diff options
44 files changed, 438 insertions, 119 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index fc74640d4..37056a1ce 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -22,7 +22,7 @@ _Describe the bug_ | |||
22 | 22 | ||
23 | _Steps to reproduce the behavior_ | 23 | _Steps to reproduce the behavior_ |
24 | 24 | ||
25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent | 25 | 1. Run in bash `LC_ALL=C firejail /path/to/program` (`LC_ALL=C` to get a consistent |
26 | output in English that can be understood by everybody) | 26 | output in English that can be understood by everybody) |
27 | 2. Click on '....' | 27 | 2. Click on '....' |
28 | 3. Scroll down to '....' | 28 | 3. Scroll down to '....' |
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index f390e87d1..72ba685b5 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -44,7 +44,7 @@ jobs: | |||
44 | timeout-minutes: 10 | 44 | timeout-minutes: 10 |
45 | steps: | 45 | steps: |
46 | - name: Harden Runner | 46 | - name: Harden Runner |
47 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 47 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
48 | with: | 48 | with: |
49 | egress-policy: block | 49 | egress-policy: block |
50 | allowed-endpoints: > | 50 | allowed-endpoints: > |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d53044cad..b4ae7a2e9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -60,7 +60,7 @@ jobs: | |||
60 | timeout-minutes: 10 | 60 | timeout-minutes: 10 |
61 | steps: | 61 | steps: |
62 | - name: Harden Runner | 62 | - name: Harden Runner |
63 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 63 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
64 | with: | 64 | with: |
65 | egress-policy: block | 65 | egress-policy: block |
66 | allowed-endpoints: > | 66 | allowed-endpoints: > |
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 2a479c546..c41c67798 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml | |||
@@ -46,7 +46,7 @@ jobs: | |||
46 | timeout-minutes: 10 | 46 | timeout-minutes: 10 |
47 | steps: | 47 | steps: |
48 | - name: Harden Runner | 48 | - name: Harden Runner |
49 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 49 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
50 | with: | 50 | with: |
51 | egress-policy: block | 51 | egress-policy: block |
52 | allowed-endpoints: > | 52 | allowed-endpoints: > |
@@ -79,7 +79,7 @@ jobs: | |||
79 | timeout-minutes: 10 | 79 | timeout-minutes: 10 |
80 | steps: | 80 | steps: |
81 | - name: Harden Runner | 81 | - name: Harden Runner |
82 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 82 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
83 | with: | 83 | with: |
84 | egress-policy: block | 84 | egress-policy: block |
85 | allowed-endpoints: > | 85 | allowed-endpoints: > |
@@ -109,7 +109,7 @@ jobs: | |||
109 | timeout-minutes: 10 | 109 | timeout-minutes: 10 |
110 | steps: | 110 | steps: |
111 | - name: Harden Runner | 111 | - name: Harden Runner |
112 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 112 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
113 | with: | 113 | with: |
114 | egress-policy: block | 114 | egress-policy: block |
115 | allowed-endpoints: > | 115 | allowed-endpoints: > |
@@ -143,7 +143,7 @@ jobs: | |||
143 | 143 | ||
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 146 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
147 | with: | 147 | with: |
148 | disable-sudo: true | 148 | disable-sudo: true |
149 | egress-policy: block | 149 | egress-policy: block |
@@ -161,7 +161,7 @@ jobs: | |||
161 | 161 | ||
162 | # Initializes the CodeQL tools for scanning. | 162 | # Initializes the CodeQL tools for scanning. |
163 | - name: Initialize CodeQL | 163 | - name: Initialize CodeQL |
164 | uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 | 164 | uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f |
165 | with: | 165 | with: |
166 | languages: cpp | 166 | languages: cpp |
167 | 167 | ||
@@ -172,4 +172,4 @@ jobs: | |||
172 | run: make -j "$(nproc)" | 172 | run: make -j "$(nproc)" |
173 | 173 | ||
174 | - name: Perform CodeQL Analysis | 174 | - name: Perform CodeQL Analysis |
175 | uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 | 175 | uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f |
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index 5bff9328e..a7974a994 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml | |||
@@ -33,7 +33,7 @@ jobs: | |||
33 | 33 | ||
34 | steps: | 34 | steps: |
35 | - name: Harden Runner | 35 | - name: Harden Runner |
36 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 36 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
37 | with: | 37 | with: |
38 | disable-sudo: true | 38 | disable-sudo: true |
39 | egress-policy: block | 39 | egress-policy: block |
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 73b7d9c67..0bb67e05e 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml | |||
@@ -31,7 +31,7 @@ jobs: | |||
31 | 31 | ||
32 | steps: | 32 | steps: |
33 | - name: Harden Runner | 33 | - name: Harden Runner |
34 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 34 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
35 | with: | 35 | with: |
36 | disable-sudo: true | 36 | disable-sudo: true |
37 | egress-policy: block | 37 | egress-policy: block |
@@ -51,9 +51,9 @@ jobs: | |||
51 | 51 | ||
52 | # Initializes the CodeQL tools for scanning. | 52 | # Initializes the CodeQL tools for scanning. |
53 | - name: Initialize CodeQL | 53 | - name: Initialize CodeQL |
54 | uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 | 54 | uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f |
55 | with: | 55 | with: |
56 | languages: python | 56 | languages: python |
57 | 57 | ||
58 | - name: Perform CodeQL Analysis | 58 | - name: Perform CodeQL Analysis |
59 | uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 | 59 | uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f |
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index fe88dc5a9..1e8486bd7 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml | |||
@@ -24,7 +24,7 @@ jobs: | |||
24 | timeout-minutes: 5 | 24 | timeout-minutes: 5 |
25 | steps: | 25 | steps: |
26 | - name: Harden Runner | 26 | - name: Harden Runner |
27 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 27 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
28 | with: | 28 | with: |
29 | egress-policy: block | 29 | egress-policy: block |
30 | allowed-endpoints: > | 30 | allowed-endpoints: > |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 12e8d2dac..ea9890b5e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml | |||
@@ -54,7 +54,7 @@ jobs: | |||
54 | SHELL: /bin/bash | 54 | SHELL: /bin/bash |
55 | steps: | 55 | steps: |
56 | - name: Harden Runner | 56 | - name: Harden Runner |
57 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 57 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
58 | with: | 58 | with: |
59 | egress-policy: block | 59 | egress-policy: block |
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
@@ -103,7 +103,7 @@ jobs: | |||
103 | SHELL: /bin/bash | 103 | SHELL: /bin/bash |
104 | steps: | 104 | steps: |
105 | - name: Harden Runner | 105 | - name: Harden Runner |
106 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 106 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
107 | with: | 107 | with: |
108 | egress-policy: block | 108 | egress-policy: block |
109 | allowed-endpoints: > | 109 | allowed-endpoints: > |
@@ -143,7 +143,7 @@ jobs: | |||
143 | SHELL: /bin/bash | 143 | SHELL: /bin/bash |
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 146 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
147 | with: | 147 | with: |
148 | egress-policy: block | 148 | egress-policy: block |
149 | allowed-endpoints: > | 149 | allowed-endpoints: > |
@@ -183,7 +183,7 @@ jobs: | |||
183 | SHELL: /bin/bash | 183 | SHELL: /bin/bash |
184 | steps: | 184 | steps: |
185 | - name: Harden Runner | 185 | - name: Harden Runner |
186 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 186 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
187 | with: | 187 | with: |
188 | egress-policy: block | 188 | egress-policy: block |
