deprecating --force

2026-05-15 14:16:14 -06:00 · 2018-04-03 11:01:22 -04:00 · 2018-04-03 11:01:22 -04:00 · 4c71ddbcd8
commit 4c71ddbcd8
parent a0502dc514
6 changed files with 13 additions and 59 deletions
--- a/3
+++ b/3
@ -1,6 +1,6 @@
 firejail (0.9.53) baseline; urgency=low
  * work in progress
-  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
+  * --force depercated
  * modif: support for private-bin, private-lib and shell none has been
     disabled while running AppImage archives in order to be able to use
     our regular profile files with AppImages.
@ -10,6 +10,7 @@ firejail (0.9.53) baseline; urgency=low
     All users of Firefox-based browsers who use addons and plugins
     that read/write from ${HOME} will need to uncomment the includes for
     firefox-common-addons.inc in firefox-common.profile.
+  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
  * Spectre mitigation patch for gcc and clang compiler
  * D-Bus handling (--nodbus)
  * AppArmor support for overlayfs and chroot sandboxes
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@ -707,8 +707,6 @@ void fs_basic_fs(void) {
 	restrict_users();

 	// when starting as root, firejail config is not disabled;
-	// this mode could be used to install and test new software by chaining
-	// firejail sandboxes (firejail --force)
 	if (uid)
 		disable_config();
 }
@ -1020,8 +1018,6 @@ void fs_overlayfs(void) {
 	restrict_users();

 	// when starting as root, firejail config is not disabled;
-	// this mode could be used to install and test new software by chaining
-	// firejail sandboxes (firejail --force)
 	if (getuid() != 0)
 		disable_config();

@ -1265,8 +1261,6 @@ void fs_chroot(const char *rootdir) {
 		restrict_users();

 		// when starting as root, firejail config is not disabled;
-		// this mode could be used to install and test new software by chaining
-		// firejail sandboxes (firejail --force)
 		if (getuid() != 0)
 			disable_config();
 	}
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -829,7 +829,6 @@ int main(int argc, char **argv) {
 	int lockfd_network = -1;
 	int lockfd_directory = -1;
 	int option_cgroup = 0;
-	int option_force = 0;
 	int custom_profile = 0;	// custom profile loaded

 	atexit(clear_atexit);
@ -900,27 +899,21 @@ int main(int argc, char **argv) {
 	// check if we already have a sandbox running
 	// If LXC is detected, start firejail sandbox
 	// otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
-	//	- if --force flag is set, start firejail sandbox
-	//	-- if --force flag is not set, start the application in a /bin/bash shell
+	//	- start the application in a /bin/bash shell
 	if (check_namespace_virt() == 0) {
 		EUID_ROOT();
 		int rv = check_kernel_procs();
 		EUID_USER();
 		if (rv == 0) {
-			// if --force option is passed to the program, disregard the existing sandbox
-			if (check_arg(argc, argv, "--force", 1))
-				option_force = 1;
-			else {
-				if (check_arg(argc, argv, "--version", 1)) {
-					printf("firejail version %s\n", VERSION);
-					exit(0);
-				}
-
-				// start the program directly without sandboxing
-				run_no_sandbox(argc, argv);
-				// it will never get here!
-				assert(0);
+			if (check_arg(argc, argv, "--version", 1)) {
+				printf("firejail version %s\n", VERSION);
+				exit(0);
 			}
+
+			// start the program directly without sandboxing
+			run_no_sandbox(argc, argv);
+			// it will never get here!
+			assert(0);
 		}
 	}

@ -1064,12 +1057,8 @@ int main(int argc, char **argv) {
 	for (i = 1; i < argc; i++) {
 		run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized

-		if (strcmp(argv[i], "--debug") == 0) {
-			if (!arg_quiet) {
-				arg_debug = 1;
-				if (option_force)
-					fmessage("Entering sandbox-in-sandbox mode\n");
-			}
+		if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) {
+			arg_debug = 1;
 		}
 		else if (strcmp(argv[i], "--debug-check-filename") == 0)
 			arg_debug_check_filename = 1;
@ -1083,8 +1072,6 @@ int main(int argc, char **argv) {
 			arg_quiet = 1;
 			arg_debug = 0;
 		}
-		else if (strcmp(argv[i], "--force") == 0)
-			;
 		else if (strcmp(argv[i], "--allow-debuggers") == 0) {
 			// already handled
 		}
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@ -76,7 +76,6 @@ static char *usage_str =
 	"    --dns=address - set DNS server.\n"
 	"    --dns.print=name|pid - print DNS configuration.\n"
 	"    --env=name=value - set environment variable.\n"
-	"    --force - attempt to start a new sandbox inside the existing sandbox.\n"
 	"    --fs.print=name|pid - print the filesystem log.\n"
 	"    --get=name|pid filename - get a file from sandbox container.\n"
 #ifdef HAVE_GIT_INSTALL
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -467,13 +467,6 @@ Example:
 .br
 $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib

-.TP
-\fB\-\-force
-By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell.
-This option disables this behavior, and attempts to start Firejail in the existing sandbox.
-There could be lots of reasons for it to fail, for example if the existing sandbox disables
-admin capabilities, SUID binaries, or if it runs seccomp.
-
 .TP
 \fB\-\-fs.print=name|print
 Print the filesystem log for the sandbox identified by name or by PID.
--- a/test/environment/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@ -24,26 +24,6 @@ after 100
 send --  "exit\r"
 after 100

-send --  "firejail --force\r"
-expect {
-	timeout {puts "TESTING ERROR 3\n";exit}
-	"cannot rise privileges"
-}
-after 100
-
-send --  "firejail --version\r"
-expect {
-	timeout {puts "TESTING ERROR 4\n";exit}
-	"firejail version"
-}
-after 100
-
-send --  "firejail --version --force\r"
-expect {
-	timeout {puts "TESTING ERROR 5\n";exit}
-	"firejail version"
-}
-after 100


 puts "\nall done\n"