diff options
| -rw-r--r-- | .github/workflows/build-extra.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/build.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/check-c.yml | 12 | ||||
| -rw-r--r-- | .github/workflows/check-profiles.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/check-python.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/codespell.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/test.yml | 10 | ||||
| -rw-r--r-- | etc/inc/disable-programs.inc | 2 | ||||
| -rw-r--r-- | etc/profile-a-l/clamtk.profile | 16 | ||||
| -rw-r--r-- | etc/profile-a-l/discord.profile | 1 | ||||
| -rw-r--r-- | etc/profile-a-l/freshclam.profile | 2 | ||||
| -rw-r--r-- | etc/profile-a-l/lutris.profile | 2 | ||||
| -rw-r--r-- | etc/profile-m-z/steam.profile | 2 | ||||
| -rw-r--r-- | etc/profile-m-z/tesseract.profile | 1 | ||||
| -rw-r--r-- | etc/profile-m-z/tiny-rdm.profile | 61 | ||||
| -rw-r--r-- | src/fcopy/main.c | 4 | ||||
| -rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
| -rw-r--r-- | src/firejail/ls.c | 2 |
18 files changed, 105 insertions, 27 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 7fb51e92f..6c2905e43 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
| @@ -43,7 +43,7 @@ jobs: | |||
| 43 | runs-on: ubuntu-22.04 | 43 | runs-on: ubuntu-22.04 |
| 44 | steps: | 44 | steps: |
| 45 | - name: Harden Runner | 45 | - name: Harden Runner |
| 46 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 46 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 47 | with: | 47 | with: |
| 48 | egress-policy: block | 48 | egress-policy: block |
| 49 | allowed-endpoints: > | 49 | allowed-endpoints: > |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5eb84a843..ae1aef039 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
| @@ -59,7 +59,7 @@ jobs: | |||
| 59 | runs-on: ubuntu-22.04 | 59 | runs-on: ubuntu-22.04 |
| 60 | steps: | 60 | steps: |
| 61 | - name: Harden Runner | 61 | - name: Harden Runner |
| 62 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 62 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 63 | with: | 63 | with: |
| 64 | egress-policy: block | 64 | egress-policy: block |
| 65 | allowed-endpoints: > | 65 | allowed-endpoints: > |
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 2658ce1d1..496efb76c 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml | |||
| @@ -45,7 +45,7 @@ jobs: | |||
| 45 | runs-on: ubuntu-22.04 | 45 | runs-on: ubuntu-22.04 |
| 46 | steps: | 46 | steps: |
| 47 | - name: Harden Runner | 47 | - name: Harden Runner |
| 48 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 48 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 49 | with: | 49 | with: |
| 50 | egress-policy: block | 50 | egress-policy: block |
| 51 | allowed-endpoints: > | 51 | allowed-endpoints: > |
| @@ -76,7 +76,7 @@ jobs: | |||
| 76 | runs-on: ubuntu-22.04 | 76 | runs-on: ubuntu-22.04 |
| 77 | steps: | 77 | steps: |
| 78 | - name: Harden Runner | 78 | - name: Harden Runner |
| 79 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 79 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 80 | with: | 80 | with: |
| 81 | egress-policy: block | 81 | egress-policy: block |
| 82 | allowed-endpoints: > | 82 | allowed-endpoints: > |
| @@ -103,7 +103,7 @@ jobs: | |||
| 103 | runs-on: ubuntu-20.04 | 103 | runs-on: ubuntu-20.04 |
| 104 | steps: | 104 | steps: |
| 105 | - name: Harden Runner | 105 | - name: Harden Runner |
| 106 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 106 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 107 | with: | 107 | with: |
| 108 | egress-policy: block | 108 | egress-policy: block |
| 109 | allowed-endpoints: > | 109 | allowed-endpoints: > |
| @@ -132,7 +132,7 @@ jobs: | |||
| 132 | 132 | ||
| 133 | steps: | 133 | steps: |
| 134 | - name: Harden Runner | 134 | - name: Harden Runner |
| 135 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 135 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 136 | with: | 136 | with: |
| 137 | disable-sudo: true | 137 | disable-sudo: true |
| 138 | egress-policy: block | 138 | egress-policy: block |