189 | allowed-endpoints: > | 189 | allowed-endpoints: > |
@@ -225,7 +225,7 @@ jobs: | |||
225 | SHELL: /bin/bash | 225 | SHELL: /bin/bash |
226 | steps: | 226 | steps: |
227 | - name: Harden Runner | 227 | - name: Harden Runner |
228 | uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | 228 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 |
229 | with: | 229 | with: |
230 | egress-policy: block | 230 | egress-policy: block |
231 | allowed-endpoints: > | 231 | allowed-endpoints: > |
@@ -2,12 +2,19 @@ | |||
2 | ROOT = . | 2 | ROOT = . |
3 | -include config.mk | 3 | -include config.mk |
4 | 4 | ||
5 | # Default programs | 5 | # Default programs (in configure.ac). |
6 | CC ?= cc | 6 | CC ?= cc |
7 | CODESPELL ?= codespell | 7 | CODESPELL ?= codespell |
8 | CPPCHECK ?= cppcheck | 8 | CPPCHECK ?= cppcheck |
9 | GAWK ?= gawk | 9 | GAWK ?= gawk |
10 | GZIP ?= gzip | ||
10 | SCAN_BUILD ?= scan-build | 11 | SCAN_BUILD ?= scan-build |
12 | STRIP ?= strip | ||
13 | TAR ?= tar | ||
14 | |||
15 | # Default programs (not in configure.ac). | ||
16 | INSTALL ?= install | ||
17 | RM ?= rm -f | ||
11 | 18 | ||
12 | ifneq ($(HAVE_MAN),no) | 19 | ifneq ($(HAVE_MAN),no) |
13 | MAN_TARGET = man | 20 | MAN_TARGET = man |
@@ -71,7 +78,7 @@ $(MYDIRS): | |||
71 | 78 | ||
72 | .PHONY: strip | 79 | .PHONY: strip |
73 | strip: all | 80 | strip: all |
74 | strip $(ALL_ITEMS) | 81 | $(STRIP) $(ALL_ITEMS) |
75 | 82 | ||
76 | .PHONY: filters | 83 | .PHONY: filters |
77 | filters: $(SECCOMP_FILTERS) | 84 | filters: $(SECCOMP_FILTERS) |
@@ -183,115 +190,119 @@ clean: | |||
183 | done | 190 | done |
184 | $(MAKE) -C src/man clean | 191 | $(MAKE) -C src/man clean |
185 | $(MAKE) -C test clean | 192 | $(MAKE) -C test clean |
186 | rm -f $(SECCOMP_FILTERS) | 193 | $(RM) $(SECCOMP_FILTERS) |
187 | rm -f $(SYNTAX_FILES) | 194 | $(RM) $(SYNTAX_FILES) |
188 | rm -fr ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz | 195 | $(RM) -r ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz |
189 | rm -f ./$(TARNAME)*.deb | 196 | $(RM) ./$(TARNAME)*.deb |
190 | rm -f ./$(TARNAME)*.rpm | 197 | $(RM) ./$(TARNAME)*.rpm |
191 | 198 | ||
192 | .PHONY: distclean | 199 | .PHONY: distclean |
193 | distclean: clean | 200 | distclean: clean |
194 | rm -fr autom4te.cache config.log config.mk config.sh config.status | 201 | $(RM) -r autom4te.cache config.log config.mk config.sh config.status |
195 | 202 | ||
196 | .PHONY: install | 203 | .PHONY: install |
197 | install: all config.mk | 204 | install: all config.mk |
198 | # firejail executable | 205 | # firejail executable |
199 | install -m 0755 -d $(DESTDIR)$(bindir) | 206 | $(INSTALL) -m 0755 -d $(DESTDIR)$(bindir) |
200 | install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir) | 207 | $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firejail/firejail |
201 | ifeq ($(HAVE_SUID),-DHAVE_SUID) | 208 | ifeq ($(HAVE_SUID),-DHAVE_SUID) |
202 | chmod u+s $(DESTDIR)$(bindir)/firejail | 209 | chmod u+s $(DESTDIR)$(bindir)/firejail |
203 | endif | 210 | endif |
204 | # firemon executable | 211 | # firemon executable |
205 | install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir) | 212 | $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firemon/firemon |
206 | # firecfg executable | 213 | # firecfg executable |
207 | install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir) | 214 | $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firecfg/firecfg |
208 | # jailcheck executable | 215 | # jailcheck executable |
209 | install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir) | 216 | $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/jailcheck/jailcheck |
210 | # libraries and plugins | 217 | # libraries and plugins |
211 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail | 218 | $(INSTALL) -m 0755 -d $(DESTDIR)$(libdir)/firejail |
212 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh | 219 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh |
213 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) | 220 | $(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) |
214 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) | 221 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) |
215 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats | 222 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats |
216 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup | 223 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup |
217 | # plugins w/o read permission (non-dumpable) | 224 | # plugins w/o read permission (non-dumpable) |
218 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) | 225 | $(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) |
219 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh | 226 | $(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh |
220 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map | 227 | $(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map |
221 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) | 228 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) |
222 | # contrib scripts | 229 | # contrib scripts |
223 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh | 230 | $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh |
224 | # vim syntax | 231 | # vim syntax |
225 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 232 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect |
226 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 233 | $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect contrib/vim/ftdetect/firejail.vim |
227 | install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 234 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax |
228 | install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 235 | $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax contrib/syntax/files/firejail.vim |
229 | # gtksourceview language-specs | 236 | # gtksourceview language-specs |
230 | install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs | 237 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs |
231 | install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs | 238 | $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs contrib/syntax/files/firejail-profile.lang |
232 | endif | 239 | endif |
233 | # documents | 240 | # documents |
234 | install -m 0755 -d $(DESTDIR)$(docdir) | 241 | $(INSTALL) -m 0755 -d $(DESTDIR)$(docdir) |
235 | install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/* | 242 | $(INSTALL) -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/* |
236 | # profiles and settings | 243 | # profiles and settings |
237 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail | 244 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail |
238 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d | 245 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d |
239 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config | 246 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config |
240 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config | 247 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config |
241 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 248 | sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/firejail/login.users ]; then \ |
249 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/login.users; \ | ||
250 | fi" | ||
242 | ifeq ($(HAVE_IDS),-DHAVE_IDS) | 251 | ifeq ($(HAVE_IDS),-DHAVE_IDS) |
243 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config | 252 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config |
244 | endif | 253 | endif |
245 | ifeq ($(BUSYBOX_WORKAROUND),yes) | 254 | ifeq ($(BUSYBOX_WORKAROUND),yes) |
246 | ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc | 255 | ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc |
247 | endif | 256 | endif |
248 | ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) | 257 | ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) |
249 | # install apparmor profile | 258 | # install apparmor profile |
250 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" | 259 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d |
