3 files changed, 131 insertions, 10 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index ae7b1089a..d36dd32e4 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -12,9 +12,9 @@ Write clear, concise and in textual form.
 - Describe the bug.
 - What did you expect to happen?
-**No profile or disabling firejail**
+**No profile and disabling firejail**
- What changed calling `firejail --noprofile PROGRAM` in a shell?
+- What changed calling `firejail --noprofile /path/to/program` in a terminal?
- What changed calling the program *by path*=without firejail (check `whereis PROGRAM`, `firejail --list`, `stat $programpath`)?
+- What changed calling the program by path (check `which <program>` or `firejail --list` while the sandbox is running)?
 **Reproduce**
 Steps to reproduce the behavior:
@@ -24,19 +24,18 @@ Steps to reproduce the behavior:
 4. Scroll down to '....'
 **Environment**
- - Linux distribution and version (ie output of `lsb_release -a`)
+ - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
- - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
+ - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) 
- - What other programs interact with the affected program for the functionality?
- - Are these listed in the profile? 
 **Additional context**
 Other context about the problem like related errors to understand the problem.
 **Checklist**
 - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.
- - [ ] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`)
+ - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- - [ ] Programs needed for interaction are listed.
+ - [ ] Programs needed for interaction are listed in the profile.
- - [ ] Error was checked in search engine and on issue list without success.
+ - [ ] A short search for duplicates was performed.
+ - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
 <details><summary> debug output </summary>
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..56b38cb71
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,51 @@
+name: Build CI
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install dependencies
+      run: sudo apt-get install gcc-10 libapparmor-dev libselinux1-dev
+    - name: configure
+      run: CC=gcc-10 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux
+    - name: make
+      run: make
+  build-clang:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: make
+      run: make
+  scan-build:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install clang-tools-10
+      run: sudo apt-get install clang-tools-10
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: scan-build
+      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
+  cppcheck:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+  profile-sort:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: check profiles
+      run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000..a37bbb5c7
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 7 * * 2'
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['cpp', 'python']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file. 
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+    #- run: |
+    #   make bootstrap
+    #   make release
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index ae7b1089a..d36dd32e4 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -12,9 +12,9 @@ Write clear, concise and in textual form.
12	- Describe the bug.	12	- Describe the bug.
13	- What did you expect to happen?	13	- What did you expect to happen?
14		14
15	No profile or disabling firejail	15	No profile and disabling firejail
16	- What changed calling `firejail --noprofile PROGRAM` in a shell?	16	- What changed calling `firejail --noprofile /path/to/program` in a terminal?
17	- What changed calling the program by path=without firejail (check `whereis PROGRAM`, `firejail --list`, `stat $programpath`)?	17	- What changed calling the program by path (check `which <program>` or `firejail --list` while the sandbox is running)?
18		18
19	Reproduce	19	Reproduce
20	Steps to reproduce the behavior:	20	Steps to reproduce the behavior:
@@ -24,19 +24,18 @@ Steps to reproduce the behavior:
24	4. Scroll down to '....'	24	4. Scroll down to '....'
25		25
26	Environment	26	Environment
27	- Linux distribution and version (ie output of `lsb_release -a`)	27	- Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
28	- Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)	28	- Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
29	- What other programs interact with the affected program for the functionality?
30	- Are these listed in the profile?
31		29
32	Additional context	30	Additional context
33	Other context about the problem like related errors to understand the problem.	31	Other context about the problem like related errors to understand the problem.
34		32
35	Checklist	33	Checklist
36	- [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.	34	- [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.
37	- [ ] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`)	35	- [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
38	- [ ] Programs needed for interaction are listed.	36	- [ ] Programs needed for interaction are listed in the profile.
39	- [ ] Error was checked in search engine and on issue list without success.	37	- [ ] A short search for duplicates was performed.
