disable cgroup code

2026-05-15 14:16:14 -06:00 · 2022-06-13 09:03:45 -04:00 · 2022-06-13 09:03:45 -04:00 · 73b089092d
commit 73b089092d
parent a1972c24f8
8 changed files with 0 additions and 178 deletions
--- a/etc/firejail.config
+++ b/etc/firejail.config
@ -25,9 +25,6 @@
 # Disable U2F in browsers, default enabled.
 # browser-disable-u2f yes

-# Enable or disable cgroup support, default enabled.
-# cgroup yes
-
 # Enable or disable chroot support, default enabled.
 # chroot yes

--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2014-2022 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include "../include/gcov_wrapper.h"
-#include <sys/wait.h>
-#include <errno.h>
-
-#define MAXBUF 4096
-
-void save_cgroup(void) {
-	if (cfg.cgroup == NULL)
-		return;
-
-	FILE *fp = fopen(RUN_CGROUP_CFG, "wxe");
-	if (fp) {
-		fprintf(fp, "%s", cfg.cgroup);
-		fflush(0);
-		SET_PERMS_STREAM(fp, 0, 0, 0644);
-		if (fclose(fp))
-			goto errout;
-	}
-	else
-		goto errout;
-
-	return;
-
-errout:
-	fprintf(stderr, "Error: cannot save cgroup\n");
-	exit(1);
-}
-
-static int is_cgroup_path(const char *fname) {
-	// path starts with /sys/fs/cgroup
-	if (strncmp(fname, "/sys/fs/cgroup", 14) != 0)
-		return 0;
-
-	// no .. traversal
-	char *ptr = strstr(fname, "..");
-	if (ptr)
-		return 0;
-
-	return 1;
-}
-
-void check_cgroup_file(const char *fname) {
-	assert(fname);
-	invalid_filename(fname, 0); // no globbing
-
-	if (!is_cgroup_path(fname))
-		goto errout;
-
-	const char *base = gnu_basename(fname);
-	if (strcmp(base, "tasks") != 0 &&  // cgroup v1
-	    strcmp(base, "cgroup.procs") != 0)
-		goto errout;
-
-	if (access(fname, W_OK) == 0)
-		return;
-
-errout:
-	fprintf(stderr, "Error: invalid cgroup\n");
-	exit(1);
-}
-
-static void do_set_cgroup(const char *fname, pid_t pid) {
-	FILE *fp = fopen(fname, "ae");
-	if (!fp) {
-		fwarning("cannot open %s for writing: %s\n", fname, strerror(errno));
-		return;
-	}
-
-	int rv = fprintf(fp, "%d\n", pid);
-	(void) rv;
-	fclose(fp);
-}
-
-void set_cgroup(const char *fname, pid_t pid) {
-	pid_t child = fork();
-	if (child < 0)
-		errExit("fork");
-	if (child == 0) {
-		drop_privs(0);
-
-		do_set_cgroup(fname, pid);
-
-		__gcov_flush();
-
-		_exit(0);
-	}
-	waitpid(child, NULL, 0);
-}
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@ -100,7 +100,6 @@ int checkcfg(int val) {
 			PARSE_YESNO(CFG_X11, "x11")
 			PARSE_YESNO(CFG_APPARMOR, "apparmor")
 			PARSE_YESNO(CFG_BIND, "bind")
-			PARSE_YESNO(CFG_CGROUP, "cgroup")
 			PARSE_YESNO(CFG_NAME_CHANGE, "name-change")
 			PARSE_YESNO(CFG_USERNS, "userns")
 			PARSE_YESNO(CFG_CHROOT, "chroot")
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@ -211,7 +211,6 @@ typedef struct config_t {
 	// cpu affinity, nice and control groups
 	uint32_t cpus;
 	int nice;
-	char *cgroup;

 	// command line
 	char *command_line;
@ -669,11 +668,6 @@ void set_cpu_affinity(void);
 void save_cpu(void);
 void cpu_print_filter(pid_t pid) __attribute__((noreturn));