| @@ -150,7 +150,7 @@ jobs: | |||
| 150 | 150 | ||
| 151 | # Initializes the CodeQL tools for scanning. | 151 | # Initializes the CodeQL tools for scanning. |
| 152 | - name: Initialize CodeQL | 152 | - name: Initialize CodeQL |
| 153 | uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 | 153 | uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b |
| 154 | with: | 154 | with: |
| 155 | languages: cpp | 155 | languages: cpp |
| 156 | 156 | ||
| @@ -161,4 +161,4 @@ jobs: | |||
| 161 | run: make -j "$(nproc)" | 161 | run: make -j "$(nproc)" |
| 162 | 162 | ||
| 163 | - name: Perform CodeQL Analysis | 163 | - name: Perform CodeQL Analysis |
| 164 | uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 | 164 | uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b |
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index f1b69ec47..b5490c944 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml | |||
| @@ -31,7 +31,7 @@ jobs: | |||
| 31 | runs-on: ubuntu-latest | 31 | runs-on: ubuntu-latest |
| 32 | steps: | 32 | steps: |
| 33 | - name: Harden Runner | 33 | - name: Harden Runner |
| 34 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 34 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 35 | with: | 35 | with: |
| 36 | disable-sudo: true | 36 | disable-sudo: true |
| 37 | egress-policy: block | 37 | egress-policy: block |
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 0581da320..535b9234b 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml | |||
| @@ -30,7 +30,7 @@ jobs: | |||
| 30 | 30 | ||
| 31 | steps: | 31 | steps: |
| 32 | - name: Harden Runner | 32 | - name: Harden Runner |
| 33 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 33 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 34 | with: | 34 | with: |
| 35 | disable-sudo: true | 35 | disable-sudo: true |
| 36 | egress-policy: block | 36 | egress-policy: block |
| @@ -50,9 +50,9 @@ jobs: | |||
| 50 | 50 | ||
| 51 | # Initializes the CodeQL tools for scanning. | 51 | # Initializes the CodeQL tools for scanning. |
| 52 | - name: Initialize CodeQL | 52 | - name: Initialize CodeQL |
| 53 | uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 | 53 | uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b |
| 54 | with: | 54 | with: |
| 55 | languages: python | 55 | languages: python |
| 56 | 56 | ||
| 57 | - name: Perform CodeQL Analysis | 57 | - name: Perform CodeQL Analysis |
| 58 | uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 | 58 | uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b |
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 3da4411cc..f3c512c3e 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml | |||
| @@ -23,7 +23,7 @@ jobs: | |||
| 23 | runs-on: ubuntu-22.04 | 23 | runs-on: ubuntu-22.04 |
| 24 | steps: | 24 | steps: |
| 25 | - name: Harden Runner | 25 | - name: Harden Runner |
| 26 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 26 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 27 | with: | 27 | with: |
| 28 | egress-policy: block | 28 | egress-policy: block |
| 29 | allowed-endpoints: > | 29 | allowed-endpoints: > |
| @@ -38,6 +38,8 @@ jobs: | |||
| 38 | run: sudo apt-get update -qy | 38 | run: sudo apt-get update -qy |
| 39 | - name: install dependencies | 39 | - name: install dependencies |
| 40 | run: sudo apt-get install -qy codespell | 40 | run: sudo apt-get install -qy codespell |
| 41 | - name: print env | ||
| 42 | run: ./ci/printenv.sh | ||
| 41 | - name: configure | 43 | - name: configure |
| 42 | run: ./configure || (cat config.log; exit 1) | 44 | run: ./configure || (cat config.log; exit 1) |
| 43 | - run: codespell --version | 45 | - run: codespell --version |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a63abafcb..0a6069a5c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml | |||
| @@ -53,7 +53,7 @@ jobs: | |||
| 53 | SHELL: /bin/bash | 53 | SHELL: /bin/bash |
| 54 | steps: | 54 | steps: |
| 55 | - name: Harden Runner | 55 | - name: Harden Runner |
| 56 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 56 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 57 | with: | 57 | with: |