251 | install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d | 260 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/firejail-default |
252 | # install apparmor profile customization file | 261 | # install apparmor profile customization file |
253 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" | 262 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/local |
254 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;" | 263 | sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default ]; then \ |
264 | $(INSTALL) -m 0644 etc/apparmor/firejail-local $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default; \ | ||
265 | fi" | ||
255 | # install apparmor base abstraction drop-in | 266 | # install apparmor base abstraction drop-in |
256 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;" | 267 | $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d |
257 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;" | 268 | $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d etc/apparmor/firejail-base |
258 | install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d | ||
259 | endif | 269 | endif |
260 | ifneq ($(HAVE_MAN),no) | 270 | ifneq ($(HAVE_MAN),no) |
261 | # man pages | 271 | # man pages |
262 | install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 | 272 | $(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man1 |
263 | install -m 0644 $(MANPAGES1_GZ) $(DESTDIR)$(mandir)/man1/ | 273 | $(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man1 $(MANPAGES1_GZ) |
264 | install -m 0644 $(MANPAGES5_GZ) $(DESTDIR)$(mandir)/man5/ | 274 | $(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man5 |
275 | $(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man5 $(MANPAGES5_GZ) | ||
265 | endif | 276 | endif |
266 | # bash completion | 277 | # bash completion |
267 | install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions | 278 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions |
268 | install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 279 | $(INSTALL) -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
269 | install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 280 | $(INSTALL) -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
270 | install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 281 | $(INSTALL) -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
271 | # zsh completion | 282 | # zsh completion |
272 | install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions | 283 | $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions |
273 | install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/ | 284 | $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/zsh/site-functions src/zsh_completion/_firejail |
274 | 285 | ||
275 | .PHONY: install-strip | 286 | .PHONY: install-strip |
276 | install-strip: strip install | 287 | install-strip: strip install |
277 | 288 | ||
278 | .PHONY: uninstall | 289 | .PHONY: uninstall |
279 | uninstall: config.mk | 290 | uninstall: config.mk |
280 | rm -f $(DESTDIR)$(bindir)/firejail | 291 | $(RM) $(DESTDIR)$(bindir)/firejail |
281 | rm -f $(DESTDIR)$(bindir)/firemon | 292 | $(RM) $(DESTDIR)$(bindir)/firemon |
282 | rm -f $(DESTDIR)$(bindir)/firecfg | 293 | $(RM) $(DESTDIR)$(bindir)/firecfg |
283 | rm -f $(DESTDIR)$(bindir)/jailcheck | 294 | $(RM) $(DESTDIR)$(bindir)/jailcheck |
284 | rm -fr $(DESTDIR)$(libdir)/firejail | 295 | $(RM) -r $(DESTDIR)$(libdir)/firejail |
285 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail | 296 | $(RM) -r $(DESTDIR)$(datarootdir)/doc/firejail |
286 | rm -f $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ))) | 297 | $(RM) $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ))) |
287 | rm -f $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ))) | 298 | $(RM) $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ))) |
288 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 299 | $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
289 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 300 | $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
290 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 301 | $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
291 | rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail | 302 | $(RM) $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail |
292 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim | 303 | $(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim |
293 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim | 304 | $(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim |
294 | rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang | 305 | $(RM) $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang |
295 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." | 306 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." |
296 | 307 | ||
297 | # Note: Keep this list in sync with `paths` in .github/workflows/build.yml. | 308 | # Note: Keep this list in sync with `paths` in .github/workflows/build.yml. |
@@ -336,9 +347,9 @@ dist: clean config.mk | |||
336 | mkdir -p $(TARNAME)-$(VERSION)/test | 347 | mkdir -p $(TARNAME)-$(VERSION)/test |
337 | cp -a $(DISTFILES) $(TARNAME)-$(VERSION) | 348 | cp -a $(DISTFILES) $(TARNAME)-$(VERSION) |
338 | cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test | 349 | cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test |
339 | rm -rf $(TARNAME)-$(VERSION)/src/tools | 350 | $(RM) -r $(TARNAME)-$(VERSION)/src/tools |
340 | tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION) | 351 | $(TAR) -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION) |
341 | rm -fr $(TARNAME)-$(VERSION) | 352 | $(RM) -r $(TARNAME)-$(VERSION) |
342 | 353 | ||
343 | .PHONY: asc | 354 | .PHONY: asc |
344 | asc: config.sh | 355 | asc: config.sh |
@@ -40,6 +40,8 @@ firejail (0.9.73) baseline; urgency=low | |||
40 | (#5965 #5976) | 40 | (#5965 #5976) |
41 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 | 41 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 |
42 | #6086) | 42 | #6086) |
43 | * bugfix: fix various resource leaks (#6367) | ||
44 | * bugfix: profstats: fix restrict-namespaces max count (#6369) | ||
43 | * build: auto-generate syntax files (#5627) | 45 | * build: auto-generate syntax files (#5627) |
44 | * build: mark all phony targets as such (#5637) | 46 | * build: mark all phony targets as such (#5637) |
45 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) | 47 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) |
@@ -73,6 +75,8 @@ firejail (0.9.73) baseline; urgency=low | |||
73 | * build: sort.py: add -i/-n/-- options (#6290 #6339) | 75 | * build: sort.py: add -i/-n/-- options (#6290 #6339) |
74 | * build: add strip target and simplify install targets (#6342) | 76 | * build: add strip target and simplify install targets (#6342) |
75 | * build: remove clean dependency from cppcheck targets (#6343) | 77 | * build: remove clean dependency from cppcheck targets (#6343) |
78 | * build: allow overriding common tools (#6354) | ||
79 | * build: standardize install commands (#6366) | ||
76 | * ci: always update the package db before installing packages (#5742) | 80 | * ci: always update the package db before installing packages (#5742) |
77 | * ci: fix codeql unable to download its own bundle (#5783) | 81 | * ci: fix codeql unable to download its own bundle (#5783) |
78 | * ci: split configure/build/install commands on gitlab (#5784) | 82 | * ci: split configure/build/install commands on gitlab (#5784) |
@@ -98,6 +102,8 @@ firejail (0.9.73) baseline; urgency=low | |||
98 | * docs: fix typos (#5693) | 102 | * docs: fix typos (#5693) |
99 | * docs: markdown formatting and misc improvements (#5757) | 103 | * docs: markdown formatting and misc improvements (#5757) |
100 | * docs: add uninstall instructions to README.md (#5812) | 104 | * docs: add uninstall instructions to README.md (#5812) |
105 | * docs: add precedence info to manpage & fix noblacklist example (#6358 | ||
106 | #6359) | ||
101 | * legal: selinux.c: Split Copyright notice & use same license as upstream | 107 | * legal: selinux.c: Split Copyright notice & use same license as upstream |
