-rw-r--r-- | .github/workflows/build-extra.yml | 24 | ||||
-rw-r--r-- | .github/workflows/build.yml | 2 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 8 | ||||
-rw-r--r-- | .github/workflows/codespell.yml | 40 | ||||
-rw-r--r-- | Makefile | 11 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rwxr-xr-x | contrib/jail_prober.py | 4 | ||||
-rw-r--r-- | etc/profile-a-l/gmpc.profile | 5 | ||||
-rw-r--r-- | etc/profile-a-l/kwin_x11.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/mpDris2.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/mpd.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/tvbrowser.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/twitch.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/youtube.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/youtubemusic-nativefier.profile | 2 |
15 files changed, 78 insertions, 38 deletions
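--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -13,6 +13,7 @@ on:
 - .github/pull_request_template.md
 - .github/workflows/build.yml
 - .github/workflows/codeql-analysis.yml
+- .github/workflows/codespell.yml
 - .github/workflows/profile-checks.yml
 - .gitignore
 - .gitlab-ci.yml
@@ -35,6 +36,7 @@ on:
 - .github/pull_request_template.md
 - .github/workflows/build.yml
 - .github/workflows/codeql-analysis.yml
+- .github/workflows/codespell.yml
 - .github/workflows/profile-checks.yml
 - .gitignore
 - .gitlab-ci.yml
@@ -163,25 +165,3 @@ jobs:
 - run: cppcheck --version
 - name: cppcheck
 run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-codespell:
-runs-on: ubuntu-22.04
-steps:
-- name: Harden Runner
-uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-with:
-egress-policy: block
-allowed-endpoints: >
-archive.ubuntu.com:80
-azure.archive.ubuntu.com:80
-github.com:443
-packages.microsoft.com:443
-ppa.launchpadcontent.net:443
-security.ubuntu.com:80
-- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-- name: update package information
-run: sudo apt-get update -qy
-- name: install dependencies
-run: sudo apt-get install -qy codespell
-- run: codespell --version
-- name: codespell
-run: make codespell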
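--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,7 @@ on:
 - .github/pull_request_template.md
 - .github/workflows/build-extra.yml
 - .github/workflows/codeql-analysis.yml
+- .github/workflows/codespell.yml
 - .github/workflows/profile-checks.yml
 - .gitignore
 - .gitlab-ci.yml
@@ -26,6 +27,7 @@ on:
 - .github/pull_request_template.md
 - .github/workflows/build-extra.yml
 - .github/workflows/codeql-analysis.yml
+- .github/workflows/codespell.yml
 - .github/workflows/profile-checks.yml
 - .gitignore
 - .gitlab-ci.yml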
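--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,7 @@ on:
 - .github/pull_request_template.md
 - .github/workflows/build-extra.yml
 - .github/workflows/build.yml
+- .github/workflows/codespell.yml
 - .github/workflows/profile-checks.yml
 - .gitignore
 - .gitlab-ci.yml
@@ -40,6 +41,7 @@ on:
 - .github/pull_request_template.md
 - .github/workflows/build-extra.yml
 - .github/workflows/build.yml
+- .github/workflows/codespell.yml
 - .github/workflows/profile-checks.yml
 - .gitignore
 - .gitlab-ci.yml
@@ -95,7 +97,7 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
+uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -106,7 +108,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
-uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
+uses: github/codeql-action/autobuild@5b6282e01c62d02e720b81eb8a51204f527c3624
 
 # âšī¸ Command-line programs to run using the OS shell.
 # đ https://git.io/JvXDl
@@ -120,4 +122,4 @@ jobs:
 # make release
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
+uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624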
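--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,40 @@
+name: Codespell
+
+on:
+push:
+paths-ignore:
+- 'm4/**'
+- COPYING
+pull_request:
+paths-ignore:
+- 'm4/**'
+- COPYING
+
+permissions: # added using https://github.com/step-security/secure-workflows
+contents: read
+
+jobs:
+codespell:
+runs-on: ubuntu-22.04
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+with:
+egress-policy: block
+allowed-endpoints: >
+archive.ubuntu.com:80
+azure.archive.ubuntu.com:80
+github.com:443
+packages.microsoft.com:443
+ppa.launchpadcontent.net:443
+security.ubuntu.com:80
+- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+- name: update package information
+run: sudo apt-get update -qy
+- name: install dependencies
+run: sudo apt-get install -qy codespell
+- name: configure
+run: ./configure || (cat config.log; exit 1)
+- run: codespell --version
+- name: codespell
+run: make codespell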
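Review bot: The two action pins in the new job (`step-security/harden-runner@8ca2b8b2…` and `actions/checkout@c85c95e3…`) carry no comment naming the tagged release each SHA resolves to, so a reader cannot tell which version is in use, or whether a pin is stale, without resolving the hash by hand. Keeping the SHA pin and appending the tag as a trailing comment, e.g. `uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # <tag this SHA resolves to>`, makes dependency review of the workflow auditable and is the form that automated pin-update tooling generally expects. The same remark applies to the bumped `github/codeql-action` pins in codeql-analysis.yml above.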
@@ -373,9 +373,16 @@ cppcheck: clean | |||
373 | scan-build: clean | 373 | scan-build: clean |
374 | scan-build $(MAKE) | 374 | scan-build $(MAKE) |
375 | 375 | ||
376 | # TODO: Old codespell versions (such as v2.1.0 in CI) have issues with | ||
377 | # contrib/syscalls.sh | ||
376 | .PHONY: codespell | 378 | .PHONY: codespell |
377 | codespell: clean | 379 | codespell: |
378 | codespell --ignore-regex "UE|creat|doas|ether|isplay|shotcut" src test | 380 | @printf 'Running %s...\n' $@ |
381 | @codespell --ignore-regex 'UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \ | ||
382 | -S *.gz,*.o,*.so \ | ||
383 | -S COPYING,m4 \ | ||
384 | -S ./contrib/syscalls.sh \ | ||
385 | . | ||
379 | 386 | ||
380 | .PHONY: print-env | 387 | .PHONY: print-env |
381 | print-env: | 388 | print-env: |
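Review bot: The new `-S *.gz,*.o,*.so` argument in the codespell recipe is an unquoted glob word, so the shell may expand it before codespell sees it if any path in the checkout happens to match the whole pattern (rare, but the other `-S` values are literal and do not have this hazard). Quoting it as `-S '*.gz,*.o,*.so'` passes the pattern through unchanged and matches how `--ignore-regex` on the line above is already single-quoted. The `@` prefix on that same line also hides the full codespell invocation from CI logs, which makes a failing run harder to reproduce locally; dropping it for the codespell line would help. This hunk has no file header on the page; the diffstat lists it under Makefile.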
@@ -363,7 +363,7 @@ firejail (0.9.62) baseline; urgency=low | |||
363 | * whitelisting /usr/share in a large number of profiles | 363 | * whitelisting /usr/share in a large number of profiles |
364 | * new scripts in contrib: gdb-firejail.sh and sort.py | 364 | * new scripts in contrib: gdb-firejail.sh and sort.py |
365 | * enhancement: whitelist /usr/share in some profiles | 365 | * enhancement: whitelist /usr/share in some profiles |
366 | * added signal mediation ot apparmor profile | 366 | * added signal mediation to apparmor profile |
367 | * new conditions: HAS_X11, HAS_NET | 367 | * new conditions: HAS_X11, HAS_NET |
368 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks | 368 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks |
369 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder | 369 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder |
@@ -758,7 +758,7 @@ firejail (0.9.44.4) baseline; urgency=low | |||
758 | 758 | ||
759 | firejail (0.9.44.2) baseline; urgency=low | 759 | firejail (0.9.44.2) baseline; urgency=low |
760 | * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) | 760 | * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) |
761 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson | 761 | * security: TOCTOU exploit for --get and --put found by Daniel Hodson |
762 | * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) | 762 | * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) |
763 | * security: several security enhancements | 763 | * security: several security enhancements |
764 | * bugfix: crashing VLC by pressing Ctrl-O | 764 | * bugfix: crashing VLC by pressing Ctrl-O |
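--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -151,8 +151,8 @@ def run_firejail(program, all_args):
 if arg:
 myargs.insert(-1, arg)
 subprocess.call(myargs)
-ans = input('Did %s run correctly? [y]/n ' % program)
-if ans in ['n', 'N']:
+answer = input('Did %s run correctly? [y]/n ' % program)
+if answer in ['n', 'N']:
 bad_args.append(arg)
 elif arg:
 good_args.insert(-1, arg)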
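--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -47,8 +47,9 @@ private-etc
 private-tmp
 writable-run-user
 
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
 
 # memory-deny-write-execute - breaks on Arch
 restrict-namespaces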
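--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -5,7 +5,7 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
 
-# fix automatical kwin_x11 sandboxing:
+# fix automatic kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
 
 noblacklist ${HOME}/.cache/kwin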
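--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -52,6 +52,10 @@ private-etc
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
 
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.mpd
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 
 read-only ${HOME}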
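Review bot: The new `dbus-user filter` block only owns `org.mpris.MediaPlayer2.mpd`, yet the `private-lib` context line in the same hunk keeps `libnotify.so.*`, which suggests the program also emits desktop notifications; under the filter, calls to the session-bus name `org.freedesktop.Notifications` would be blocked unless explicitly allowed. If that notification path is meant to keep working, `dbus-user.talk org.freedesktop.Notifications` belongs next to the `.own` line; if it is intentionally cut off, a comment such as `# notifications are blocked by the dbus filter on purpose` would stop the next reader from re-adding it. I cannot confirm from the hunk alone which behaviour is intended.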
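--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -41,4 +41,8 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
+
 restrict-namespaces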
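Review bot: `dbus-user.talk org.mpris.MediaPlayer2.mpd` lets the mpd daemon call the MPRIS name that mpDris2.profile in this same commit owns, but nothing in the hunk shows mpd itself acting as a session-bus client; if the daemon does not use the bus, `dbus-user none` is the tighter setting and the talk rule only widens what a compromised mpd process could reach. If there is a reason mpd needs the session bus, a one-line comment above the block naming it (e.g. `# mpd needs the MPRIS name for <reason>`) would make the grant reviewable. I cannot tell from the hunk alone which case applies.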
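--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tvbrowser
-# Description: java tv programm form tvbrowser.org
+# Description: java tv program form tvbrowser.org
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tvbrowser.local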
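--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -1,5 +1,5 @@
 # Firejail profile for twitch
-# Description: Unofficial electron based desktop warpper for Twitch
+# Description: Unofficial electron based desktop wrapper for Twitch
 # This file is overwritten after every install/update
 # Persistent local customizations
 include twitch.local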
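--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtube
-# Description: Unofficial electron based desktop warpper for YouTube
+# Description: Unofficial electron based desktop wrapper for YouTube
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local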
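--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtubemusic-nativefier
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local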