build: remove remnants of IDS/fids

Remove what remains of the Intrusion Detection System (IDS)/fids, `--ids` commands and the `--enable-ids` configure option. Commands: * `--ids-check` * `--ids-init` Related commits: * 5e962ff78 ("removed IDS feature, it was never enabled by default in our builds", 2025-12-17) Relates to #6995.
2026-05-15 06:06:02 -06:00 · 2025-12-19 10:09:02 -03:00 · 2025-12-19 10:09:02 -03:00 · 381c3cf1a3
commit 381c3cf1a3
parent 8d927220b5
6 changed files with 0 additions and 275 deletions
--- a/.gitignore
+++ b/.gitignore
@ -28,7 +28,6 @@ src/firejail/firejail
 src/firemon/firemon
 src/firecfg/firecfg
 src/ftee/ftee
-src/fids/fids
 src/tags
 src/faudit/faudit
 src/fnet/fnet
--- a/3
+++ b/3
@ -251,9 +251,6 @@ endif
 	sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/firejail/login.users ]; then \
 		$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/login.users; \
 	fi"
-ifeq ($(HAVE_IDS),-DHAVE_IDS)
-	$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
-endif
 ifeq ($(BUSYBOX_WORKAROUND),yes)
 	./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif
--- a/etc/ids.config
+++ b/etc/ids.config
@ -1,164 +0,0 @@
-# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
-# This config file is overwritten when a new version of Firejail is installed.
-# For global customization use /etc/firejail/ids.config.local.
-include ids.config.local
-#
-# Each line is a file or directory name such as
-#       /usr/bin
-# or
-#       ${HOME}/Desktop/*.desktop
-#
-# ${HOME} is expanded to the user's home directory, and * is the regular
-# globbing match for zero or more characters.
-#
-# File or directory names starting with ! are not scanned. For example
-#        !${HOME}/.ssh/known_hosts
-#        ${HOME}/.ssh
-# will scan all files in ~/.ssh directory with the exception of known_hosts
-
-### system executables ###
-/bin
-/sbin
-/usr/bin
-/usr/games
-/usr/libexec
-/usr/sbin
-
-### user executables ###
-#/opt
-#/usr/local
-
-### system libraries ###
-#/lib
-#/usr/lib
-#/usr/lib32
-#/usr/lib64
-#/usr/libx32
-
-### shells local ###
-# bash
-${HOME}/.bash_aliases
-${HOME}/.bash_login
-${HOME}/.bash_logout
-${HOME}/.bash_profile
-${HOME}/.bashrc
-# fish
-${HOME}/.config/fish/config.fish
-# others
-${HOME}/.cshrc
-${HOME}/.kshrc
-${HOME}/.login
-${HOME}/.logout
-${HOME}/.profile
-${HOME}/.tcshrc
-# zsh
-${HOME}/.zlogin
-${HOME}/.zlogout
-${HOME}/.zshenv
-${HOME}/.zshprofile
-${HOME}/.zshrc
-
-# Note: This list should be kept in sync with the one in inc/disable-shell.inc.
-### shells global ###
-# all
-/etc/dircolors
-/etc/environment
-/etc/profile
-/etc/profile.d
-/etc/shells
-/etc/skel
-# bash
-/etc/bash
-/etc/bash.bashrc
-/etc/bash_completion*
-/etc/bashrc
-# fish
-/etc/fish
-# ksh
-/etc/ksh.kshrc
-/etc/suid_profile
-# tcsh
-/etc/complete.tcsh
-/etc/csh.cshrc
-/etc/csh.login
-/etc/csh.logout
-# zsh
-/etc/zlogin
-/etc/zlogout
-/etc/zprofile
-/etc/zsh
-/etc/zshenv
-/etc/zshrc
-
-### X11 ###
-/etc/X11
-${HOME}/.xinitrc
-${HOME}/.xmodmaprc
-${HOME}/.xprofile
-${HOME}/.Xresources
-${HOME}/.xserverrc
-${HOME}/.Xsession
-${HOME}/.xsession
-${HOME}/.xsessionrc
-
-### window/desktop manager ###
-${HOME}/Desktop/*.desktop
-${HOME}/.config/autostart
-${HOME}/.config/autostart-scripts
-${HOME}/.config/lxsession/LXDE/autostart
-${HOME}/.config/openbox/autostart
-${HOME}/.config/openbox/environment
-${HOME}/.config/plasma-workspace/env
-${HOME}/.config/plasma-workspace/shutdown
-${HOME}/.gnomerc
-${HOME}/.gtkrc
-${HOME}/.kde/Autostart
-${HOME}/.kde/env
-${HOME}/.kde/share/autostart
-${HOME}/.kde/shutdown
-${HOME}/.kde4/Autostart
-${HOME}/.kde4/env
-${HOME}/.kde4/share/autostart
-${HOME}/.kde4/shutdown
-${HOME}/.kderc
-${HOME}/.local/share/autostart
-
-### security ###
-/etc/aide
-/etc/apparmor*
-/etc/chkrootkit.conf
-/etc/cracklib
-/etc/doas.conf
-/etc/libaudit.conf
-/etc/group*
-/etc/gshadow*
-/etc/pam.*
-/etc/passwd*
-/etc/rkhunter*
-/etc/securetty
-/etc/security
-/etc/selinux
-/etc/shadow*
-/etc/sudo*.conf
-/etc/sudoers*
-/etc/tripwire
-${HOME}/.config/firejail
-${HOME}/.gnupg
-${HOME}/.pam_environment
-
-### network security ###
-/etc/ca-certificates*
-/etc/hosts.*
-/etc/services
-/etc/snort
-/etc/ssh
-/etc/ssl
-/etc/wireshark
-!${HOME}/.ssh/known_hosts # excluding
-${HOME}/.ssh
-/usr/share/ca-certificates
-
-### system config ###
-/etc/cron.*
-/etc/crontab
-/etc/default
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@ -957,28 +957,6 @@ $ sudo firejail --icmptrace
 20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
 .br