102 | (#5667) | 108 | (#5667) |
103 | * profiles: qutebrowser: fix links not opening in the existing instance | 109 | * profiles: qutebrowser: fix links not opening in the existing instance |
@@ -122,6 +128,8 @@ firejail (0.9.73) baseline; urgency=low | |||
122 | * profiles: add allow-php.inc to profile.template (#6299) | 128 | * profiles: add allow-php.inc to profile.template (#6299) |
123 | * profiles: clarify and add opengl-game to profile.template (#6300) | 129 | * profiles: clarify and add opengl-game to profile.template (#6300) |
124 | * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) | 130 | * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) |
131 | * profiles: libreoffice: support signing documents with GPG (#6352 #6353) | ||
132 | * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361) | ||
125 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater | 133 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater |
126 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 | 134 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 |
127 | 135 | ||
diff --git a/config.mk.in b/config.mk.in index a7f66fbb5..812573a14 100644 --- a/config.mk.in +++ b/config.mk.in | |||
@@ -78,7 +78,10 @@ CC=@CC@ | |||
78 | CODESPELL=@CODESPELL@ | 78 | CODESPELL=@CODESPELL@ |
79 | CPPCHECK=@CPPCHECK@ | 79 | CPPCHECK=@CPPCHECK@ |
80 | GAWK=@GAWK@ | 80 | GAWK=@GAWK@ |
81 | GZIP=@GZIP@ | ||
81 | SCAN_BUILD=@SCAN_BUILD@ | 82 | SCAN_BUILD=@SCAN_BUILD@ |
83 | STRIP=@STRIP@ | ||
84 | TAR=@TAR@ | ||
82 | 85 | ||
83 | CFLAGS=@CFLAGS@ | 86 | CFLAGS=@CFLAGS@ |
84 | CPPFLAGS=@CPPFLAGS@ | 87 | CPPFLAGS=@CPPFLAGS@ |
@@ -682,7 +682,10 @@ PKG_CONFIG | |||
682 | HAVE_APPARMOR | 682 | HAVE_APPARMOR |
683 | HAVE_IDS | 683 | HAVE_IDS |
684 | DEPS_CFLAGS | 684 | DEPS_CFLAGS |
685 | TAR | ||
686 | STRIP | ||
685 | SCAN_BUILD | 687 | SCAN_BUILD |
688 | GZIP | ||
686 | GAWK | 689 | GAWK |
687 | CPPCHECK | 690 | CPPCHECK |
688 | CODESPELL | 691 | CODESPELL |
@@ -3414,6 +3417,53 @@ fi | |||
3414 | test -n "$GAWK" && break | 3417 | test -n "$GAWK" && break |
3415 | done | 3418 | done |
3416 | 3419 | ||
3420 | for ac_prog in gzip | ||
3421 | do | ||
3422 | # Extract the first word of "$ac_prog", so it can be a program name with args. | ||
3423 | set dummy $ac_prog; ac_word=$2 | ||
3424 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3425 | printf %s "checking for $ac_word... " >&6; } | ||
3426 | if test ${ac_cv_prog_GZIP+y} | ||
3427 | then : | ||
3428 | printf %s "(cached) " >&6 | ||
3429 | else $as_nop | ||
3430 | if test -n "$GZIP"; then | ||
3431 | ac_cv_prog_GZIP="$GZIP" # Let the user override the test. | ||
3432 | else | ||
3433 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3434 | for as_dir in $PATH | ||
3435 | do | ||
3436 | IFS=$as_save_IFS | ||
3437 | case $as_dir in #((( | ||
3438 | '') as_dir=./ ;; | ||
3439 | */) ;; | ||
3440 | *) as_dir=$as_dir/ ;; | ||
3441 | esac | ||
3442 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3443 | if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then | ||
3444 | ac_cv_prog_GZIP="$ac_prog" | ||
3445 | printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 | ||
3446 | break 2 | ||
3447 | fi | ||
3448 | done | ||
3449 | done | ||
3450 | IFS=$as_save_IFS | ||
3451 | |||
3452 | fi | ||
3453 | fi | ||
3454 | GZIP=$ac_cv_prog_GZIP | ||
3455 | if test -n "$GZIP"; then | ||
3456 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GZIP" >&5 | ||
3457 | printf "%s\n" "$GZIP" >&6; } | ||
3458 | else | ||
3459 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3460 | printf "%s\n" "no" >&6; } | ||
3461 | fi | ||
3462 | |||
3463 | |||
3464 | test -n "$GZIP" && break | ||
3465 | done | ||
3466 | |||
3417 | for ac_prog in scan-build | 3467 | for ac_prog in scan-build |
3418 | do | 3468 | do |
3419 | # Extract the first word of "$ac_prog", so it can be a program name with args. | 3469 | # Extract the first word of "$ac_prog", so it can be a program name with args. |
@@ -3461,6 +3511,100 @@ fi | |||
3461 | test -n "$SCAN_BUILD" && break | 3511 | test -n "$SCAN_BUILD" && break |
3462 | done | 3512 | done |
3463 | 3513 | ||
3514 | for ac_prog in strip | ||
3515 | do | ||
3516 | # Extract the first word of "$ac_prog", so it can be a program name with args. | ||
3517 | set dummy $ac_prog; ac_word=$2 | ||
3518 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3519 | printf %s "checking for $ac_word... " >&6; } | ||
3520 | if test ${ac_cv_prog_STRIP+y} | ||
3521 | then : | ||
3522 | printf %s "(cached) " >&6 | ||
3523 | else $as_nop | ||
3524 | if test -n "$STRIP"; then | ||
3525 | ac_cv_prog_STRIP="$STRIP" # Let the user override the test. | ||
3526 | else | ||
3527 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3528 | for as_dir in $PATH | ||
3529 | do | ||
3530 | IFS=$as_save_IFS | ||
3531 | case $as_dir in #((( | ||
3532 | '') as_dir=./ ;; | ||
3533 | */) ;; | ||
3534 | *) as_dir=$as_dir/ ;; | ||
3535 | esac | ||
3536 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3537 | if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then | ||
3538 | ac_cv_prog_STRIP="$ac_prog" | ||
3539 | printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 | ||
3540 | break 2 | ||
3541 | fi | ||
3542 | done | ||
3543 | done | ||
3544 | IFS=$as_save_IFS | ||
3545 | |||
3546 | fi | ||
3547 | fi | ||
3548 | STRIP=$ac_cv_prog_STRIP | ||
3549 | if test -n "$STRIP"; then | ||
3550 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 | ||
3551 | printf "%s\n" "$STRIP" >&6; } | ||
3552 | else | ||
3553 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3554 | printf "%s\n" "no" >&6; } | ||
3555 | fi | ||
3556 | |||
3557 | |||
3558 | test -n "$STRIP" && break | ||
3559 | done | ||
3560 | |||
3561 | for ac_prog in tar | ||
3562 | do | ||
3563 | # Extract the first word of "$ac_prog", so it can be a program name with args. | ||
3564 | set dummy $ac_prog; ac_word=$2 | ||
3565 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3566 | printf %s "checking for $ac_word... " >&6; } | ||
3567 | if test ${ac_cv_prog_TAR+y} | ||
3568 | then : | ||
3569 | printf %s "(cached) " >&6 | ||
3570 | else $as_nop | ||
3571 | if test -n "$TAR"; then | ||
3572 | ac_cv_prog_TAR="$TAR" # Let the user override the test. | ||
3573 | else | ||
3574 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3575 | for as_dir in $PATH | ||
3576 | do | ||
3577 | IFS=$as_save_IFS | ||
3578 | case $as_dir in #((( | ||
3579 | '') as_dir=./ ;; | ||
3580 | */) ;; | ||
3581 | *) as_dir=$as_dir/ ;; | ||
3582 | esac | ||
3583 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3584 | if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then | ||
3585 | ac_cv_prog_TAR="$ac_prog" | ||
3586 | printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 | ||
3587 | break 2 | ||
3588 | fi | ||
3589 | done | ||
3590 | done | ||
3591 | IFS=$as_save_IFS | ||
3592 | |||
3593 | fi | ||
3594 | fi | ||
3595 | TAR=$ac_cv_prog_TAR | ||
3596 | if test -n "$TAR"; then | ||
3597 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $TAR" >&5 | ||
3598 | printf "%s\n" "$TAR" >&6; } | ||
3599 | else | ||
3600 | { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3601 | printf "%s\n" "no" >&6; } | ||
3602 | fi | ||
3603 | |||
3604 | |||
3605 | test -n "$TAR" && break | ||
3606 | done | ||
3607 | |||
3464 | 3608 | ||
3465 | DEPS_CFLAGS="" | 3609 | DEPS_CFLAGS="" |
3466 | 3610 | ||
diff --git a/configure.ac b/configure.ac index 73bd334f8..3701b7b4c 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -22,7 +22,10 @@ AC_PROG_CC | |||
22 | AC_CHECK_PROGS([CODESPELL], [codespell]) | 22 | AC_CHECK_PROGS([CODESPELL], [codespell]) |
23 | AC_CHECK_PROGS([CPPCHECK], [cppcheck]) | 23 | AC_CHECK_PROGS([CPPCHECK], [cppcheck]) |
24 | AC_CHECK_PROGS([GAWK], [gawk]) | 24 | AC_CHECK_PROGS([GAWK], [gawk]) |
25 | AC_CHECK_PROGS([GZIP], [gzip]) | ||
25 | AC_CHECK_PROGS([SCAN_BUILD], [scan-build]) | 26 | AC_CHECK_PROGS([SCAN_BUILD], [scan-build]) |
27 | AC_CHECK_PROGS([STRIP], [strip]) | ||
28 | AC_CHECK_PROGS([TAR], [tar]) | ||
26 | 29 | ||
27 | DEPS_CFLAGS="" | 30 | DEPS_CFLAGS="" |
28 | AC_SUBST([DEPS_CFLAGS]) | 31 | AC_SUBST([DEPS_CFLAGS]) |
