more on removing cgroups (#5200)

contrib/vim/syntax/firejail.vim

@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 
 " Commands grabbed from: src/firejail/profile.c
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
 syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained

src/bash_completion/firejail.bash_completion.in

@@ -42,10 +42,6 @@ _firejail()
             _filedir -d
             return 0
             ;;
-        --cgroup)
-            _filedir -d
-            return 0
-            ;;
         --tmpfs)
             _filedir
             return 0

src/firejail/join.c

@@ -414,7 +414,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 	if (!arg_shell_none)
 		shfd = open_shell();
 
-	// in user mode set caps seccomp, cpu, cgroup, etc
+	// in user mode set caps seccomp, cpu etc.
 	if (getuid() != 0) {
 		extract_nonewprivs(sandbox);  // redundant on Linux >= 4.10; duplicated in function extract_caps
 		extract_caps(sandbox);

src/include/rundefs.h

@@ -37,7 +37,6 @@
 #define RUN_RO_DIR			RUN_FIREJAIL_DIR "/firejail.ro.dir"
 #define RUN_RO_FILE			RUN_FIREJAIL_DIR "/firejail.ro.file"
 #define RUN_MNT_DIR			RUN_FIREJAIL_DIR "/mnt"	// a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_CGROUP_CFG			RUN_MNT_DIR "/cgroup"
 #define RUN_CPU_CFG			RUN_MNT_DIR "/cpu"
 #define RUN_GROUPS_CFG			RUN_MNT_DIR "/groups"
 #define RUN_PROTOCOL_CFG		RUN_MNT_DIR "/protocol"

src/zsh_completion/_firejail.in

@@ -91,7 +91,6 @@ _firejail_args=(
     '--caps.drop=all[drop all capabilities]'
     '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
     '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
-    '--cgroup=-[place the sandbox in the specified control group]: :'
     '--cpu=-[set cpu affinity]: :->cpus'
     "--deterministic-exit-code[always exit with first child's status code]"
     '--deterministic-shutdown[terminate orphan processes]'

test/root/cgroup.exp

@@ -1,65 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2022 Firejail Authors
-# License GPL v2
-
-set timeout 10
-cd /home
-spawn $env(SHELL)
-match_max 100000
-
-
-send -- "mkdir /sys/fs/cgroup/systemd/firejail\r"
-sleep 1
-send -- "ls /sys/fs/cgroup/systemd/firejail\r"
-expect {
-	timeout {puts "TESTING ERROR 0\n";exit}
-	"tasks"
-}
-
-send --  "firejail --name=\"join testing\" --cgroup=/sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-	timeout {puts "TESTING ERROR 1\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-	timeout {puts "TESTING ERROR 2\n";exit}
-	"3"
-}
-
-spawn $env(SHELL)
-send --  "firejail --join=\"join testing\"\r"
-expect {
-	timeout {puts "TESTING ERROR 3\n";exit}
-	"Switching to pid"
-}
-expect {
-	timeout {puts "TESTING ERROR 4\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-send -- "ps aux\r"
-expect {
-	timeout {puts "TESTING ERROR 5\n";exit}
-	"/bin/bash"
-}
-expect {
-	timeout {puts "TESTING ERROR 6\n";exit}
-	"/bin/bash"
-}
-
-after 100
-
-spawn $env(SHELL)
-send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
-expect {
-	timeout {puts "TESTING ERROR 7\n";exit}
-	"3"
-}
-after 100
-
-puts "\nall done\n"

test/root/root.sh

@@ -103,9 +103,6 @@ echo "TESTING: firejail configuration (test/root/checkcfg.exp)"
 ./checkcfg.exp
 cp ../../etc/firejail.config /etc/firejail/.
 
-echo "TESTING: cgroup (test/root/cgroup.exp)"
-./cgroup.exp
-
 echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
 ./option_tmpfs.exp