author | netblue30 <netblue30@protonmail.com> | 2020-11-08 07:57:30 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-08 07:57:30 -0500 |
commit | 521b1f442a1ad4a9f1a0904047968dbe608135f7 (patch) | |
tree | 9c4f7eaea15bad06658183037ec38ef444541623 | |
parent | ci: enable test-fs tests on github-ci (diff) | |
parent | Update linphone profile (#3734) (diff) | |
Merge branch 'master' into tests
-rw-r--r-- | .travis.yml | 12 | ||||
-rw-r--r-- | Makefile.in | 6 | ||||
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/inc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 3 | ||||
-rw-r--r-- | etc/inc/whitelist-common.inc | 2 | ||||
-rw-r--r-- | etc/inc/whitelist-usr-share-common.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/filezilla.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-todo.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/linphone.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/minetest.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/spectacle.profile | 64 | ||||
-rw-r--r-- | etc/profile-m-z/xournalpp.profile | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
15 files changed, 92 insertions, 23 deletions
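--- a/.travis.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-language: c
-dist: trusty
-sudo: true
-
-script:
-- sudo apt-get -y install expect csh xzdec lintian fakeroot
-- ( ./configure --enable-fatal-warnings --prefix=/usr && make && sudo make install && make test-travis )
-- ( sudo make install-strip DESTDIR=$(readlink -f appdir) )
-# # If successful, build release tarball
-# - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
-# - curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2
-# - # Could use https://github.com/probonopd/uploadtool to upload to GitHub Releases instead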
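--- a/Makefile.in
+++ b/Makefile.in
@@ -240,10 +240,8 @@ test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-uti
 test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
 echo "TEST COMPLETE"
 
-test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments
-echo "TEST COMPLETE"
-
-test-github: test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments
+#test-github: test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments
+test-github: test-fs
 echo "TEST COMPLETE"
 
 ##########################################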
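Review bot: The `test-github` target now depends only on `test-fs`, and the previous prerequisite list is left as a commented-out line with no explanation, so nothing here tells a maintainer whether the reduction is temporary. With `test-travis` removed in the same hunk, the `test-profiles` and `test-filters` suites it ran are no longer referenced by any CI target visible in this hunk, which matters for a sandbox whose profiles and filters are its security boundary. I would add a comment above the commented line, for example `# TODO: restore the full list once test-fs passes on github-ci; test-profiles and test-filters currently have no CI target`. The rest of Makefile.in is outside the hunk, so another target may still cover them.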
@@ -1,5 +1,4 @@ | |||
1 | # Firejail | 1 | # Firejail |
2 | [![Test Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail) | ||
3 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) | 2 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) |
4 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | 3 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) |
5 | 4 | ||
@@ -66,8 +65,6 @@ FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions | |||
66 | 65 | ||
67 | Wiki: https://github.com/netblue30/firejail/wiki | 66 | Wiki: https://github.com/netblue30/firejail/wiki |
68 | 67 | ||
69 | Travis-CI status: https://travis-ci.org/netblue30/firejail | ||
70 | |||
71 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ | 68 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ |
72 | 69 | ||
73 | 70 | ||
@@ -197,3 +194,4 @@ Stats: | |||
197 | 194 | ||
198 | ### New profiles: | 195 | ### New profiles: |
199 | 196 | ||
197 | spectacle | ||
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
2 | * allow --tmpfs inside $HOME for unprivileged users | 2 | * allow --tmpfs inside $HOME for unprivileged users |
3 | * --disable-usertmpfs compile time option | 3 | * --disable-usertmpfs compile time option |
4 | * new profiles: spectacle | ||
4 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500 | 5 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500 |
5 | 6 | ||
6 | firejail (0.9.64) baseline; urgency=low | 7 | firejail (0.9.64) baseline; urgency=low |
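--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -480,6 +480,7 @@ blacklist ${RUNUSER}/app
 blacklist ${RUNUSER}/doc
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
 blacklist /usr/share/flatpak
 noblacklist /var/lib/flatpak/exports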
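--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -291,6 +291,7 @@ blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
+blacklist ${HOME}/.config/linphone
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
@@ -372,6 +373,7 @@ blacklist ${HOME}/.config/smuxi
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
+blacklist ${HOME}/.config/spectaclerc
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
@@ -653,6 +655,7 @@ blacklist ${HOME}/.local/share/kube
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/linphone
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love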
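--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -60,11 +60,13 @@ whitelist ${HOME}/.themes
 whitelist ${HOME}/.cache/kioexec/krun
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.config/QtProject.conf
 whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qtcurve
 whitelist ${HOME}/.kde/share/config/kdeglobals
 whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc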
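Review bot: The two added entries, `whitelist ${HOME}/.config/QtProject.conf` and `whitelist ${HOME}/.config/qtcurve`, land in an include shared by every whitelisting profile, and nothing in the hunk says why they are needed globally. QtProject.conf, as far as I know, also holds Qt file-dialog history, so sharing it exposes recently used paths to every sandbox that pulls in this file. Unless a `read-only` rule for these paths exists outside the hunk, any of those sandboxes can also modify them. A one-line comment such as `# Qt theming and dialog settings, shared with all Qt applications` would record the intent, and it is worth confirming whether these paths can be made `read-only` elsewhere.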
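--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -16,6 +16,7 @@ whitelist /usr/share/enchant-2
 whitelist /usr/share/file
 whitelist /usr/share/fontconfig
 whitelist /usr/share/fonts
+whitelist /usr/share/fonts-config
 whitelist /usr/share/gir-1.0
 whitelist /usr/share/gjs-1.0
 whitelist /usr/share/glib-2.0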
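--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
+noblacklist ${HOME}/.ssh
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc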
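Review bot: The added `noblacklist ${HOME}/.ssh` opens the whole directory, private keys included, to the FileZilla sandbox, and unlike the `# Allow python (blacklisted by disable-interpreters.inc)` line below it carries no comment saying why. Presumably this is for SFTP public-key authentication; if so, say it with something like `# Allow ssh keys for SFTP key authentication`. No `whitelist` or `read-only` rule for the directory is visible in this hunk, so whether the sandbox can also modify files there depends on includes outside the hunk and is worth confirming. The profile continues past the end of the hunk.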
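--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -53,8 +53,8 @@ dbus-user filter
 dbus-user.own org.gnome.Todo
 dbus-user.talk ca.desrt.dconf
 #dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
-#dbus-user.talk org.gnome.evolution.dataserver.Calendar8
-#dbus-user.talk org.gnome.evolution.dataserver.Sources5
+dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+dbus-user.talk org.gnome.evolution.dataserver.Sources5
 #dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
 #dbus-user.talk org.gnome.OnlineAccounts
 dbus-system none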
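Review bot: The two names enabled here, `org.gnome.evolution.dataserver.Calendar8` and `org.gnome.evolution.dataserver.Sources5`, end in what appear to be interface version numbers, so the filter will stop matching when evolution-data-server changes them, and the failure will look like a broken calendar rather than a profile error. A comment above them would help the next maintainer, for example `# Allow calendar sync; the numeric suffixes follow evolution-data-server and need updating when it bumps them`. It would also help to say why `AddressBook9` and `OnlineAccounts` stay commented out, since the profile now allows only part of the data-server interface. The profile starts and ends outside the hunk.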
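--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -6,8 +6,10 @@ include linphone.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/linphone
 noblacklist ${HOME}/.linphone-history.db
 noblacklist ${HOME}/.linphonerc
+noblacklist ${HOME}/.local/share/linphone
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,10 +18,15 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-mkfile ${HOME}/.linphone-history.db
-mkfile ${HOME}/.linphonerc
+# linphone 4.0 (released 2017-06-26) moved config and database files to respect
+# freedesktop standards. For backward compatibility we continue to whitelist
+# ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile.
+mkdir ${HOME}/.config/linphone
+mkdir ${HOME}/.local/share/linphone
+whitelist ${HOME}/.config/linphone
 whitelist ${HOME}/.linphone-history.db
 whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/.local/share/linphone
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 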
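--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -12,6 +12,9 @@ include globals.local
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc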
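--- /dev/null
+++ b/etc/profile-m-z/spectacle.profile
@@ -0,0 +1,64 @@
+# Firejail profile for spectacle
+# Description: Spectacle is a simple application for capturing desktop screenshots.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectacle.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment the following lines to use sharing services.
+#netfilter
+#ignore net none
+#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#protocol unix,inet,inet6
+
+noblacklist ${HOME}/.config/spectaclerc
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/spectaclerc
+whitelist ${HOME}/.config/spectaclerc
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin spectacle
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.conf
+private-tmp
+
+dbus-user filter
+dbus-user.own org.kde.spectacle
+dbus-user.talk org.freedesktop.FileManager1
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kglobalaccel
+dbus-system none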
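Review bot: The opt-in block at lines 9-13 of the new profile (`#netfilter`, `#ignore net none`, `#private-etc …`, `#protocol unix,inet,inet6`) says only that it enables sharing services, not what it relaxes. Once uncommented, a process whose job is to read the screen gets inet sockets in place of `net none`. I would extend the comment, for example `# Uncomment the following lines to use sharing services. This gives spectacle network access; leave disabled if you only save screenshots locally.` The two commented `dbus-user.talk` names at the end (`org.kde.JobViewServer`, `org.kde.kglobalaccel`) would likewise benefit from a word on which feature needs each.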
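--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -18,6 +18,7 @@ include whitelist-runuser-common.inc
 
 #mkdir ${HOME}/.xournalpp
 #whitelist ${HOME}/.xournalpp
+#whitelist ${HOME}/.texlive2019
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
 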
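--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -668,6 +668,7 @@ soffice
 sol
 sound-juicer
 soundconverter
+spectacle
 spectral
 spotify
 sqlitebrowser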