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 55aabbc73..14f7d8cf7 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo | |||
167 | blacklist ${RUNUSER}/gnome-shell | 167 | blacklist ${RUNUSER}/gnome-shell |
168 | blacklist ${RUNUSER}/gsconnect | 168 | blacklist ${RUNUSER}/gsconnect |
169 | 169 | ||
170 | # i3 IPC socket (allows arbitrary shell script execution) | ||
171 | blacklist ${RUNUSER}/i3/ipc-socket.* | ||
172 | blacklist /tmp/i3-*/ipc-socket.* | ||
173 | |||
170 | # systemd | 174 | # systemd |
171 | blacklist ${HOME}/.config/systemd | 175 | blacklist ${HOME}/.config/systemd |
172 | blacklist ${HOME}/.local/share/systemd | 176 | blacklist ${HOME}/.local/share/systemd |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index f638e1d97..a856e81f4 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -140,6 +140,7 @@ blacklist ${HOME}/.cache/google-chrome-beta | |||
140 | blacklist ${HOME}/.cache/google-chrome-unstable | 140 | blacklist ${HOME}/.cache/google-chrome-unstable |
141 | blacklist ${HOME}/.cache/gradio | 141 | blacklist ${HOME}/.cache/gradio |
142 | blacklist ${HOME}/.cache/gummi | 142 | blacklist ${HOME}/.cache/gummi |
143 | blacklist ${HOME}/.cache/hashcat | ||
143 | blacklist ${HOME}/.cache/icedove | 144 | blacklist ${HOME}/.cache/icedove |
144 | blacklist ${HOME}/.cache/inkscape | 145 | blacklist ${HOME}/.cache/inkscape |
145 | blacklist ${HOME}/.cache/inox | 146 | blacklist ${HOME}/.cache/inox |
@@ -259,6 +260,7 @@ blacklist ${HOME}/.clonk | |||
259 | blacklist ${HOME}/.config/0ad | 260 | blacklist ${HOME}/.config/0ad |
260 | blacklist ${HOME}/.config/1Password | 261 | blacklist ${HOME}/.config/1Password |
261 | blacklist ${HOME}/.config/2048-qt | 262 | blacklist ${HOME}/.config/2048-qt |
263 | blacklist ${HOME}/.config/ArmCord | ||
262 | blacklist ${HOME}/.config/Atom | 264 | blacklist ${HOME}/.config/Atom |
263 | blacklist ${HOME}/.config/Audaciousrc | 265 | blacklist ${HOME}/.config/Audaciousrc |
264 | blacklist ${HOME}/.config/Authenticator | 266 | blacklist ${HOME}/.config/Authenticator |
@@ -973,6 +975,7 @@ blacklist ${HOME}/.local/share/gnote | |||
973 | blacklist ${HOME}/.local/share/godot | 975 | blacklist ${HOME}/.local/share/godot |
974 | blacklist ${HOME}/.local/share/gradio | 976 | blacklist ${HOME}/.local/share/gradio |
975 | blacklist ${HOME}/.local/share/gwenview | 977 | blacklist ${HOME}/.local/share/gwenview |
978 | blacklist ${HOME}/.local/share/hashcat | ||
976 | blacklist ${HOME}/.local/share/i2p | 979 | blacklist ${HOME}/.local/share/i2p |
977 | blacklist ${HOME}/.local/share/io.github.lainsce.Notejot | 980 | blacklist ${HOME}/.local/share/io.github.lainsce.Notejot |
978 | blacklist ${HOME}/.local/share/jami | 981 | blacklist ${HOME}/.local/share/jami |
@@ -1250,11 +1253,13 @@ blacklist ${HOME}/yt-dlp.conf | |||
1250 | blacklist ${HOME}/yt-dlp.conf.txt | 1253 | blacklist ${HOME}/yt-dlp.conf.txt |
1251 | blacklist ${RUNUSER}/*firefox* | 1254 | blacklist ${RUNUSER}/*firefox* |
1252 | blacklist ${RUNUSER}/akonadi | 1255 | blacklist ${RUNUSER}/akonadi |
1256 | blacklist ${RUNUSER}/i3 | ||
1253 | blacklist ${RUNUSER}/psd/*firefox* | 1257 | blacklist ${RUNUSER}/psd/*firefox* |
1254 | blacklist ${RUNUSER}/qutebrowser | 1258 | blacklist ${RUNUSER}/qutebrowser |
1255 | blacklist /etc/ssmtp | 1259 | blacklist /etc/ssmtp |
1256 | blacklist /tmp/.wine-* | 1260 | blacklist /tmp/.wine-* |
1257 | blacklist /tmp/akonadi-* | 1261 | blacklist /tmp/akonadi-* |
1262 | blacklist /tmp/i3-* | ||
1258 | blacklist /tmp/lwjgl_* | 1263 | blacklist /tmp/lwjgl_* |
1259 | blacklist /var/games/nethack | 1264 | blacklist /var/games/nethack |
1260 | blacklist /var/games/slashem | 1265 | blacklist /var/games/slashem |
diff --git a/etc/profile-a-l/armcord.profile b/etc/profile-a-l/armcord.profile new file mode 100644 index 000000000..470e0dee0 --- /dev/null +++ b/etc/profile-a-l/armcord.profile | |||
@@ -0,0 +1,40 @@ | |||
1 | # Firejail profile for armcord | ||
2 | # Description: Standalone Discord client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include armcord.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Modules might depend on nodejs. | ||
10 | # Add the below lines to your armcord.local if you need this. | ||
11 | # Allow node (disabled by disable-interpreters.inc) | ||
12 | #include allow-nodejs.inc | ||
13 | #private-bin node | ||
14 | |||
15 | # The lines below are needed to find the default Firefox profile name, to allow | ||
16 | # opening links in an existing instance of Firefox (note that it still fails if | ||
17 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
18 | noblacklist ${HOME}/.mozilla | ||
19 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
20 | |||
21 | noblacklist ${HOME}/.config/ArmCord | ||
22 | |||
23 | mkdir ${HOME}/.config/ArmCord | ||
24 | whitelist ${HOME}/.config/ArmCord | ||
25 | whitelist /opt/armcord | ||
26 | whitelist /usr/share/armcord | ||
27 | |||
28 | ignore novideo | ||
29 | private-bin armcord | ||
30 | |||
31 | dbus-user filter | ||
32 | dbus-user.talk org.freedesktop.Notifications | ||
33 | # Allow D-Bus communication with Firefox for opening links | ||
34 | dbus-user.talk org.mozilla.* | ||
35 | ignore dbus-user none | ||
36 | |||
37 | join-or-start armcord | ||
38 | |||
39 | # Redirect | ||
40 | include electron-common.profile | ||
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index 53db480a4..14497bba9 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile | |||
@@ -6,6 +6,11 @@ include claws-mail.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Note: If you use things like claws-mail's "fancy" (html rendering) plugin and | ||
10 | # the X11 window freezes, 'no3d' is likely the cause. In which case, try | ||
11 | # adding the following line to claws-mail.local: | ||
12 | #ignore no3d | ||
13 | |||
9 | noblacklist ${HOME}/.claws-mail | 14 | noblacklist ${HOME}/.claws-mail |
10 | 15 | ||
11 | mkdir ${HOME}/.claws-mail | 16 | mkdir ${HOME}/.claws-mail |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 2929d6a75..42971ecae 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -52,7 +52,7 @@ whitelist ${RUNUSER}/gnupg | |||
52 | whitelist /usr/share/bogofilter | 52 | whitelist /usr/share/bogofilter |
53 | whitelist /usr/share/gnupg | 53 | whitelist /usr/share/gnupg |
54 | whitelist /usr/share/gnupg2 | 54 | whitelist /usr/share/gnupg2 |
55 | whitelist /var/lib/clamav | 55 | whitelist /var/lib/clamav |
56 | whitelist /var/mail | 56 | whitelist /var/mail |
57 | whitelist /var/spool/mail | 57 | whitelist /var/spool/mail |
58 | include whitelist-common.inc | 58 | include whitelist-common.inc |
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile index e5b0a06af..b4e0d53f3 100644 --- a/etc/profile-a-l/hashcat.profile +++ b/etc/profile-a-l/hashcat.profile | |||
@@ -9,7 +9,9 @@ include globals.local | |||
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
11 | 11 | ||
12 | noblacklist ${HOME}/.cache/hashcat | ||
12 | noblacklist ${HOME}/.hashcat | 13 | noblacklist ${HOME}/.hashcat |
14 | noblacklist ${HOME}/.local/share/hashcat | ||
13 | noblacklist /usr/include | 15 | noblacklist /usr/include |
14 | noblacklist ${DOCUMENTS} | 16 | noblacklist ${DOCUMENTS} |
15 | 17 | ||
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile index 2268072ef..412e31762 100644 --- a/etc/profile-a-l/i3.profile +++ b/etc/profile-a-l/i3.profile | |||
@@ -8,6 +8,10 @@ include globals.local | |||
8 | 8 | ||
9 | # all applications started in i3 will run in this profile | 9 | # all applications started in i3 will run in this profile |
10 | noblacklist ${HOME}/.config/i3 | 10 | noblacklist ${HOME}/.config/i3 |
11 | noblacklist ${RUNUSER}/i3 | ||
12 | noblacklist ${RUNUSER}/i3/ipc-socket.* | ||
13 | noblacklist /tmp/i3-* | ||
14 | noblacklist /tmp/i3-*/ipc-socket.* | ||
11 | include disable-common.inc | 15 | include disable-common.inc |
12 | 16 | ||
13 | caps.drop all | 17 | caps.drop all |
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile index d7144d8c3..f9e018a33 100644 --- a/etc/profile-a-l/libreoffice.profile +++ b/etc/profile-a-l/libreoffice.profile | |||
@@ -9,6 +9,16 @@ include globals.local | |||
9 | noblacklist /usr/local/sbin | 9 | noblacklist /usr/local/sbin |
