Skip to content

Commit

Permalink
remove LTS and FIRETUNNEL support
Browse files Browse the repository at this point in the history
  • Loading branch information
netblue30 committed Dec 23, 2023
1 parent a5e72ca commit db09546
Show file tree
Hide file tree
Showing 9 changed files with 2 additions and 186 deletions.
2 changes: 1 addition & 1 deletion README
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ Committers:
- rusty-snake (https://github.com/rusty-snake)
- smitsohu (https://github.com/smitsohu)
- SkewedZeppelin (https://github.com/SkewedZeppelin)
- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches
- startx2017 (https://github.com/startx2017)
maintainer)
- Topi Miettinen (https://github.com/topimiettinen)
- veloute (https://github.com/veloute)
Expand Down
1 change: 1 addition & 0 deletions RELNOTES
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
firejail (0.9.73) baseline; urgency=low
* work in progress
* removed LTS and FIRETUNNEL support
* feature: Add "keep-shell-rc" command and option (#1127 #5634)
* feature: Print the argument when failing with "too long arguments" (#5677)
* feature: a random hostname is assigned to each sandbox unless
Expand Down
4 changes: 0 additions & 4 deletions config.mk.in
Original file line number Diff line number Diff line change
Expand Up @@ -34,12 +34,10 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
HAVE_CHROOT=@HAVE_CHROOT@
HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
HAVE_IDS=@HAVE_IDS@
HAVE_LANDLOCK=@HAVE_LANDLOCK@
HAVE_LTS=@HAVE_LTS@
HAVE_NETWORK=@HAVE_NETWORK@
HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
HAVE_OUTPUT=@HAVE_OUTPUT@
Expand All @@ -57,12 +55,10 @@ MANFLAGS = \
$(HAVE_CHROOT) \
$(HAVE_DBUSPROXY) \
$(HAVE_FILE_TRANSFER) \
$(HAVE_FIRETUNNEL) \
$(HAVE_FORCE_NONEWPRIVS) \
$(HAVE_GLOBALCFG) \
$(HAVE_IDS) \
$(HAVE_LANDLOCK) \
$(HAVE_LTS) \
$(HAVE_NETWORK) \
$(HAVE_ONLY_SYSCFG_PROFILES) \
$(HAVE_OUTPUT) \
Expand Down
66 changes: 0 additions & 66 deletions configure
Original file line number Diff line number Diff line change
Expand Up @@ -650,7 +650,6 @@ ac_includes_default="\
ac_header_c_list=
ac_subst_vars='LTLIBOBJS
LIBOBJS
HAVE_LTS
HAVE_ONLY_SYSCFG_PROFILES
HAVE_FORCE_NONEWPRIVS
HAVE_CONTRIB_INSTALL
Expand All @@ -666,7 +665,6 @@ HAVE_GLOBALCFG
HAVE_CHROOT
HAVE_PRIVATE_LIB
HAVE_PRIVATE_HOME
HAVE_FIRETUNNEL
HAVE_GAWK
HAVE_MAN
HAVE_USERTMPFS
Expand Down Expand Up @@ -743,7 +741,6 @@ enable_dbusproxy
enable_output
enable_usertmpfs
enable_man
enable_firetunnel
enable_private_home
enable_private_lib
enable_chroot
Expand All @@ -759,7 +756,6 @@ enable_gcov
enable_contrib_install
enable_force_nonewprivs
enable_only_syscfg_profiles
enable_lts
'
ac_precious_vars='build_alias
host_alias
Expand Down Expand Up @@ -1403,7 +1399,6 @@ Optional Features:
--disable-output disable --output logging
--disable-usertmpfs disable tmpfs as regular user
--disable-man disable man pages
--enable-firetunnel enable firetunnel
--disable-private-home disable private home feature
--disable-private-lib disable private lib feature
--disable-chroot disable chroot
Expand All @@ -1424,7 +1419,6 @@ Optional Features:
enable force nonewprivs
--enable-only-syscfg-profiles
disable profiles in $HOME/.config/firejail
--enable-lts enable long-term support software version (LTS)
Some influential environment variables:
CC C compiler command
Expand Down Expand Up @@ -3913,21 +3907,6 @@ fi
fi
HAVE_FIRETUNNEL=""
# Check whether --enable-firetunnel was given.
if test ${enable_firetunnel+y}
then :
enableval=$enable_firetunnel;
fi
if test "x$enable_firetunnel" = "xyes"
then :
HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
fi
HAVE_PRIVATE_HOME=""
# Check whether --enable-private-home was given.
Expand Down Expand Up @@ -4155,39 +4134,6 @@ then :
fi
HAVE_LTS=""
# Check whether --enable-lts was given.
if test ${enable_lts+y}
then :
enableval=$enable_lts;
fi
if test "x$enable_lts" = "xyes"
then :
HAVE_LTS="-DHAVE_LTS"
HAVE_LANDLOCK=""
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
HAVE_OUTPUT=""
HAVE_USERTMPFS=""
HAVE_MAN="-DHAVE_MAN"
HAVE_FIRETUNNEL=""
HAVE_PRIVATE_HOME=""
HAVE_PRIVATE_LIB=""
HAVE_CHROOT=""
HAVE_GLOBALCFG=""
HAVE_USERNS=""
HAVE_X11=""
HAVE_FILE_TRANSFER=""
HAVE_SUID="-DHAVE_SUID"
BUSYBOX_WORKAROUND="no"
HAVE_CONTRIB_INSTALL="no"
fi
ac_fn_c_check_header_compile "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_seccomp_h" = xyes
then :
Expand Down Expand Up @@ -5384,11 +5330,9 @@ Features:
disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
enable --output logging: $HAVE_OUTPUT
file transfer support: $HAVE_FILE_TRANSFER
firetunnel support: $HAVE_FIRETUNNEL
global config: $HAVE_GLOBALCFG
IDS support: $HAVE_IDS
Landlock support: $HAVE_LANDLOCK
LTS: $HAVE_LTS
manpage support: $HAVE_MAN
network: $HAVE_NETWORK
overlayfs support: $HAVE_OVERLAYFS
Expand All @@ -5400,13 +5344,3 @@ Features:
EOF
if test "$HAVE_LTS" = -DHAVE_LTS; then
cat <<\EOF
*********************************************************
* Warning: Long-term support (LTS) was enabled! *
* Most compile-time options have been rewritten! *
*********************************************************
EOF
fi
46 changes: 0 additions & 46 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -137,14 +137,6 @@ AS_IF([test "x$enable_man" != "xno"], [
AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR([*** gawk not found ***])])
])

