deprecated --disable-whitelist at compile time

netblue30 · Jul 3, 2021 · c08414f · c08414f
1 parent 0562ceb
commit c08414f
Show file tree

Hide file tree

Showing 9 changed files with 6 additions and 49 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -1,3 +1,8 @@
+firejail (0.9.67) baseline; urgency=low
+ * work in progress
+ * deprecated --disable-whitelist at compile time
+ -- netblue30 <[email protected]> Mon, 28 Jun 2021 09:00:00 -0500
+
 firejail (0.9.66) baseline; urgency=low
  * deprecated --audit options, relpaced by jailcheck utility
  * deprecated follow-symlink-as-user from firejail.config

diff --git a/configure b/configure
@@ -634,7 +634,6 @@ HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
 HAVE_SUID
-HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
@@ -726,7 +725,6 @@ enable_network
 enable_userns
 enable_x11
 enable_file_transfer
-enable_whitelist
 enable_suid
 enable_fatal_warnings
 enable_busybox_workaround
@@ -1385,7 +1383,6 @@ Optional Features:
  --disable-userns disable user namespace
  --disable-x11 disable X11 sandboxing support
  --disable-file-transfer disable file transfer
- --disable-whitelist disable whitelist
  --disable-suid install as a non-SUID executable
  --enable-fatal-warnings -W -Wall -Werror
  --enable-busybox-workaround
@@ -3745,19 +3742,6 @@ if test "x$enable_file_transfer" != "xno"; then :
  HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
 
 
-fi
-
-HAVE_WHITELIST=""
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
- enableval=$enable_whitelist;
-fi
-
-if test "x$enable_whitelist" != "xno"; then :
-
- HAVE_WHITELIST="-DHAVE_WHITELIST"
-
-
 fi
 
 HAVE_SUID=""
@@ -5572,7 +5556,6 @@ Configuration options:
  network: $HAVE_NETWORK
  user namespace: $HAVE_USERNS
  X11 sandboxing support: $HAVE_X11
- whitelisting: $HAVE_WHITELIST
  private home support: $HAVE_PRIVATE_HOME
  file transfer support: $HAVE_FILE_TRANSFER
  overlayfs support: $HAVE_OVERLAYFS

diff --git a/configure.ac b/configure.ac
@@ -177,14 +177,6 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
  AC_SUBST(HAVE_FILE_TRANSFER)
 ])
 
-HAVE_WHITELIST=""
-AC_ARG_ENABLE([whitelist],
- AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
-AS_IF([test "x$enable_whitelist" != "xno"], [
- HAVE_WHITELIST="-DHAVE_WHITELIST"
- AC_SUBST(HAVE_WHITELIST)
-])
-
 HAVE_SUID=""
 AC_ARG_ENABLE([suid],
  AS_HELP_STRING([--disable-suid], [install as a non-SUID executable]))
@@ -323,7 +315,6 @@ Configuration options:
  network: $HAVE_NETWORK
  user namespace: $HAVE_USERNS
  X11 sandboxing support: $HAVE_X11
- whitelisting: $HAVE_WHITELIST
  private home support: $HAVE_PRIVATE_HOME
  file transfer support: $HAVE_FILE_TRANSFER
  overlayfs support: $HAVE_OVERLAYFS

diff --git a/src/common.mk.in b/src/common.mk.in
@@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
@@ -42,7 +41,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -342,14 +342,6 @@ void print_compiletime_support(void) {
 #endif
  );
 
- printf("\t- file and directory whitelisting support is %s\n",
-#ifdef HAVE_WHITELIST
- "enabled"
-#else
- "disabled"
-#endif
- );
-
  printf("\t- file transfer support is %s\n",
 #ifdef HAVE_FILE_TRANSFER
  "enabled"

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -1581,8 +1581,6 @@ int main(int argc, char **argv, char **envp) {
  profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
-
-#ifdef HAVE_WHITELIST
  else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
  if (checkcfg(CFG_WHITELIST)) {
  char *line;
@@ -1603,7 +1601,6 @@ int main(int argc, char **argv, char **envp) {
  profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
-#endif
  else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
  char *line;
  if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -1589,7 +1589,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  else if (strncmp(ptr, "noblacklist ", 12) == 0)
  ptr += 12;
  else if (strncmp(ptr, "whitelist ", 10) == 0) {
-#ifdef HAVE_WHITELIST
  if (checkcfg(CFG_WHITELIST)) {
  arg_whitelist = 1;
  ptr += 10;
@@ -1602,9 +1601,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  }
  return 0;
  }
-#else
- return 0;
-#endif
  }
  else if (strncmp(ptr, "nowhitelist ", 12) == 0)
  ptr += 12;

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -80,9 +80,7 @@ static char *usage_str =
  " --debug-protocols - print all recognized protocols.\n"
  " --debug-syscalls - print all recognized system calls.\n"
  " --debug-syscalls32 - print all recognized 32 bit system calls.\n"
-#ifdef HAVE_WHITELIST
  " --debug-whitelists - debug whitelisting.\n"
-#endif
 #ifdef HAVE_NETWORK
  " --defaultgw=address - configure default gateway.\n"
 #endif
@@ -252,9 +250,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
  " --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
-#ifdef HAVE_WHITELIST
  " --whitelist=filename - whitelist directory or file.\n"
-#endif
  " --writable-etc - /etc directory is mounted read-write.\n"
  " --writable-run-user - allow access to /run/user/$UID/systemd and\n"
  "\t/run/user/$UID/gnupg.\n"

diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
@@ -251,10 +251,8 @@ _firejail_args=(
  '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-#ifdef HAVE_WHITELIST
  '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
  '*--whitelist=-[whitelist directory or file]: :_files'
-#endif
 
 #ifdef HAVE_X11
  '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'