10 | noblacklist ${HOME}/.config/libreoffice | 10 | noblacklist ${HOME}/.config/libreoffice |
11 | 11 | ||
12 | # libreoffice can sign documents with GPG | ||
13 | noblacklist ${HOME}/.gnupg | ||
14 | read-only ${HOME}/.gnupg/trustdb.gpg | ||
15 | read-only ${HOME}/.gnupg/pubring.kbx | ||
16 | blacklist ${HOME}/.gnupg/crls.d | ||
17 | blacklist ${HOME}/.gnupg/openpgp-revocs.d | ||
18 | blacklist ${HOME}/.gnupg/private-keys-v1.d | ||
19 | blacklist ${HOME}/.gnupg/pubring.kbx~ | ||
20 | blacklist ${HOME}/.gnupg/random_seed | ||
21 | |||
12 | # libreoffice uses java for some functionality. | 22 | # libreoffice uses java for some functionality. |
13 | # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality. | 23 | # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality. |
14 | # Allow java (blacklisted by disable-devel.inc) | 24 | # Allow java (blacklisted by disable-devel.inc) |
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile index 7d0e01d98..c2e4999ea 100644 --- a/etc/profile-m-z/noprofile.profile +++ b/etc/profile-m-z/noprofile.profile | |||
@@ -15,6 +15,8 @@ | |||
15 | 15 | ||
16 | noblacklist /sys/fs | 16 | noblacklist /sys/fs |
17 | noblacklist /sys/module | 17 | noblacklist /sys/module |
18 | nowhitelist /sys/module/nvidia* | ||
19 | ignore read-only /sys/module/nvidia* | ||
18 | 20 | ||
19 | allow-debuggers | 21 | allow-debuggers |
20 | allusers | 22 | allusers |
diff --git a/src/bash_completion/Makefile b/src/bash_completion/Makefile index c7ef6afc6..c06323f64 100644 --- a/src/bash_completion/Makefile +++ b/src/bash_completion/Makefile | |||
@@ -2,14 +2,17 @@ | |||
2 | ROOT = ../.. | 2 | ROOT = ../.. |
3 | -include $(ROOT)/config.mk | 3 | -include $(ROOT)/config.mk |
4 | 4 | ||
5 | GAWK ?= gawk | ||
6 | RM ?= rm -f | ||
7 | |||
5 | .PHONY: all | 8 | .PHONY: all |
6 | all: firejail.bash_completion | 9 | all: firejail.bash_completion |
7 | 10 | ||
8 | firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk | 11 | firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk |
9 | $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | 12 | $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp |
10 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | 13 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ |
11 | rm $@.tmp | 14 | $(RM) $@.tmp |
12 | 15 | ||
13 | .PHONY: clean | 16 | .PHONY: clean |
14 | clean: | 17 | clean: |
15 | rm -fr firejail.bash_completion | 18 | $(RM) -r firejail.bash_completion |
diff --git a/src/fids/main.c b/src/fids/main.c index 92b6468f3..415694f1e 100644 --- a/src/fids/main.c +++ b/src/fids/main.c | |||
@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) { | |||
106 | } | 106 | } |
107 | else { | 107 | else { |
108 | content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); | 108 | content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); |
109 | close(fd); | ||
110 | mmapped = 1; | 109 | mmapped = 1; |
111 | } | 110 | } |
111 | close(fd); | ||
112 | 112 | ||
113 | unsigned char checksum[KEY_SIZE / 8]; | 113 | unsigned char checksum[KEY_SIZE / 8]; |
114 | blake2b(checksum, sizeof(checksum), content, size); | 114 | blake2b(checksum, sizeof(checksum), content, size); |
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index 1895e437b..8c21757ab 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c | |||
@@ -300,6 +300,7 @@ void fix_desktop_files(const char *homedir) { | |||
300 | 300 | ||
301 | if (stat(outname, &sb) == 0) { | 301 | if (stat(outname, &sb) == 0) { |
302 | printf(" %s skipped: file exists\n", filename); | 302 | printf(" %s skipped: file exists\n", filename); |
303 | free(outname); | ||
303 | if (change_exec) | 304 | if (change_exec) |
304 | free(change_exec); | 305 | free(change_exec); |
305 | continue; | 306 | continue; |
@@ -308,6 +309,7 @@ void fix_desktop_files(const char *homedir) { | |||
308 | FILE *fpin = fopen(filename, "r"); | 309 | FILE *fpin = fopen(filename, "r"); |
309 | if (!fpin) { | 310 | if (!fpin) { |
310 | fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename); | 311 | fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename); |
312 | free(outname); | ||
311 | if (change_exec) | 313 | if (change_exec) |
312 | free(change_exec); | 314 | free(change_exec); |
313 | continue; | 315 | continue; |
@@ -317,6 +319,7 @@ void fix_desktop_files(const char *homedir) { | |||
317 | if (!fpout) { | 319 | if (!fpout) { |
318 | fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname); | 320 | fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname); |
319 | fclose(fpin); | 321 | fclose(fpin); |
322 | free(outname); | ||
320 | if (change_exec) | 323 | if (change_exec) |
321 | free(change_exec); | 324 | free(change_exec); |
322 | continue; | 325 | continue; |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index b6eb06d65..8d0a30521 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -63,6 +63,7 @@ arduino | |||
63 | aria2c | 63 | aria2c |
64 | ark | 64 | ark |
65 | arm | 65 | arm |
66 | armcord | ||
66 | artha | 67 | artha |
67 | assogiate | 68 | assogiate |
68 | asunder | 69 | asunder |
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index db130afd3..cbfcc90ed 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
@@ -198,6 +198,8 @@ static void read_bandwidth_file(pid_t pid) { | |||
198 | 198 | ||
199 | fclose(fp); | 199 | fclose(fp); |
200 | } | 200 | } |
201 | |||
202 | free(fname); | ||
201 | } | 203 | } |
202 | 204 | ||
203 | static void write_bandwidth_file(pid_t pid) { | 205 | static void write_bandwidth_file(pid_t pid) { |
@@ -217,6 +219,7 @@ static void write_bandwidth_file(pid_t pid) { | |||
217 | ptr = ptr->next; | 219 | ptr = ptr->next; |
218 | } | 220 | } |
219 | fclose(fp); | 221 | fclose(fp); |
222 | free(fname); | ||
220 | } | 223 | } |
221 | else | 224 | else |
222 | goto errout; | 225 | goto errout; |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index cdad5e220..abef85515 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -743,10 +743,20 @@ void fs_proc_sys_dev_boot(void) { | |||
743 | 743 | ||
744 | disable_file(BLACKLIST_FILE, "/sys/firmware"); | 744 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
745 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); | 745 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
746 | { // allow user access to some directories in /sys/ by specifying 'noblacklist' option | 746 | |
747 | profile_add("blacklist /sys/fs"); | 747 | // Soft-block some paths in /sys/ (can be undone in profiles). |
748 | profile_add("blacklist /sys/fs"); | ||
749 | |||
750 | // Hardware acceleration with the nvidia proprietary driver may fail | ||
751 | // without access to these paths (see #6372). | ||
752 | if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) { | ||
753 | profile_add("whitelist /sys/module/nvidia*"); | ||
754 | profile_add("read-only /sys/module/nvidia*"); | ||
755 | } | ||
756 | else { | ||
748 | profile_add("blacklist /sys/module"); | 757 | profile_add("blacklist /sys/module"); |
749 | } | 758 | } |
759 | |||
750 | disable_file(BLACKLIST_FILE, "/sys/power"); | 760 | disable_file(BLACKLIST_FILE, "/sys/power"); |
751 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); | 761 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); |
752 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); | 762 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index fa88bbe12..e8e486f12 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -52,7 +52,8 @@ typedef struct { | |||
52 | 52 | ||
53 | static DevEntry dev[] = { | 53 | static DevEntry dev[] = { |
54 | {"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND}, // sound device | 54 | {"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND}, // sound device |
55 | {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D}, // 3d device | 55 | {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D}, // 3d devices |
56 | {"/dev/kfd", RUN_DEV_DIR "/kfd", DEV_3D}, | ||
56 | {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D}, | 57 | {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D}, |
57 | {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D}, | 58 | {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D}, |