-#ifdef HAVE_IDS
-.TP
-\fB\-\-ids-check
-Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-ids-check
-
-.TP
-\fB\-\-ids-init
-Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-ids-init
-#endif
-
 .TP
 \fB\-\-ignore=command
 Ignore command in profile file.
@ -3645,66 +3623,6 @@ $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
 #endif

-#ifdef HAVE_IDS
-.SH INTRUSION DETECTION SYSTEM (IDS)
-The host-based intrusion detection system tracks down and audits user and system file modifications.
-The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
-where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing.
-
-As a regular user, initialize the database:
-.br
-
-.br
-$ firejail --ids-init
-.br
-Opening config file /etc/firejail/ids.config
-.br
-Loading config file /etc/firejail/ids.config
-.br
-Opening config file /etc/firejail/ids.config.local
-.br
-500 1000 1500 2000
-.br
-2466 files scanned
-.br
-IDS database initialized
-.br
-
-.br
-The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory
-such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed.
-.br
-
-.br
-Run --ids-check to audit the system:
-.br
-
-.br
-$ firejail --ids-check
-.br
-Opening config file /etc/firejail/ids.config
-.br
-Loading config file /etc/firejail/ids.config
-.br
-Opening config file /etc/firejail/ids.config.local
-.br
-500 1000 1500
-.br
-Warning: modified /home/netblue/.bashrc
-.br
-2000
-.br
-2466 files scanned: modified 1, permissions 0, new 0, removed 0
-.br
-
-.br
-The program will print the files that have been modified since the database was created, or the files with different access permissions.
-New files and deleted files are also flagged.
-
-Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
-The program can also be run as root (sudo firejail --ids-init/--ids-check).
-#endif
-
 #ifdef HAVE_LANDLOCK
 .SH LANDLOCK
 Warning: Landlock support in firejail is considered experimental and unstable.
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@ -62,9 +62,6 @@ _firejail_args=(
    '--tree[print a tree of all sandboxed processes]'
    '--version[print program version and exit]'

-    '--ids-check[verify file system]'
-    '--ids-init[initialize IDS database]'
-
    '--debug[print sandbox debug messages]'
    '--debug-blacklists[debug blacklisting]'
    '--debug-caps[print all recognized capabilities]'
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@ -31,7 +31,6 @@ arr[15]="TEST 15: compile private-home disabled"
 arr[16]="TEST 16: compile disable manpages"
 arr[17]="TEST 17: disable tmpfs as regular user"
 arr[18]="TEST 18: disable private home"
-arr[19]="TEST 19: enable ids"

 # remove previous reports and output file
 cleanup() {
@ -412,26 +411,6 @@ cp output-configure oc18
 cp output-make om18
 rm output-configure output-make

-#*****************************************************************
-# TEST 19
-#*****************************************************************
-# - enable ids
-#*****************************************************************
-print_title "${arr[19]}"
-cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
-  --enable-ids \
-  2>&1 | tee ../output-configure
-
-make -j "$(nproc)" 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test19
-grep Error output-configure output-make >> ./report-test19
-cp output-configure oc19
-cp output-make om19
-rm output-configure output-make
-
 #*****************************************************************
 # PRINT REPORTS
 #*****************************************************************
@ -463,4 +442,3 @@ echo "${arr[15]}"
 echo "${arr[16]}"
 echo "${arr[17]}"
 echo "${arr[18]}"
-echo "${arr[19]}"