| 58 | egress-policy: block | 58 | egress-policy: block |
| 59 | allowed-endpoints: > | 59 | allowed-endpoints: > |
| @@ -100,7 +100,7 @@ jobs: | |||
| 100 | SHELL: /bin/bash | 100 | SHELL: /bin/bash |
| 101 | steps: | 101 | steps: |
| 102 | - name: Harden Runner | 102 | - name: Harden Runner |
| 103 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 103 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 104 | with: | 104 | with: |
| 105 | egress-policy: block | 105 | egress-policy: block |
| 106 | allowed-endpoints: > | 106 | allowed-endpoints: > |
| @@ -138,7 +138,7 @@ jobs: | |||
| 138 | SHELL: /bin/bash | 138 | SHELL: /bin/bash |
| 139 | steps: | 139 | steps: |
| 140 | - name: Harden Runner | 140 | - name: Harden Runner |
| 141 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 141 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 142 | with: | 142 | with: |
| 143 | egress-policy: block | 143 | egress-policy: block |
| 144 | allowed-endpoints: > | 144 | allowed-endpoints: > |
| @@ -176,7 +176,7 @@ jobs: | |||
| 176 | SHELL: /bin/bash | 176 | SHELL: /bin/bash |
| 177 | steps: | 177 | steps: |
| 178 | - name: Harden Runner | 178 | - name: Harden Runner |
| 179 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 179 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 180 | with: | 180 | with: |
| 181 | egress-policy: block | 181 | egress-policy: block |
| 182 | allowed-endpoints: > | 182 | allowed-endpoints: > |
| @@ -216,7 +216,7 @@ jobs: | |||
| 216 | SHELL: /bin/bash | 216 | SHELL: /bin/bash |
| 217 | steps: | 217 | steps: |
| 218 | - name: Harden Runner | 218 | - name: Harden Runner |
| 219 | uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 | 219 | uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 |
| 220 | with: | 220 | with: |
| 221 | egress-policy: block | 221 | egress-policy: block |
| 222 | allowed-endpoints: > | 222 | allowed-endpoints: > |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 5a61bd448..13b4b2078 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
| @@ -221,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart | |||
| 221 | blacklist ${HOME}/.cache/systemsettings | 221 | blacklist ${HOME}/.cache/systemsettings |
| 222 | blacklist ${HOME}/.cache/telepathy | 222 | blacklist ${HOME}/.cache/telepathy |
| 223 | blacklist ${HOME}/.cache/thunderbird | 223 | blacklist ${HOME}/.cache/thunderbird |
| 224 | blacklist ${HOME}/.cache/tiny-rdm | ||
| 224 | blacklist ${HOME}/.cache/torbrowser | 225 | blacklist ${HOME}/.cache/torbrowser |
| 225 | blacklist ${HOME}/.cache/transmission | 226 | blacklist ${HOME}/.cache/transmission |
| 226 | blacklist ${HOME}/.cache/ueberzugpp | 227 | blacklist ${HOME}/.cache/ueberzugpp |
| @@ -345,6 +346,7 @@ blacklist ${HOME}/.config/Slack | |||
| 345 | blacklist ${HOME}/.config/Standard Notes | 346 | blacklist ${HOME}/.config/Standard Notes |
| 346 | blacklist ${HOME}/.config/SubDownloader | 347 | blacklist ${HOME}/.config/SubDownloader |
| 347 | blacklist ${HOME}/.config/Thunar | 348 | blacklist ${HOME}/.config/Thunar |
| 349 | blacklist ${HOME}/.config/TinyRDM | ||
| 348 | blacklist ${HOME}/.config/Twitch | 350 | blacklist ${HOME}/.config/Twitch |
| 349 | blacklist ${HOME}/.config/Unknown Organization | 351 | blacklist ${HOME}/.config/Unknown Organization |
| 350 | blacklist ${HOME}/.config/VSCodium | 352 | blacklist ${HOME}/.config/VSCodium |
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile index 9fc73ee55..7651c5d32 100644 --- a/etc/profile-a-l/clamtk.profile +++ b/etc/profile-a-l/clamtk.profile | |||
| @@ -1,4 +1,5 @@ | |||
| 1 | # Firejail profile for clamtk | 1 | # Firejail profile for clamtk |
| 2 | # Description: Easy to use, light-weight, on-demand virus scanner for Linux systems | ||
| 2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 3 | # Persistent local customizations | 4 | # Persistent local customizations |
| 4 | include clamtk.local | 5 | include clamtk.local |
| @@ -7,15 +8,22 @@ include globals.local | |||
| 7 | 8 | ||
| 8 | include disable-exec.inc | 9 | include disable-exec.inc |