58 | {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D}, | 59 | {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D}, |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 7c3f3835b..9d9832c15 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -67,8 +67,10 @@ static void skel(const char *homedir) { | |||
67 | if (asprintf(&fname, "%s/.zshrc", homedir) == -1) | 67 | if (asprintf(&fname, "%s/.zshrc", homedir) == -1) |
68 | errExit("asprintf"); | 68 | errExit("asprintf"); |
69 | // don't copy it if we already have the file | 69 | // don't copy it if we already have the file |
70 | if (access(fname, F_OK) == 0) | 70 | if (access(fname, F_OK) == 0) { |
71 | free(fname); | ||
71 | return; | 72 | return; |
73 | } | ||
72 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat | 74 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat |
73 | fprintf(stderr, "Error: invalid %s file\n", fname); | 75 | fprintf(stderr, "Error: invalid %s file\n", fname); |
74 | exit(1); | 76 | exit(1); |
@@ -91,8 +93,10 @@ static void skel(const char *homedir) { | |||
91 | if (asprintf(&fname, "%s/.cshrc", homedir) == -1) | 93 | if (asprintf(&fname, "%s/.cshrc", homedir) == -1) |
92 | errExit("asprintf"); | 94 | errExit("asprintf"); |
93 | // don't copy it if we already have the file | 95 | // don't copy it if we already have the file |
94 | if (access(fname, F_OK) == 0) | 96 | if (access(fname, F_OK) == 0) { |
97 | free(fname); | ||
95 | return; | 98 | return; |
99 | } | ||
96 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat | 100 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat |
97 | fprintf(stderr, "Error: invalid %s file\n", fname); | 101 | fprintf(stderr, "Error: invalid %s file\n", fname); |
98 | exit(1); | 102 | exit(1); |
@@ -115,8 +119,10 @@ static void skel(const char *homedir) { | |||
115 | if (asprintf(&fname, "%s/.bashrc", homedir) == -1) | 119 | if (asprintf(&fname, "%s/.bashrc", homedir) == -1) |
116 | errExit("asprintf"); | 120 | errExit("asprintf"); |
117 | // don't copy it if we already have the file | 121 | // don't copy it if we already have the file |
118 | if (access(fname, F_OK) == 0) | 122 | if (access(fname, F_OK) == 0) { |
123 | free(fname); | ||
119 | return; | 124 | return; |
125 | } | ||
120 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat | 126 | if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat |
121 | fprintf(stderr, "Error: invalid %s file\n", fname); | 127 | fprintf(stderr, "Error: invalid %s file\n", fname); |
122 | exit(1); | 128 | exit(1); |
diff --git a/src/firejail/ids.c b/src/firejail/ids.c index 40bbe6d02..0759a205d 100644 --- a/src/firejail/ids.c +++ b/src/firejail/ids.c | |||
@@ -42,6 +42,7 @@ static void ids_init(void) { | |||
42 | if (dup(fd) != STDOUT_FILENO) | 42 | if (dup(fd) != STDOUT_FILENO) |
43 | errExit("dup"); | 43 | errExit("dup"); |
44 | close(fd); | 44 | close(fd); |
45 | free(fname); | ||
45 | 46 | ||
46 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir); | 47 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir); |
47 | } | 48 | } |
@@ -63,6 +64,7 @@ static void ids_check(void) { | |||
63 | if (dup(fd) != STDIN_FILENO) | 64 | if (dup(fd) != STDIN_FILENO) |
64 | errExit("dup"); | 65 | errExit("dup"); |
65 | close(fd); | 66 | close(fd); |
67 | free(fname); | ||
66 | 68 | ||
67 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir); | 69 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir); |
68 | } | 70 | } |
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index cb078b580..4bd0ba459 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) { | |||
122 | // mode and ownership | 122 | // mode and ownership |
123 | SET_PERMS_STREAM(fp, 0, 0, 0644); | 123 | SET_PERMS_STREAM(fp, 0, 0, 0644); |
124 | fclose(fp); | 124 | fclose(fp); |
125 | free(fname); | ||
125 | } | 126 | } |
126 | 127 | ||
127 | 128 | ||
@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) { | |||
141 | // mode and ownership | 142 | // mode and ownership |
142 | SET_PERMS_STREAM(fp, 0, 0, 0644); | 143 | SET_PERMS_STREAM(fp, 0, 0, 0644); |
143 | fclose(fp); | 144 | fclose(fp); |
145 | free(fname); | ||
144 | } | 146 | } |
145 | 147 | ||
146 | void set_profile_run_file(pid_t pid, const char *fname) { | 148 | void set_profile_run_file(pid_t pid, const char *fname) { |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 323133f8d..5d7c244b1 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) { | |||
1392 | fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n"); | 1392 | fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n"); |
1393 | exit(1); | 1393 | exit(1); |
1394 | } | 1394 | } |
1395 | free(name); | ||
1395 | 1396 | ||
1396 | // join the namespace | 1397 | // join the namespace |
1397 | EUID_ROOT(); | 1398 | EUID_ROOT(); |
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 39dc38ec9..e70174b1e 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c | |||
@@ -152,10 +152,12 @@ static void print_proc(int index, int itv, int col) { | |||
152 | struct stat s; | 152 | struct stat s; |
153 | if (stat(name, &s) == -1) { | 153 | if (stat(name, &s) == -1) { |
154 | // the sandbox doesn't have a --net= option, don't print | 154 | // the sandbox doesn't have a --net= option, don't print |
155 | free(name); | ||
155 | if (cmd) | 156 | if (cmd) |
156 | free(cmd); | 157 | free(cmd); |
157 | return; | 158 | return; |
158 | } | 159 | } |
160 | free(name); | ||
159 | 161 | ||
160 | // pid | 162 | // pid |
161 | char pidstr[11]; | 163 | char pidstr[11]; |
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c index 50c51839b..5fbcb5a15 100644 --- a/src/jailcheck/access.c +++ b/src/jailcheck/access.c | |||
@@ -80,10 +80,13 @@ void access_setup(const char *directory) { | |||
80 | FILE *fp = fopen(test_file, "w"); | 80 | FILE *fp = fopen(test_file, "w"); |
81 | if (!fp) { | 81 | if (!fp) { |
82 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); | 82 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); |
83 | free(test_file); | ||
84 | free(path); | ||
83 | return; | 85 | return; |
84 | } | 86 | } |
85 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); | 87 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); |
86 | fclose(fp); | 88 | fclose(fp); |
89 | free(path); | ||
87 | int rv = chown(test_file, user_uid, user_gid); | 90 | int rv = chown(test_file, user_uid, user_gid); |
88 | if (rv) | 91 | if (rv) |
89 | errExit("chown"); | 92 | errExit("chown"); |
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c index 37234c648..e5657135d 100644 --- a/src/jailcheck/noexec.c +++ b/src/jailcheck/noexec.c | |||
@@ -55,6 +55,7 @@ void noexec_setup(void) { | |||
55 | execfile_len = s.st_size; | 55 | execfile_len = s.st_size; |
56 | close(fd); | 56 | close(fd); |
57 | } | 57 | } |
58 | free(self); | ||
58 | } | 59 | } |
59 | } | 60 | } |
60 | 61 | ||
@@ -110,4 +111,5 @@ void noexec_test(const char *path) { | |||
110 | wait(&status); | 111 | wait(&status); |
111 | int rv = unlink(fname); | 112 | int rv = unlink(fname); |
112 | (void) rv; | 113 | (void) rv; |
114 | free(fname); | ||
113 | } | 115 | } |
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c index d4bfd1923..348efc784 100644 --- a/src/jailcheck/virtual.c +++ b/src/jailcheck/virtual.c | |||
@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) { | |||
49 | FILE *fp = fopen(test_file, "w"); | 49 | FILE *fp = fopen(test_file, "w"); |
50 | if (!fp) { | 50 | if (!fp) { |
51 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); | 51 | printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); |
52 | free(test_file); | ||
52 | return; | 53 | return; |
53 | } | 54 | } |
54 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); | 55 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); |
diff --git a/src/man/Makefile b/src/man/Makefile index 1c1fd49a5..767920e2b 100644 --- a/src/man/Makefile +++ b/src/man/Makefile | |||
@@ -2,6 +2,10 @@ | |||
2 | ROOT = ../.. | 2 | ROOT = ../.. |
3 | -include $(ROOT)/config.mk | 3 | -include $(ROOT)/config.mk |
4 | 4 | ||
5 | GAWK ?= gawk | ||
6 | GZIP ?= gzip | ||
7 | RM ?= rm -f | ||
8 | |||
5 | MOD_DIR := $(ROOT)/src/man | 9 | MOD_DIR := $(ROOT)/src/man |