-// cgroup.c
-void save_cgroup(void);
-void check_cgroup_file(const char *fname);
-void set_cgroup(const char *fname, pid_t pid);
-
 // output.c
 void check_output(int argc, char **argv);

@ -830,7 +824,6 @@ enum {
 	CFG_BROWSER_ALLOW_DRM,
 	CFG_APPARMOR,
 	CFG_DBUS,
-	CFG_CGROUP,
 	CFG_NAME_CHANGE,
 	CFG_SECCOMP_ERROR_ACTION,
 	// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@ -204,24 +204,6 @@ static void extract_cpu(ProcessHandle sandbox) {
 	fclose(fp);
 }

-static void extract_cgroup(ProcessHandle sandbox) {
-	int fd = process_rootfs_open(sandbox, RUN_CGROUP_CFG);
-	if (fd < 0)
-		return; // not configured
-
-	FILE *fp = fdopen(fd, "r");
-	if (!fp)
-		errExit("fdopen");
-
-	char buf[BUFLEN];
-	if (fgets(buf, BUFLEN, fp)) {
-		cfg.cgroup = strdup(buf);
-		if (!cfg.cgroup)
-			errExit("strdup");
-	}
-	fclose(fp);
-}
-
 static void extract_umask(ProcessHandle sandbox) {
 	int fd = process_rootfs_open(sandbox, RUN_UMASK_FILE);
 	if (fd < 0) {
@ -437,16 +419,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
 		extract_nonewprivs(sandbox);  // redundant on Linux >= 4.10; duplicated in function extract_caps
 		extract_caps(sandbox);
 		extract_cpu(sandbox);
-		extract_cgroup(sandbox);
 		extract_nogroups(sandbox);
 		extract_user_namespace(sandbox);
 		extract_umask(sandbox);
 	}

-	// set cgroup
-	if (cfg.cgroup)	// not available for uid 0
-		set_cgroup(cfg.cgroup, getpid());
-
 	// join namespaces
 	EUID_ROOT();
 	if (arg_join_network) {
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -1012,7 +1012,6 @@ int main(int argc, char **argv, char **envp) {
 	int lockfd_network = -1;
 	int lockfd_directory = -1;
 	int lockfd_sandboxfile = -1;
-	int option_cgroup = 0;
 	int custom_profile = 0;	// custom profile loaded
 	int arg_caps_cmdline = 0; 	// caps requested on command line (used to break out of --chroot)
 	int arg_netlock = 0;
@ -1566,23 +1565,6 @@ int main(int argc, char **argv, char **envp) {
 				cfg.nice = 0;
 			arg_nice = 1;
 		}
-		else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
-			if (checkcfg(CFG_CGROUP)) {
-				if (option_cgroup) {
-					fprintf(stderr, "Error: only one cgroup can be defined\n");
-					exit(1);
-				}
-				cfg.cgroup = strdup(argv[i] + 9);
-				if (!cfg.cgroup)
-					errExit("strdup");
-
-				check_cgroup_file(cfg.cgroup);
-				set_cgroup(cfg.cgroup, getpid());
-				option_cgroup = 1;
-			}
-			else
-				exit_err_feature("cgroup");
-		}

 		//*************************************
 		// filesystem
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@ -1144,21 +1144,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}

-	// cgroup
-	if (strncmp(ptr, "cgroup ", 7) == 0) {
-		if (checkcfg(CFG_CGROUP)) {
-			cfg.cgroup = strdup(ptr + 7);
-			if (!cfg.cgroup)
-				errExit("strdup");
-
-			check_cgroup_file(cfg.cgroup);
-			set_cgroup(cfg.cgroup, getpid());
-		}
-		else
-			warning_feature_disabled("cgroup");
-		return 0;
-	}
-
 	// writable-etc
 	if (strcmp(ptr, "writable-etc") == 0) {
 		if (cfg.etc_private_keep) {
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@ -1150,9 +1150,6 @@ int sandbox(void* sandbox_arg) {
 	// save cpu affinity mask to CPU_CFG file
 	save_cpu();

-	// save cgroup in CGROUP_CFG file
-	save_cgroup();
-
 	// set seccomp
 	// install protocol filter
 #ifdef SYS_socket