| 9 | 10 | ||
| 11 | # Add the below lines to your clamtk.local if you update signatures databases per-user: | ||
| 12 | #ignore net none | ||
| 13 | #netfilter | ||
| 14 | #protocol inet,inet6 | ||
| 15 | |||
| 10 | caps.drop all | 16 | caps.drop all |
| 11 | ipc-namespace | 17 | ipc-namespace |
| 12 | net none | 18 | net none |
| 13 | no3d | 19 | no3d |
| 14 | nodvd | 20 | nodvd |
| 15 | nogroups | 21 | # nogroups breaks scanning |
| 22 | #nogroups | ||
| 16 | noinput | 23 | noinput |
| 17 | nonewprivs | 24 | nonewprivs |
| 18 | noroot | 25 | # noroot breaks scanning |
| 26 | #noroot | ||
| 19 | nosound | 27 | nosound |
| 20 | notv | 28 | notv |
| 21 | nou2f | 29 | nou2f |
| @@ -25,7 +33,9 @@ seccomp | |||
| 25 | 33 | ||
| 26 | private-dev | 34 | private-dev |
| 27 | 35 | ||
| 28 | dbus-user none | 36 | dbus-user filter |
| 37 | dbus-user.talk ca.desrt.dconf | ||
| 38 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor | ||
| 29 | dbus-system none | 39 | dbus-system none |
| 30 | 40 | ||
| 31 | restrict-namespaces | 41 | restrict-namespaces |
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile index d52683658..9776b41d5 100644 --- a/etc/profile-a-l/discord.profile +++ b/etc/profile-a-l/discord.profile | |||
| @@ -11,6 +11,7 @@ mkdir ${HOME}/.config/discord | |||
| 11 | whitelist ${HOME}/.config/discord | 11 | whitelist ${HOME}/.config/discord |
| 12 | whitelist /opt/Discord | 12 | whitelist /opt/Discord |
| 13 | whitelist /opt/discord | 13 | whitelist /opt/discord |
| 14 | whitelist /usr/share/discord | ||
| 14 | 15 | ||
| 15 | private-bin Discord,discord | 16 | private-bin Discord,discord |
| 16 | 17 | ||
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile index 133d66f0d..f59094567 100644 --- a/etc/profile-a-l/freshclam.profile +++ b/etc/profile-a-l/freshclam.profile | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
| 3 | quiet | 3 | quiet |
| 4 | # Persistent local customizations | 4 | # Persistent local customizations |
| 5 | include clamav.local | 5 | include freshclam.local |
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index c3497c3bd..2f22df3a1 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile | |||
| @@ -69,7 +69,7 @@ notv | |||
| 69 | nou2f | 69 | nou2f |
| 70 | novideo | 70 | novideo |
| 71 | protocol unix,inet,inet6,netlink | 71 | protocol unix,inet,inet6,netlink |
| 72 | seccomp !modify_ldt | 72 | seccomp !clone3,modify_ldt,!process_vm_readv,!ptrace |
| 73 | seccomp.32 !modify_ldt | 73 | seccomp.32 !modify_ldt |
| 74 | 74 | ||
| 75 | # Add the next line to your lutris.local if you do not need controller support. | 75 | # Add the next line to your lutris.local if you do not need controller support. |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 34cb3631a..41de746dd 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
| @@ -163,7 +163,7 @@ protocol unix,inet,inet6,netlink | |||
| 163 | # Add 'ignore seccomp' to your steam.local if you experience this. | 163 | # Add 'ignore seccomp' to your steam.local if you experience this. |
| 164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 | 164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 |
| 165 | # (see #4366). | 165 | # (see #4366). |
| 166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2 | 166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2 |
| 167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). | 167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). |
| 168 | seccomp.32 !process_vm_readv | 168 | seccomp.32 !process_vm_readv |
| 169 | # tracelog breaks integrated browser | 169 | # tracelog breaks integrated browser |
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile index 5babfb8d2..c0293406d 100644 --- a/etc/profile-m-z/tesseract.profile +++ b/etc/profile-m-z/tesseract.profile | |||
| @@ -26,6 +26,7 @@ include whitelist-common.inc | |||
| 26 | include whitelist-run-common.inc | 26 | include whitelist-run-common.inc |
| 27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
| 28 | whitelist /usr/share/tessdata | 28 | whitelist /usr/share/tessdata |
| 29 | whitelist /usr/share/tesseract-ocr | ||