6 | MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in)) | 10 | MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in)) |
7 | MANPAGES_GZ := $(MANPAGES_IN:.in=.gz) | 11 | MANPAGES_GZ := $(MANPAGES_IN:.in=.gz) |
@@ -19,8 +23,8 @@ $(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk | |||
19 | # foo.1.gz: foo.1 | 23 | # foo.1.gz: foo.1 |
20 | $(MOD_DIR)/%.gz: $(MOD_DIR)/% | 24 | $(MOD_DIR)/%.gz: $(MOD_DIR)/% |
21 | @printf 'Generating %s from %s\n' $@ $< | 25 | @printf 'Generating %s from %s\n' $@ $< |
22 | @rm -f $@ | 26 | @$(RM) $@ |
23 | @gzip -n9 $< | 27 | @$(GZIP) -n9 $< |
24 | 28 | ||
25 | .PHONY: clean | 29 | .PHONY: clean |
26 | clean:; rm -f *.1 *.5 *.gz | 30 | clean:; $(RM) *.1 *.5 *.gz |
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 87bd6fcc2..fa2329d67 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -95,7 +95,12 @@ $ firejail [OPTIONS] # starting the program specified in $SHELL, | |||
95 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox | 95 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox |
96 | .PP | 96 | .PP |
97 | # sudo firejail [OPTIONS] /etc/init.d/nginx start | 97 | # sudo firejail [OPTIONS] /etc/init.d/nginx start |
98 | 98 | .PP | |
99 | When an option is specified multiple times (whether in a profile, on the | ||
100 | command line, or both) or conflicts with a related option, the | ||
101 | precedence/behavior is option-specific and usually documented in the | ||
102 | \fBOPTIONS\fR section below. Note that an option specified in a profile can | ||
103 | generally be disabled on the command line using \fB--ignore\fR. | ||
99 | .SH OPTIONS | 104 | .SH OPTIONS |
100 | .TP | 105 | .TP |
101 | \fB\-\- | 106 | \fB\-\- |
@@ -1729,6 +1734,16 @@ See --keep-config-pulse. | |||
1729 | Disable blacklist for this directory or file. | 1734 | Disable blacklist for this directory or file. |
1730 | .br | 1735 | .br |
1731 | 1736 | ||
1737 | Note that blacklist entries containing ${PATH} can not currently be partially | ||
1738 | disabled for individual expanded paths. Only the whole unexpanded path | ||
1739 | including ${PATH} can be disabled, which then applies to all expansions. | ||
1740 | This limitation does not apply to expansions of other variables or wildcards. | ||
1741 | For details, see | ||
1742 | .UR https://github.com/netblue30/firejail/issues/6360 | ||
1743 | #6360 | ||
1744 | .UE | ||
1745 | .br | ||
1746 | |||
1732 | .br | 1747 | .br |
1733 | Example: | 1748 | Example: |
1734 | .br | 1749 | .br |
@@ -1744,6 +1759,14 @@ $ exit | |||
1744 | .br | 1759 | .br |
1745 | $ firejail --noblacklist=/bin/nc | 1760 | $ firejail --noblacklist=/bin/nc |
1746 | .br | 1761 | .br |
1762 | bash: /bin/nc: Permission denied | ||
1763 | .br | ||
1764 | $ exit | ||
1765 | .br | ||
1766 | |||
1767 | .br | ||
1768 | $ firejail --noblacklist='${PATH}/nc' | ||
1769 | .br | ||
1747 | $ nc dict.org 2628 | 1770 | $ nc dict.org 2628 |
1748 | .br | 1771 | .br |
1749 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 | 1772 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 |
diff --git a/src/profstats/main.c b/src/profstats/main.c index ad27bfe79..10eee3c4b 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -344,7 +344,7 @@ int main(int argc, char **argv) { | |||
344 | if (cnt_seccomp > (seccomp + 1)) | 344 | if (cnt_seccomp > (seccomp + 1)) |
345 | cnt_seccomp = seccomp + 1; | 345 | cnt_seccomp = seccomp + 1; |
346 | if (cnt_restrict_namespaces > (restrict_namespaces + 1)) | 346 | if (cnt_restrict_namespaces > (restrict_namespaces + 1)) |
347 | cnt_seccomp = restrict_namespaces + 1; | 347 | cnt_restrict_namespaces = restrict_namespaces + 1; |
348 | if (cnt_dbus_user_none > (dbususernone + 1)) | 348 | if (cnt_dbus_user_none > (dbususernone + 1)) |
349 | cnt_dbus_user_none = dbususernone + 1; | 349 | cnt_dbus_user_none = dbususernone + 1; |
350 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) | 350 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) |
diff --git a/src/prog.mk b/src/prog.mk index a639e87fc..3e89a6ba8 100644 --- a/src/prog.mk +++ b/src/prog.mk | |||
@@ -5,6 +5,9 @@ | |||
5 | # The includer should probably define PROG and TARGET and may also want to | 5 | # The includer should probably define PROG and TARGET and may also want to |
6 | # define EXTRA_OBJS and extend CLEANFILES. | 6 | # define EXTRA_OBJS and extend CLEANFILES. |
7 | 7 | ||
8 | CC ?= cc | ||
9 | RM ?= rm -f | ||
10 | |||
8 | HDRS := | 11 | HDRS := |
9 | SRCS := $(sort $(wildcard $(MOD_DIR)/*.c)) | 12 | SRCS := $(sort $(wildcard $(MOD_DIR)/*.c)) |
10 | OBJS := $(SRCS:.c=.o) | 13 | OBJS := $(SRCS:.c=.o) |
@@ -25,4 +28,4 @@ $(PROG): $(OBJS) $(EXTRA_OBJS) $(ROOT)/config.mk | |||
25 | $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) $(LIBS) | 28 | $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) $(LIBS) |
26 | 29 | ||
27 | .PHONY: clean | 30 | .PHONY: clean |
28 | clean:; rm -fr $(PROG) $(CLEANFILES) | 31 | clean:; $(RM) -r $(PROG) $(CLEANFILES) |
@@ -5,6 +5,9 @@ | |||
5 | # The includer should probably define SO and TARGET and may also want to define | 5 | # The includer should probably define SO and TARGET and may also want to define |
6 | # EXTRA_OBJS and extend CLEANFILES. | 6 | # EXTRA_OBJS and extend CLEANFILES. |
7 | 7 | ||
8 | CC ?= cc | ||
9 | RM ?= rm -f | ||
10 | |||
8 | HDRS := | 11 | HDRS := |
9 | SRCS := $(sort $(wildcard $(MOD_DIR)/*.c)) | 12 | SRCS := $(sort $(wildcard $(MOD_DIR)/*.c)) |
10 | OBJS := $(SRCS:.c=.o) | 13 | OBJS := $(SRCS:.c=.o) |
@@ -25,4 +28,4 @@ $(SO): $(OBJS) $(EXTRA_OBJS) $(ROOT)/config.mk | |||
25 | $(CC) $(SO_LDFLAGS) -shared $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) -ldl | 28 | $(CC) $(SO_LDFLAGS) -shared $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) -ldl |
26 | 29 | ||
27 | .PHONY: clean | 30 | .PHONY: clean |
28 | clean:; rm -fr $(SO) $(CLEANFILES) | 31 | clean:; $(RM) -r $(SO) $(CLEANFILES) |
diff --git a/src/zsh_completion/Makefile b/src/zsh_completion/Makefile index e964d39ec..cbc476a73 100644 --- a/src/zsh_completion/Makefile +++ b/src/zsh_completion/Makefile | |||
@@ -2,14 +2,17 @@ | |||
2 | ROOT = ../.. | 2 | ROOT = ../.. |
3 | -include $(ROOT)/config.mk | 3 | -include $(ROOT)/config.mk |
4 | 4 | ||
5 | GAWK ?= gawk | ||
6 | RM ?= rm -f | ||
7 | |||
5 | .PHONY: all | 8 | .PHONY: all |
6 | all: _firejail | 9 | all: _firejail |
7 | 10 | ||
8 | _firejail: _firejail.in $(ROOT)/config.mk | 11 | _firejail: _firejail.in $(ROOT)/config.mk |
9 | $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | 12 | $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp |
10 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | 13 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ |
11 | rm $@.tmp | 14 | $(RM) $@.tmp |
12 | 15 | ||
13 | .PHONY: clean | 16 | .PHONY: clean |
14 | clean: | 17 | clean: |
15 | rm -fr _firejail | 18 | $(RM) -r _firejail |
diff --git a/test/Makefile b/test/Makefile index 52fada86c..89855d082 100644 --- a/test/Makefile +++ b/test/Makefile | |||
@@ -2,6 +2,8 @@ | |||
2 | ROOT = .. | 2 | ROOT = .. |
3 | -include $(ROOT)/config.mk | 3 | -include $(ROOT)/config.mk |
4 | 4 | ||
5 | RM ?= rm -f | ||
6 | |||
5 | TESTS=$(patsubst %/,%,$(wildcard */)) | 7 | TESTS=$(patsubst %/,%,$(wildcard */)) |
6 | 8 | ||
7 | .PHONY: $(TESTS) | 9 | .PHONY: $(TESTS) |
@@ -11,14 +13,14 @@ $(TESTS): | |||
11 | 13 | ||
12 | .PHONY: clean | 14 | .PHONY: clean |
13 | clean: | 15 | clean: |
14 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done | 16 | for test in $(TESTS); do $(RM) "$$test/$$test.log"; done |
15 | rm -fr environment/-testdir | 17 | $(RM) -r environment/-testdir |
16 | rm -f environment/index.html* | 18 | $(RM) environment/index.html* |
17 | rm -f environment/logfile* | 19 | $(RM) environment/logfile* |
18 | rm -f environment/wget-log* | 20 | $(RM) environment/wget-log* |
19 | rm -f sysutils/firejail_t* | 21 | $(RM) sysutils/firejail_t* |
20 | rm -f utils/firejail-test-file* | 22 | $(RM) utils/firejail-test-file* |
21 | rm -f utils/index.html* | 23 | $(RM) utils/index.html* |
22 | rm -f utils/lstesting | 24 | $(RM) utils/lstesting |
23 | rm -f utils/wget-log | 25 | $(RM) utils/wget-log |
24 | cd compile && (./compile.sh --clean || true) | 26 | cd compile && (./compile.sh --clean || true) |