64 files changed, 653 insertions, 180 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index fc74640d4..37056a1ce 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -22,7 +22,7 @@ _Describe the bug_ | |||
22 | 22 | ||
23 | _Steps to reproduce the behavior_ | 23 | _Steps to reproduce the behavior_ |
24 | 24 | ||
25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent | 25 | 1. Run in bash `LC_ALL=C firejail /path/to/program` (`LC_ALL=C` to get a consistent |
26 | output in English that can be understood by everybody) | 26 | output in English that can be understood by everybody) |
27 | 2. Click on '....' | 27 | 2. Click on '....' |
28 | 3. Scroll down to '....' | 28 | 3. Scroll down to '....' |
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 30242923d..7335f1eb2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml | |||
@@ -3,5 +3,5 @@ updates: | |||
3 | - package-ecosystem: "github-actions" | 3 | - package-ecosystem: "github-actions" |
4 | directory: "/" | 4 | directory: "/" |
5 | schedule: | 5 | schedule: |
6 | interval: "weekly" | 6 | interval: "monthly" |
7 | open-pull-requests-limit: 2 | 7 | open-pull-requests-limit: 4 |
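Review bot: Moving `interval` from `weekly` to `monthly` (new line 6) means a fix released for one of the SHA-pinned actions in `.github/workflows` can wait up to a month before Dependabot opens a PR; `harden-runner`, `checkout` and `codeql-action` are all on that cadence. If the goal is to cut PR noise, the higher `open-pull-requests-limit: 4` already helps, so consider keeping a shorter interval for the security-relevant actions or recording the tradeoff in the file, e.g. `# Monthly to reduce PR churn; pinned action SHAs are refreshed on this cadence.`. Whether Dependabot security updates cover the github-actions ecosystem for this repository is not visible here and would decide how much this delay matters.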
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 97a7b20d1..72ba685b5 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -44,7 +44,7 @@ jobs: | |||
44 | timeout-minutes: 10 | 44 | timeout-minutes: 10 |
45 | steps: | 45 | steps: |
46 | - name: Harden Runner | 46 | - name: Harden Runner |
47 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 47 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
48 | with: | 48 | with: |
49 | egress-policy: block | 49 | egress-policy: block |
50 | allowed-endpoints: > | 50 | allowed-endpoints: > |
@@ -52,7 +52,7 @@ jobs: | |||
52 | github.com:443 | 52 | github.com:443 |
53 | packages.microsoft.com:443 | 53 | packages.microsoft.com:443 |
54 | ppa.launchpadcontent.net:443 | 54 | ppa.launchpadcontent.net:443 |
55 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 55 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
56 | - name: update package information | 56 | - name: update package information |
57 | run: sudo apt-get update -qy | 57 | run: sudo apt-get update -qy |
58 | - name: install dependencies | 58 | - name: install dependencies |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 93a115daa..b4ae7a2e9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -60,7 +60,7 @@ jobs: | |||
60 | timeout-minutes: 10 | 60 | timeout-minutes: 10 |
61 | steps: | 61 | steps: |
62 | - name: Harden Runner | 62 | - name: Harden Runner |
63 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 63 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
64 | with: | 64 | with: |
65 | egress-policy: block | 65 | egress-policy: block |
66 | allowed-endpoints: > | 66 | allowed-endpoints: > |
@@ -68,7 +68,7 @@ jobs: | |||
68 | github.com:443 | 68 | github.com:443 |
69 | packages.microsoft.com:443 | 69 | packages.microsoft.com:443 |
70 | ppa.launchpadcontent.net:443 | 70 | ppa.launchpadcontent.net:443 |
71 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 71 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
72 | - name: update package information | 72 | - name: update package information |
73 | run: sudo apt-get update -qy | 73 | run: sudo apt-get update -qy |
74 | - name: install dependencies | 74 | - name: install dependencies |
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 03955b3f9..c41c67798 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml | |||
@@ -46,7 +46,7 @@ jobs: | |||
46 | timeout-minutes: 10 | 46 | timeout-minutes: 10 |
47 | steps: | 47 | steps: |
48 | - name: Harden Runner | 48 | - name: Harden Runner |
49 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 49 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
50 | with: | 50 | with: |
51 | egress-policy: block | 51 | egress-policy: block |
52 | allowed-endpoints: > | 52 | allowed-endpoints: > |
@@ -56,7 +56,7 @@ jobs: | |||
56 | packages.microsoft.com:443 | 56 | packages.microsoft.com:443 |
57 | ppa.launchpadcontent.net:443 | 57 | ppa.launchpadcontent.net:443 |
58 | security.ubuntu.com:80 | 58 | security.ubuntu.com:80 |
59 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 59 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
60 | - name: update package information | 60 | - name: update package information |
61 | run: sudo apt-get update -qy | 61 | run: sudo apt-get update -qy |
62 | - name: install clang-tools-14 and dependencies | 62 | - name: install clang-tools-14 and dependencies |
@@ -79,7 +79,7 @@ jobs: | |||
79 | timeout-minutes: 10 | 79 | timeout-minutes: 10 |
80 | steps: | 80 | steps: |
81 | - name: Harden Runner | 81 | - name: Harden Runner |
82 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 82 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
83 | with: | 83 | with: |
84 | egress-policy: block | 84 | egress-policy: block |
85 | allowed-endpoints: > | 85 | allowed-endpoints: > |
@@ -89,7 +89,7 @@ jobs: | |||
89 | packages.microsoft.com:443 | 89 | packages.microsoft.com:443 |
90 | ppa.launchpadcontent.net:443 | 90 | ppa.launchpadcontent.net:443 |
91 | security.ubuntu.com:80 | 91 | security.ubuntu.com:80 |
92 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 92 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
93 | - name: update package information | 93 | - name: update package information |
94 | run: sudo apt-get update -qy | 94 | run: sudo apt-get update -qy |
95 | - name: install cppcheck | 95 | - name: install cppcheck |
@@ -109,7 +109,7 @@ jobs: | |||
109 | timeout-minutes: 10 | 109 | timeout-minutes: 10 |
110 | steps: | 110 | steps: |
111 | - name: Harden Runner | 111 | - name: Harden Runner |
112 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 112 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
113 | with: | 113 | with: |
114 | egress-policy: block | 114 | egress-policy: block |
115 | allowed-endpoints: > | 115 | allowed-endpoints: > |
@@ -120,7 +120,7 @@ jobs: | |||
120 | ppa.launchpad.net:80 | 120 | ppa.launchpad.net:80 |
121 | ppa.launchpadcontent.net:443 | 121 | ppa.launchpadcontent.net:443 |
122 | security.ubuntu.com:80 | 122 | security.ubuntu.com:80 |
123 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 123 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
124 | - name: update package information | 124 | - name: update package information |
125 | run: sudo apt-get update -qy | 125 | run: sudo apt-get update -qy |
126 | - name: install cppcheck | 126 | - name: install cppcheck |
@@ -143,7 +143,7 @@ jobs: | |||
143 | 143 | ||
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 146 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
147 | with: | 147 | with: |
148 | disable-sudo: true | 148 | disable-sudo: true |
149 | egress-policy: block | 149 | egress-policy: block |
@@ -154,14 +154,14 @@ jobs: | |||
154 | uploads.github.com:443 | 154 | uploads.github.com:443 |
155 | 155 | ||
156 | - name: Checkout repository | 156 | - name: Checkout repository |
157 | uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 157 | uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
158 | 158 | ||
159 | - name: print env | 159 | - name: print env |
160 | run: ./ci/printenv.sh | 160 | run: ./ci/printenv.sh |
161 | 161 | ||
162 | # Initializes the CodeQL tools for scanning. | 162 | # Initializes the CodeQL tools for scanning. |
163 | - name: Initialize CodeQL | 163 | - name: Initialize CodeQL |
164 | uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 | 164 | uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f |
165 | with: | 165 | with: |
166 | languages: cpp | 166 | languages: cpp |
167 | 167 | ||
@@ -172,4 +172,4 @@ jobs: | |||
172 | run: make -j "$(nproc)" | 172 | run: make -j "$(nproc)" |
173 | 173 | ||
174 | - name: Perform CodeQL Analysis | 174 | - name: Perform CodeQL Analysis |
175 | uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 | 175 | uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f |
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index 5613b6bb7..a7974a994 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml | |||
@@ -33,14 +33,14 @@ jobs: | |||
33 | 33 | ||
34 | steps: | 34 | steps: |
35 | - name: Harden Runner | 35 | - name: Harden Runner |
36 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 36 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
37 | with: | 37 | with: |
38 | disable-sudo: true | 38 | disable-sudo: true |
39 | egress-policy: block | 39 | egress-policy: block |
40 | allowed-endpoints: > | 40 | allowed-endpoints: > |
41 | github.com:443 | 41 | github.com:443 |
42 | 42 | ||
43 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 43 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
44 | - name: print env | 44 | - name: print env |
45 | run: ./ci/printenv.sh | 45 | run: ./ci/printenv.sh |
46 | - run: python3 --version | 46 | - run: python3 --version |
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 8d8e2ac23..0bb67e05e 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml | |||
@@ -31,7 +31,7 @@ jobs: | |||
31 | 31 | ||
32 | steps: | 32 | steps: |
33 | - name: Harden Runner | 33 | - name: Harden Runner |
34 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 34 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
35 | with: | 35 | with: |
36 | disable-sudo: true | 36 | disable-sudo: true |
37 | egress-policy: block | 37 | egress-policy: block |
@@ -44,16 +44,16 @@ jobs: | |||
44 | uploads.github.com:443 | 44 | uploads.github.com:443 |
45 | 45 | ||
46 | - name: Checkout repository | 46 | - name: Checkout repository |
47 | uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 47 | uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
48 | 48 | ||
49 | - name: print env | 49 | - name: print env |
50 | run: ./ci/printenv.sh | 50 | run: ./ci/printenv.sh |
51 | 51 | ||
52 | # Initializes the CodeQL tools for scanning. | 52 | # Initializes the CodeQL tools for scanning. |
53 | - name: Initialize CodeQL | 53 | - name: Initialize CodeQL |
54 | uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 | 54 | uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f |
55 | with: | 55 | with: |
56 | languages: python | 56 | languages: python |
57 | 57 | ||
58 | - name: Perform CodeQL Analysis | 58 | - name: Perform CodeQL Analysis |
59 | uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 | 59 | uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f |
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index c492a2a03..1e8486bd7 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml | |||
@@ -24,7 +24,7 @@ jobs: | |||
24 | timeout-minutes: 5 | 24 | timeout-minutes: 5 |
25 | steps: | 25 | steps: |
26 | - name: Harden Runner | 26 | - name: Harden Runner |
27 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 27 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
28 | with: | 28 | with: |
29 | egress-policy: block | 29 | egress-policy: block |
30 | allowed-endpoints: > | 30 | allowed-endpoints: > |
@@ -34,7 +34,7 @@ jobs: | |||
34 | packages.microsoft.com:443 | 34 | packages.microsoft.com:443 |
35 | ppa.launchpadcontent.net:443 | 35 | ppa.launchpadcontent.net:443 |
36 | security.ubuntu.com:80 | 36 | security.ubuntu.com:80 |
37 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 37 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
38 | - name: update package information | 38 | - name: update package information |
39 | run: sudo apt-get update -qy | 39 | run: sudo apt-get update -qy |
40 | - name: install dependencies | 40 | - name: install dependencies |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2613a30a8..ea9890b5e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml | |||
@@ -54,7 +54,7 @@ jobs: | |||
54 | SHELL: /bin/bash | 54 | SHELL: /bin/bash |
55 | steps: | 55 | steps: |
56 | - name: Harden Runner | 56 | - name: Harden Runner |
57 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 57 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
58 | with: | 58 | with: |
59 | egress-policy: block | 59 | egress-policy: block |
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
@@ -62,7 +62,7 @@ jobs: | |||
62 | github.com:443 | 62 | github.com:443 |
63 | packages.microsoft.com:443 | 63 | packages.microsoft.com:443 |
64 | ppa.launchpadcontent.net:443 | 64 | ppa.launchpadcontent.net:443 |
65 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 65 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
66 | - name: update package information | 66 | - name: update package information |
67 | run: sudo apt-get update -qy | 67 | run: sudo apt-get update -qy |
68 | - name: install dependencies | 68 | - name: install dependencies |
@@ -103,7 +103,7 @@ jobs: | |||
103 | SHELL: /bin/bash | 103 | SHELL: /bin/bash |
104 | steps: | 104 | steps: |
105 | - name: Harden Runner | 105 | - name: Harden Runner |
106 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 106 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
107 | with: | 107 | with: |
108 | egress-policy: block | 108 | egress-policy: block |
109 | allowed-endpoints: > | 109 | allowed-endpoints: > |
@@ -111,7 +111,7 @@ jobs: | |||
111 | github.com:443 | 111 | github.com:443 |
112 | packages.microsoft.com:443 | 112 | packages.microsoft.com:443 |
113 | ppa.launchpadcontent.net:443 | 113 | ppa.launchpadcontent.net:443 |
114 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 114 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
115 | - name: update package information | 115 | - name: update package information |
116 | run: sudo apt-get update -qy | 116 | run: sudo apt-get update -qy |
117 | - name: install dependencies | 117 | - name: install dependencies |
@@ -143,7 +143,7 @@ jobs: | |||
143 | SHELL: /bin/bash | 143 | SHELL: /bin/bash |
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 146 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
147 | with: | 147 | with: |
148 | egress-policy: block | 148 | egress-policy: block |
149 | allowed-endpoints: > | 149 | allowed-endpoints: > |
@@ -151,7 +151,7 @@ jobs: | |||
151 | github.com:443 | 151 | github.com:443 |
152 | packages.microsoft.com:443 | 152 | packages.microsoft.com:443 |
153 | ppa.launchpadcontent.net:443 | 153 | ppa.launchpadcontent.net:443 |
154 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 154 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
155 | - name: update package information | 155 | - name: update package information |
156 | run: sudo apt-get update -qy | 156 | run: sudo apt-get update -qy |
157 | - name: install dependencies | 157 | - name: install dependencies |
@@ -183,7 +183,7 @@ jobs: | |||
183 | SHELL: /bin/bash | 183 | SHELL: /bin/bash |
184 | steps: | 184 | steps: |
185 | - name: Harden Runner | 185 | - name: Harden Runner |
186 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 186 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
187 | with: | 187 | with: |
188 | egress-policy: block | 188 | egress-policy: block |
189 | allowed-endpoints: > | 189 | allowed-endpoints: > |
@@ -194,7 +194,7 @@ jobs: | |||
194 | ppa.launchpadcontent.net:443 | 194 | ppa.launchpadcontent.net:443 |
195 | www.debian.org:443 | 195 | www.debian.org:443 |
196 | www.debian.org:80 | 196 | www.debian.org:80 |
197 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 197 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
198 | - name: update package information | 198 | - name: update package information |
199 | run: sudo apt-get update -qy | 199 | run: sudo apt-get update -qy |
200 | - name: install dependencies | 200 | - name: install dependencies |
@@ -225,7 +225,7 @@ jobs: | |||
225 | SHELL: /bin/bash | 225 | SHELL: /bin/bash |
226 | steps: | 226 | steps: |
227 | - name: Harden Runner | 227 | - name: Harden Runner |
228 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 228 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
229 | with: | 229 | with: |
230 | egress-policy: block | 230 | egress-policy: block |
231 | allowed-endpoints: > | 231 | allowed-endpoints: > |
@@ -240,7 +240,7 @@ jobs: | |||
240 | www.debian.org:443 | 240 | www.debian.org:443 |
241 | www.debian.org:80 | 241 | www.debian.org:80 |
242 | yahoo.com:1025 | 242 | yahoo.com:1025 |
243 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | 243 | - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 |
244 | - name: update package information | 244 | - name: update package information |
245 | run: sudo apt-get update -qy | 245 | run: sudo apt-get update -qy |
246 | - name: install dependencies | 246 | - name: install dependencies |
@@ -2,12 +2,19 @@ | |||
2 | ROOT = . | 2 | ROOT = . |
3 | -include config.mk | 3 | -include config.mk |
4 | 4 | ||
5 | # Default programs | 5 | # Default programs (in configure.ac). |
6 | CC ?= cc | 6 | CC ?= cc |
7 | CODESPELL ?= codespell | 7 | CODESPELL ?= codespell |
8 | CPPCHECK ?= cppcheck | 8 | CPPCHECK ?= cppcheck |
9 | GAWK ?= gawk | 9 | GAWK ?= gawk |
10 | GZIP ?= gzip | ||
10 | SCAN_BUILD ?= scan-build | 11 | SCAN_BUILD ?= scan-build |
12 | STRIP ?= strip | ||
13 | TAR ?= tar | ||
14 | |||
15 | # Default programs (not in configure.ac). | ||
16 | INSTALL ?= install | ||
17 | RM ?= rm -f | ||
11 | 18 | ||
12 | ifneq ($(HAVE_MAN),no) | 19 | ifneq ($(HAVE_MAN),no) |
13 | MAN_TARGET = man | 20 | MAN_TARGET = man |
@@ -69,6 +76,10 @@ mydirs: $(MYDIRS) | |||
69 | $(MYDIRS): | 76 | $(MYDIRS): |
70 | $(MAKE) -C $@ | 77 | $(MAKE) -C $@ |
71 | 78 | ||
79 | .PHONY: strip | ||
80 | strip: all | ||
81 | $(STRIP) $(ALL_ITEMS) | ||
82 | |||
72 | .PHONY: filters | 83 | .PHONY: filters |
73 | filters: $(SECCOMP_FILTERS) | 84 | filters: $(SECCOMP_FILTERS) |
74 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile | 85 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile |
@@ -179,121 +190,119 @@ clean: | |||
179 | done | 190 | done |
180 | $(MAKE) -C src/man clean | 191 | $(MAKE) -C src/man clean |
181 | $(MAKE) -C test clean | 192 | $(MAKE) -C test clean |
182 | rm -f $(SECCOMP_FILTERS) | 193 | $(RM) $(SECCOMP_FILTERS) |
183 | rm -f $(SYNTAX_FILES) | 194 | $(RM) $(SYNTAX_FILES) |
184 | rm -fr ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz | 195 | $(RM) -r ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz |
185 | rm -f ./$(TARNAME)*.deb | 196 | $(RM) ./$(TARNAME)*.deb |
186 | rm -f ./$(TARNAME)*.rpm | 197 | $(RM) ./$(TARNAME)*.rpm |
187 | 198 | ||
188 | .PHONY: distclean | 199 | .PHONY: distclean |
189 | distclean: clean | 200 | distclean: clean |
190 | rm -fr autom4te.cache config.log config.mk config.sh config.status | 201 | $(RM) -r autom4te.cache config.log config.mk config.sh config.status |
191 | 202 | ||
192 | .PHONY: realinstall | 203 | .PHONY: install |
193 | realinstall: config.mk | 204 | install: all config.mk |
194 | # firejail executable | 205 | # firejail executable |
195 | install -m 0755 -d $(DESTDIR)$(bindir) | 206 | $(INSTALL) -m 0755 -d $(DESTDIR)$(bindir) |
196 | install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir) | 207 | $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firejail/firejail |
197 | ifeq ($(HAVE_SUID),-DHAVE_SUID) | 208 | ifeq ($(HAVE_SUID),-DHAVE_SUID) |
198 | chmod u+s $(DESTDIR)$(bindir)/firejail | 209 | chmod u+s $(DESTDIR)$(bindir)/firejail |
199 | endif | 210 | endif |
200 | # firemon executable | 211 | # firemon executable |
201 | install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir) | 212 | $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firemon/firemon |
202 | # firecfg executable | 213 | # firecfg executable |
203 | install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir) | 214 | $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firecfg/firecfg |
204 | # jailcheck executable | 215 | # jailcheck executable |
205 | install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir) | 216 | $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/jailcheck/jailcheck |
206 | # libraries and plugins | 217 | # libraries and plugins |
207 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail | 218 | $(INSTALL) -m 0755 -d $(DESTDIR)$(libdir)/firejail |
208 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh | 219 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh |
209 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) | 220 | $(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) |
210 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) | 221 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) |
211 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats | 222 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats |
212 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup | 223 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup |
213 | # plugins w/o read permission (non-dumpable) | 224 | # plugins w/o read permission (non-dumpable) |
214 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) | 225 | $(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) |
215 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh | 226 | $(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh |
216 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map | 227 | $(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map |
217 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) | 228 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) |
218 | # contrib scripts | 229 | # contrib scripts |
219 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh | 230 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh |
220 | # vim syntax | 231 | # vim syntax |
221 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 232 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect |
222 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 233 | $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect contrib/vim/ftdetect/firejail.vim |
223 | install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 234 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax |
224 | install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 235 | $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax contrib/syntax/files/firejail.vim |
225 | # gtksourceview language-specs | 236 | # gtksourceview language-specs |
226 | install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs | 237 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs |
227 | install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs | 238 | $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs contrib/syntax/files/firejail-profile.lang |
228 | endif | 239 | endif |
229 | # documents | 240 | # documents |
230 | install -m 0755 -d $(DESTDIR)$(docdir) | 241 | $(INSTALL) -m 0755 -d $(DESTDIR)$(docdir) |
231 | install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/* | 242 | $(INSTALL) -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/* |
232 | # profiles and settings | 243 | # profiles and settings |
233 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail | 244 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail |
234 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d | 245 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d |
235 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config | 246 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config |
236 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config | 247 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config |
237 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 248 | sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/firejail/login.users ]; then \ |
249 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/login.users; \ | ||
250 | fi" | ||
238 | ifeq ($(HAVE_IDS),-DHAVE_IDS) | 251 | ifeq ($(HAVE_IDS),-DHAVE_IDS) |
239 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config | 252 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config |
240 | endif | 253 | endif |
241 | ifeq ($(BUSYBOX_WORKAROUND),yes) | 254 | ifeq ($(BUSYBOX_WORKAROUND),yes) |
242 | ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc | 255 | ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc |
243 | endif | 256 | endif |
244 | ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) | 257 | ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) |
245 | # install apparmor profile | 258 | # install apparmor profile |
246 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" | 259 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d |
247 | install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d | 260 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/firejail-default |
248 | # install apparmor profile customization file | 261 | # install apparmor profile customization file |
249 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" | 262 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/local |
250 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;" | 263 | sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default ]; then \ |
264 | $(INSTALL) -m 0644 etc/apparmor/firejail-local $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default; \ | ||
265 | fi" | ||
251 | # install apparmor base abstraction drop-in | 266 | # install apparmor base abstraction drop-in |
252 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;" | 267 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d |
253 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;" | 268 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d etc/apparmor/firejail-base |
254 | install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d | ||
255 | endif | 269 | endif |
256 | ifneq ($(HAVE_MAN),no) | 270 | ifneq ($(HAVE_MAN),no) |
257 | # man pages | 271 | # man pages |
258 | install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 | 272 | $(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man1 |
259 | install -m 0644 $(MANPAGES1_GZ) $(DESTDIR)$(mandir)/man1/ | 273 | $(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man1 $(MANPAGES1_GZ) |
260 | install -m 0644 $(MANPAGES5_GZ) $(DESTDIR)$(mandir)/man5/ | 274 | $(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man5 |
275 | $(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man5 $(MANPAGES5_GZ) | ||
261 | endif | 276 | endif |
262 | # bash completion | 277 | # bash completion |
263 | install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions | 278 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions |
264 | install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 279 | $(INSTALL) -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
265 | install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 280 | $(INSTALL) -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
266 | install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 281 | $(INSTALL) -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
267 | # zsh completion | 282 | # zsh completion |
268 | install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions | 283 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions |
269 | install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/ | 284 | $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/zsh/site-functions src/zsh_completion/_firejail |
270 | |||
271 | .PHONY: install | ||
272 | install: all | ||
273 | $(MAKE) realinstall | ||
274 | 285 | ||
275 | .PHONY: install-strip | 286 | .PHONY: install-strip |
276 | install-strip: all | 287 | install-strip: strip install |
277 | strip $(ALL_ITEMS) | ||
278 | $(MAKE) realinstall | ||
279 | 288 | ||
280 | .PHONY: uninstall | 289 | .PHONY: uninstall |
281 | uninstall: config.mk | 290 | uninstall: config.mk |
282 | rm -f $(DESTDIR)$(bindir)/firejail | 291 | $(RM) $(DESTDIR)$(bindir)/firejail |
283 | rm -f $(DESTDIR)$(bindir)/firemon | 292 | $(RM) $(DESTDIR)$(bindir)/firemon |
284 | rm -f $(DESTDIR)$(bindir)/firecfg | 293 | $(RM) $(DESTDIR)$(bindir)/firecfg |
285 | rm -f $(DESTDIR)$(bindir)/jailcheck | 294 | $(RM) $(DESTDIR)$(bindir)/jailcheck |
286 | rm -fr $(DESTDIR)$(libdir)/firejail | 295 | $(RM) -r $(DESTDIR)$(libdir)/firejail |
287 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail | 296 | $(RM) -r $(DESTDIR)$(datarootdir)/doc/firejail |
288 | rm -f $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ))) | 297 | $(RM) $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ))) |
289 | rm -f $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ))) | 298 | $(RM) $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ))) |
290 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 299 | $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
291 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 300 | $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
292 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 301 | $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
293 | rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail | 302 | $(RM) $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail |
294 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim | 303 | $(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim |
295 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim | 304 | $(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim |
296 | rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang | 305 | $(RM) $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang |
297 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." | 306 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." |
298 | 307 | ||
299 | # Note: Keep this list in sync with `paths` in .github/workflows/build.yml. | 308 | # Note: Keep this list in sync with `paths` in .github/workflows/build.yml. |
@@ -338,9 +347,9 @@ dist: clean config.mk | |||
338 | mkdir -p $(TARNAME)-$(VERSION)/test | 347 | mkdir -p $(TARNAME)-$(VERSION)/test |
339 | cp -a $(DISTFILES) $(TARNAME)-$(VERSION) | 348 | cp -a $(DISTFILES) $(TARNAME)-$(VERSION) |
340 | cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test | 349 | cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test |
341 | rm -rf $(TARNAME)-$(VERSION)/src/tools | 350 | $(RM) -r $(TARNAME)-$(VERSION)/src/tools |
342 | tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION) | 351 | $(TAR) -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION) |
343 | rm -fr $(TARNAME)-$(VERSION) | 352 | $(RM) -r $(TARNAME)-$(VERSION) |
344 | 353 | ||
345 | .PHONY: asc | 354 | .PHONY: asc |
346 | asc: config.sh | 355 | asc: config.sh |
@@ -363,13 +372,13 @@ extras: all | |||
363 | $(MAKE) -C extras/firetools | 372 | $(MAKE) -C extras/firetools |
364 | 373 | ||
365 | .PHONY: cppcheck | 374 | .PHONY: cppcheck |
366 | cppcheck: clean | 375 | cppcheck: |
367 | $(CPPCHECK) --force --error-exitcode=1 --enable=warning,performance \ | 376 | $(CPPCHECK) --force --error-exitcode=1 --enable=warning,performance \ |
368 | -i src/firejail/checkcfg.c -i src/firejail/main.c . | 377 | -i src/firejail/checkcfg.c -i src/firejail/main.c . |
369 | 378 | ||
370 | # For cppcheck 1.x; see .github/workflows/check-c.yml | 379 | # For cppcheck 1.x; see .github/workflows/check-c.yml |
371 | .PHONY: cppcheck-old | 380 | .PHONY: cppcheck-old |
372 | cppcheck-old: clean | 381 | cppcheck-old: |
373 | $(CPPCHECK) --force --error-exitcode=1 --enable=warning,performance . | 382 | $(CPPCHECK) --force --error-exitcode=1 --enable=warning,performance . |
374 | 383 | ||
375 | .PHONY: scan-build | 384 | .PHONY: scan-build |
@@ -40,6 +40,8 @@ firejail (0.9.73) baseline; urgency=low | |||
40 | (#5965 #5976) | 40 | (#5965 #5976) |
41 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 | 41 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 |
42 | #6086) | 42 | #6086) |
43 | * bugfix: fix various resource leaks (#6367) | ||
44 | * bugfix: profstats: fix restrict-namespaces max count (#6369) | ||
43 | * build: auto-generate syntax files (#5627) | 45 | * build: auto-generate syntax files (#5627) |
44 | * build: mark all phony targets as such (#5637) | 46 | * build: mark all phony targets as such (#5637) |
45 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) | 47 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) |
@@ -70,7 +72,11 @@ firejail (0.9.73) baseline; urgency=low | |||
70 | * build: reduce hardcoding and inconsistencies (#6230) | 72 | * build: reduce hardcoding and inconsistencies (#6230) |
71 | * build: sort.py: filter empty and duplicate items (#6261) | 73 | * build: sort.py: filter empty and duplicate items (#6261) |
72 | * build: fix "warning: "_FORTIFY_SOURCE" redefined" (#6282 #6283) | 74 | * build: fix "warning: "_FORTIFY_SOURCE" redefined" (#6282 #6283) |
73 | * build: sort.py: add and require -i to edit in-place (#6290) | 75 | * build: sort.py: add -i/-n/-- options (#6290 #6339) |
76 | * build: add strip target and simplify install targets (#6342) | ||
77 | * build: remove clean dependency from cppcheck targets (#6343) | ||
78 | * build: allow overriding common tools (#6354) | ||
79 | * build: standardize install commands (#6366) | ||
74 | * ci: always update the package db before installing packages (#5742) | 80 | * ci: always update the package db before installing packages (#5742) |
75 | * ci: fix codeql unable to download its own bundle (#5783) | 81 | * ci: fix codeql unable to download its own bundle (#5783) |
76 | * ci: split configure/build/install commands on gitlab (#5784) | 82 | * ci: split configure/build/install commands on gitlab (#5784) |
@@ -85,6 +91,7 @@ firejail (0.9.73) baseline; urgency=low | |||
85 | * ci: allow running workflows manually (#6026) | 91 | * ci: allow running workflows manually (#6026) |
86 | * ci: re-enable sort.py (#6104) | 92 | * ci: re-enable sort.py (#6104) |
87 | * ci: add timeout limits (#6178) | 93 | * ci: add timeout limits (#6178) |
94 | * ci: make dependabot updates monthly and bump PR limit (#6338) | ||
88 | * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057 | 95 | * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057 |
89 | #6059) | 96 | #6059) |
90 | * contrib/vim: match profile files more broadly (#5850) | 97 | * contrib/vim: match profile files more broadly (#5850) |
@@ -95,6 +102,8 @@ firejail (0.9.73) baseline; urgency=low | |||
95 | * docs: fix typos (#5693) | 102 | * docs: fix typos (#5693) |
96 | * docs: markdown formatting and misc improvements (#5757) | 103 | * docs: markdown formatting and misc improvements (#5757) |
97 | * docs: add uninstall instructions to README.md (#5812) | 104 | * docs: add uninstall instructions to README.md (#5812) |
105 | * docs: add precedence info to manpage & fix noblacklist example (#6358 | ||
106 | #6359) | ||
98 | * legal: selinux.c: Split Copyright notice & use same license as upstream | 107 | * legal: selinux.c: Split Copyright notice & use same license as upstream |
99 | (#5667) | 108 | (#5667) |
100 | * profiles: qutebrowser: fix links not opening in the existing instance | 109 | * profiles: qutebrowser: fix links not opening in the existing instance |
@@ -119,6 +128,8 @@ firejail (0.9.73) baseline; urgency=low | |||
119 | * profiles: add allow-php.inc to profile.template (#6299) | 128 | * profiles: add allow-php.inc to profile.template (#6299) |
120 | * profiles: clarify and add opengl-game to profile.template (#6300) | 129 | * profiles: clarify and add opengl-game to profile.template (#6300) |
121 | * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) | 130 | * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) |
131 | * profiles: libreoffice: support signing documents with GPG (#6352 #6353) | ||
132 | * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361) | ||
122 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater | 133 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater |
123 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 | 134 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 |
124 | 135 | ||
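--- a/config.mk.in
+++ b/config.mk.in
@@ -78,7 +78,10 @@ CC=@CC@
 CODESPELL=@CODESPELL@
 CPPCHECK=@CPPCHECK@
 GAWK=@GAWK@
+GZIP=@GZIP@
 SCAN_BUILD=@SCAN_BUILD@
+STRIP=@STRIP@
+TAR=@TAR@
 
 CFLAGS=@CFLAGS@
 CPPFLAGS=@CPPFLAGS@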
@@ -682,7 +682,10 @@ PKG_CONFIG | |||
682 | HAVE_APPARMOR | 682 | HAVE_APPARMOR |
683 | HAVE_IDS | 683 | HAVE_IDS |
684 | DEPS_CFLAGS | 684 | DEPS_CFLAGS |
685 | TAR | ||
686 | STRIP | ||
685 | SCAN_BUILD | 687 | SCAN_BUILD |
688 | GZIP | ||
686 | GAWK | 689 | GAWK |
687 | CPPCHECK | 690 | CPPCHECK |
688 | CODESPELL | 691 | CODESPELL |
@@ -3414,6 +3417,53 @@ fi | |||
3414 | test -n "$GAWK" && break | 3417 | test -n "$GAWK" && break |
3415 | done | 3418 | done |
3416 | 3419 | ||
3420 | for ac_prog in gzip | ||
3421 | do | ||
3422 | # Extract the first word of "$ac_prog", so it can be a program name with args. | ||
3423 | set dummy $ac_prog; ac_word=$2 | ||
3424 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3425 | printf %s "checking for $ac_word... " >&6; } | ||
3426 | if test ${ac_cv_prog_GZIP+y} | ||
3427 | then : | ||
3428 | printf %s "(cached) " >&6 | ||
3429 | else $as_nop | ||
3430 | if test -n "$GZIP"; then | ||
3431 | ac_cv_prog_GZIP="$GZIP" # Let the user override the test. | ||
3432 | else | ||
3433 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3434 | for as_dir in $PATH | ||
3435 | do | ||
3436 | IFS=$as_save_IFS | ||
3437 | case $as_dir in #((( | ||
3438 | '') as_dir=./ ;; | ||
3439 | */) ;; | ||
3440 | *) as_dir=$as_dir/ ;; | ||
3441 | esac | ||
3442 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3443 | if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then | ||
3444 | ac_cv_prog_GZIP="$ac_prog" | ||
3445 | printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 | ||
3446 | break 2 | ||
3447 | fi | ||
3448 | done | ||
3449 | done | ||
3450 | IFS=$as_save_IFS | ||
3451 | |||
3452 | fi | ||
3453 | fi | ||
3454 | GZIP=$ac_cv_prog_GZIP | ||
3455 | if test -n "$GZIP"; then | ||
3456 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GZIP" >&5 | ||
3457 | printf "%s\n" "$GZIP" >&6; } | ||
3458 | else | ||
3459 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3460 | printf "%s\n" "no" >&6; } | ||
3461 | fi | ||
3462 | |||
3463 | |||
3464 | test -n "$GZIP" && break | ||
3465 | done | ||
3466 | |||
3417 | for ac_prog in scan-build | 3467 | for ac_prog in scan-build |
3418 | do | 3468 | do |
3419 | # Extract the first word of "$ac_prog", so it can be a program name with args. | 3469 | # Extract the first word of "$ac_prog", so it can be a program name with args. |
@@ -3461,6 +3511,100 @@ fi | |||
3461 | test -n "$SCAN_BUILD" && break | 3511 | test -n "$SCAN_BUILD" && break |
3462 | done | 3512 | done |
3463 | 3513 | ||
3514 | for ac_prog in strip | ||
3515 | do | ||
3516 | # Extract the first word of "$ac_prog", so it can be a program name with args. | ||
3517 | set dummy $ac_prog; ac_word=$2 | ||
3518 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3519 | printf %s "checking for $ac_word... " >&6; } | ||
3520 | if test ${ac_cv_prog_STRIP+y} | ||
3521 | then : | ||
3522 | printf %s "(cached) " >&6 | ||
3523 | else $as_nop | ||
3524 | if test -n "$STRIP"; then | ||
3525 | ac_cv_prog_STRIP="$STRIP" # Let the user override the test. | ||
3526 | else | ||
3527 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3528 | for as_dir in $PATH | ||
3529 | do | ||
3530 | IFS=$as_save_IFS | ||
3531 | case $as_dir in #((( | ||
3532 | '') as_dir=./ ;; | ||
3533 | */) ;; | ||
3534 | *) as_dir=$as_dir/ ;; | ||
3535 | esac | ||
3536 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3537 | if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then | ||
3538 | ac_cv_prog_STRIP="$ac_prog" | ||
3539 | printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 | ||
3540 | break 2 | ||
3541 | fi | ||
3542 | done | ||
3543 | done | ||
3544 | IFS=$as_save_IFS | ||
3545 | |||
3546 | fi | ||
3547 | fi | ||
3548 | STRIP=$ac_cv_prog_STRIP | ||
3549 | if test -n "$STRIP"; then | ||
3550 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 | ||
3551 | printf "%s\n" "$STRIP" >&6; } | ||
3552 | else | ||
3553 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3554 | printf "%s\n" "no" >&6; } | ||
3555 | fi | ||
3556 | |||
3557 | |||
3558 | test -n "$STRIP" && break | ||
3559 | done | ||
3560 | |||
3561 | for ac_prog in tar | ||
3562 | do | ||
3563 | # Extract the first word of "$ac_prog", so it can be a program name with args. | ||
3564 | set dummy $ac_prog; ac_word=$2 | ||
3565 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3566 | printf %s "checking for $ac_word... " >&6; } | ||
3567 | if test ${ac_cv_prog_TAR+y} | ||
3568 | then : | ||
3569 | printf %s "(cached) " >&6 | ||
3570 | else $as_nop | ||
3571 | if test -n "$TAR"; then | ||
3572 | ac_cv_prog_TAR="$TAR" # Let the user override the test. | ||
3573 | else | ||
3574 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3575 | for as_dir in $PATH | ||
3576 | do | ||
3577 | IFS=$as_save_IFS | ||
3578 | case $as_dir in #((( | ||
3579 | '') as_dir=./ ;; | ||
3580 | */) ;; | ||
3581 | *) as_dir=$as_dir/ ;; | ||
3582 | esac | ||
3583 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3584 | if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then | ||
3585 | ac_cv_prog_TAR="$ac_prog" | ||
3586 | printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 | ||
3587 | break 2 | ||
3588 | fi | ||
3589 | done | ||
3590 | done | ||
3591 | IFS=$as_save_IFS | ||
3592 | |||
3593 | fi | ||
3594 | fi | ||
3595 | TAR=$ac_cv_prog_TAR | ||
3596 | if test -n "$TAR"; then | ||
3597 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $TAR" >&5 | ||
3598 | printf "%s\n" "$TAR" >&6; } | ||
3599 | else | ||
3600 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3601 | printf "%s\n" "no" >&6; } | ||
3602 | fi | ||
3603 | |||
3604 | |||
3605 | test -n "$TAR" && break | ||
3606 | done | ||
3607 | |||
3464 | 3608 | ||
3465 | DEPS_CFLAGS="" | 3609 | DEPS_CFLAGS="" |
3466 | 3610 | ||
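--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,10 @@ AC_PROG_CC
 AC_CHECK_PROGS([CODESPELL], [codespell])
 AC_CHECK_PROGS([CPPCHECK], [cppcheck])
 AC_CHECK_PROGS([GAWK], [gawk])
+AC_CHECK_PROGS([GZIP], [gzip])
 AC_CHECK_PROGS([SCAN_BUILD], [scan-build])
+AC_CHECK_PROGS([STRIP], [strip])
+AC_CHECK_PROGS([TAR], [tar])
 
 DEPS_CFLAGS=""
 AC_SUBST([DEPS_CFLAGS])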
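Review bot: AC_CHECK_PROGS leaves GZIP, STRIP and TAR empty when the program is not found, and unlike the codespell/cppcheck checks these three feed build recipes: with an empty `$(TAR)` the dist recipe line `$(TAR) -cJvf ...` expands to a line starting with `-`, which make reads as the ignore-errors prefix, so the missing tool is skipped silently instead of failing. Giving the checks a fallback keeps the recipe naming the tool and failing loudly, e.g. `AC_CHECK_PROGS([TAR], [tar], [tar])` (likewise for gzip and strip), or abort with AC_MSG_ERROR when a tool the install/dist targets need is absent. For strip, AC_CHECK_TOOL([STRIP], [strip]) would additionally pick up a host-prefixed binary when cross-compiling, if that is a supported scenario here.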
diff --git a/contrib/sort.py b/contrib/sort.py index b65d87ab7..d6e601ff8 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
@@ -11,7 +11,7 @@ from sys import argv, exit as sys_exit, stderr | |||
11 | __doc__ = f"""\ | 11 | __doc__ = f"""\ |
12 | Sort the arguments of commands in profiles. | 12 | Sort the arguments of commands in profiles. |
13 | 13 | ||
14 | Usage: {path.basename(argv[0])} [-i] [/path/to/profile ...] | 14 | Usage: {path.basename(argv[0])} [-i] [-n] [--] [/path/to/profile ...] |
15 | 15 | ||
16 | The following commands are supported: | 16 | The following commands are supported: |
17 | 17 | ||
@@ -21,13 +21,15 @@ The following commands are supported: | |||
21 | Note that this is only applicable to commands that support multiple arguments. | 21 | Note that this is only applicable to commands that support multiple arguments. |
22 | 22 | ||
23 | Options: | 23 | Options: |
24 | -i Edit the profile file(s) in-place. | 24 | -i Edit the profile file(s) in-place (this is the default). |
25 | -n Do not edit the profile file(s) in-place. | ||
26 | -- End of options | ||
25 | 27 | ||
26 | Examples: | 28 | Examples: |
27 | $ {argv[0]} -i MyAwesomeProfile.profile | 29 | $ {argv[0]} MyAwesomeProfile.profile |
28 | $ {argv[0]} -i new_profile.profile second_new_profile.profile | 30 | $ {argv[0]} new_profile.profile second_new_profile.profile |
29 | $ {argv[0]} -i ~/.config/firejail/*.{{profile,inc,local}} | 31 | $ {argv[0]} ~/.config/firejail/*.{{profile,inc,local}} |
30 | $ sudo {argv[0]} -i /etc/firejail/*.{{profile,inc,local}} | 32 | $ sudo {argv[0]} /etc/firejail/*.{{profile,inc,local}} |
31 | 33 | ||
32 | Exit Codes: | 34 | Exit Codes: |
33 | 0: Success: No profiles needed fixing. | 35 | 0: Success: No profiles needed fixing. |
@@ -101,10 +103,22 @@ def check_profile(filename, overwrite): | |||
101 | 103 | ||
102 | 104 | ||
103 | def main(args): | 105 | def main(args): |
104 | overwrite = False | 106 | overwrite = True |
105 | if len(args) > 0 and args[0] == "-i": | 107 | while len(args) > 0: |
106 | overwrite = True | 108 | if args[0] == "-i": |
107 | args.pop(0) | 109 | overwrite = True |
110 | args.pop(0) | ||
111 | elif args[0] == "-n": | ||
112 | overwrite = False | ||
113 | args.pop(0) | ||
114 | elif args[0] == "--": | ||
115 | args.pop(0) | ||
116 | break | ||
117 | elif args[0][0] == "-": | ||
118 | print(f"[ Error ] Unknown option: {args[0]}", file=stderr) | ||
119 | return 2 | ||
120 | else: | ||
121 | break | ||
108 | 122 | ||
109 | if len(args) < 1: | 123 | if len(args) < 1: |
110 | print(__doc__, file=stderr) | 124 | print(__doc__, file=stderr) |
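Review bot: `elif args[0][0] == "-":` in the new option loop raises IndexError on an empty-string argument (`sort.py ""`), because `""[0]` has no element; `elif args[0].startswith("-"):` covers the same case without indexing. The loop also reports a lone `-` as an unknown option, which is presumably intended but worth a one-line comment since `-` conventionally means stdin. main's body continues past the end of the hunk.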
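--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo
 blacklist ${RUNUSER}/gnome-shell
 blacklist ${RUNUSER}/gsconnect
 
+# i3 IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/i3/ipc-socket.*
+blacklist /tmp/i3-*/ipc-socket.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd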
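Review bot: The two new blacklist globs only cover i3's default socket locations; i3 can be configured to place its IPC socket elsewhere via the `ipc-socket` config directive, and clients find it through the I3SOCK environment variable, so a relocated socket would remain reachable from the sandbox. A one-line comment stating that scope would keep the expectation honest, e.g. `# Only covers the default socket paths; a custom ipc-socket location is not hidden`. Whether I3SOCK is scrubbed from the sandbox environment elsewhere is not visible in this chunk.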
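--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -100,6 +100,7 @@ blacklist ${HOME}/.cache/cantata
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/claws-mail
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.cache/darktable
@@ -140,6 +141,7 @@ blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gradio
 blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/hashcat
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
@@ -189,6 +191,7 @@ blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/nhex
 blacklist ${HOME}/.cache/nvim
 blacklist ${HOME}/.cache/ocenaudio
 blacklist ${HOME}/.cache/okular
@@ -258,6 +261,7 @@ blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/1Password
 blacklist ${HOME}/.config/2048-qt
+blacklist ${HOME}/.config/ArmCord
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Authenticator
@@ -936,6 +940,7 @@ blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/nomacs
 blacklist ${HOME}/.local/share/data/qBittorrent
+blacklist ${HOME}/.local/share/dev.nhex
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/dolphin-emu
@@ -971,6 +976,7 @@ blacklist ${HOME}/.local/share/gnote
 blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/hashcat
 blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
 blacklist ${HOME}/.local/share/jami
@@ -1248,11 +1254,13 @@ blacklist ${HOME}/yt-dlp.conf
 blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
+blacklist ${RUNUSER}/i3
 blacklist ${RUNUSER}/psd/*firefox*
 blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/i3-*
 blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
 blacklist /var/games/slashem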
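--- /dev/null
+++ b/etc/profile-a-l/armcord.profile
@@ -0,0 +1,40 @@
+# Firejail profile for armcord
+# Description: Standalone Discord client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include armcord.local
+# Persistent global definitions
+include globals.local
+
+# Modules might depend on nodejs.
+# Add the below lines to your armcord.local if you need this.
+# Allow node (disabled by disable-interpreters.inc)
+#include allow-nodejs.inc
+#private-bin node
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+noblacklist ${HOME}/.config/ArmCord
+
+mkdir ${HOME}/.config/ArmCord
+whitelist ${HOME}/.config/ArmCord
+whitelist /opt/armcord
+whitelist /usr/share/armcord
+
+ignore novideo
+private-bin armcord
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+# Allow D-Bus communication with Firefox for opening links
+dbus-user.talk org.mozilla.*
+ignore dbus-user none
+
+join-or-start armcord
+
+# Redirect
+include electron-common.profile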
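Review bot: The five-line Firefox profiles.ini block (the three-line comment, `noblacklist ${HOME}/.mozilla` and the `whitelist` of profiles.ini) is copied verbatim into this new file and into the email-common.profile and geary.profile hunks below; if it is going to spread further, a shared include would stop the three copies of the comment drifting apart, though that is a style call. Within this file, `ignore novideo` and `ignore dbus-user none` override settings that presumably come from the redirected electron-common.profile without saying why; a one-line comment such as `# Video devices are needed for calls` on the former would help the next maintainer. What electron-common.profile sets is not visible in this chunk.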
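--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -6,9 +6,17 @@ include claws-mail.local
 # Persistent global definitions
 include globals.local
 
+# Note: If you use things like claws-mail's "fancy" (html rendering) plugin and
+# the X11 window freezes, 'no3d' is likely the cause. In which case, try
+# adding the following line to claws-mail.local:
+#ignore no3d
+
+noblacklist ${HOME}/.cache/claws-mail
 noblacklist ${HOME}/.claws-mail
 
+mkdir ${HOME}/.cache/claws-mail
 mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.cache/claws-mail
 whitelist ${HOME}/.claws-mail
 
 # Add the below lines to your claws-mail.local if you use python-based plugins.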
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index 544756877..603ea4e2f 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile | |||
@@ -35,7 +35,7 @@ dbus-user filter | |||
35 | dbus-user.talk org.freedesktop.Notifications | 35 | dbus-user.talk org.freedesktop.Notifications |
36 | dbus-user.talk org.freedesktop.secrets | 36 | dbus-user.talk org.freedesktop.secrets |
37 | dbus-user.talk org.gnome.keyring.SystemPrompter | 37 | dbus-user.talk org.gnome.keyring.SystemPrompter |
38 | # allow D-Bus communication with firefox for opening links | 38 | # Allow D-Bus communication with Firefox for opening links |
39 | dbus-user.talk org.mozilla.* | 39 | dbus-user.talk org.mozilla.* |
40 | 40 | ||
41 | # Redirect | 41 | # Redirect |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index cffa85fd5..42971ecae 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -10,7 +10,6 @@ include email-common.local | |||
10 | noblacklist ${HOME}/.bogofilter | 10 | noblacklist ${HOME}/.bogofilter |
11 | noblacklist ${HOME}/.bsfilter | 11 | noblacklist ${HOME}/.bsfilter |
12 | noblacklist ${HOME}/.gnupg | 12 | noblacklist ${HOME}/.gnupg |
13 | noblacklist ${HOME}/.mozilla | ||
14 | noblacklist ${HOME}/.signature | 13 | noblacklist ${HOME}/.signature |
15 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local | 14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local |
16 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications | 15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications |
@@ -31,6 +30,12 @@ include disable-interpreters.inc | |||
31 | include disable-programs.inc | 30 | include disable-programs.inc |
32 | include disable-xdg.inc | 31 | include disable-xdg.inc |
33 | 32 | ||
33 | # The lines below are needed to find the default Firefox profile name, to allow | ||
34 | # opening links in an existing instance of Firefox (note that it still fails if | ||
35 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
36 | noblacklist ${HOME}/.mozilla | ||
37 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
38 | |||
34 | mkdir ${HOME}/.gnupg | 39 | mkdir ${HOME}/.gnupg |
35 | mkfile ${HOME}/.config/mimeapps.list | 40 | mkfile ${HOME}/.config/mimeapps.list |
36 | mkfile ${HOME}/.signature | 41 | mkfile ${HOME}/.signature |
@@ -38,7 +43,6 @@ whitelist ${HOME}/.bogofilter | |||
38 | whitelist ${HOME}/.bsfilter | 43 | whitelist ${HOME}/.bsfilter |
39 | whitelist ${HOME}/.config/mimeapps.list | 44 | whitelist ${HOME}/.config/mimeapps.list |
40 | whitelist ${HOME}/.gnupg | 45 | whitelist ${HOME}/.gnupg |
41 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
42 | whitelist ${HOME}/.signature | 46 | whitelist ${HOME}/.signature |
43 | whitelist ${DOCUMENTS} | 47 | whitelist ${DOCUMENTS} |
44 | whitelist ${DOWNLOADS} | 48 | whitelist ${DOWNLOADS} |
@@ -48,7 +52,7 @@ whitelist ${RUNUSER}/gnupg | |||
48 | whitelist /usr/share/bogofilter | 52 | whitelist /usr/share/bogofilter |
49 | whitelist /usr/share/gnupg | 53 | whitelist /usr/share/gnupg |
50 | whitelist /usr/share/gnupg2 | 54 | whitelist /usr/share/gnupg2 |
51 | whitelist /var/lib/clamav | 55 | whitelist /var/lib/clamav |
52 | whitelist /var/mail | 56 | whitelist /var/mail |
53 | whitelist /var/spool/mail | 57 | whitelist /var/spool/mail |
54 | include whitelist-common.inc | 58 | include whitelist-common.inc |
@@ -90,6 +94,7 @@ dbus-user.talk org.freedesktop.Notifications | |||
90 | dbus-user.talk org.freedesktop.secrets | 94 | dbus-user.talk org.freedesktop.secrets |
91 | dbus-user.talk org.gnome.keyring.* | 95 | dbus-user.talk org.gnome.keyring.* |
92 | dbus-user.talk org.gnome.seahorse.* | 96 | dbus-user.talk org.gnome.seahorse.* |
97 | # Allow D-Bus communication with Firefox for opening links | ||
93 | dbus-user.talk org.mozilla.* | 98 | dbus-user.talk org.mozilla.* |
94 | dbus-system none | 99 | dbus-system none |
95 | 100 | ||
diff --git a/etc/profile-a-l/fluffychat.profile b/etc/profile-a-l/fluffychat.profile index 63fe28f2f..e1b13edad 100644 --- a/etc/profile-a-l/fluffychat.profile +++ b/etc/profile-a-l/fluffychat.profile | |||
@@ -64,7 +64,7 @@ private-tmp | |||
64 | 64 | ||
65 | dbus-user filter | 65 | dbus-user filter |
66 | dbus-user.talk org.freedesktop.secrets | 66 | dbus-user.talk org.freedesktop.secrets |
67 | # allow D-Bus communication with firefox for opening links | 67 | # Allow D-Bus communication with Firefox for opening links |
68 | dbus-user.talk org.mozilla.* | 68 | dbus-user.talk org.mozilla.* |
69 | dbus-system filter | 69 | dbus-system filter |
70 | dbus-system.talk org.freedesktop.NetworkManager | 70 | dbus-system.talk org.freedesktop.NetworkManager |
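--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -14,9 +14,9 @@ noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/evolution
 noblacklist ${HOME}/.local/share/geary
 noblacklist ${HOME}/.local/share/pki
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.pki
 
+# sh is needed to allow Firefox to open links
 include allow-bin-sh.inc
 
 include disable-common.inc
@@ -27,6 +27,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.cache/evolution
 mkdir ${HOME}/.cache/folks
 mkdir ${HOME}/.cache/geary
@@ -43,7 +49,6 @@ whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/evolution
 whitelist ${HOME}/.local/share/geary
 whitelist ${HOME}/.local/share/pki
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.pki
 whitelist /usr/share/geary
 include whitelist-common.inc
@@ -88,6 +93,7 @@ dbus-user.talk org.gnome.OnlineAccounts
 dbus-user.talk org.gnome.evolution.dataserver.AddressBook10
 dbus-user.talk org.gnome.evolution.dataserver.Sources5
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 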
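Review bot: The moved `whitelist ${HOME}/.mozilla/firefox/profiles.ini` gives Geary write access to profiles.ini, while the comment above it says the file is only needed to find the default profile name, which is a read. A compromised mail client could rewrite profiles.ini to point Firefox's default profile at a directory of its choosing, so pairing the whitelist with `read-only ${HOME}/.mozilla/firefox/profiles.ini` keeps the lookup working and closes that write. I have not verified that Firefox's remote-link path never updates profiles.ini itself, so test link opening with the read-only line in place before adopting it.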
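--- a/etc/profile-a-l/gtk-youtube-viewers-common.profile
+++ b/etc/profile-a-l/gtk-youtube-viewers-common.profile
@@ -18,5 +18,5 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
 private-bin firefox,xterm
 
 dbus-user filter
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*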
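--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -9,7 +9,9 @@ include globals.local
 
 blacklist ${RUNUSER}/wayland-*
 
+noblacklist ${HOME}/.cache/hashcat
 noblacklist ${HOME}/.hashcat
+noblacklist ${HOME}/.local/share/hashcat
 noblacklist /usr/include
 noblacklist ${DOCUMENTS}
 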
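--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -11,6 +11,9 @@ noblacklist ${HOME}/.config/hexchat
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -18,17 +21,24 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/hexchat
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -39,20 +49,27 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 
 disable-mnt
-# debug note: private-bin requires perl, python, etc on some systems
+# If you need Lua and/or Perl support, add the relevant binaries from
+# allow-lua.inc/allow-perl.inc to private-bin in your hexchat.local.
 private-bin hexchat,python*,sh
 private-dev
 #private-lib # python problems
 private-tmp
 
+dbus-user filter
+dbus-user.own org.hexchat.service
+dbus-system none
+
 #memory-deny-write-execute # breaks python
 restrict-namespaces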
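Review bot: The new `dbus-user filter` / `dbus-user.own org.hexchat.service` block has no comment saying what the owned name is for, unlike every other D-Bus entry touched by this change, and switching to a filter also cuts off everything HexChat could previously reach on the session bus. Presumably the name belongs to HexChat's D-Bus plugin; if desktop notifications are expected to keep working, `dbus-user.talk org.freedesktop.Notifications` is likely needed as well, as the other filtered profiles here have. Suggest `# Owned by HexChat's D-Bus plugin` above the own line, and a test that notifications still fire with the filter on.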
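--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
+noblacklist ${RUNUSER}/i3
+noblacklist ${RUNUSER}/i3/ipc-socket.*
+noblacklist /tmp/i3-*
+noblacklist /tmp/i3-*/ipc-socket.*
 include disable-common.inc
 
 caps.drop all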
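Review bot: The four new noblacklist lines carry no comment explaining why i3's IPC socket paths must be un-blacklisted, and nothing in this profile tells the reader which include blacklists them. Because the comment above says every application started from i3 runs inside this same sandbox, the socket is reachable by all of them, and `i3-msg exec` from any sandboxed app runs commands with i3's view of the filesystem; that is inherent to the single-sandbox design but worth stating. Suggest `# i3 creates its IPC socket under these paths; they are blacklisted for ordinary apps by disable-common.inc` (adjust the include name if it is a different one).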
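--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/kube
 noblacklist ${HOME}/.local/share/sink
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -78,7 +81,7 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 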
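Review bot: `include allow-bin-sh.inc` restores a shell inside a mail client's sandbox solely so Firefox can open links, and nothing tells users of another browser that they can take it out again. The libreoffice profile in this same change documents the opt-out for allow-java.inc; the same convention fits here: `# Add 'ignore include allow-bin-sh.inc' to your kube.local if you do not open links in Firefox.` Whether the Firefox launcher truly needs /bin/sh is not visible from this hunk, but the comment asserts it, so documenting the opt-out is the cheaper change.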
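--- a/etc/profile-a-l/lettura.profile
+++ b/etc/profile-a-l/lettura.profile
@@ -11,6 +11,9 @@ noblacklist ${HOME}/.config/com.lettura.dev
 noblacklist ${HOME}/.lettura
 noblacklist ${HOME}/.local/share/com.lettura.dev
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -69,7 +72,7 @@ private-tmp
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 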
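Review bot: The added `include allow-bin-sh.inc` widens a feed reader's sandbox to include /bin/sh for the benefit of one browser, with no documented way back for users who do not use Firefox. Suggest the opt-out note used elsewhere in these profiles: `# Add 'ignore include allow-bin-sh.inc' to your lettura.local if you do not open links in Firefox.`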
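--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -9,6 +9,16 @@ include globals.local
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
 
+# libreoffice can sign documents with GPG
+noblacklist ${HOME}/.gnupg
+read-only ${HOME}/.gnupg/trustdb.gpg
+read-only ${HOME}/.gnupg/pubring.kbx
+blacklist ${HOME}/.gnupg/crls.d
+blacklist ${HOME}/.gnupg/openpgp-revocs.d
+blacklist ${HOME}/.gnupg/private-keys-v1.d
+blacklist ${HOME}/.gnupg/pubring.kbx~
+blacklist ${HOME}/.gnupg/random_seed
+
 # libreoffice uses java for some functionality.
 # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
 # Allow java (blacklisted by disable-devel.inc)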
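Review bot: The new .gnupg block blacklists `private-keys-v1.d` but leaves the legacy `${HOME}/.gnupg/secring.gpg` (GnuPG 1.x secret keyring) visible and writable, and it also leaves `gpg.conf` and `gpg-agent.conf` writable, so a compromised LibreOffice could add keyserver or trust-model options that affect every later gpg run of the user. Suggest `blacklist ${HOME}/.gnupg/secring.gpg` and `read-only ${HOME}/.gnupg/gpg.conf` alongside the existing lines. Signing itself has to go through gpg-agent's socket under ${RUNUSER}/gnupg, which this hunk does not touch; presumably a runuser whitelist elsewhere in the profile covers it, otherwise signing fails even with these lines in place.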
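--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -7,15 +7,20 @@ include linuxqq.local
 include globals.local
 
 noblacklist ${HOME}/.config/QQ
-noblacklist ${HOME}/.mozilla
 
+# sh is needed to allow Firefox to open links
 include allow-bin-sh.inc
 
 include disable-shell.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.config/QQ
 whitelist ${HOME}/.config/QQ
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${DESKTOP}
 whitelist /opt/QQ
 
@@ -34,6 +39,7 @@ dbus-user.talk org.freedesktop.portal.IBus
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 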
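Review bot: `whitelist ${HOME}/.mozilla/firefox/profiles.ini` is moved here under a comment saying it only serves to look up the default profile name, yet a whitelist grants write access to a file a chat client has no reason to modify. Adding `read-only ${HOME}/.mozilla/firefox/profiles.ini` beside it keeps the lookup and removes the ability to redirect Firefox's default profile from inside the sandbox. The same remark applies to each profile in this change that gained the identical block.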
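--- a/etc/profile-a-l/loupe.profile
+++ b/etc/profile-a-l/loupe.profile
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
-#include disable-common.inc
+noblacklist ${PATH}/bwrap
+
+include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
@@ -22,7 +24,7 @@ include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 machine-id
@@ -44,7 +46,13 @@ protocol unix,netlink
 seccomp.block-secondary
 tracelog
 
+private-bin bwrap,loupe
 private-cache
 private-dev
 private-etc @x11
 private-tmp
+
+dbus-user none
+dbus-system none
+
+#read-only ${HOME} # breaks "Move to trash" and "Set as background"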
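Review bot: `apparmor` is commented out with no reason given, while the profile's own convention annotates disabled lines (`#read-only ${HOME} # breaks ...` at the end of this hunk); dropping the AppArmor layer is a real reduction in confinement and deserves the same note, e.g. `#apparmor # breaks the bwrap sandbox Loupe uses for image decoding` if that is indeed the cause. The `noblacklist ${PATH}/bwrap` and `private-bin bwrap,loupe` lines likewise need one comment saying Loupe spawns bubblewrap itself, so nobody later "tightens" the profile by removing them. Separately, the trailing comment implies "Set as background" is expected to work, but if that goes through the xdg-desktop-portal Wallpaper interface the new `dbus-user none` blocks it; `dbus-user filter` plus `dbus-user.talk org.freedesktop.portal.Desktop` would be the narrower choice, to be confirmed by testing.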
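--- /dev/null
+++ b/etc/profile-m-z/nhex.profile
@@ -0,0 +1,62 @@
+# Firejail profile for nhex
+# Description: Tauri-based IRC client inspired by HexChat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nhex.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/nhex
+noblacklist ${HOME}/.local/share/dev.nhex
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/nhex
+mkdir ${HOME}/.local/share/dev.nhex
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/nhex
+whitelist ${HOME}/.local/share/dev.nhex
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin nhex
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces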
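Review bot: The new profile combines `blacklist /usr/libexec` with a Tauri application, and Tauri on Linux renders through WebKitGTK, whose WebKitWebProcess and WebKitNetworkProcess helpers live under /usr/libexec/webkit2gtk-4.x; yelp.profile in this same change whitelists `/usr/libexec/webkit2gtk-4.0` for exactly that reason. Unless nhex bundles its own WebKit, the blacklist will keep it from rendering anything, so either confirm it starts with the blacklist in place or replace the broad blacklist with `whitelist /usr/libexec/webkit2gtk-4.1` (matching the installed ABI). `whitelist ${DOWNLOADS}` is the only writable user directory exposed to an app that parses untrusted IRC traffic; a comment saying it exists for received files would help the next reviewer keep it that narrow.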
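--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -15,6 +15,8 @@
 
 noblacklist /sys/fs
 noblacklist /sys/module
+nowhitelist /sys/module/nvidia*
+ignore read-only /sys/module/nvidia*
 
 allow-debuggers
 allusers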
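Review bot: The two new lines undo the `whitelist /sys/module/nvidia*` and `read-only /sys/module/nvidia*` that firejail now adds on its own when /dev/nvidiactl is readable, but nothing in the file says so, and a reader will not find the origin in src/firejail/fs.c without a hint. Suggest a comment above them: `# Undo the /sys/module/nvidia* whitelist and read-only that fs.c adds automatically (see #6372)`.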
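--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -5,6 +5,9 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 ignore novideo
 
 ignore noexec /tmp
@@ -25,7 +28,7 @@ private-etc @tls-ca
 dbus-user filter
 # allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 
 ignore dbus-user none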
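Review bot: This profile already keeps /tmp executable (`ignore noexec /tmp` is visible as context in the first hunk), and the new `include allow-bin-sh.inc` now puts a shell into the same sandbox, so a code-execution bug in the Electron app gets both a writable, executable scratch area and an interpreter to launch from it. That combination deserves a comment stating it is accepted for link opening, plus the opt-out other profiles document: `# Add 'ignore include allow-bin-sh.inc' to your signal-desktop.local if you do not open links in Firefox.`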
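--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -159,7 +159,8 @@ nonewprivs
 noroot
 notv
 nou2f
-# For VR support add 'ignore novideo' to your steam.local.
+# To allow VR and camera-based motion tracking, add 'ignore novideo' to your
+# steam.local.
 novideo
 protocol unix,inet,inet6,netlink
 # seccomp sometimes causes issues (see #2951, #3267).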
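--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -15,7 +15,7 @@ dbus-user filter
 dbus-user.own org.mozilla.thunderbird.*
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Notifications
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 # e2ee email needs writable-run-user
 # https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption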
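--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.abook
 noblacklist ${HOME}/.cache/flaska.net/trojita
 noblacklist ${HOME}/.config/flaska.net
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -61,7 +64,7 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 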
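Review bot: `include allow-bin-sh.inc` is added with a reason but without the opt-out note other profiles carry, and a mail client that parses untrusted messages is exactly where a reachable /bin/sh matters most. Suggest `# Add 'ignore include allow-bin-sh.inc' to your trojita.local if you do not open links in Firefox.` directly under the new comment.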
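--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -40,7 +40,7 @@ dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 
 # Redirect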
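--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/yelp
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +19,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
 whitelist /usr/libexec/webkit2gtk-4.0
@@ -59,6 +68,8 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Yelp
 dbus-user.talk ca.desrt.dconf
+# Allow D-Bus communication with Firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 # read-only ${HOME} breaks some features: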
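Review bot: The new profiles.ini block whitelists the file read-write even though its comment says it is only read to find the default profile name; `read-only ${HOME}/.mozilla/firefox/profiles.ini` after the whitelist line keeps the lookup working while preventing a compromised help viewer from redirecting Firefox's default profile. The `dbus-user.talk org.mozilla.*` added in the last hunk is what actually hands URLs to Firefox; a wildcard over the whole org.mozilla namespace is broader than strictly needed, but it is the convention used across these profiles, so I would leave it and only add the read-only line.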
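--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/Zeal
 noblacklist ${HOME}/.config/Zeal
 noblacklist ${HOME}/.local/share/Zeal
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,8 +22,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-# Allow zeal to open links in Firefox browsers.
-# This also requires dbus-user filtering (see below).
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
@@ -63,8 +67,9 @@ private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services
 private-tmp
 
 dbus-user filter
-dbus-user.talk org.mozilla.*
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Allow D-Bus communication with Firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 #memory-deny-write-execute # breaks on Arch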
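Review bot: The old line `# This also requires dbus-user filtering (see below).` is removed from the profiles.ini block and nothing replaces the cross-reference, so the dependency between those two filesystem lines and the `dbus-user.talk org.mozilla.*` at the bottom is now implicit. Keeping a one-line pointer such as `# Also requires dbus-user.talk org.mozilla.* (see below)` preserves what was lost. Since the new comment states profiles.ini is only read, `read-only ${HOME}/.mozilla/firefox/profiles.ini` next to the whitelist is a cheap way to match the permission to the stated need.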
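--- a/src/bash_completion/Makefile
+++ b/src/bash_completion/Makefile
@@ -2,14 +2,17 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+GAWK ?= gawk
+RM ?= rm -f
+
 .PHONY: all
 all: firejail.bash_completion
 
 firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk
 	$(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
 	sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
-	rm $@.tmp
+	$(RM) $@.tmp
 
 .PHONY: clean
 clean:
-	rm -fr firejail.bash_completion
+	$(RM) -r firejail.bash_completion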
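Review bot: The `firejail.bash_completion` rule still writes the final target straight from sed, so a sed failure or an interrupted run leaves a truncated `firejail.bash_completion` that is newer than its inputs and is treated as up to date on the next run; adding `.DELETE_ON_ERROR:` near the top of this Makefile (or writing to a second temp file and `mv`-ing it into place) closes that window, and the `$(RM)` cleanup of `$@.tmp` does not. In `clean`, `$(RM) -r firejail.bash_completion` passes `-r` for a plain file; `$(RM) firejail.bash_completion` is enough now that `RM` carries `-f`. `RM ?= rm -f` duplicates GNU make's built-in default, which is fine as documentation of the knob but adds nothing functionally.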
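--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {
 }
 else {
 content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-close(fd);
 mmapped = 1;
 }
+close(fd);
 
 unsigned char checksum[KEY_SIZE / 8];
 blake2b(checksum, sizeof(checksum), content, size);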
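Review bot: The mmap() result on the context line above the moved close() is never compared against MAP_FAILED, so on failure `content` is (void *)-1 and the blake2b() call below reads through it; relocating close(fd) leaves that unchanged. Suggest `if (content == MAP_FAILED) errExit("mmap");` immediately after the mmap call (errExit is the idiom used elsewhere in this tree, and the mapping survives closing the descriptor, so the new close placement is fine). file_checksum() starts outside this hunk, so the non-mmap branch and the eventual munmap/free are not visible here; with fd now closed after both branches, confirm the other branch did not already close it.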
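--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -300,6 +300,7 @@ void fix_desktop_files(const char *homedir) {
 
 if (stat(outname, &sb) == 0) {
 printf(" %s skipped: file exists\n", filename);
+free(outname);
 if (change_exec)
 free(change_exec);
 continue;
@@ -308,6 +309,7 @@ void fix_desktop_files(const char *homedir) {
 FILE *fpin = fopen(filename, "r");
 if (!fpin) {
 fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+free(outname);
 if (change_exec)
 free(change_exec);
 continue;
@@ -317,6 +319,7 @@ void fix_desktop_files(const char *homedir) {
 if (!fpout) {
 fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
 fclose(fpin);
+free(outname);
 if (change_exec)
 free(change_exec);
 continue;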
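Review bot: Each of the three early `continue` paths now repeats the same cleanup (`free(outname); if (change_exec) free(change_exec); continue;`), and a fourth exit path would have to copy it again; free(NULL) is a no-op, so the `if (change_exec)` guard is also redundant. A single `next:` label at the bottom of the loop body with `free(outname); free(change_exec); continue;` and a `goto next` at each site would keep the three cleanups from drifting apart. fix_desktop_files() continues outside the hunk, so I cannot confirm there are no further early exits that still miss `free(outname)`.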
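--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -63,6 +63,7 @@ arduino
 aria2c
 ark
 arm
+armcord
 artha
 assogiate
 asunder
@@ -647,6 +648,7 @@ newsflash
 nextcloud
 nextcloud-desktop
 nheko
+nhex
 nicotine
 nitroshare
 nitroshare-cli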
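--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -198,6 +198,8 @@ static void read_bandwidth_file(pid_t pid) {
 
 fclose(fp);
 }
+
+free(fname);
 }
 
 static void write_bandwidth_file(pid_t pid) {
@@ -217,6 +219,7 @@ static void write_bandwidth_file(pid_t pid) {
 ptr = ptr->next;
 }
 fclose(fp);
+free(fname);
 }
 else
 goto errout;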
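Review bot: In write_bandwidth_file() the new `free(fname)` sits only on the fopen-succeeded branch; the `else goto errout;` path right below it still leaves `fname` allocated, so the leak is fixed for the common case but not for the error path. If errout returns rather than exits, either add `free(fname);` before the `goto` or let the errout label free it. Both functions start outside this hunk, so any early returns between the asprintf and these frees are not visible here.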
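--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -743,10 +743,20 @@ void fs_proc_sys_dev_boot(void) {
 
 disable_file(BLACKLIST_FILE, "/sys/firmware");
 disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-{ // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-profile_add("blacklist /sys/fs");
+
+// Soft-block some paths in /sys/ (can be undone in profiles).
+profile_add("blacklist /sys/fs");
+
+// Hardware acceleration with the nvidia proprietary driver may fail
+// without access to these paths (see #6372).
+if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+profile_add("whitelist /sys/module/nvidia*");
+profile_add("read-only /sys/module/nvidia*");
+}
+else {
 profile_add("blacklist /sys/module");
 }
+
 disable_file(BLACKLIST_FILE, "/sys/power");
 disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
 disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");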
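Review bot: The `access("/dev/nvidiactl", R_OK)` test runs inside the setuid-root firejail process, and it is the right call precisely because access(2) checks the real UID rather than the effective one, but the comment does not say so and a later reader may "fix" it into a stat() or open() that answers for root. Suggest extending the comment with `// access(2) checks the real uid, so this reflects the user's own permission even though we run setuid-root`. It is also worth recording in the same comment that R_OK on the device node only shows the user may read it, not that 3D will work, and that the `nvidia*` glob is meant to cover nvidia_drm, nvidia_modeset and nvidia_uvm too, if that is the intent.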
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index fa88bbe12..e8e486f12 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -52,7 +52,8 @@ typedef struct { | |||
52 | 52 | ||
53 | static DevEntry dev[] = { | 53 | static DevEntry dev[] = { |
54 | {"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND}, // sound device | 54 | {"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND}, // sound device |
55 | {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D}, // 3d device | 55 | {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D}, // 3d devices |
56 | {"/dev/kfd", RUN_DEV_DIR "/kfd", DEV_3D}, | ||
56 | {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D}, | 57 | {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D}, |
57 | {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D}, | 58 | {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D}, |
58 | {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D}, | 59 | {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D}, |
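Review bot: The new /dev/kfd entry is the only one in this table without a trailing comment, and it widens what DEV_3D grants: /dev/kfd is the AMD KFD compute interface used by ROCm, not a display node, so it is now exposed whenever 3d devices are allowed and removed only by --no3d. Suggest `{"/dev/kfd", RUN_DEV_DIR "/kfd", DEV_3D}, // AMD ROCm compute (KFD), tied to --no3d` so the scope of the flag is visible from the table.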
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 7c3f3835b..9d9832c15 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -67,8 +67,10 @@ static void skel(const char *homedir) { | |||
67 | if (asprintf(&fname, "%s/.zshrc", homedir) == -1) | 67 | if (asprintf(&fname, "%s/.zshrc", homedir) == -1) |
68 | errExit("asprintf"); | 68 | errExit("asprintf"); |
69 | // don't copy it if we already have the file | 69 | // don't copy it if we already have the file |
70 | if (access(fname, F_OK) == 0) | 70 | if (access(fname, F_OK) == 0) { |
71 | free(fname); | ||
71 | return; | 72 | return; |
73 | } | ||
72 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat | 74 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat |
73 | fprintf(stderr, "Error: invalid %s file\n", fname); | 75 | fprintf(stderr, "Error: invalid %s file\n", fname); |
74 | exit(1); | 76 | exit(1); |
@@ -91,8 +93,10 @@ static void skel(const char *homedir) { | |||
91 | if (asprintf(&fname, "%s/.cshrc", homedir) == -1) | 93 | if (asprintf(&fname, "%s/.cshrc", homedir) == -1) |
92 | errExit("asprintf"); | 94 | errExit("asprintf"); |
93 | // don't copy it if we already have the file | 95 | // don't copy it if we already have the file |
94 | if (access(fname, F_OK) == 0) | 96 | if (access(fname, F_OK) == 0) { |
97 | free(fname); | ||
95 | return; | 98 | return; |
99 | } | ||
96 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat | 100 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat |
97 | fprintf(stderr, "Error: invalid %s file\n", fname); | 101 | fprintf(stderr, "Error: invalid %s file\n", fname); |
98 | exit(1); | 102 | exit(1); |
@@ -115,8 +119,10 @@ static void skel(const char *homedir) { | |||
115 | if (asprintf(&fname, "%s/.bashrc", homedir) == -1) | 119 | if (asprintf(&fname, "%s/.bashrc", homedir) == -1) |
116 | errExit("asprintf"); | 120 | errExit("asprintf"); |
117 | // don't copy it if we already have the file | 121 | // don't copy it if we already have the file |
118 | if (access(fname, F_OK) == 0) | 122 | if (access(fname, F_OK) == 0) { |
123 | free(fname); | ||
119 | return; | 124 | return; |
125 | } | ||
120 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat | 126 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat |
121 | fprintf(stderr, "Error: invalid %s file\n", fname); | 127 | fprintf(stderr, "Error: invalid %s file\n", fname); |
122 | exit(1); | 128 | exit(1); |
diff --git a/src/firejail/ids.c b/src/firejail/ids.c index 40bbe6d02..0759a205d 100644 --- a/src/firejail/ids.c +++ b/src/firejail/ids.c | |||
@@ -42,6 +42,7 @@ static void ids_init(void) { | |||
42 | if (dup(fd) != STDOUT_FILENO) | 42 | if (dup(fd) != STDOUT_FILENO) |
43 | errExit("dup"); | 43 | errExit("dup"); |
44 | close(fd); | 44 | close(fd); |
45 | free(fname); | ||
45 | 46 | ||
46 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir); | 47 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir); |
47 | } | 48 | } |
@@ -63,6 +64,7 @@ static void ids_check(void) { | |||
63 | if (dup(fd) != STDIN_FILENO) | 64 | if (dup(fd) != STDIN_FILENO) |
64 | errExit("dup"); | 65 | errExit("dup"); |
65 | close(fd); | 66 | close(fd); |
67 | free(fname); | ||
66 | 68 | ||
67 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir); | 69 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir); |
68 | } | 70 | } |
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index 3ac1bddae..2b3512320 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
@@ -139,7 +139,7 @@ static void _ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
139 | target.parent_fd = allowed_fd; | 139 | target.parent_fd = allowed_fd; |
140 | target.allowed_access = allowed_access; | 140 | target.allowed_access = allowed_access; |
141 | int error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | 141 | int error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
142 | &target, 0); | 142 | &target, 0); |
143 | if (error) { | 143 | if (error) { |
144 | fprintf(stderr, "Error: %s: failed to add Landlock rule " | 144 | fprintf(stderr, "Error: %s: failed to add Landlock rule " |
145 | "(abi=%d fs=%llx) for %s: %s\n", | 145 | "(abi=%d fs=%llx) for %s: %s\n", |
@@ -170,7 +170,6 @@ static void ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
170 | return; | 170 | return; |
171 | } | 171 | } |
172 | 172 | ||
173 | |||
174 | expanded_path = expand_macros(allowed_path); | 173 | expanded_path = expand_macros(allowed_path); |
175 | _ll_fs(expanded_path, allowed_access, caller); | 174 | _ll_fs(expanded_path, allowed_access, caller); |
176 | free(expanded_path); | 175 | free(expanded_path); |
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index cb078b580..4bd0ba459 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) { | |||
122 | // mode and ownership | 122 | // mode and ownership |
123 | SET_PERMS_STREAM(fp, 0, 0, 0644); | 123 | SET_PERMS_STREAM(fp, 0, 0, 0644); |
124 | fclose(fp); | 124 | fclose(fp); |
125 | free(fname); | ||
125 | } | 126 | } |
126 | 127 | ||
127 | 128 | ||
@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) { | |||
141 | // mode and ownership | 142 | // mode and ownership |
142 | SET_PERMS_STREAM(fp, 0, 0, 0644); | 143 | SET_PERMS_STREAM(fp, 0, 0, 0644); |
143 | fclose(fp); | 144 | fclose(fp); |
145 | free(fname); | ||
144 | } | 146 | } |
145 | 147 | ||
146 | void set_profile_run_file(pid_t pid, const char *fname) { | 148 | void set_profile_run_file(pid_t pid, const char *fname) { |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 323133f8d..5d7c244b1 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) { | |||
1392 | fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n"); | 1392 | fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n"); |
1393 | exit(1); | 1393 | exit(1); |
1394 | } | 1394 | } |
1395 | free(name); | ||
1395 | 1396 | ||
1396 | // join the namespace | 1397 | // join the namespace |
1397 | EUID_ROOT(); | 1398 | EUID_ROOT(); |
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 39dc38ec9..e70174b1e 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c | |||
@@ -152,10 +152,12 @@ static void print_proc(int index, int itv, int col) { | |||
152 | struct stat s; | 152 | struct stat s; |
153 | if (stat(name, &s) == -1) { | 153 | if (stat(name, &s) == -1) { |
154 | // the sandbox doesn't have a --net= option, don't print | 154 | // the sandbox doesn't have a --net= option, don't print |
155 | free(name); | ||
155 | if (cmd) | 156 | if (cmd) |
156 | free(cmd); | 157 | free(cmd); |
157 | return; | 158 | return; |
158 | } | 159 | } |
160 | free(name); | ||
159 | 161 | ||
160 | // pid | 162 | // pid |
161 | char pidstr[11]; | 163 | char pidstr[11]; |
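Review bot: `name` is now freed on two separate paths (new lines 155 and 160) around the stat() check; a third early return added later would again leak it. Since stat() is the last use, freeing once right after the call is simpler: `int rv = stat(name, &s);` / `free(name);` / `if (rv == -1) {` and drop both free(name) lines. print_proc() starts outside the hunk, so confirm name is not referenced after the pid block.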
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c index 50c51839b..5fbcb5a15 100644 --- a/src/jailcheck/access.c +++ b/src/jailcheck/access.c | |||
@@ -80,10 +80,13 @@ void access_setup(const char *directory) { | |||
80 | FILE *fp = fopen(test_file, "w"); | 80 | FILE *fp = fopen(test_file, "w"); |
81 | if (!fp) { | 81 | if (!fp) { |
82 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); | 82 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); |
83 | free(test_file); | ||
84 | free(path); | ||
83 | return; | 85 | return; |
84 | } | 86 | } |
85 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); | 87 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); |
86 | fclose(fp); | 88 | fclose(fp); |
89 | free(path); | ||
87 | int rv = chown(test_file, user_uid, user_gid); | 90 | int rv = chown(test_file, user_uid, user_gid); |
88 | if (rv) | 91 | if (rv) |
89 | errExit("chown"); | 92 | errExit("chown"); |
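Review bot: `test_file` is still live after new line 89 (it is passed to chown on line 90), so only the fopen-failure path frees it here; access_setup() continues outside the hunk, and the final free of test_file on the success path should be confirmed there. The same question applies to the virtual.c section below, whose hunk also frees test_file only on the fopen-failure path. A short comment at the early return, `// path is no longer needed once the file is created; test_file is freed at the end`, would document the intended ownership.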
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c index 37234c648..e5657135d 100644 --- a/src/jailcheck/noexec.c +++ b/src/jailcheck/noexec.c | |||
@@ -55,6 +55,7 @@ void noexec_setup(void) { | |||
55 | execfile_len = s.st_size; | 55 | execfile_len = s.st_size; |
56 | close(fd); | 56 | close(fd); |
57 | } | 57 | } |
58 | free(self); | ||
58 | } | 59 | } |
59 | } | 60 | } |
60 | 61 | ||
@@ -110,4 +111,5 @@ void noexec_test(const char *path) { | |||
110 | wait(&status); | 111 | wait(&status); |
111 | int rv = unlink(fname); | 112 | int rv = unlink(fname); |
112 | (void) rv; | 113 | (void) rv; |
114 | free(fname); | ||
113 | } | 115 | } |
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c index d4bfd1923..348efc784 100644 --- a/src/jailcheck/virtual.c +++ b/src/jailcheck/virtual.c | |||
@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) { | |||
49 | FILE *fp = fopen(test_file, "w"); | 49 | FILE *fp = fopen(test_file, "w"); |
50 | if (!fp) { | 50 | if (!fp) { |
51 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); | 51 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); |
52 | free(test_file); | ||
52 | return; | 53 | return; |
53 | } | 54 | } |
54 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); | 55 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); |
diff --git a/src/man/Makefile b/src/man/Makefile index 1c1fd49a5..767920e2b 100644 --- a/src/man/Makefile +++ b/src/man/Makefile | |||
@@ -2,6 +2,10 @@ | |||
2 | ROOT = ../.. | 2 | ROOT = ../.. |
3 | -include $(ROOT)/config.mk | 3 | -include $(ROOT)/config.mk |
4 | 4 | ||
5 | GAWK ?= gawk | ||
6 | GZIP ?= gzip | ||
7 | RM ?= rm -f | ||
8 | |||
5 | MOD_DIR := $(ROOT)/src/man | 9 | MOD_DIR := $(ROOT)/src/man |
6 | MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in)) | 10 | MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in)) |
7 | MANPAGES_GZ := $(MANPAGES_IN:.in=.gz) | 11 | MANPAGES_GZ := $(MANPAGES_IN:.in=.gz) |
@@ -19,8 +23,8 @@ $(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk | |||
19 | # foo.1.gz: foo.1 | 23 | # foo.1.gz: foo.1 |
20 | $(MOD_DIR)/%.gz: $(MOD_DIR)/% | 24 | $(MOD_DIR)/%.gz: $(MOD_DIR)/% |
21 | @printf 'Generating %s from %s\n' $@ $< | 25 | @printf 'Generating %s from %s\n' $@ $< |
22 | @rm -f $@ | 26 | @$(RM) $@ |
23 | @gzip -n9 $< | 27 | @$(GZIP) -n9 $< |
24 | 28 | ||
25 | .PHONY: clean | 29 | .PHONY: clean |
26 | clean:; rm -f *.1 *.5 *.gz | 30 | clean:; $(RM) *.1 *.5 *.gz |
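Review bot: `GZIP ?= gzip` on new line 6 collides with the environment variable gzip(1) itself reads for default options (e.g. a user with `GZIP=-9` exported); make imports environment variables, so `?=` keeps that value and the recipe on line 27 expands to `-9 -n9 foo.1` and fails. A name that is not read by the tool avoids this, e.g. `GZIP_CMD ?= gzip` (constructed name) with `@$(GZIP_CMD) -n9 $<`. Note also that `RM ?= rm -f` is a no-op under plain GNU make, which predefines RM as `rm -f`; it only takes effect with -R/--no-builtin-variables or another make, which is fine but worth a comment.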
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 87bd6fcc2..fa2329d67 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -95,7 +95,12 @@ $ firejail [OPTIONS] # starting the program specified in $SHELL, | |||
95 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox | 95 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox |
96 | .PP | 96 | .PP |
97 | # sudo firejail [OPTIONS] /etc/init.d/nginx start | 97 | # sudo firejail [OPTIONS] /etc/init.d/nginx start |
98 | 98 | .PP | |
99 | When an option is specified multiple times (whether in a profile, on the | ||
100 | command line, or both) or conflicts with a related option, the | ||
101 | precedence/behavior is option-specific and usually documented in the | ||
102 | \fBOPTIONS\fR section below. Note that an option specified in a profile can | ||
103 | generally be disabled on the command line using \fB--ignore\fR. | ||
99 | .SH OPTIONS | 104 | .SH OPTIONS |
100 | .TP | 105 | .TP |
101 | \fB\-\- | 106 | \fB\-\- |
@@ -1729,6 +1734,16 @@ See --keep-config-pulse. | |||
1729 | Disable blacklist for this directory or file. | 1734 | Disable blacklist for this directory or file. |
1730 | .br | 1735 | .br |
1731 | 1736 | ||
1737 | Note that blacklist entries containing ${PATH} can not currently be partially | ||
1738 | disabled for individual expanded paths. Only the whole unexpanded path | ||
1739 | including ${PATH} can be disabled, which then applies to all expansions. | ||
1740 | This limitation does not apply to expansions of other variables or wildcards. | ||
1741 | For details, see | ||
1742 | .UR https://github.com/netblue30/firejail/issues/6360 | ||
1743 | #6360 | ||
1744 | .UE | ||
1745 | .br | ||
1746 | |||
1732 | .br | 1747 | .br |
1733 | Example: | 1748 | Example: |
1734 | .br | 1749 | .br |
@@ -1744,6 +1759,14 @@ $ exit | |||
1744 | .br | 1759 | .br |
1745 | $ firejail --noblacklist=/bin/nc | 1760 | $ firejail --noblacklist=/bin/nc |
1746 | .br | 1761 | .br |
1762 | bash: /bin/nc: Permission denied | ||
1763 | .br | ||
1764 | $ exit | ||
1765 | .br | ||
1766 | |||
1767 | .br | ||
1768 | $ firejail --noblacklist='${PATH}/nc' | ||
1769 | .br | ||
1747 | $ nc dict.org 2628 | 1770 | $ nc dict.org 2628 |
1748 | .br | 1771 | .br |
1749 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 | 1772 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 |
diff --git a/src/profstats/main.c b/src/profstats/main.c index ad27bfe79..10eee3c4b 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -344,7 +344,7 @@ int main(int argc, char **argv) { | |||
344 | if (cnt_seccomp > (seccomp + 1)) | 344 | if (cnt_seccomp > (seccomp + 1)) |
345 | cnt_seccomp = seccomp + 1; | 345 | cnt_seccomp = seccomp + 1; |
346 | if (cnt_restrict_namespaces > (restrict_namespaces + 1)) | 346 | if (cnt_restrict_namespaces > (restrict_namespaces + 1)) |
347 | cnt_seccomp = restrict_namespaces + 1; | 347 | cnt_restrict_namespaces = restrict_namespaces + 1; |
348 | if (cnt_dbus_user_none > (dbususernone + 1)) | 348 | if (cnt_dbus_user_none > (dbususernone + 1)) |
349 | cnt_dbus_user_none = dbususernone + 1; | 349 | cnt_dbus_user_none = dbususernone + 1; |
350 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) | 350 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) |
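Review bot: The fix on new line 347 corrects a copy-paste slip, but the surrounding run of near-identical clamp blocks is exactly what invites it again. A small macro keeps the counter and its bound on one line so the pairing is visible: `#define CLAMP_CNT(cnt, max) do { if ((cnt) > ((max) + 1)) (cnt) = (max) + 1; } while (0)` used as `CLAMP_CNT(cnt_restrict_namespaces, restrict_namespaces);`. main() starts and ends outside the hunk.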
diff --git a/src/prog.mk b/src/prog.mk index a639e87fc..3e89a6ba8 100644 --- a/src/prog.mk +++ b/src/prog.mk | |||
@@ -5,6 +5,9 @@ | |||
5 | # The includer should probably define PROG and TARGET and may also want to | 5 | # The includer should probably define PROG and TARGET and may also want to |
6 | # define EXTRA_OBJS and extend CLEANFILES. | 6 | # define EXTRA_OBJS and extend CLEANFILES. |
7 | 7 | ||
8 | CC ?= cc | ||
9 | RM ?= rm -f | ||
10 | |||
8 | HDRS := | 11 | HDRS := |
9 | SRCS := $(sort $(wildcard $(MOD_DIR)/*.c)) | 12 | SRCS := $(sort $(wildcard $(MOD_DIR)/*.c)) |
10 | OBJS := $(SRCS:.c=.o) | 13 | OBJS := $(SRCS:.c=.o) |
@@ -25,4 +28,4 @@ $(PROG): $(OBJS) $(EXTRA_OBJS) $(ROOT)/config.mk | |||
25 | $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) $(LIBS) | 28 | $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) $(LIBS) |
26 | 29 | ||
27 | .PHONY: clean | 30 | .PHONY: clean |
28 | clean:; rm -fr $(PROG) $(CLEANFILES) | 31 | clean:; $(RM) -r $(PROG) $(CLEANFILES) |
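Review bot: `CC ?= cc` and `RM ?= rm -f` on new lines 8-9 are no-ops under plain GNU make, which already predefines CC as `cc` and RM as `rm -f`; they only matter with -R/--no-builtin-variables or a non-GNU make, and a one-line comment saying so would prevent a future reader from expecting them to override anything. Because `-include $(ROOT)/config.mk` runs earlier in the including Makefiles, a config.mk that sets `RM = rm` makes the clean recipe on line 31 `rm -r $(PROG) ...`, which fails when the files are absent; `$(RM) -rf $(PROG) $(CLEANFILES)` keeps clean idempotent regardless of RM. The second hunk below (the `SO` variant, whose file header is missing from this page) has the same two points.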
@@ -5,6 +5,9 @@ | |||
5 | # The includer should probably define SO and TARGET and may also want to define | 5 | # The includer should probably define SO and TARGET and may also want to define |
6 | # EXTRA_OBJS and extend CLEANFILES. | 6 | # EXTRA_OBJS and extend CLEANFILES. |
7 | 7 | ||
8 | CC ?= cc | ||
9 | RM ?= rm -f | ||
10 | |||
8 | HDRS := | 11 | HDRS := |
9 | SRCS := $(sort $(wildcard $(MOD_DIR)/*.c)) | 12 | SRCS := $(sort $(wildcard $(MOD_DIR)/*.c)) |
10 | OBJS := $(SRCS:.c=.o) | 13 | OBJS := $(SRCS:.c=.o) |
@@ -25,4 +28,4 @@ $(SO): $(OBJS) $(EXTRA_OBJS) $(ROOT)/config.mk | |||
25 | $(CC) $(SO_LDFLAGS) -shared $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) -ldl | 28 | $(CC) $(SO_LDFLAGS) -shared $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) -ldl |
26 | 29 | ||
27 | .PHONY: clean | 30 | .PHONY: clean |
28 | clean:; rm -fr $(SO) $(CLEANFILES) | 31 | clean:; $(RM) -r $(SO) $(CLEANFILES) |
diff --git a/src/zsh_completion/Makefile b/src/zsh_completion/Makefile index e964d39ec..cbc476a73 100644 --- a/src/zsh_completion/Makefile +++ b/src/zsh_completion/Makefile | |||
@@ -2,14 +2,17 @@ | |||
2 | ROOT = ../.. | 2 | ROOT = ../.. |
3 | -include $(ROOT)/config.mk | 3 | -include $(ROOT)/config.mk |
4 | 4 | ||
5 | GAWK ?= gawk | ||
6 | RM ?= rm -f | ||
7 | |||
5 | .PHONY: all | 8 | .PHONY: all |
6 | all: _firejail | 9 | all: _firejail |
7 | 10 | ||
8 | _firejail: _firejail.in $(ROOT)/config.mk | 11 | _firejail: _firejail.in $(ROOT)/config.mk |
9 | $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | 12 | $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp |
10 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | 13 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ |
11 | rm $@.tmp | 14 | $(RM) $@.tmp |
12 | 15 | ||
13 | .PHONY: clean | 16 | .PHONY: clean |
14 | clean: | 17 | clean: |
15 | rm -fr _firejail | 18 | $(RM) -r _firejail |
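Review bot: The recipe on new lines 12-14 writes the final `_firejail` directly with `sed ... > $@`, so if sed fails the truncated target is left in place, is newer than its prerequisites, and the next make run treats it as up to date; `$(RM) $@.tmp` on line 14 never runs in that case either. Adding `.DELETE_ON_ERROR:` at the top of this Makefile makes make remove the partial target on a failed recipe, or alternatively write `> $@.tmp2 && mv -f $@.tmp2 $@`. The `-r` on line 18 is unnecessary for a regular file but harmless.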
diff --git a/test/Makefile b/test/Makefile index 52fada86c..89855d082 100644 --- a/test/Makefile +++ b/test/Makefile | |||
@@ -2,6 +2,8 @@ | |||
2 | ROOT = .. | 2 | ROOT = .. |
3 | -include $(ROOT)/config.mk | 3 | -include $(ROOT)/config.mk |
4 | 4 | ||
5 | RM ?= rm -f | ||
6 | |||
5 | TESTS=$(patsubst %/,%,$(wildcard */)) | 7 | TESTS=$(patsubst %/,%,$(wildcard */)) |
6 | 8 | ||
7 | .PHONY: $(TESTS) | 9 | .PHONY: $(TESTS) |
@@ -11,14 +13,14 @@ $(TESTS): | |||
11 | 13 | ||
12 | .PHONY: clean | 14 | .PHONY: clean |
13 | clean: | 15 | clean: |
14 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done | 16 | for test in $(TESTS); do $(RM) "$$test/$$test.log"; done |
15 | rm -fr environment/-testdir | 17 | $(RM) -r environment/-testdir |
16 | rm -f environment/index.html* | 18 | $(RM) environment/index.html* |
17 | rm -f environment/logfile* | 19 | $(RM) environment/logfile* |
18 | rm -f environment/wget-log* | 20 | $(RM) environment/wget-log* |
19 | rm -f sysutils/firejail_t* | 21 | $(RM) sysutils/firejail_t* |
20 | rm -f utils/firejail-test-file* | 22 | $(RM) utils/firejail-test-file* |
21 | rm -f utils/index.html* | 23 | $(RM) utils/index.html* |
22 | rm -f utils/lstesting | 24 | $(RM) utils/lstesting |
23 | rm -f utils/wget-log | 25 | $(RM) utils/wget-log |
24 | cd compile && (./compile.sh --clean || true) | 26 | cd compile && (./compile.sh --clean || true) |