-rw-r--r--.github/workflows/build-extra.yml2
-rw-r--r--.github/workflows/build.yml2
-rw-r--r--.github/workflows/check-c.yml12
-rw-r--r--.github/workflows/check-profiles.yml2
-rw-r--r--.github/workflows/check-python.yml6
-rw-r--r--.github/workflows/codespell.yml4
-rw-r--r--.github/workflows/test.yml10
-rwxr-xr-xcontrib/sort.py4
-rw-r--r--etc/inc/disable-common.inc1
-rw-r--r--etc/inc/disable-programs.inc10
-rw-r--r--etc/profile-a-l/clamtk.profile16
-rw-r--r--etc/profile-a-l/discord.profile1
-rw-r--r--etc/profile-a-l/freshclam.profile2
-rw-r--r--etc/profile-m-z/nodejs-common.profile5
-rw-r--r--etc/profile-m-z/pnpm.profile11
-rw-r--r--etc/profile-m-z/pnpx.profile11
-rw-r--r--etc/profile-m-z/tesseract.profile1
-rw-r--r--etc/profile-m-z/tiny-rdm.profile61
-rw-r--r--src/fcopy/main.c4
-rw-r--r--src/firecfg/firecfg.config1
-rw-r--r--src/firejail/ls.c2
21 files changed, 133 insertions, 35 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 7fb51e92f..6c2905e43 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -43,7 +43,7 @@ jobs:
43 runs-on: ubuntu-22.04 43 runs-on: ubuntu-22.04
44 steps: 44 steps:
45 - name: Harden Runner 45 - name: Harden Runner
46 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 46 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
47 with: 47 with:
48 egress-policy: block 48 egress-policy: block
49 allowed-endpoints: > 49 allowed-endpoints: >
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5eb84a843..ae1aef039 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,7 +59,7 @@ jobs:
59 runs-on: ubuntu-22.04 59 runs-on: ubuntu-22.04
60 steps: 60 steps:
61 - name: Harden Runner 61 - name: Harden Runner
62 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 62 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
63 with: 63 with:
64 egress-policy: block 64 egress-policy: block
65 allowed-endpoints: > 65 allowed-endpoints: >
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 2658ce1d1..496efb76c 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -45,7 +45,7 @@ jobs:
45 runs-on: ubuntu-22.04 45 runs-on: ubuntu-22.04
46 steps: 46 steps:
47 - name: Harden Runner 47 - name: Harden Runner
48 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 48 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
49 with: 49 with:
50 egress-policy: block 50 egress-policy: block
51 allowed-endpoints: > 51 allowed-endpoints: >
@@ -76,7 +76,7 @@ jobs:
76 runs-on: ubuntu-22.04 76 runs-on: ubuntu-22.04
77 steps: 77 steps:
78 - name: Harden Runner 78 - name: Harden Runner
79 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 79 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
80 with: 80 with:
81 egress-policy: block 81 egress-policy: block
82 allowed-endpoints: > 82 allowed-endpoints: >
@@ -103,7 +103,7 @@ jobs:
103 runs-on: ubuntu-20.04 103 runs-on: ubuntu-20.04
104 steps: 104 steps:
105 - name: Harden Runner 105 - name: Harden Runner
106 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 106 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
107 with: 107 with:
108 egress-policy: block 108 egress-policy: block
109 allowed-endpoints: > 109 allowed-endpoints: >
@@ -132,7 +132,7 @@ jobs:
132 132
133 steps: 133 steps:
134 - name: Harden Runner 134 - name: Harden Runner
135 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 135 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
136 with: 136 with:
137 disable-sudo: true 137 disable-sudo: true
138 egress-policy: block 138 egress-policy: block
@@ -150,7 +150,7 @@ jobs:
150 150
151 # Initializes the CodeQL tools for scanning. 151 # Initializes the CodeQL tools for scanning.
152 - name: Initialize CodeQL 152 - name: Initialize CodeQL
153 uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 153 uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b
154 with: 154 with:
155 languages: cpp 155 languages: cpp
156 156
@@ -161,4 +161,4 @@ jobs:
161 run: make -j "$(nproc)" 161 run: make -j "$(nproc)"
162 162
163 - name: Perform CodeQL Analysis 163 - name: Perform CodeQL Analysis
164 uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 164 uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index f1b69ec47..b5490c944 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -31,7 +31,7 @@ jobs:
31 runs-on: ubuntu-latest 31 runs-on: ubuntu-latest
32 steps: 32 steps:
33 - name: Harden Runner 33 - name: Harden Runner
34 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 34 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
35 with: 35 with:
36 disable-sudo: true 36 disable-sudo: true
37 egress-policy: block 37 egress-policy: block
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 0581da320..535b9234b 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -30,7 +30,7 @@ jobs:
30 30
31 steps: 31 steps:
32 - name: Harden Runner 32 - name: Harden Runner
33 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 33 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
34 with: 34 with:
35 disable-sudo: true 35 disable-sudo: true
36 egress-policy: block 36 egress-policy: block
@@ -50,9 +50,9 @@ jobs:
50 50
51 # Initializes the CodeQL tools for scanning. 51 # Initializes the CodeQL tools for scanning.
52 - name: Initialize CodeQL 52 - name: Initialize CodeQL
53 uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 53 uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b
54 with: 54 with:
55 languages: python 55 languages: python
56 56
57 - name: Perform CodeQL Analysis 57 - name: Perform CodeQL Analysis
58 uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 58 uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 3da4411cc..f3c512c3e 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -23,7 +23,7 @@ jobs:
23 runs-on: ubuntu-22.04 23 runs-on: ubuntu-22.04
24 steps: 24 steps:
25 - name: Harden Runner 25 - name: Harden Runner
26 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 26 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
27 with: 27 with:
28 egress-policy: block 28 egress-policy: block
29 allowed-endpoints: > 29 allowed-endpoints: >
@@ -38,6 +38,8 @@ jobs:
38 run: sudo apt-get update -qy 38 run: sudo apt-get update -qy
39 - name: install dependencies 39 - name: install dependencies
40 run: sudo apt-get install -qy codespell 40 run: sudo apt-get install -qy codespell
41 - name: print env
42 run: ./ci/printenv.sh
41 - name: configure 43 - name: configure
42 run: ./configure || (cat config.log; exit 1) 44 run: ./configure || (cat config.log; exit 1)
43 - run: codespell --version 45 - run: codespell --version
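Review bot: The new `print env` step runs `./ci/printenv.sh` and its output goes straight into the job log, which is public for a public repository; the script itself is not part of this diff, so confirm it prints selected tool versions and variables rather than a full `env` dump. GitHub masks only registered secrets, not other sensitive values that may have been exported into the runner environment, so a full dump is the case to avoid. If the script is already curated, a short `# prints tool versions only` comment on the step would save the next reviewer this check.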
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a63abafcb..0a6069a5c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -53,7 +53,7 @@ jobs:
53 SHELL: /bin/bash 53 SHELL: /bin/bash
54 steps: 54 steps:
55 - name: Harden Runner 55 - name: Harden Runner
56 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 56 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
57 with: 57 with:
58 egress-policy: block 58 egress-policy: block
59 allowed-endpoints: > 59 allowed-endpoints: >
@@ -100,7 +100,7 @@ jobs:
100 SHELL: /bin/bash 100 SHELL: /bin/bash
101 steps: 101 steps:
102 - name: Harden Runner 102 - name: Harden Runner
103 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 103 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
104 with: 104 with:
105 egress-policy: block 105 egress-policy: block
106 allowed-endpoints: > 106 allowed-endpoints: >
@@ -138,7 +138,7 @@ jobs:
138 SHELL: /bin/bash 138 SHELL: /bin/bash
139 steps: 139 steps:
140 - name: Harden Runner 140 - name: Harden Runner
141 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 141 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
142 with: 142 with:
143 egress-policy: block 143 egress-policy: block
144 allowed-endpoints: > 144 allowed-endpoints: >
@@ -176,7 +176,7 @@ jobs:
176 SHELL: /bin/bash 176 SHELL: /bin/bash
177 steps: 177 steps:
178 - name: Harden Runner 178 - name: Harden Runner
179 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 179 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
180 with: 180 with:
181 egress-policy: block 181 egress-policy: block
182 allowed-endpoints: > 182 allowed-endpoints: >
@@ -216,7 +216,7 @@ jobs:
216 SHELL: /bin/bash 216 SHELL: /bin/bash
217 steps: 217 steps:
218 - name: Harden Runner 218 - name: Harden Runner
219 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 219 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
220 with: 220 with:
221 egress-policy: block 221 egress-policy: block
222 allowed-endpoints: > 222 allowed-endpoints: >
diff --git a/contrib/sort.py b/contrib/sort.py
index cdeecf99b..026384e1a 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -15,8 +15,8 @@ Usage: {path.basename(argv[0])} [/path/to/profile ...]
15 15
16The following commands are supported: 16The following commands are supported:
17 17
18 private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, 18 private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp,
19 seccomp.drop, protocol 19 seccomp.drop, seccomp.keep, protocol
20 20
21Note that this is only applicable to commands that support multiple arguments. 21Note that this is only applicable to commands that support multiple arguments.
22 22
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 264fc29b2..55aabbc73 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -192,6 +192,7 @@ blacklist ${HOME}/.VirtualBox
192blacklist ${HOME}/VirtualBox VMs 192blacklist ${HOME}/VirtualBox VMs
193 193
194# GNOME Boxes 194# GNOME Boxes
195blacklist ${HOME}/.cache/gnome-boxes
195blacklist ${HOME}/.config/gnome-boxes 196blacklist ${HOME}/.config/gnome-boxes
196blacklist ${HOME}/.local/share/gnome-boxes 197blacklist ${HOME}/.local/share/gnome-boxes
197 198
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e013872df..13b4b2078 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid
22blacklist ${HOME}/.TelegramDesktop 22blacklist ${HOME}/.TelegramDesktop
23blacklist ${HOME}/.VSCodium 23blacklist ${HOME}/.VSCodium
24blacklist ${HOME}/.ViberPC 24blacklist ${HOME}/.ViberPC
25blacklist ${HOME}/.VirtualBox
26blacklist ${HOME}/.WebStorm* 25blacklist ${HOME}/.WebStorm*
27blacklist ${HOME}/.Wolfram Research 26blacklist ${HOME}/.Wolfram Research
28blacklist ${HOME}/.ZAP 27blacklist ${HOME}/.ZAP
@@ -125,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie
125blacklist ${HOME}/.cache/gegl-0.4 124blacklist ${HOME}/.cache/gegl-0.4
126blacklist ${HOME}/.cache/gfeeds 125blacklist ${HOME}/.cache/gfeeds
127blacklist ${HOME}/.cache/gimp 126blacklist ${HOME}/.cache/gimp
128blacklist ${HOME}/.cache/gnome-boxes
129blacklist ${HOME}/.cache/gnome-builder 127blacklist ${HOME}/.cache/gnome-builder
130blacklist ${HOME}/.cache/gnome-control-center 128blacklist ${HOME}/.cache/gnome-control-center
131blacklist ${HOME}/.cache/gnome-recipes 129blacklist ${HOME}/.cache/gnome-recipes
@@ -223,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart
223blacklist ${HOME}/.cache/systemsettings 221blacklist ${HOME}/.cache/systemsettings
224blacklist ${HOME}/.cache/telepathy 222blacklist ${HOME}/.cache/telepathy
225blacklist ${HOME}/.cache/thunderbird 223blacklist ${HOME}/.cache/thunderbird
224blacklist ${HOME}/.cache/tiny-rdm
226blacklist ${HOME}/.cache/torbrowser 225blacklist ${HOME}/.cache/torbrowser
227blacklist ${HOME}/.cache/transmission 226blacklist ${HOME}/.cache/transmission
228blacklist ${HOME}/.cache/ueberzugpp 227blacklist ${HOME}/.cache/ueberzugpp
@@ -347,10 +346,10 @@ blacklist ${HOME}/.config/Slack
347blacklist ${HOME}/.config/Standard Notes 346blacklist ${HOME}/.config/Standard Notes
348blacklist ${HOME}/.config/SubDownloader 347blacklist ${HOME}/.config/SubDownloader
349blacklist ${HOME}/.config/Thunar 348blacklist ${HOME}/.config/Thunar
349blacklist ${HOME}/.config/TinyRDM
350blacklist ${HOME}/.config/Twitch 350blacklist ${HOME}/.config/Twitch
351blacklist ${HOME}/.config/Unknown Organization 351blacklist ${HOME}/.config/Unknown Organization
352blacklist ${HOME}/.config/VSCodium 352blacklist ${HOME}/.config/VSCodium
353blacklist ${HOME}/.config/VirtualBox
354blacklist ${HOME}/.config/Whalebird 353blacklist ${HOME}/.config/Whalebird
355blacklist ${HOME}/.config/Wire 354blacklist ${HOME}/.config/Wire
356blacklist ${HOME}/.config/Youtube 355blacklist ${HOME}/.config/Youtube
@@ -559,7 +558,6 @@ blacklist ${HOME}/.config/mpDris2
559blacklist ${HOME}/.config/mpd 558blacklist ${HOME}/.config/mpd
560blacklist ${HOME}/.config/mps-youtube 559blacklist ${HOME}/.config/mps-youtube
561blacklist ${HOME}/.config/mpv 560blacklist ${HOME}/.config/mpv
562blacklist ${HOME}/.config/msmtp
563blacklist ${HOME}/.config/mullvad-browser-flags.conf 561blacklist ${HOME}/.config/mullvad-browser-flags.conf
564blacklist ${HOME}/.config/mupen64plus 562blacklist ${HOME}/.config/mupen64plus
565blacklist ${HOME}/.config/mutt 563blacklist ${HOME}/.config/mutt
@@ -939,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie
939blacklist ${HOME}/.local/share/ghostwriter 937blacklist ${HOME}/.local/share/ghostwriter
940blacklist ${HOME}/.local/share/gitg 938blacklist ${HOME}/.local/share/gitg
941blacklist ${HOME}/.local/share/gnome-2048 939blacklist ${HOME}/.local/share/gnome-2048
942blacklist ${HOME}/.local/share/gnome-boxes
943blacklist ${HOME}/.local/share/gnome-builder 940blacklist ${HOME}/.local/share/gnome-builder
944blacklist ${HOME}/.local/share/gnome-chess 941blacklist ${HOME}/.local/share/gnome-chess
945blacklist ${HOME}/.local/share/gnome-klotski 942blacklist ${HOME}/.local/share/gnome-klotski
@@ -1019,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage
1019blacklist ${HOME}/.local/share/org.kde.gwenview 1016blacklist ${HOME}/.local/share/org.kde.gwenview
1020blacklist ${HOME}/.local/share/pix 1017blacklist ${HOME}/.local/share/pix
1021blacklist ${HOME}/.local/share/plasma_notes 1018blacklist ${HOME}/.local/share/plasma_notes
1019blacklist ${HOME}/.local/share/pnpm
1022blacklist ${HOME}/.local/share/profanity 1020blacklist ${HOME}/.local/share/profanity
1023blacklist ${HOME}/.local/share/psi 1021blacklist ${HOME}/.local/share/psi
1024blacklist ${HOME}/.local/share/psi+ 1022blacklist ${HOME}/.local/share/psi+
@@ -1084,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk
1084blacklist ${HOME}/.mpd 1082blacklist ${HOME}/.mpd
1085blacklist ${HOME}/.mpdconf 1083blacklist ${HOME}/.mpdconf
1086blacklist ${HOME}/.mplayer 1084blacklist ${HOME}/.mplayer
1087blacklist ${HOME}/.msmtprc
1088blacklist ${HOME}/.mullvad/mullvadbrowser 1085blacklist ${HOME}/.mullvad/mullvadbrowser
1089blacklist ${HOME}/.multimc5 1086blacklist ${HOME}/.multimc5
1090blacklist ${HOME}/.nanorc 1087blacklist ${HOME}/.nanorc
@@ -1233,7 +1230,6 @@ blacklist ${RUNUSER}/*firefox*
1233blacklist ${RUNUSER}/akonadi 1230blacklist ${RUNUSER}/akonadi
1234blacklist ${RUNUSER}/psd/*firefox* 1231blacklist ${RUNUSER}/psd/*firefox*
1235blacklist ${RUNUSER}/qutebrowser 1232blacklist ${RUNUSER}/qutebrowser
1236blacklist /etc/msmtprc
1237blacklist /etc/ssmtp 1233blacklist /etc/ssmtp
1238blacklist /tmp/.wine-* 1234blacklist /tmp/.wine-*
1239blacklist /tmp/akonadi-* 1235blacklist /tmp/akonadi-*
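Review bot: The removals of `blacklist ${HOME}/.config/msmtp`, `blacklist ${HOME}/.msmtprc` and `blacklist /etc/msmtprc` (the hunks at old lines 562, 1087 and 1236) have no matching addition anywhere in this commit; the disable-common.inc hunk adds only the gnome-boxes cache path, while the .VirtualBox and gnome-boxes removals at least have counterparts visible there. msmtp configuration files carry SMTP credentials, so unless they were already moved to disable-common.inc in an earlier commit, every profile that obtained those entries through disable-programs.inc now leaves them readable. If they were moved earlier, a one-line mention in the commit message would make that clear.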
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 9fc73ee55..7651c5d32 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -1,4 +1,5 @@
1# Firejail profile for clamtk 1# Firejail profile for clamtk
2# Description: Easy to use, light-weight, on-demand virus scanner for Linux systems
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include clamtk.local 5include clamtk.local
@@ -7,15 +8,22 @@ include globals.local
7 8
8include disable-exec.inc 9include disable-exec.inc
9 10
11# Add the below lines to your clamtk.local if you update signatures databases per-user:
12#ignore net none
13#netfilter
14#protocol inet,inet6
15
10caps.drop all 16caps.drop all
11ipc-namespace 17ipc-namespace
12net none 18net none
13no3d 19no3d
14nodvd 20nodvd
15nogroups 21# nogroups breaks scanning
22#nogroups
16noinput 23noinput
17nonewprivs 24nonewprivs
18noroot 25# noroot breaks scanning
26#noroot
19nosound 27nosound
20notv 28notv
21nou2f 29nou2f
@@ -25,7 +33,9 @@ seccomp
25 33
26private-dev 34private-dev
27 35
28dbus-user none 36dbus-user filter
37dbus-user.talk ca.desrt.dconf
38dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
29dbus-system none 39dbus-system none
30 40
31restrict-namespaces 41restrict-namespaces
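Review bot: The comments `# nogroups breaks scanning` and `# noroot breaks scanning` record the symptom but not the cause, and the cause is what the next person tempted to re-enable these lines needs, since leaving `noroot` and `nogroups` out widens the sandbox relative to the previous profile. If the failure mode is known, extend each comment with it, e.g. `# noroot breaks scanning (<observed error or reason>)`; if it was found by trial, say so, `# noroot breaks scanning (cause not identified)`. The same applies to the `dbus-user none` to `dbus-user filter` change, where a word on why dconf and the UDisks2 volume monitor are needed would help.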
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index a4fcae5b8..6e7d8f91d 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -11,6 +11,7 @@ mkdir ${HOME}/.config/discord
11whitelist ${HOME}/.config/discord 11whitelist ${HOME}/.config/discord
12whitelist /opt/Discord 12whitelist /opt/Discord
13whitelist /opt/discord 13whitelist /opt/discord
14whitelist /usr/share/discord
14 15
15private-bin discord,Discord 16private-bin discord,Discord
16 17
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 133d66f0d..f59094567 100644
--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -2,7 +2,7 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3quiet 3quiet
4# Persistent local customizations 4# Persistent local customizations
5include clamav.local 5include freshclam.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4c463521c..f301196c6 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
7# added by caller profile 7# added by caller profile
8#include globals.local 8#include globals.local
9 9
10# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts 10# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
11# using the `#!/usr/bin/env node` shebang. By sandboxing node the full 11# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
12# node.js stack will be firejailed. The only exception is nvm, which is implemented 12# node.js stack will be firejailed. The only exception is nvm, which is implemented
13# as a sourced shell function, not an executable binary. Hence it is not 13# as a sourced shell function, not an executable binary. Hence it is not
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc
22ignore read-only ${HOME}/.nvm 22ignore read-only ${HOME}/.nvm
23ignore read-only ${HOME}/.yarnrc 23ignore read-only ${HOME}/.yarnrc
24 24
25noblacklist ${HOME}/.local/share/pnpm
25noblacklist ${HOME}/.node-gyp 26noblacklist ${HOME}/.node-gyp
26noblacklist ${HOME}/.npm 27noblacklist ${HOME}/.npm
27noblacklist ${HOME}/.npmrc 28noblacklist ${HOME}/.npmrc
@@ -43,6 +44,7 @@ include disable-xdg.inc
43 44
44# If you want whitelisting, change ${HOME}/Projects below to your node projects directory 45# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
45# and add the next lines to your nodejs-common.local. 46# and add the next lines to your nodejs-common.local.
47#mkdir ${HOME}/.local/share/pnpm
46#mkdir ${HOME}/.node-gyp 48#mkdir ${HOME}/.node-gyp
47#mkdir ${HOME}/.npm 49#mkdir ${HOME}/.npm
48#mkdir ${HOME}/.npm-packages 50#mkdir ${HOME}/.npm-packages
@@ -52,6 +54,7 @@ include disable-xdg.inc
52#mkdir ${HOME}/.yarn-config 54#mkdir ${HOME}/.yarn-config
53#mkdir ${HOME}/.yarncache 55#mkdir ${HOME}/.yarncache
54#mkfile ${HOME}/.yarnrc 56#mkfile ${HOME}/.yarnrc
57#whitelist ${HOME}/.local/share/pnpm
55#whitelist ${HOME}/.node-gyp 58#whitelist ${HOME}/.node-gyp
56#whitelist ${HOME}/.npm 59#whitelist ${HOME}/.npm
57#whitelist ${HOME}/.npm-packages 60#whitelist ${HOME}/.npm-packages
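--- /dev/null
+++ b/etc/profile-m-z/pnpm.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpm
+# Description: Fast, disk space efficient package manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpm.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile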
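--- /dev/null
+++ b/etc/profile-m-z/pnpx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile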
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 5babfb8d2..c0293406d 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
26include whitelist-run-common.inc 26include whitelist-run-common.inc
27include whitelist-runuser-common.inc 27include whitelist-runuser-common.inc
28whitelist /usr/share/tessdata 28whitelist /usr/share/tessdata
29whitelist /usr/share/tesseract-ocr
29include whitelist-usr-share-common.inc 30include whitelist-usr-share-common.inc
30include whitelist-var-common.inc 31include whitelist-var-common.inc
31 32
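--- /dev/null
+++ b/etc/profile-m-z/tiny-rdm.profile
@@ -0,0 +1,61 @@
+# Firejail profile for tiny-rdm
+# Description: A Modern Redis GUI Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tiny-rdm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/tiny-rdm
+noblacklist ${HOME}/.config/TinyRDM
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-proc.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/tiny-rdm
+mkdir ${HOME}/.config/TinyRDM
+whitelist ${HOME}/.cache/tiny-rdm
+whitelist ${HOME}/.config/TinyRDM
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+nosound
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin tiny-rdm
+private-cache
+private-dev
+private-etc @network,@tls-ca,@x11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces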
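Review bot: `nosound` is placed after `novideo`, which breaks the alphabetical order the rest of that block (`no3d` … `novideo`) follows; move it to sit between `noroot` and `notv`. This is purely a style point, but it is the ordering the other profiles in the tree use and the profile checks in CI may flag it.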
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index a56e8a91b..84fe44d73 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -277,7 +277,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
277 277
278 // don't copy it if we already have the file 278 // don't copy it if we already have the file
279 struct stat s; 279 struct stat s;
280 if (stat(outfname, &s) == 0) { 280 if (lstat(outfname, &s) == 0) {
281 if (first) 281 if (first)
282 first = 0; 282 first = 0;
283 else if (!arg_quiet) 283 else if (!arg_quiet)
@@ -286,7 +286,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
286 } 286 }
287 287
288 // extract mode and ownership 288 // extract mode and ownership
289 if (stat(infname, &s) != 0) 289 if (lstat(infname, &s) != 0)
290 goto out; 290 goto out;
291 291
292 uid_t uid = s.st_uid; 292 uid_t uid = s.st_uid;
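Review bot: With `lstat(infname, &s)` in the second hunk, a symbolic link at infname now yields the link's own `st_mode` and ownership rather than the target's, so the `uid`/`gid` read just below and whatever mode handling follows will reflect the link; that is correct if the copy step recreates the link, but if it writes the target's content the mode and ownership applied to the copy should be checked against what is intended. The first hunk's change is the safer one: the existence check on outfname no longer follows a link placed there, so a dangling or foreign link no longer redirects the check to another path. fs_copydir starts and ends outside these hunks, so the mode application could not be verified here.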
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 19c3166fa..558fe51ed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -834,6 +834,7 @@ thunderbird-beta
834thunderbird-wayland 834thunderbird-wayland
835tidal-hifi 835tidal-hifi
836tilp 836tilp
837tiny-rdm
837tor-browser 838tor-browser
838tor-browser-ar 839tor-browser-ar
839tor-browser-ca 840tor-browser-ca
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index f2ab1c188..6dc4904fc 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
154 154
155 // file size 155 // file size
156 char *sz; 156 char *sz;
157 if (asprintf(&sz, "%d", (int) s.st_size) == -1) 157 if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1)
158 errExit("asprintf"); 158 errExit("asprintf");
159 159
160 // file name 160 // file name
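Review bot: `intmax_t` and `%jd` require `<stdint.h>` (or `<inttypes.h>`) to be in scope, and the include block of ls.c is outside this hunk; confirm the file includes one of them directly rather than relying on a transitive include, since that is what makes the cast portable across the off_t widths this fix targets. The cast-to-intmax_t plus `%jd` pairing is the standard-conforming way to print `st_size`, so the change itself is right.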