HAVE_FIRETUNNEL=""
AC_SUBST([HAVE_FIRETUNNEL])
AC_ARG_ENABLE([firetunnel],
[AS_HELP_STRING([--enable-firetunnel], [enable firetunnel])])
AS_IF([test "x$enable_firetunnel" = "xyes"], [
HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
])

HAVE_PRIVATE_HOME=""
AC_SUBST([HAVE_PRIVATE_HOME])
AC_ARG_ENABLE([private-home],
Expand Down Expand Up @@ -268,32 +260,6 @@ AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
])

HAVE_LTS=""
AC_SUBST([HAVE_LTS])
AC_ARG_ENABLE([lts],
[AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
AS_IF([test "x$enable_lts" = "xyes"], [
HAVE_LTS="-DHAVE_LTS"
HAVE_LANDLOCK=""
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
HAVE_OUTPUT=""
HAVE_USERTMPFS=""
HAVE_MAN="-DHAVE_MAN"
HAVE_FIRETUNNEL=""
HAVE_PRIVATE_HOME=""
HAVE_PRIVATE_LIB=""
HAVE_CHROOT=""
HAVE_GLOBALCFG=""
HAVE_USERNS=""
HAVE_X11=""
HAVE_FILE_TRANSFER=""
HAVE_SUID="-DHAVE_SUID"
BUSYBOX_WORKAROUND="no"
HAVE_CONTRIB_INSTALL="no"
])

AC_CHECK_HEADER([linux/seccomp.h], [],
[AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])])

