From b214d080e09b18ff58d1facfde67201bc5a672a6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 21 Jan 2026 15:07:43 -0500 Subject: [PATCH] removed ./configure --disable-usertmpfs option --- config.mk.in | 2 -- configure | 19 ----------- configure.ac | 9 ----- src/firejail/checkcfg.c | 7 ---- src/firejail/main.c | 2 -- src/firejail/profile.c | 11 +----- src/firejail/sandbox.c | 2 -- test/compile/compile.sh | 75 ++++++++++++++--------------------------- 8 files changed, 27 insertions(+), 100 deletions(-) diff --git a/config.mk.in b/config.mk.in index c74a19ca6..937d58a0b 100644 --- a/config.mk.in +++ b/config.mk.in @@ -45,7 +45,6 @@ HAVE_SANDBOX_CHECK=@HAVE_SANDBOX_CHECK@ HAVE_SELINUX=@HAVE_SELINUX@ HAVE_SUID=@HAVE_SUID@ HAVE_USERNS=@HAVE_USERNS@ -HAVE_USERTMPFS=@HAVE_USERTMPFS@ HAVE_X11=@HAVE_X11@ MANFLAGS = \ @@ -64,7 +63,6 @@ MANFLAGS = \ $(HAVE_SELINUX) \ $(HAVE_SUID) \ $(HAVE_USERNS) \ - $(HAVE_USERTMPFS) \ $(HAVE_X11) # User variables - should not be modified in the code (as they are reserved for diff --git a/configure b/configure index 4b11f358d..b00470732 100755 --- a/configure +++ b/configure @@ -657,7 +657,6 @@ HAVE_NETWORK HAVE_CHROOT HAVE_PRIVATE_LIB HAVE_PRIVATE_HOME -HAVE_USERTMPFS HAVE_OUTPUT HAVE_DBUSPROXY EXTRA_LDFLAGS @@ -736,7 +735,6 @@ enable_selinux enable_landlock enable_dbusproxy enable_output -enable_usertmpfs enable_private_home enable_private_lib enable_chroot @@ -1394,7 +1392,6 @@ Optional Features: --disable-landlock disable Landlock self-restriction support --disable-dbusproxy disable dbus proxy --disable-output disable --output logging - --disable-usertmpfs disable tmpfs as regular user --disable-private-home disable private home feature --disable-private-lib disable private lib feature --disable-chroot disable chroot @@ -4309,21 +4306,6 @@ then : fi -HAVE_USERTMPFS="" - -# Check whether --enable-usertmpfs was given. -if test ${enable_usertmpfs+y} -then : - enableval=$enable_usertmpfs; -fi - -if test "x$enable_usertmpfs" != "xno" -then : - - HAVE_USERTMPFS="-DHAVE_USERTMPFS" - -fi - HAVE_PRIVATE_HOME="" # Check whether --enable-private-home was given. @@ -5727,7 +5709,6 @@ Compile options: Spectre compiler patch: $HAVE_SPECTRE Features: - allow tmpfs as regular user: $HAVE_USERTMPFS always enforce filters: $HAVE_FORCE_NONEWPRIVS apparmor: $HAVE_APPARMOR busybox workaround: $BUSYBOX_WORKAROUND diff --git a/configure.ac b/configure.ac index 2d9c24e64..8c54c0898 100644 --- a/configure.ac +++ b/configure.ac @@ -129,14 +129,6 @@ AS_IF([test "x$enable_output" != "xno"], [ HAVE_OUTPUT="-DHAVE_OUTPUT" ]) -HAVE_USERTMPFS="" -AC_SUBST([HAVE_USERTMPFS]) -AC_ARG_ENABLE([usertmpfs], - [AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])]) -AS_IF([test "x$enable_usertmpfs" != "xno"], [ - HAVE_USERTMPFS="-DHAVE_USERTMPFS" -]) - HAVE_PRIVATE_HOME="" AC_SUBST([HAVE_PRIVATE_HOME]) AC_ARG_ENABLE([private-home], @@ -282,7 +274,6 @@ Compile options: Spectre compiler patch: $HAVE_SPECTRE Features: - allow tmpfs as regular user: $HAVE_USERTMPFS always enforce filters: $HAVE_FORCE_NONEWPRIVS apparmor: $HAVE_APPARMOR busybox workaround: $BUSYBOX_WORKAROUND diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index b00eb3a63..f37d154e3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -423,13 +423,6 @@ static const char *const compiletime_support = "disabled" #endif - "\n\t- private-cache and tmpfs as user " -#ifdef HAVE_USERTMPFS - "enabled" -#else - "disabled" -#endif - "\n\t- sandbox check is " #ifdef HAVE_SANDBOX_CHECK "enabled" diff --git a/src/firejail/main.c b/src/firejail/main.c index e355a3913..8d16327d8 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2082,14 +2082,12 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--private-tmp") == 0) { arg_private_tmp = 1; } -#ifdef HAVE_USERTMPFS else if (strcmp(argv[i], "--private-cache") == 0) { if (checkcfg(CFG_PRIVATE_CACHE)) arg_private_cache = 1; else exit_err_feature("private-cache"); } -#endif else if (strcmp(argv[i], "--private-cwd") == 0) { cfg.cwd = NULL; arg_private_cwd = 1; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8c21bb744..e916122cd 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -424,12 +424,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "private-cache") == 0) { -#ifdef HAVE_USERTMPFS if (checkcfg(CFG_PRIVATE_CACHE)) arg_private_cache = 1; else warning_feature_disabled("private-cache"); -#endif return 0; } else if (strcmp(ptr, "private-dev") == 0) { @@ -1671,15 +1669,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { ptr += 11; else if (strncmp(ptr, "noexec ", 7) == 0) ptr += 7; - else if (strncmp(ptr, "tmpfs ", 6) == 0) { -#ifndef HAVE_USERTMPFS - if (getuid() != 0) { - fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); - exit(1); - } -#endif + else if (strncmp(ptr, "tmpfs ", 6) == 0) ptr += 6; - } else { if (lineno == 0) fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 05423a911..6105cedd1 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -965,13 +965,11 @@ int sandbox(void* sandbox_arg) { } #endif -#ifdef HAVE_USERTMPFS if (arg_private_cache) { EUID_USER(); profile_add("tmpfs ${HOME}/.cache"); EUID_ROOT(); } -#endif if (arg_private_tmp) { // private-tmp is implemented as a whitelist diff --git a/test/compile/compile.sh b/test/compile/compile.sh index 7c3ee845d..19b09361a 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh @@ -26,16 +26,15 @@ arr[8]="8: compile --disable-file-transfer" arr[9]="9: