41 files changed, 269 insertions, 145 deletions
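--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/build_issue.md
@@ -0,0 +1,72 @@
+---
+name: Build issue
+about: There is an issue when trying to build the project from source
+title: 'build: '
+labels: ''
+assignees: ''
+
+---
+
+<!--
+See the following links for help with formatting:
+
+https://guides.github.com/features/mastering-markdown/
+https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
+-->
+
+### Description
+
+_Describe the bug_
+
+### Steps to Reproduce
+
+<!--
+Note: If the output is too long to embed it into the comment, you can post it
+in a gist at <https://gist.github.com/> and link it here or upload the build
+log as a file.
+
+Note: Make sure to include the exact command-line used for all commands and to
+include the full output of ./configure.
+
+Feel free to include only the errors in the make output if they are
+self-explanatory (for example, with `make >/dev/null`).
+-->
+
+_Post the commands used to reproduce the issue and their output_
+
+Example:
+
+```console
+$ ./configure --prefix=/usr --enable-apparmor
+checking for gcc... gcc
+checking whether the C compiler works... yes
+[...]
+$ make
+make -C src/lib
+gcc [...]
+[...]
+```
+
+_If ./configure fails, include the output of config.log_
+
+Example:
+
+```console
+$ cat config.log
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+[...]
+```
+
+### Additional context
+
+_(Optional) Any other detail that may help to understand/debug the problem_
+
+### Environment
+
+- Name/version/arch of the Linux kernel (e.g. the output of `uname -srm`)
+- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux")
+- Name/version of the C compiler (e.g. "gcc 14.1.1-1")
+- Name/version of the libc (e.g. "glibc 2.40-1")
+- Version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on Arch Linux)
+- Version of the source code being built (e.g. the output of `git rev-parse HEAD`)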
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index ccc5c9bf7..8ad73bb45 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -44,7 +44,7 @@ jobs: | |||
44 | timeout-minutes: 10 | 44 | timeout-minutes: 10 |
45 | steps: | 45 | steps: |
46 | - name: Harden Runner | 46 | - name: Harden Runner |
47 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 47 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
48 | with: | 48 | with: |
49 | egress-policy: block | 49 | egress-policy: block |
50 | allowed-endpoints: > | 50 | allowed-endpoints: > |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7752f3d3..e8bfd0c16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -60,7 +60,7 @@ jobs: | |||
60 | timeout-minutes: 10 | 60 | timeout-minutes: 10 |
61 | steps: | 61 | steps: |
62 | - name: Harden Runner | 62 | - name: Harden Runner |
63 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 63 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
64 | with: | 64 | with: |
65 | egress-policy: block | 65 | egress-policy: block |
66 | allowed-endpoints: > | 66 | allowed-endpoints: > |
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index a0b7245e5..1b35f684f 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml | |||
@@ -46,7 +46,7 @@ jobs: | |||
46 | timeout-minutes: 10 | 46 | timeout-minutes: 10 |
47 | steps: | 47 | steps: |
48 | - name: Harden Runner | 48 | - name: Harden Runner |
49 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 49 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
50 | with: | 50 | with: |
51 | egress-policy: block | 51 | egress-policy: block |
52 | allowed-endpoints: > | 52 | allowed-endpoints: > |
@@ -79,7 +79,7 @@ jobs: | |||
79 | timeout-minutes: 10 | 79 | timeout-minutes: 10 |
80 | steps: | 80 | steps: |
81 | - name: Harden Runner | 81 | - name: Harden Runner |
82 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 82 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
83 | with: | 83 | with: |
84 | egress-policy: block | 84 | egress-policy: block |
85 | allowed-endpoints: > | 85 | allowed-endpoints: > |
@@ -109,7 +109,7 @@ jobs: | |||
109 | timeout-minutes: 10 | 109 | timeout-minutes: 10 |
110 | steps: | 110 | steps: |
111 | - name: Harden Runner | 111 | - name: Harden Runner |
112 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 112 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
113 | with: | 113 | with: |
114 | egress-policy: block | 114 | egress-policy: block |
115 | allowed-endpoints: > | 115 | allowed-endpoints: > |
@@ -143,7 +143,7 @@ jobs: | |||
143 | 143 | ||
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 146 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
147 | with: | 147 | with: |
148 | disable-sudo: true | 148 | disable-sudo: true |
149 | egress-policy: block | 149 | egress-policy: block |
@@ -161,7 +161,7 @@ jobs: | |||
161 | 161 | ||
162 | # Initializes the CodeQL tools for scanning. | 162 | # Initializes the CodeQL tools for scanning. |
163 | - name: Initialize CodeQL | 163 | - name: Initialize CodeQL |
164 | uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c | 164 | uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 |
165 | with: | 165 | with: |
166 | languages: cpp | 166 | languages: cpp |
167 | 167 | ||
@@ -172,4 +172,4 @@ jobs: | |||
172 | run: make -j "$(nproc)" | 172 | run: make -j "$(nproc)" |
173 | 173 | ||
174 | - name: Perform CodeQL Analysis | 174 | - name: Perform CodeQL Analysis |
175 | uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c | 175 | uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 |
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index 38cb1f29b..cb9d9ce87 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml | |||
@@ -33,7 +33,7 @@ jobs: | |||
33 | 33 | ||
34 | steps: | 34 | steps: |
35 | - name: Harden Runner | 35 | - name: Harden Runner |
36 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 36 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
37 | with: | 37 | with: |
38 | disable-sudo: true | 38 | disable-sudo: true |
39 | egress-policy: block | 39 | egress-policy: block |
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 838414498..ed317a86f 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml | |||
@@ -31,7 +31,7 @@ jobs: | |||
31 | 31 | ||
32 | steps: | 32 | steps: |
33 | - name: Harden Runner | 33 | - name: Harden Runner |
34 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 34 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
35 | with: | 35 | with: |
36 | disable-sudo: true | 36 | disable-sudo: true |
37 | egress-policy: block | 37 | egress-policy: block |
@@ -51,9 +51,9 @@ jobs: | |||
51 | 51 | ||
52 | # Initializes the CodeQL tools for scanning. | 52 | # Initializes the CodeQL tools for scanning. |
53 | - name: Initialize CodeQL | 53 | - name: Initialize CodeQL |
54 | uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c | 54 | uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 |
55 | with: | 55 | with: |
56 | languages: python | 56 | languages: python |
57 | 57 | ||
58 | - name: Perform CodeQL Analysis | 58 | - name: Perform CodeQL Analysis |
59 | uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c | 59 | uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 |
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 6e0fe73d2..27c6ab125 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml | |||
@@ -24,7 +24,7 @@ jobs: | |||
24 | timeout-minutes: 5 | 24 | timeout-minutes: 5 |
25 | steps: | 25 | steps: |
26 | - name: Harden Runner | 26 | - name: Harden Runner |
27 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 27 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
28 | with: | 28 | with: |
29 | egress-policy: block | 29 | egress-policy: block |
30 | allowed-endpoints: > | 30 | allowed-endpoints: > |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c1ee00934..92eb212e4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml | |||
@@ -54,7 +54,7 @@ jobs: | |||
54 | SHELL: /bin/bash | 54 | SHELL: /bin/bash |
55 | steps: | 55 | steps: |
56 | - name: Harden Runner | 56 | - name: Harden Runner |
57 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 57 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
58 | with: | 58 | with: |
59 | egress-policy: block | 59 | egress-policy: block |
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
@@ -103,7 +103,7 @@ jobs: | |||
103 | SHELL: /bin/bash | 103 | SHELL: /bin/bash |
104 | steps: | 104 | steps: |
105 | - name: Harden Runner | 105 | - name: Harden Runner |
106 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 106 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
107 | with: | 107 | with: |
108 | egress-policy: block | 108 | egress-policy: block |
109 | allowed-endpoints: > | 109 | allowed-endpoints: > |
@@ -143,7 +143,7 @@ jobs: | |||
143 | SHELL: /bin/bash | 143 | SHELL: /bin/bash |
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 146 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
147 | with: | 147 | with: |
148 | egress-policy: block | 148 | egress-policy: block |
149 | allowed-endpoints: > | 149 | allowed-endpoints: > |
@@ -183,7 +183,7 @@ jobs: | |||
183 | SHELL: /bin/bash | 183 | SHELL: /bin/bash |
184 | steps: | 184 | steps: |
185 | - name: Harden Runner | 185 | - name: Harden Runner |
186 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 186 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
187 | with: | 187 | with: |
188 | egress-policy: block | 188 | egress-policy: block |
189 | allowed-endpoints: > | 189 | allowed-endpoints: > |
@@ -225,7 +225,7 @@ jobs: | |||
225 | SHELL: /bin/bash | 225 | SHELL: /bin/bash |
226 | steps: | 226 | steps: |
227 | - name: Harden Runner | 227 | - name: Harden Runner |
228 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 | 228 | uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde |
229 | with: | 229 | with: |
230 | egress-policy: block | 230 | egress-policy: block |
231 | allowed-endpoints: > | 231 | allowed-endpoints: > |
@@ -171,7 +171,7 @@ aoand (https://github.com/aoand) | |||
171 | Arne Welzel (https://github.com/awelzel) | 171 | Arne Welzel (https://github.com/awelzel) |
172 | - ignore SIGTTOU during flush_stdin() | 172 | - ignore SIGTTOU during flush_stdin() |
173 | archaon616 (https://github.com/archaon616) | 173 | archaon616 (https://github.com/archaon616) |
174 | - steam.profile: Allow Factorio | 174 | - steam.profile: allow Factorio, Zomboid |
175 | Atrate (https://github.com/Atrate) | 175 | Atrate (https://github.com/Atrate) |
176 | - BetterDiscord support | 176 | - BetterDiscord support |
177 | Austin Morton (https://github.com/apmorton) | 177 | Austin Morton (https://github.com/apmorton) |
@@ -326,6 +326,8 @@ curiosityseeker (https://github.com/curiosityseeker - new) | |||
326 | - fixed conky profile | 326 | - fixed conky profile |
327 | - thunderbird.profile: harden and enable the rules necessary to make | 327 | - thunderbird.profile: harden and enable the rules necessary to make |
328 | Firefox open links | 328 | Firefox open links |
329 | D357R0Y3R (https://github.com/D357R0Y3R) | ||
330 | - added floorp to firejail.config | ||
329 | da2x (https://github.com/da2x) | 331 | da2x (https://github.com/da2x) |
330 | - matched RPM license tag | 332 | - matched RPM license tag |
331 | Daan Bakker (https://github.com/dbakker) | 333 | Daan Bakker (https://github.com/dbakker) |
@@ -371,6 +373,8 @@ DiGitHubCap (https://github.com/DiGitHubCap) | |||
371 | - fix qt5ct colour schemes and QSS | 373 | - fix qt5ct colour schemes and QSS |
372 | Dieter Plaetinck (https://github.com/Dieterbe) | 374 | Dieter Plaetinck (https://github.com/Dieterbe) |
373 | - qutebrowser: update MPRIS name for qutebrowser-qt6 | 375 | - qutebrowser: update MPRIS name for qutebrowser-qt6 |
376 | - fix email-common.profile | ||
377 | - fix claws-mail profile | ||
374 | Disconnect3d (https://github.com/disconnect3d) | 378 | Disconnect3d (https://github.com/disconnect3d) |
375 | - code cleanup | 379 | - code cleanup |
376 | dm9pZCAq (https://github.com/dm9pZCAq) | 380 | dm9pZCAq (https://github.com/dm9pZCAq) |
@@ -408,13 +412,18 @@ Fabian Würfl (https://github.com/BafDyce) | |||
408 | - Liferea profile | 412 | - Liferea profile |
409 | Felipe Barriga Richards (https://github.com/fbarriga) | 413 | Felipe Barriga Richards (https://github.com/fbarriga) |
410 | - --private-etc fix | 414 | - --private-etc fix |
415 | Felix Pehla (https://github.com/FelixPehla) | ||
416 | - fix fractal profile | ||
411 | fenuks (https://github.com/fenuks) | 417 | fenuks (https://github.com/fenuks) |
412 | - fix sound in games using FMOD | 418 | - fix sound in games using FMOD |
413 | - allow /opt/tor-browser for Tor Browser profile | 419 | - allow /opt/tor-browser for Tor Browser profile |
414 | fkrone (https://github.com/fkrone) | 420 | fkrone (https://github.com/fkrone) |
415 | - fix Zoom profile | 421 | - fix Zoom profile |
416 | Fidel Ramos (https://github.com/haplo) | 422 | Fidel Ramos (https://github.com/haplo) |
417 | - Ledger Live profile | 423 | - added Ledger Live profile |
424 | - fixed geeqie profile | ||
425 | - added rawtherapee profile | ||
426 | - added electron-cache profile | ||
418 | Florian Begusch (https://github.com/florianbegusch) | 427 | Florian Begusch (https://github.com/florianbegusch) |
419 | - (la)tex profiles | 428 | - (la)tex profiles |
420 | - fixed transmission-common.profile | 429 | - fixed transmission-common.profile |
@@ -567,6 +576,9 @@ Haowei Yu (https://github.com/sfc-gh-hyu) | |||
567 | Icaro Perseo (https://github.com/icaroperseo) | 576 | Icaro Perseo (https://github.com/icaroperseo) |
568 | - Icecat profile | 577 | - Icecat profile |
569 | - several profile fixes | 578 | - several profile fixes |
579 | Ilya Pankratov (https://github.com/i-pankrat) | ||
580 | - profstats fix | ||
581 | - fix various memory resource leaks | ||
570 | Igor Bukanov (https://github.com/ibukanov) | 582 | Igor Bukanov (https://github.com/ibukanov) |
571 | - found/fiixed privilege escalation in --hosts-file option | 583 | - found/fiixed privilege escalation in --hosts-file option |
572 | iiotx (https://github.com/iiotx) | 584 | iiotx (https://github.com/iiotx) |
@@ -739,6 +751,8 @@ Liorst4 (https://github.com/Liorst4) | |||
739 | - minetest fixes | 751 | - minetest fixes |
740 | Lockdis (https://github.com/Lockdis) | 752 | Lockdis (https://github.com/Lockdis) |
741 | - Added crow, nyx, and google-earth-pro profiles | 753 | - Added crow, nyx, and google-earth-pro profiles |
754 | luca0N (https://github.com/luca0N) | ||
755 | - fixed crawl profile | ||
742 | Lukáš Krejčí (https://github.com/lskrejci) | 756 | Lukáš Krejčí (https://github.com/lskrejci) |
743 | - fixed parsing of --keep-var-tmp | 757 | - fixed parsing of --keep-var-tmp |
744 | luzpaz (https://github.com/luzpaz) | 758 | luzpaz (https://github.com/luzpaz) |
@@ -794,6 +808,8 @@ Michael Haas (https://github.com/mhaas) | |||
794 | - bugfixes | 808 | - bugfixes |
795 | Michael Hoffmann (https://github.com/brisad) | 809 | Michael Hoffmann (https://github.com/brisad) |
796 | - added support for subdirs in private-etc | 810 | - added support for subdirs in private-etc |
811 | Michele Sorcinelli (https://github.com/michelesr) | ||
812 | - fix ssh profile | ||
797 | Mike Frysinger (vapier@gentoo.org) | 813 | Mike Frysinger (vapier@gentoo.org) |
798 | - Gentoo compile patch | 814 | - Gentoo compile patch |
799 | minus7 (https://github.com/minus7) | 815 | minus7 (https://github.com/minus7) |
@@ -855,6 +871,7 @@ nolanl (https://github.com/nolanl) | |||
855 | nutta-git (https://github.com/nutta-git) | 871 | nutta-git (https://github.com/nutta-git) |
856 | - steam.profile: allow process_vm_readv syscall | 872 | - steam.profile: allow process_vm_readv syscall |
857 | - lutris.profile: allow more syscalls | 873 | - lutris.profile: allow more syscalls |
874 | - steam.profile: update novideo comment for webcam motion trackers | ||
858 | nyancat18 (https://github.com/nyancat18) | 875 | nyancat18 (https://github.com/nyancat18) |
859 | - added ardour4, dooble, karbon, krita profiles | 876 | - added ardour4, dooble, karbon, krita profiles |
860 | nya1 (https://github.com/nya1) | 877 | nya1 (https://github.com/nya1) |
@@ -949,6 +966,8 @@ pszxzsd (https://github.com/pszxzsd) | |||
949 | -uGet profile | 966 | -uGet profile |
950 | pwnage-pineapple (https://github.com/pwnage-pineapple) | 967 | pwnage-pineapple (https://github.com/pwnage-pineapple) |
951 | - update Okular profile | 968 | - update Okular profile |
969 | qdii (https://github.com/qdii) | ||
970 | - added notpm command & keep tpm devices in private-dev | ||
952 | Quentin Retornaz (https://github.com/qretornaz-adapei42) | 971 | Quentin Retornaz (https://github.com/qretornaz-adapei42) |
953 | - microsoft-edge profiles fixes | 972 | - microsoft-edge profiles fixes |
954 | Quentin Minster (https://github.com/laomaiweng) | 973 | Quentin Minster (https://github.com/laomaiweng) |
@@ -1003,6 +1022,8 @@ rootalc (https://github.com/rootalc) | |||
1003 | - add nolocal6.net filter | 1022 | - add nolocal6.net filter |
1004 | Ruan (https://github.com/ruany) | 1023 | Ruan (https://github.com/ruany) |
1005 | - fixed hexchat profile | 1024 | - fixed hexchat profile |
1025 | RundownRhino (https://github.com/RundownRhino) | ||
1026 | - firefox profile fix | ||
1006 | rusty-snake (https://github.com/rusty-snake) | 1027 | rusty-snake (https://github.com/rusty-snake) |
1007 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter | 1028 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter |
1008 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano | 1029 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano |
@@ -1040,18 +1061,17 @@ Serphentas (https://github.com/Serphentas) | |||
1040 | - add Paradox Launcher to Steam profile | 1061 | - add Paradox Launcher to Steam profile |
1041 | Slava Monich (https://github.com/monich) | 1062 | Slava Monich (https://github.com/monich) |
1042 | - added configure option to disable man pages | 1063 | - added configure option to disable man pages |
1043 | Tobias Schmidl (https://github.com/schtobia) | ||
1044 | - added profile for webui-aria2 | ||
1045 | Simon Peter (https://github.com/probonopd) | 1064 | Simon Peter (https://github.com/probonopd) |
1046 | - set $APPIMAGE and $APPDIR environment variables | 1065 | - set $APPIMAGE and $APPDIR environment variables |
1047 | - AppImage version detection | 1066 | - AppImage version detection |
1048 | - Leafppad type v1 and v2 appimage packages in test/appimage | 1067 | - Leafppad type v1 and v2 appimage packages in test/appimage |
1049 | - GitHub/Travis CI integration | 1068 | - GitHub/Travis CI integration |
1069 | Simo Piiroinen (https://github.com/spiiroin) | ||
1070 | - Jolla/SailfishOS patches | ||
1071 | - fix startup race condition for /run/firejail directory | ||
1050 | sinkuu (https://github.com/sinkuu) | 1072 | sinkuu (https://github.com/sinkuu) |
1051 | - blacklisting kwalletd | 1073 | - blacklisting kwalletd |
1052 | - fix symlink invocation for programs placing symlinks in $PATH | 1074 | - fix symlink invocation for programs placing symlinks in $PATH |
1053 | Simo Piiroinen (https://github.com/spiiroin) | ||
1054 | - Jolla/SailfishOS patches | ||
1055 | slowpeek (https://github.com/slowpeek) | 1075 | slowpeek (https://github.com/slowpeek) |
1056 | - refine appimage example in docs | 1076 | - refine appimage example in docs |
1057 | - allow resolution of .local names with avahi-daemon in the apparmor profile | 1077 | - allow resolution of .local names with avahi-daemon in the apparmor profile |
@@ -1059,6 +1079,9 @@ slowpeek (https://github.com/slowpeek) | |||
1059 | - make appimage examples consistent with --appimage option short description | 1079 | - make appimage examples consistent with --appimage option short description |
1060 | - blacklist google-drive-ocamlfuse config | 1080 | - blacklist google-drive-ocamlfuse config |
1061 | - blacklist sendgmail config | 1081 | - blacklist sendgmail config |
1082 | Shahriar Heidrich (https://github.com/smheidrich) | ||
1083 | - fix manpages | ||
1084 | - fix i3 profile and disable-programs.profile | ||
1062 | smitsohu (https://github.com/smitsohu) | 1085 | smitsohu (https://github.com/smitsohu) |
1063 | - read-only kde4 services directory | 1086 | - read-only kde4 services directory |
1064 | - enhanced mediathekview profile | 1087 | - enhanced mediathekview profile |
@@ -1187,6 +1210,8 @@ Tomasz Jan Góralczyk (https://github.com/tjg) | |||
1187 | - fixed Steam profile | 1210 | - fixed Steam profile |
1188 | Tomi Leppänen (https://github.com/Tomin1) | 1211 | Tomi Leppänen (https://github.com/Tomin1) |
1189 | - Jolla/SailfishOS patches | 1212 | - Jolla/SailfishOS patches |
1213 | Tobias Schmidl (https://github.com/schtobia) | ||
1214 | - added profile for webui-aria2 | ||
1190 | Topi Miettinen (https://github.com/topimiettinen) | 1215 | Topi Miettinen (https://github.com/topimiettinen) |
1191 | - improved seccomp printing | 1216 | - improved seccomp printing |
1192 | - improve mount handling, fix /run/user handling | 1217 | - improve mount handling, fix /run/user handling |
@@ -1201,6 +1226,8 @@ Ted Robertson (https://github.com/tredondo) | |||
1201 | - various documentation fixes | 1226 | - various documentation fixes |
1202 | - blacklist Exodus wallet | 1227 | - blacklist Exodus wallet |
1203 | - blacklist monero-project directory | 1228 | - blacklist monero-project directory |
1229 | tools200ms (https://github.com/tools200ms) | ||
1230 | - fixed allow-ssh.inc | ||
1204 | Tus1688 (https://github.com/Tus1688) | 1231 | Tus1688 (https://github.com/Tus1688) |
1205 | - added neovim profile | 1232 | - added neovim profile |
1206 | user1024 (user1024@tut.by) | 1233 | user1024 (user1024@tut.by) |
@@ -17,7 +17,9 @@ firejail (0.9.73) baseline; urgency=low | |||
17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 | 17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 |
18 | #6228 #6260 #6302 #6305) | 18 | #6228 #6260 #6302 #6305) |
19 | * feature: add support for comm, coredump, and prctl procevents in firemon | 19 | * feature: add support for comm, coredump, and prctl procevents in firemon |
20 | (#6414 #6415) | ||
20 | * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390) | 21 | * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390) |
22 | * feature: fshaper.sh: support tc on NixOS (#6426 #6431) | ||
21 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 23 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
22 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 24 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
23 | from containing only digits (#5578 #5741) | 25 | from containing only digits (#5578 #5741) |
@@ -32,7 +34,6 @@ firejail (0.9.73) baseline; urgency=low | |||
32 | * modif: drop deprecated 'shell' option references (#5894) | 34 | * modif: drop deprecated 'shell' option references (#5894) |
33 | * modif: keep pipewire group unless nosound is used (#5992 #5993) | 35 | * modif: keep pipewire group unless nosound is used (#5992 #5993) |
34 | * modif: fcopy: Use lstat when copying directory (#5957) | 36 | * modif: fcopy: Use lstat when copying directory (#5957) |
35 | * modif: populate /run/firejail while holding flock (#6307) | ||
36 | * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) | 37 | * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) |
37 | * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) | 38 | * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) |
38 | * removal: LTS and FIRETUNNEL support | 39 | * removal: LTS and FIRETUNNEL support |
@@ -43,8 +44,10 @@ firejail (0.9.73) baseline; urgency=low | |||
43 | (#5965 #5976) | 44 | (#5965 #5976) |
44 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 | 45 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 |
45 | #6086) | 46 | #6086) |
47 | * bugfix: fix startup race condition for /run/firejail directory (#6307) | ||
46 | * bugfix: fix various resource leaks (#6367) | 48 | * bugfix: fix various resource leaks (#6367) |
47 | * bugfix: profstats: fix restrict-namespaces max count (#6369) | 49 | * bugfix: profstats: fix restrict-namespaces max count (#6369) |
50 | * bugfix: remove --noautopulse from --help and zsh comp (#6401) | ||
48 | * build: auto-generate syntax files (#5627) | 51 | * build: auto-generate syntax files (#5627) |
49 | * build: mark all phony targets as such (#5637) | 52 | * build: mark all phony targets as such (#5637) |
50 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) | 53 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) |
@@ -55,8 +58,7 @@ firejail (0.9.73) baseline; urgency=low | |||
55 | * build: disable all built-in implicit make rules (#5864) | 58 | * build: disable all built-in implicit make rules (#5864) |
56 | * build: organize and standardize make vars and targets (#5866) | 59 | * build: organize and standardize make vars and targets (#5866) |
57 | * build: fix seccomp filters and man pages always being rebuilt when running | 60 | * build: fix seccomp filters and man pages always being rebuilt when running |
58 | make | 61 | make (#5156 #5898) |
59 | * build: simplify code related to man pages (#5898) | ||
60 | * build: fix hardcoded make & remove unnecessary distclean targets (#5911) | 62 | * build: fix hardcoded make & remove unnecessary distclean targets (#5911) |
61 | * build: dist and asc improvements (#5916) | 63 | * build: dist and asc improvements (#5916) |
62 | * build: fix some shellcheck issues & use config.sh in more scripts (#5927) | 64 | * build: fix some shellcheck issues & use config.sh in more scripts (#5927) |
@@ -80,6 +82,7 @@ firejail (0.9.73) baseline; urgency=low | |||
80 | * build: remove clean dependency from cppcheck targets (#6343) | 82 | * build: remove clean dependency from cppcheck targets (#6343) |
81 | * build: allow overriding common tools (#6354) | 83 | * build: allow overriding common tools (#6354) |
82 | * build: standardize install commands (#6366) | 84 | * build: standardize install commands (#6366) |
85 | * build: improve reliability/portability of date command usage (#6403 #6404) | ||
83 | * ci: always update the package db before installing packages (#5742) | 86 | * ci: always update the package db before installing packages (#5742) |
84 | * ci: fix codeql unable to download its own bundle (#5783) | 87 | * ci: fix codeql unable to download its own bundle (#5783) |
85 | * ci: split configure/build/install commands on gitlab (#5784) | 88 | * ci: split configure/build/install commands on gitlab (#5784) |
@@ -109,6 +112,8 @@ firejail (0.9.73) baseline; urgency=low | |||
109 | #6359) | 112 | #6359) |
110 | * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382) | 113 | * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382) |
111 | * docs: man: format and sort some private- items (#6398) | 114 | * docs: man: format and sort some private- items (#6398) |
115 | * docs: man: improve blacklist/whitelist examples with spaces (#6425) | ||
116 | * docs: add build_issue.md issue template (#6423) | ||
112 | * legal: selinux.c: Split Copyright notice & use same license as upstream | 117 | * legal: selinux.c: Split Copyright notice & use same license as upstream |
113 | (#5667) | 118 | (#5667) |
114 | * profiles: qutebrowser: fix links not opening in the existing instance | 119 | * profiles: qutebrowser: fix links not opening in the existing instance |
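--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -171,6 +171,10 @@ blacklist ${RUNUSER}/gsconnect
 blacklist ${RUNUSER}/i3/ipc-socket.*
 blacklist /tmp/i3-*/ipc-socket.*
 
+# sway IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/sway-ipc.*
+blacklist /tmp/sway-ipc.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd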
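Review bot: The new blacklist lines at 174–176 cover only the default socket locations; a sway instance started with a non-default socket path (sway also exports the location in `SWAYSOCK`) would fall outside both globs. If that case matters, `rmenv SWAYSOCK` next to the blacklist would at least keep the sandboxed program from being handed the path, and the same consideration applies to the i3 entries above, which this hunk does not change. The comment could also state what is being denied rather than only the consequence, e.g. `# sway IPC socket: IPC clients can run arbitrary commands in the compositor session`.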
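--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/abrowser
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc abrowser
+private-etc abrowser
 
 # Redirect
 include firefox-common.profile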
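Review bot: `private-etc abrowser` at line 17 is now unconditional, but the removed comment said private-etc first had to be enabled in firefox-common.profile, and whether that file (included on line 20, outside this diff) now contributes the rest of the /etc list is not visible here. If it still has its private-etc line commented out, the sandbox /etc would be built from this single entry and the browser would lose resolv.conf, fonts and TLS trust data. Worth confirming against firefox-common.profile before merging; the same applies to the identical change in basilisk.profile.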
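--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -19,8 +19,7 @@ seccomp
 ignore seccomp
 
 #private-bin basilisk
-# private-etc must first be enabled in firefox-common.profile
-#private-etc basilisk
+private-etc basilisk
 #private-opt basilisk
 
 restrict-namespaces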
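--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -59,5 +59,8 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Tracker1
 dbus-system none
 
-env WEBKIT_FORCE_SANDBOX=0
+# Warning: Disabling the webkit sandbox may be needed to make firejail work
+# with webkit2gtk, but this is not recommended (see #2995).
+# Add the following line to bijiben.local at your own risk:
+#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
 restrict-namespaces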
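Review bot: The new comment block (lines 62-65) explains the risk of disabling the webkit sandbox but not the symptom a user will hit without it, so it does not say when the opt-in is actually needed. The firecfg.config hunk in this same commit carries the reason (`#bijiben # webkit2gtk-4.x requires bwrap (see #3647)`); a pointer here, e.g. `# Note: webkit2gtk-4.x needs bwrap, which does not work inside firejail (see #3647)`, would let the reader connect the two. Note also that the removed directive was `WEBKIT_FORCE_SANDBOX=0` while the suggested one is `WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1`; if the old variable is obsolete, saying so in the comment avoids people re-adding it from older .local files.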
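--- /dev/null
+++ b/etc/profile-a-l/bitwarden-desktop.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bitwarden-desktop
+# Description: A secure and free password manager for all of your devices
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include bitwarden-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include bitwarden.profile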
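--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -6,13 +6,13 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
-# Disabled until someone reported positive feedback
-ignore include whitelist-usr-share-common.inc
-
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Bitwarden
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Bitwarden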
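Review bot: `include allow-bin-sh.inc` (new line 14) re-exposes /bin/sh inside a password-manager sandbox, and the comment above it only restates what the include does, not why Bitwarden needs a shell; a why-comment such as `# Allow /bin/sh (blacklisted by disable-shell.inc): required by <what breaks> (see #[ISSUE-ID placeholder])` records the justification for a change that widens the attack surface. In the same hunk the `ignore include whitelist-usr-share-common.inc` line and its "until someone reported positive feedback" note are dropped, so the whitelist now applies; the feedback that justified it presumably lives in the commit message, which is outside this view.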
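--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -26,9 +26,7 @@ whitelist /usr/share/cachy-browser
 
 # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,cachy-browser,sh
-# Add the next line to your cachy-browser.local to enable private-etc.
-# Note: private-etc must first be enabled in firefox-common.local.
-#private-etc cachy-browser
+private-etc cachy-browser
 
 dbus-user filter
 dbus-user.own org.mozilla.cachybrowser.*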
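--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz
 whitelist ${HOME}/.config/cliqz
 whitelist /usr/share/cliqz
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc cliqz
+private-etc cliqz
 
 # Redirect
 include firefox-common.profile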
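--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
 
 #private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
-# private-etc must first be enabled in firefox-common.profile
-#private-etc cyberfox
+private-etc cyberfox
 
 # Redirect
 include firefox-common.profile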
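--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -12,45 +12,16 @@ noblacklist ${HOME}/.config/d-feet
 include allow-python2.inc
 include allow-python3.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-apparmor
-caps.drop all
-ipc-namespace
-#net none # breaks on Ubuntu
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
+# breaks on Ubuntu
+ignore net none
 
-disable-mnt
 private-bin d-feet,python*
-private-cache
-private-dev
-private-etc dbus-1
-private-tmp
 
 #memory-deny-write-execute # breaks on Arch (see issue #1803)
-restrict-namespaces
+
+# Redirect
+include dbus-debug-common.profile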
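Review bot: By redirecting to dbus-debug-common.profile (new line 27) d-feet inherits `read-only ${HOME}` from that profile, which it did not have before, while it still whitelists `${HOME}/.config/d-feet`, presumably so the application can persist its settings there. If d-feet writes to that directory, add `ignore read-only ${HOME}` beside `ignore net none`; if it does not, a comment such as `# ${HOME} is read-only via dbus-debug-common.profile` would pre-empt the question. The common profile also brings `disable-proc.inc`, `seccomp.block-secondary` and `tracelog`, all new for d-feet (d-spy gains the last two as well); that tightening is welcome but is worth stating explicitly so a later "d-feet stopped working" report can be traced to it.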
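--- a/etc/profile-a-l/d-spy.profile
+++ b/etc/profile-a-l/d-spy.profile
@@ -6,43 +6,7 @@ include d-spy.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-proc.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-
-disable-mnt
 private-bin d-spy
-private-cache
-private-dev
-private-etc dbus-1
-private-tmp
 
-read-only ${HOME}
-restrict-namespaces
+# Redirect
+include dbus-debug-common.profile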
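--- /dev/null
+++ b/etc/profile-a-l/dbus-debug-common.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dbus-debug-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dbus-debug-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dbus-1
+private-tmp
+
+read-only ${HOME}
+restrict-namespaces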
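Review bot: The header (lines 1-7) has no `# Description:` line and does not say what a caller profile is expected to provide, even though the three callers in this commit (d-feet, d-spy, dtui) each supply their own `private-bin` and this file deliberately sets no `dbus-user`/`dbus-system` policy. Suggest `# Description: Common profile for D-Bus debugging tools (d-feet, d-spy, dtui)` after line 1 and, above the `include disable-common.inc` block, `# Note: D-Bus access is intentionally unrestricted (the tools exist to inspect the bus); callers must set private-bin` — the first half of that note is my reading of the tools' purpose and should be confirmed. Since the file ends with `read-only ${HOME}`, a short line saying that callers needing writable config must `ignore read-only ${HOME}` would also document the contract.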
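--- /dev/null
+++ b/etc/profile-a-l/dtui.profile
@@ -0,0 +1,15 @@
+# Firejail profile for dtui
+# Description: TUI D-Bus debugger
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dtui.local
+# Persistent global definitions
+include globals.local
+
+private-bin dtui
+
+memory-deny-write-execute
+
+# Redirect
+include dbus-debug-common.profile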
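--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/Element
 mkdir ${HOME}/.config/Element
 whitelist ${HOME}/.config/Element
 whitelist /opt/Element
+whitelist /usr/share/element
 
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications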
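--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -92,8 +92,7 @@ include allow-python3.inc
 #private-bin keepassxc-proxy
 
 # Flash plugin
-# private-etc must first be enabled in firefox-common.profile and in profiles including it.
-#private-etc adobe
+private-etc adobe
 
 # ff2mpv
 #ignore noexec ${HOME}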
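--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/icecat
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc icecat
+private-etc icecat
 
 # Redirect
 include firefox-common.profile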
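--- a/etc/profile-a-l/iceweasel.profile
+++ b/etc/profile-a-l/iceweasel.profile
@@ -6,8 +6,7 @@ include iceweasel.local
 # added by included profile
 #include globals.local
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc iceweasel
+private-etc iceweasel
 
 # Redirect
 include firefox.profile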
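--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -27,9 +27,7 @@ whitelist /usr/share/librewolf
 
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,librewolf,sh
-# Add the next line to your librewolf.local to enable private-etc.
-# Note: private-etc must first be enabled in firefox-common.local.
-#private-etc librewolf
+private-etc librewolf
 
 dbus-user filter
 dbus-user.own io.gitlab.librewolf.*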
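--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -58,7 +58,7 @@ protocol unix
 seccomp
 tracelog
 
-private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
+private-bin kbuildsycoca4,kdeinit4,lpr,okular,ps2pdf,unar,unrar
 private-dev
 private-etc @x11,cups
 # on KDE we need access to the real /tmp for data exchange with email clients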
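Review bot: Adding `ps2pdf` to `private-bin` (new line 61) is probably not enough on its own: on most distributions ps2pdf is a shell script that execs ps2pdfwr, which in turn runs gs, and under private-bin only the listed programs exist, so `sh`, `ps2pdfwr` and `gs` would also be needed for it to do anything. Please confirm it was tested inside the sandbox; if the extra binaries are required, a trailing comment such as `# ps2pdf needs sh, ps2pdfwr and gs` beside the line would explain the longer list.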
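--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -21,8 +21,7 @@ seccomp
 ignore seccomp
 
 #private-bin palemoon
-# private-etc must first be enabled in firefox-common.profile
-#private-etc palemoon
+private-etc palemoon
 
 restrict-namespaces
 ignore restrict-namespaces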
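--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -19,7 +19,8 @@ include disable-exec.inc
 include disable-programs.inc
 
 whitelist ${RUNUSER}/gcr/ssh
-whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup
+whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup
 whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc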
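Review bot: New lines 22 and 23 attach a trailing ` # ...` comment to `whitelist` directives; confirm the profile parser strips end-of-line comments on directive lines, otherwise the comment text becomes part of the path and the whitelist silently matches nothing. If inline comments are supported, the pattern is fine, and the second comment could name what the wildcard stands for, e.g. `# custom gpg homedir (gpg --homedir) setup`, so a reader knows why a `*` is being whitelisted under the agent socket directory.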
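--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -10,6 +10,10 @@ include globals.local
 noblacklist ${HOME}/.config/sway
 # sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
 noblacklist ${HOME}/.config/i3
+# allow creation of IPC socket
+noblacklist ${RUNUSER}/sway-ipc.*
+noblacklist /tmp/sway-ipc.*
+
 include disable-common.inc
 
 caps.drop all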
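--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -21,9 +21,7 @@ whitelist /usr/share/waterfox
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
 # Add the next line to your waterfox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
-# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
-# enabled in your firefox-common.local.
-#private-etc waterfox
+private-etc waterfox
 
 # Redirect
 include firefox-common.profile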
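--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -19,6 +19,7 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/zoom.conf
 noblacklist ${HOME}/.config/zoomus.conf
 noblacklist ${HOME}/.zoom
+noblacklist ${DOCUMENTS}
 
 nowhitelist ${DOWNLOADS}
 
@@ -26,10 +27,12 @@ mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoom.conf
 mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
+mkdir ${HOME}/Documents/Zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoom.conf
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
+whitelist ${HOME}/Documents/Zoom
 
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl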
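Review bot: The new lines mix the `${DOCUMENTS}` macro (line 22) with the hard-coded `${HOME}/Documents/Zoom` (lines 30 and 35), so on a system where xdg-user-dirs maps Documents elsewhere the noblacklist and the mkdir/whitelist refer to different directories. Writing `mkdir ${DOCUMENTS}/Zoom` and `whitelist ${DOCUMENTS}/Zoom` keeps the three lines consistent, assuming the mkdir directive accepts the macro as whitelist does. Note also that `noblacklist ${DOCUMENTS}` lifts the blacklist on the entire Documents tree while only the Zoom subdirectory is whitelisted; if the whitelist is what actually confines access, a comment saying so (`# only ${DOCUMENTS}/Zoom is whitelisted below`) would reassure the next reader.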
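--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -97,10 +97,11 @@ basilisk
 bcompare
 beaker
 bibletime
-bijiben
+#bijiben # webkit2gtk-4.x requires bwrap (see #3647)
 bitcoin-qt
 bitlbee
 bitwarden
+bitwarden-desktop
 bleachbit
 blender
 blender-2.8
@@ -227,6 +228,7 @@ dragon
 drawio
 drill
 dropbox
+dtui
 easystroke
 ebook-convert
 ebook-edit
@@ -824,7 +826,7 @@ soffice
 sol
 sound-juicer
 soundconverter
-spectacle
+#spectacle # may be broken on wayland (see #5127)
 spectral
 spotify
 sqlitebrowser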
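--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -189,7 +189,6 @@ static const char *const usage_str =
 " --noroot - install a user namespace with only the current user.\n"
 #endif
 " --nosound - disable sound system.\n"
-" --noautopulse - disable automatic ~/.config/pulse init.\n"
 " --novideo - disable video devices.\n"
 " --notpm - disable TPM devices.\n"
 " --nou2f - disable U2F devices.\n"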
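--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -396,6 +396,8 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 sprintf(lineptr, " sid ");
 break;
 
+// Note: PROC_EVENT_COREDUMP only exists since Linux 3.10 (see #6414).
+#ifdef PROC_EVENT_COREDUMP
 case PROC_EVENT_COREDUMP:
 pid = proc_ev->event_data.coredump.process_tgid;
 #ifdef DEBUG_PRCTL
@@ -403,6 +405,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 #endif
 sprintf(lineptr, " coredump ");
 break;
+#endif /* PROC_EVENT_COREDUMP */
 
 case PROC_EVENT_COMM:
 pid = proc_ev->event_data.comm.process_tgid;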
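Review bot: `#ifdef PROC_EVENT_COREDUMP` (new line 400) is, to my knowledge, never true: in linux/cn_proc.h the PROC_EVENT_* values are enumerators of `enum what`, not preprocessor macros, so the preprocessor cannot see them and the whole coredump case would be compiled out on every kernel, not just pre-3.10 ones, with no diagnostic. If that holds, the build fix should key on something the preprocessor can test — a configure-time check that defines a macro (a constructed name such as `HAVE_PROC_EVENT_COREDUMP`) or a kernel-header version macro — and the comment on line 399 should name which mechanism is used. procevent_monitor begins and ends outside this hunk; the `#endif` in the second hunk closes the same guard and would need the same change.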
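--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -3,13 +3,9 @@
 # Copyright (C) 2014-2024 Firejail Authors
 # License GPL v2
 
-TCFILE=""
-if [ -x "/usr/sbin/tc" ]; then
-TCFILE="/usr/sbin/tc"
-elif [ -x "/sbin/tc" ]; then
-TCFILE="/sbin/tc";
-else
-echo "Error: traffic control utility (tc) not found";
+TCFILE="$(PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc)"
+if [ -z "$TCFILE" ]; then
+echo "Error: traffic control utility (tc) not found"
 exit 1
 fi
 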
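--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -207,7 +207,7 @@ $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
 .br
 $ firejail \-\-blacklist=~/.mozilla
 .br
-$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
+$ firejail \-\-blacklist="/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
@@ -3143,7 +3143,9 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null
 .br
-$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+$ firejail \-\-whitelist="/home/username/My Virtual Machines"
+.br
+$ firejail \-\-whitelist=/home/username/My\\ Virtual\\ Machines
 .br
 $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 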
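--- a/src/man/mkman.sh
+++ b/src/man/mkman.sh
@@ -5,8 +5,15 @@
 
 set -e
 
-MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
-YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
+test -z "$SOURCE_DATE_EPOCH" && SOURCE_DATE_EPOCH="$(date +%s)"
+
+format='+%b %Y'
+date="$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
+LC_ALL=C date -u -r "$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
+LC_ALL=C date -u "$format")"
+
+MONTH="$(printf '%s\n' "$date" | cut -f 1 -d ' ')"
+YEAR="$(printf '%s\n' "$date" | cut -f 2 -d ' ')"
 
 sed \
 -e "s/VERSION/$1/g" \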
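Review bot: The final alternative on new line 13, `LC_ALL=C date -u "$format"`, silently substitutes the current time whenever neither `date -d` nor `date -r` accepts the epoch, which defeats the reproducibility that SOURCE_DATE_EPOCH exists for without telling the builder. Consider emitting a warning before falling back, e.g. replacing that branch with `{ echo "warning: cannot parse SOURCE_DATE_EPOCH; using current date" >&2; LC_ALL=C date -u "$format"; }`, or failing outright under the script's `set -e`. A comment above line 10 naming the two date flavours being accommodated (GNU `-d`, BSD/macOS `-r`) would also explain why the chain has three links.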
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 633f41ade..ecfe2ffdf 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -124,7 +124,6 @@ _firejail_args=( | |||
124 | # many would enjoy getting a list from -20..20 | 124 | # many would enjoy getting a list from -20..20 |
125 | '--nice=-[set nice value]: :(1 10 15 20)' | 125 | '--nice=-[set nice value]: :(1 10 15 20)' |
126 | '--no3d[disable 3D hardware acceleration]' | 126 | '--no3d[disable 3D hardware acceleration]' |
127 | '--noautopulse[disable automatic ~/.config/pulse init]' | ||
128 | '--noblacklist=-[disable blacklist for file or directory]: :_files' | 127 | '--noblacklist=-[disable blacklist for file or directory]: :_files' |
129 | '--nodbus[disable D-Bus access]' | 128 | '--nodbus[disable D-Bus access]' |
130 | '--nodvd[disable DVD and audio CD devices]' | 129 | '--nodvd[disable DVD and audio CD devices]' |