		38	- [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
40		39
41		40
42	<details><summary> debug output </summary>	41	<details><summary> debug output </summary>


diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 000000000..56b38cb71 --- /dev/null +++ b/.github/workflows/build.yml
@@ -0,0 +1,51 @@
		1	name: Build CI
		2
		3	on:
		4	push:
		5	branches: [ master ]
		6	pull_request:
		7	branches: [ master ]
		8
		9	jobs:
		10	build:
		11	runs-on: ubuntu-20.04
		12	steps:
		13	- uses: actions/checkout@v2
		14	- name: install dependencies
		15	run: sudo apt-get install gcc-10 libapparmor-dev libselinux1-dev
		16	- name: configure
		17	run: CC=gcc-10 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux
		18	- name: make
		19	run: make
		20	build-clang:
		21	runs-on: ubuntu-20.04
		22	steps:
		23	- uses: actions/checkout@v2
		24	- name: configure
		25	run: CC=clang-10 ./configure --enable-fatal-warnings
		26	- name: make
		27	run: make
		28	scan-build:
		29	runs-on: ubuntu-20.04
		30	steps:
		31	- uses: actions/checkout@v2
		32	- name: install clang-tools-10
		33	run: sudo apt-get install clang-tools-10
		34	- name: configure
		35	run: CC=clang-10 ./configure --enable-fatal-warnings
		36	- name: scan-build
		37	run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
		38	cppcheck:
		39	runs-on: ubuntu-20.04
		40	steps:
		41	- uses: actions/checkout@v2
		42	- name: install cppcheck
		43	run: sudo apt-get install cppcheck
		44	- name: cppcheck
		45	run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
		46	profile-sort:
		47	runs-on: ubuntu-20.04
		48	steps:
		49	- uses: actions/checkout@v2
		50	- name: check profiles
		51	run: ./contrib/sort.py etc//{.inc,.net,.profile}


diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 000000000..a37bbb5c7 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,71 @@
		1	# For most projects, this workflow file will not need changing; you simply need
		2	# to commit it to your repository.
		3	#
		4	# You may wish to alter this file to override the set of languages analyzed,
		5	# or to provide custom queries or build logic.
		6	name: "CodeQL"
		7
		8	on:
		9	push:
		10	branches: [master]
		11	pull_request:
		12	# The branches below must be a subset of the branches above
		13	branches: [master]
		14	schedule:
		15	- cron: '0 7 * * 2'
		16
		17	jobs:
		18	analyze:
		19	name: Analyze
		20	runs-on: ubuntu-latest
		21
		22	strategy:
		23	fail-fast: false
		24	matrix:
		25	# Override automatic language detection by changing the below list
		26	# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
		27	language: ['cpp', 'python']
		28	# Learn more...
		29	# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
		30
		31	steps:
		32	- name: Checkout repository
		33	uses: actions/checkout@v2
		34	with:
		35	# We must fetch at least the immediate parents so that if this is
		36	# a pull request then we can checkout the head.
		37	fetch-depth: 2
		38
		39	# If this run was triggered by a pull request event, then checkout
		40	# the head of the pull request instead of the merge commit.
		41	- run: git checkout HEAD^2
		42	if: ${{ github.event_name == 'pull_request' }}
		43
		44	# Initializes the CodeQL tools for scanning.
		45	- name: Initialize CodeQL
		46	uses: github/codeql-action/init@v1
		47	with:
		48	languages: ${{ matrix.language }}
		49	# If you wish to specify custom queries, you can do so here or in a config file.
		50	# By default, queries listed here will override any specified in a config file.
		51	# Prefix the list here with "+" to use these queries and those in the config file.
		52	# queries: ./path/to/local/query, your-org/your-repo/queries@main
		53
		54	# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
		55	# If this step fails, then you should remove it and run the build manually (see below)
		56	- name: Autobuild
		57	uses: github/codeql-action/autobuild@v1
		58
		59	# ℹ️ Command-line programs to run using the OS shell.
		60	# 📚 https://git.io/JvXDl
		61
		62	# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
		63	# and modify them (or add more) to build your code if your project
		64	# uses a compiled language
		65
		66	#- run: \|
		67	# make bootstrap
		68	# make release
		69
		70	- name: Perform CodeQL Analysis
		71	uses: github/codeql-action/analyze@v1