Expand Down Expand Up @@ -332,11 +298,9 @@ Features:
disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
enable --output logging: $HAVE_OUTPUT
file transfer support: $HAVE_FILE_TRANSFER
firetunnel support: $HAVE_FIRETUNNEL
global config: $HAVE_GLOBALCFG
IDS support: $HAVE_IDS
Landlock support: $HAVE_LANDLOCK
LTS: $HAVE_LTS
manpage support: $HAVE_MAN
network: $HAVE_NETWORK
overlayfs support: $HAVE_OVERLAYFS
Expand All @@ -347,13 +311,3 @@ Features:
X11 sandboxing support: $HAVE_X11

EOF

if test "$HAVE_LTS" = -DHAVE_LTS; then
cat <<\EOF
*********************************************************
* Warning: Long-term support (LTS) was enabled! *
* Most compile-time options have been rewritten! *
*********************************************************

EOF
fi
7 changes: 0 additions & 7 deletions src/firejail/checkcfg.c
Original file line number Diff line number Diff line change
Expand Up @@ -349,13 +349,6 @@ static const char *const compiletime_support =
"disabled"
#endif

"\n\t- firetunnel support is "
#ifdef HAVE_FIRETUNNEL
"enabled"
#else
"disabled"
#endif

"\n\t- IDS support is "
#ifdef HAVE_IDS
"enabled"
Expand Down
27 changes: 0 additions & 27 deletions src/firejail/main.c
Original file line number Diff line number Diff line change
Expand Up @@ -1826,33 +1826,6 @@ int main(int argc, char **argv, char **envp) {
else
exit_err_feature("overlayfs");
}
#endif
#ifdef HAVE_FIRETUNNEL
else if (strcmp(argv[i], "--tunnel") == 0) {
// try to connect to the default client side of the tunnel
// if this fails, try the default server side of the tunnel
if (access("/run/firetunnel/ftc", R_OK) == 0)
profile_read("/run/firetunnel/ftc");
else if (access("/run/firetunnel/fts", R_OK) == 0)
profile_read("/run/firetunnel/fts");
else {
fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
exit(1);
}
}
else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
char *fname;

if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
errExit("asprintf");
invalid_filename(fname, 0); // no globbing
if (access(fname, R_OK) == 0)
profile_read(fname);
else {
fprintf(stderr, "Error: tunnel not found\n");
exit(1);
}
}
#endif
else if (strncmp(argv[i], "--include=", 10) == 0) {
char *ppath = expand_macros(argv[i] + 10);
Expand Down
31 changes: 0 additions & 31 deletions src/man/firejail.1.in
Original file line number Diff line number Diff line change
Expand Up @@ -42,15 +42,6 @@ Miscellaneous:
firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
.RE
.SH DESCRIPTION
#ifdef HAVE_LTS
This is Firejail long-term support (LTS), an enterprise focused version of the software,
LTS is usually supported for two or three years.
During this time only bugs and the occasional documentation problems are fixed.
The attack surface of the SUID executable was greatly reduced by removing some of the features.
.br

.br
#endif
Firejail is a SUID sandbox program that reduces the risk of security breaches by
restricting the running environment of untrusted applications using Linux
namespaces, seccomp-bpf and Linux capabilities.
Expand Down Expand Up @@ -3043,28 +3034,6 @@ $ firejail \-\-tree
.br
11970:netblue:transmission-gtk

#ifdef HAVE_FIRETUNNEL
.TP
\fB\-\-tunnel[=devname]
Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
please specify the tunnel device using \-\-tunnel=devname.
.br

.br
The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
The files are regular firejail profile files containing the network configuration,
and are created and managed by firetunnel utility.
By default ftc is the client-side device and fts is the server-side device. For more information
please see man 1 firetunnel.
.br

.br
Example:
.br
$ firejail --tunnel firefox
.br
#endif
.TP
\fB\-\-version
Print program version/compile time support and exit.
Expand Down
4 changes: 0 additions & 4 deletions src/zsh_completion/_firejail.in
Original file line number Diff line number Diff line change
Expand Up @@ -213,10 +213,6 @@ _firejail_args=(
'--ls=-[list files in sandbox container name|pid]: :_all_firejails'
#endif

#ifdef HAVE_FIRETUNNEL
'--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :'
#endif

#ifdef HAVE_NETWORK
'--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails'
'--defaultgw=[configure default gateway]: :'
Expand Down

0 comments on commit db09546

Please sign in to comment.