| 29 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
| 30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
| 31 | 32 | ||
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile new file mode 100644 index 000000000..4134d666c --- /dev/null +++ b/etc/profile-m-z/tiny-rdm.profile | |||
| @@ -0,0 +1,61 @@ | |||
| 1 | # Firejail profile for tiny-rdm | ||
| 2 | # Description: A Modern Redis GUI Client | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include tiny-rdm.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | noblacklist ${HOME}/.cache/tiny-rdm | ||
| 10 | noblacklist ${HOME}/.config/TinyRDM | ||
| 11 | |||
| 12 | include disable-common.inc | ||
| 13 | include disable-devel.inc | ||
| 14 | include disable-exec.inc | ||
| 15 | include disable-interpreters.inc | ||
| 16 | include disable-programs.inc | ||
| 17 | include disable-proc.inc | ||
| 18 | include disable-shell.inc | ||
| 19 | include disable-xdg.inc | ||
| 20 | |||
| 21 | mkdir ${HOME}/.cache/tiny-rdm | ||
| 22 | mkdir ${HOME}/.config/TinyRDM | ||
| 23 | whitelist ${HOME}/.cache/tiny-rdm | ||
| 24 | whitelist ${HOME}/.config/TinyRDM | ||
| 25 | include whitelist-common.inc | ||
| 26 | include whitelist-run-common.inc | ||
| 27 | include whitelist-runuser-common.inc | ||
| 28 | include whitelist-usr-share-common.inc | ||
| 29 | include whitelist-var-common.inc | ||
| 30 | |||
| 31 | apparmor | ||
| 32 | caps.drop all | ||
| 33 | ipc-namespace | ||
| 34 | netfilter | ||
| 35 | no3d | ||
| 36 | nodvd | ||
| 37 | nogroups | ||
| 38 | noinput | ||
| 39 | nonewprivs | ||
| 40 | noprinters | ||
| 41 | noroot | ||
| 42 | notv | ||
| 43 | nou2f | ||
| 44 | novideo | ||
| 45 | nosound | ||
| 46 | protocol unix,inet,inet6 | ||
| 47 | seccomp | ||
| 48 | seccomp.block-secondary | ||
| 49 | tracelog | ||
| 50 | |||
| 51 | disable-mnt | ||
| 52 | private-bin tiny-rdm | ||
| 53 | private-cache | ||
| 54 | private-dev | ||
| 55 | private-etc @network,@tls-ca,@x11 | ||
| 56 | private-tmp | ||
| 57 | |||
| 58 | dbus-user none | ||
| 59 | dbus-system none | ||
| 60 | |||
| 61 | restrict-namespaces | ||
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index a56e8a91b..84fe44d73 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
| @@ -277,7 +277,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str | |||
| 277 | 277 | ||
| 278 | // don't copy it if we already have the file | 278 | // don't copy it if we already have the file |
| 279 | struct stat s; | 279 | struct stat s; |
| 280 | if (stat(outfname, &s) == 0) { | 280 | if (lstat(outfname, &s) == 0) { |
| 281 | if (first) | 281 | if (first) |
| 282 | first = 0; | 282 | first = 0; |
| 283 | else if (!arg_quiet) | 283 | else if (!arg_quiet) |
| @@ -286,7 +286,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str | |||
| 286 | } | 286 | } |
| 287 | 287 | ||
| 288 | // extract mode and ownership | 288 | // extract mode and ownership |
| 289 | if (stat(infname, &s) != 0) | 289 | if (lstat(infname, &s) != 0) |
| 290 | goto out; | 290 | goto out; |
| 291 | 291 | ||
| 292 | uid_t uid = s.st_uid; | 292 | uid_t uid = s.st_uid; |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 19c3166fa..558fe51ed 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
| @@ -834,6 +834,7 @@ thunderbird-beta | |||
| 834 | thunderbird-wayland | 834 | thunderbird-wayland |
| 835 | tidal-hifi | 835 | tidal-hifi |
| 836 | tilp | 836 | tilp |
| 837 | tiny-rdm | ||
| 837 | tor-browser | 838 | tor-browser |
| 838 | tor-browser-ar | 839 | tor-browser-ar |
| 839 | tor-browser-ca | 840 | tor-browser-ca |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index f2ab1c188..6dc4904fc 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
| @@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) { | |||
| 154 | 154 | ||
| 155 | // file size | 155 | // file size |
| 156 | char *sz; | 156 | char *sz; |
| 157 | if (asprintf(&sz, "%d", (int) s.st_size) == -1) | 157 | if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1) |
| 158 | errExit("asprintf"); | 158 | errExit("asprintf"); |
| 159 | 159 | ||
| 160 | // file name | 160 | // file name |