diff --git a/RELNOTES b/RELNOTES index a560c79b9..647377e8b 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,6 @@ firejail (0.9.53) baseline; urgency=low * work in progress - * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) + * --force depercated * modif: support for private-bin, private-lib and shell none has been disabled while running AppImage archives in order to be able to use our regular profile files with AppImages. @@ -10,6 +10,7 @@ firejail (0.9.53) baseline; urgency=low All users of Firefox-based browsers who use addons and plugins that read/write from ${HOME} will need to uncomment the includes for firefox-common-addons.inc in firefox-common.profile. + * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) * Spectre mitigation patch for gcc and clang compiler * D-Bus handling (--nodbus) * AppArmor support for overlayfs and chroot sandboxes diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 25b52f5ce..29cca0761 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -707,8 +707,6 @@ void fs_basic_fs(void) { restrict_users(); // when starting as root, firejail config is not disabled; - // this mode could be used to install and test new software by chaining - // firejail sandboxes (firejail --force) if (uid) disable_config(); } @@ -1020,8 +1018,6 @@ void fs_overlayfs(void) { restrict_users(); // when starting as root, firejail config is not disabled; - // this mode could be used to install and test new software by chaining - // firejail sandboxes (firejail --force) if (getuid() != 0) disable_config(); @@ -1265,8 +1261,6 @@ void fs_chroot(const char *rootdir) { restrict_users(); // when starting as root, firejail config is not disabled; - // this mode could be used to install and test new software by chaining - // firejail sandboxes (firejail --force) if (getuid() != 0) disable_config(); } diff --git a/src/firejail/main.c b/src/firejail/main.c index 52f6af667..787fa28e1 100644 
--- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -829,7 +829,6 @@ int main(int argc, char **argv) { int lockfd_network = -1; int lockfd_directory = -1; int option_cgroup = 0; - int option_force = 0; int custom_profile = 0; // custom profile loaded atexit(clear_atexit); @@ -900,27 +899,21 @@ int main(int argc, char **argv) { // check if we already have a sandbox running // If LXC is detected, start firejail sandbox // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and: - // - if --force flag is set, start firejail sandbox - // -- if --force flag is not set, start the application in a /bin/bash shell + // - start the application in a /bin/bash shell if (check_namespace_virt() == 0) { EUID_ROOT(); int rv = check_kernel_procs(); EUID_USER(); if (rv == 0) { - // if --force option is passed to the program, disregard the existing sandbox - if (check_arg(argc, argv, "--force", 1)) - option_force = 1; - else { - if (check_arg(argc, argv, "--version", 1)) { - printf("firejail version %s\n", VERSION); - exit(0); - } - - // start the program directly without sandboxing - run_no_sandbox(argc, argv); - // it will never get here! - assert(0); + if (check_arg(argc, argv, "--version", 1)) { + printf("firejail version %s\n", VERSION); + exit(0); } + + // start the program directly without sandboxing + run_no_sandbox(argc, argv); + // it will never get here! + assert(0); } } @@ -1064,12 +1057,8 @@ int main(int argc, char **argv) { for (i = 1; i < argc; i++) { run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized - if (strcmp(argv[i], "--debug") == 0) { - if (!arg_quiet) { - arg_debug = 1; - if (option_force) - fmessage("Entering sandbox-in-sandbox mode\n"); - } + if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) { + arg_debug = 1; } else if (strcmp(argv[i], "--debug-check-filename") == 0) arg_debug_check_filename = 1; 
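Review bot: In the `@@ -900` hunk, the path after `run_no_sandbox(argc, argv);` is guarded only by `assert(0);`, which compiles to nothing when NDEBUG is defined (whether this build defines it is not visible here). If run_no_sandbox() ever returned, main() would presumably carry on into the normal sandbox setup even though an existing sandbox was detected, which is the nested start this commit removes. An explicit fail-closed exit is safer, for example `exit(1);` directly after the call, with the assert kept only as a debugging aid. main() starts and ends outside the hunk.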
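Review bot: Folding `!arg_quiet` into the `--debug` test in the `@@ -1064` hunk changes what happens when `--debug` is passed while arg_quiet is already set. The old code matched the option and ignored it, whereas the new condition is false and the argument falls through to the rest of the `else if` chain. The end of that chain is outside the hunk, but if it rejects unrecognised options, such a command line would now be reported as invalid instead of being silently accepted. Keeping the match separate from the guard preserves the old behaviour: `if (strcmp(argv[i], "--debug") == 0) {` with `if (!arg_quiet) arg_debug = 1;` inside it.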
@@ -1083,8 +1072,6 @@ int main(int argc, char **argv) { arg_quiet = 1; arg_debug = 0; } - else if (strcmp(argv[i], "--force") == 0) - ; else if (strcmp(argv[i], "--allow-debuggers") == 0) { // already handled } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1c878c818..542747efc 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -76,7 +76,6 @@ static char *usage_str = " --dns=address - set DNS server.\n" " --dns.print=name|pid - print DNS configuration.\n" " --env=name=value - set environment variable.\n" - " --force - attempt to start a new sandbox inside the existing sandbox.\n" " --fs.print=name|pid - print the filesystem log.\n" " --get=name|pid filename - get a file from sandbox container.\n" #ifdef HAVE_GIT_INSTALL diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f481f5c46..85550e576 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -467,13 +467,6 @@ Example: .br $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib -.TP -\fB\-\-force -By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell. -This option disables this behavior, and attempts to start Firejail in the existing sandbox. -There could be lots of reasons for it to fail, for example if the existing sandbox disables -admin capabilities, SUID binaries, or if it runs seccomp. - .TP \fB\-\-fs.print=name|print Print the filesystem log for the sandbox identified by name or by PID. diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp index 6f8f4316f..29f82007b 100755 --- a/test/environment/firejail-in-firejail.exp +++ b/test/environment/firejail-in-firejail.exp 
@@ -24,26 +24,6 @@ after 100 send -- "exit\r" after 100 -send -- "firejail --force\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "cannot rise privileges" -} -after 100 - -send -- "firejail --version\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "firejail version" -} -after 100 - -send -- "firejail --version --force\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "firejail version" -} -after 100 puts "\nall done\n"