
@@ -163,6 +159,7 @@ static char *usage_str =
  "\tfilesystem, and copy the files and directories in the list.\n"
  " --private-tmp - mount a tmpfs on top of /tmp directory.\n"
  " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+ " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
  " --profile=filename - use a custom profile.\n"
  " --profile.print=name|pid - print the name of profile file.\n"
  " --profile-path=directory - use this directory to look for profile files.\n"
@@ -236,7 +233,6 @@ static char *usage_str =
  " --x11=xvfb - enable Xvfb X11 server.\n"
  " --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
- " --zsh - use /usr/bin/zsh as default shell.\n"
  "\n"
  "Examples:\n"
  " $ firejail firefox\n"

src/firejail/util.c

@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
  assert(fname);
  const char *ptr = fname;
 
- if (arg_debug_check_filename)
- printf("Checking filename %s\n", fname);
-
  if (strncmp(ptr, "${HOME}", 7) == 0)
  ptr = fname + 7;
  else if (strncmp(ptr, "${PATH}", 7) == 0)

src/firemon/usage.c

@@ -43,6 +43,7 @@ static char *help_str =
  "\t--tree - print a tree of all sandboxed processes.\n\n"
  "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
  "\t--version - print program version and exit.\n\n"
+ "\t--x11 - print X11 display number.\n\n"
 
  "Without any options, firemon monitors all fork, exec, id change, and exit\n"
  "events in the sandbox. Monitoring a specific PID is also supported.\n\n"

src/lib/firejail_user.c

@@ -45,6 +45,12 @@ int firejail_user_check(const char *name) {
  if (strcmp(name, "root") == 0)
  return 1;
 
+ // user nobody disabled by default
+ if (strcmp(name, "nobody") == 0) {
+ fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
+ exit(1);
+ }
+
  // check file existence
  char *fname = get_fname();
  if (access(fname, F_OK)) {

src/man/firejail-users.txt

@@ -5,7 +5,7 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default.
+root user is allowed by default, user nobody is denied access by default.
 
 Example:
 

src/man/firejail.txt

@@ -313,15 +313,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-cpu.print=3272
 
-.TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-csh
 .TP
 \fB\-\-debug\fR
 Print debug messages.
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 
 .TP
 \fB\-\-debug-errnos
@@ -1949,8 +1931,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
-shell.
+By default Bash shell (/bin/bash) is used.
 .br
 
 .br
@@ -2324,16 +2305,6 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 
-.TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-zsh
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place

test/appimage/appimage-args.exp

@@ -56,7 +56,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
  timeout {puts "TESTING ERROR 8\n";exit}
  "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
  "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
  timeout {puts "TESTING ERROR 11\n";exit}
  "appimage Leafpad"

test/appimage/appimage-v1.exp

@@ -44,7 +44,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
  timeout {puts "TESTING ERROR 5\n";exit}
  "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
  "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
  timeout {puts "TESTING ERROR 6\n";exit}
  "appimage Leafpad"

test/environment/csh.exp

@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --csh\r"
+send -- "firejail --private --shell=/bin/csh\r"
 expect {
  timeout {puts "TESTING ERROR 0\n";exit}
  "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
  timeout {puts "TESTING ERROR 1\n";exit}
- ".cshrc"
-}
-
-send -- "env | grep SHELL\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "SHELL"
+ "SHELL"
 }
 expect {
- timeout {puts "TESTING ERROR 2.1\n";exit}
+ timeout {puts "TESTING ERROR 2\n";exit}
  "/bin/csh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --csh\r"
 expect {
  timeout {puts "TESTING ERROR 3\n";exit}
- "shell=none was already specified"
-}
-after 100
-
-send -- "firejail --csh --shell=none\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "a shell was already specified"
+ "home"
 }
+send -- "exit\r"
 after 100
 
-puts "\n"
+puts "\nall done\n"