-rw-r--r-- | .github/workflows/build-extra.yml | 24 | ||||
-rw-r--r-- | .github/workflows/build.yml | 2 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 2 | ||||
-rw-r--r-- | .github/workflows/codespell.yml | 40 | ||||
-rw-r--r-- | Makefile | 11 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rwxr-xr-x | contrib/jail_prober.py | 4 | ||||
-rw-r--r-- | etc/profile-a-l/kwin_x11.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/tvbrowser.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/twitch.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/youtube.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/youtubemusic-nativefier.profile | 2 |
12 files changed, 64 insertions, 33 deletions
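--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -13,6 +13,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build.yml
       - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -35,6 +36,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build.yml
       - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -163,25 +165,3 @@ jobs:
       - run: cppcheck --version
       - name: cppcheck
         run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-  codespell:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            archive.ubuntu.com:80
-            azure.archive.ubuntu.com:80
-            github.com:443
-            packages.microsoft.com:443
-            ppa.launchpadcontent.net:443
-            security.ubuntu.com:80
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: update package information
-        run: sudo apt-get update -qy
-      - name: install dependencies
-        run: sudo apt-get install -qy codespell
-      - run: codespell --version
-      - name: codespell
-        run: make codespell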
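--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build-extra.yml
       - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -26,6 +27,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build-extra.yml
       - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml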
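--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build-extra.yml
       - .github/workflows/build.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -40,6 +41,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build-extra.yml
       - .github/workflows/build.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml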
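--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,40 @@
+name: Codespell
+
+on:
+  push:
+    paths-ignore:
+      - 'm4/**'
+      - COPYING
+  pull_request:
+    paths-ignore:
+      - 'm4/**'
+      - COPYING
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  codespell:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install dependencies
+        run: sudo apt-get install -qy codespell
+      - name: configure
+        run: ./configure || (cat config.log; exit 1)
+      - run: codespell --version
+      - name: codespell
+        run: make codespell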
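Review bot: The `configure` step on new lines 36-37 carries no comment saying why a spell-check job runs ./configure, so it reads as a leftover copied from the build jobs. Presumably `make codespell` only works once configure has generated something the checked-in Makefile includes — confirm that, and record it above the step as `# make codespell needs the files ./configure generates`. The job this replaces in build-extra.yml (removed in the same commit) ran `make codespell` without a configure step, so the comment also tells a reader why the two differ.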
@@ -366,9 +366,16 @@ cppcheck: clean | |||
366 | scan-build: clean | 366 | scan-build: clean |
367 | scan-build $(MAKE) | 367 | scan-build $(MAKE) |
368 | 368 | ||
369 | # TODO: Old codespell versions (such as v2.1.0 in CI) have issues with | ||
370 | # contrib/syscalls.sh | ||
369 | .PHONY: codespell | 371 | .PHONY: codespell |
370 | codespell: clean | 372 | codespell: |
371 | codespell --ignore-regex "UE|creat|doas|ether|isplay|shotcut" src test | 373 | @printf 'Running %s...\n' $@ |
374 | @codespell --ignore-regex 'UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \ | ||
375 | -S *.gz,*.o,*.so \ | ||
376 | -S COPYING,m4 \ | ||
377 | -S ./contrib/syscalls.sh \ | ||
378 | . | ||
372 | 379 | ||
373 | .PHONY: print-env | 380 | .PHONY: print-env |
374 | print-env: | 381 | print-env: |
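Review bot: The exclusion patterns on new line 375, `-S *.gz,*.o,*.so`, are unquoted and reach the shell as one word containing glob characters; they are passed through literally only because no file name happens to match the comma-joined pattern. Since the target no longer depends on `clean` (old line 370), these exclusions are what keep build artifacts out of the scan, so the pattern should be handed to codespell verbatim regardless of shell globbing settings: `-S '*.gz,*.o,*.so' \`. The `-S COPYING,m4` and `-S ./contrib/syscalls.sh` lines contain no glob characters and can stay as they are.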
@@ -363,7 +363,7 @@ firejail (0.9.62) baseline; urgency=low | |||
363 | * whitelisting /usr/share in a large number of profiles | 363 | * whitelisting /usr/share in a large number of profiles |
364 | * new scripts in contrib: gdb-firejail.sh and sort.py | 364 | * new scripts in contrib: gdb-firejail.sh and sort.py |
365 | * enhancement: whitelist /usr/share in some profiles | 365 | * enhancement: whitelist /usr/share in some profiles |
366 | * added signal mediation ot apparmor profile | 366 | * added signal mediation to apparmor profile |
367 | * new conditions: HAS_X11, HAS_NET | 367 | * new conditions: HAS_X11, HAS_NET |
368 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks | 368 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks |
369 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder | 369 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder |
@@ -758,7 +758,7 @@ firejail (0.9.44.4) baseline; urgency=low | |||
758 | 758 | ||
759 | firejail (0.9.44.2) baseline; urgency=low | 759 | firejail (0.9.44.2) baseline; urgency=low |
760 | * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) | 760 | * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) |
761 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson | 761 | * security: TOCTOU exploit for --get and --put found by Daniel Hodson |
762 | * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) | 762 | * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) |
763 | * security: several security enhancements | 763 | * security: several security enhancements |
764 | * bugfix: crashing VLC by pressing Ctrl-O | 764 | * bugfix: crashing VLC by pressing Ctrl-O |
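--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -151,8 +151,8 @@ def run_firejail(program, all_args):
         if arg:
             myargs.insert(-1, arg)
         subprocess.call(myargs)
-        ans = input('Did %s run correctly? [y]/n ' % program)
-        if ans in ['n', 'N']:
+        answer = input('Did %s run correctly? [y]/n ' % program)
+        if answer in ['n', 'N']:
             bad_args.append(arg)
         elif arg:
             good_args.insert(-1, arg)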
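--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -5,7 +5,7 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
 
-# fix automatical kwin_x11 sandboxing:
+# fix automatic kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
 
 noblacklist ${HOME}/.cache/kwin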
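--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tvbrowser
-# Description: java tv programm form tvbrowser.org
+# Description: java tv program form tvbrowser.org
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tvbrowser.local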
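--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -1,5 +1,5 @@
 # Firejail profile for twitch
-# Description: Unofficial electron based desktop warpper for Twitch
+# Description: Unofficial electron based desktop wrapper for Twitch
 # This file is overwritten after every install/update
 # Persistent local customizations
 include twitch.local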
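--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtube
-# Description: Unofficial electron based desktop warpper for YouTube
+# Description: Unofficial electron based desktop wrapper for YouTube
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local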
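--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtubemusic-nativefier
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local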