compile --enable-apparmor" arr[10]="10: compile --enable-busybox-workaround" arr[11]="11: compile --disable-private-home" -arr[12]="12: compile --disable-usertmpfs" -arr[13]="13: compile --disable-sandbox-check" -arr[14]="14: compile --disable-landlock" -arr[15]="15: compile --disable-output" -arr[16]="16: compile --disable-man" -arr[17]="17: compile --disable-private-lib" -arr[18]="18: compile --disable-suid" -arr[19]="19: compile --enable-contrib-install" -arr[20]="20: compile --enable-only-syscfg-profiles" -arr[21]="21: compile --enable-force-nonewprivs" +arr[12]="12: compile --disable-sandbox-check" +arr[13]="13: compile --disable-landlock" +arr[14]="14: compile --disable-output" +arr[15]="15: compile --disable-man" +arr[16]="16: compile --disable-private-lib" +arr[17]="17: compile --disable-suid" +arr[18]="18: compile --enable-contrib-install" +arr[19]="19: compile --enable-only-syscfg-profiles" +arr[20]="20: compile --enable-force-nonewprivs" print_title() { echo @@ -311,31 +310,9 @@ cd .. #***************************************************************** # TEST 12 #***************************************************************** -# - disable tmpfs as regular user" -#***************************************************************** -print_title "${arr[12]}" -cd firejail || exit 1 - -./configure --enable-fatal-warnings --disable-usertmpfs 2>&1 | tee output -if grep -E '(WARNING|ERROR)' output; then - echo "TESTING ERROR"; - exit 1 -fi - -make -j4 2>&1 | tee output -if grep -E -i 'error:' output; then - echo "TESTING ERROR"; - exit 1 -fi -make distclean -cd .. - -#***************************************************************** -# TEST 13 -#***************************************************************** # - disable sandbox check #***************************************************************** -print_title "${arr[13]}" +print_title "${arr[12]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --disable-sandbox-check 2>&1 | tee output @@ -353,11 +330,11 @@ make distclean cd .. #***************************************************************** -# TEST 14 +# TEST 13 #***************************************************************** # - disable landlock #***************************************************************** -print_title "${arr[14]}" +print_title "${arr[13]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --disable-landlock 2>&1 | tee output @@ -375,11 +352,11 @@ make distclean cd .. #***************************************************************** -# TEST 15 +# TEST 14 #***************************************************************** # - disable --output logging #***************************************************************** -print_title "${arr[15]}" +print_title "${arr[14]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --disable-output 2>&1 | tee output @@ -396,11 +373,11 @@ fi cd .. #***************************************************************** -# TEST 16 +# TEST 15 #***************************************************************** # - disable man pages #***************************************************************** -print_title "${arr[16]}" +print_title "${arr[15]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --disable-man 2>&1 | tee output @@ -418,11 +395,11 @@ make distclean cd .. #***************************************************************** -# TEST 17 +# TEST 16 #***************************************************************** # - disable private-lib #***************************************************************** -print_title "${arr[17]}" +print_title "${arr[16]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --disable-private-lib 2>&1 | tee output @@ -440,11 +417,11 @@ make distclean cd .. #***************************************************************** -# TEST 18 +# TEST 17 #***************************************************************** # - disable suid #***************************************************************** -print_title "${arr[18]}" +print_title "${arr[17]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --disable-suid 2>&1 | tee output @@ -462,11 +439,11 @@ make distclean cd .. #***************************************************************** -# TEST 19 +# TEST 18 #***************************************************************** # - enable contrib install #***************************************************************** -print_title "${arr[19]}" +print_title "${arr[18]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --enable-contrib-install 2>&1 | tee output @@ -484,11 +461,11 @@ make distclean cd .. #***************************************************************** -# TEST 20 +# TEST 19 #***************************************************************** # --enable-only-syscfg-profile #***************************************************************** -print_title "${arr[20]}" +print_title "${arr[19]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --enable-only-syscfg-profiles 2>&1 | tee output @@ -506,11 +483,11 @@ make distclean cd .. #***************************************************************** -# TEST 21 +# TEST 20 #***************************************************************** # - enable force nonewprivs #***************************************************************** -print_title "${arr[21]}" +print_title "${arr[20]}" cd firejail || exit 1 ./configure --enable-fatal-warnings --enable-force-nonewprivs 2>&1 | tee output