firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	microsoft-edge-{dev,beta}: replaced private-opt by whitelist #5307	Quentin RETORNAZ	2022-08-11
\|
*	microsoft-edge.profile: rewrite profile for stable channel	Quentin RETORNAZ	2022-08-11
\| \| \| \| \| \|	* replaced private-opt by whitelist #5307 * added stable channel config dirs to disable-programs.inc
*	fix(audacity): !5281 sharedlib bug on Arch/Fedora (#5300)	Christopher Morrow	2022-08-10
\| \| \| \| \| \| \| \| \| \| \|	* fix(audacity): !5281 sharedlib bug on Arch/Fedora removed `private-bin` line from audacity profile as it appears to block access to shared libraries needed to start audacity on some distributions. Relates to github issue #5281 * fix(audacity): Disabling apparmor and reenabling private-bin
*	Merge pull request #5299 from pirate486743186/description-makepkg	Kelvin M. Klann	2022-08-10
\|\ \| \| \| \|	makepkg: add description
\| *	makepkg.profile: add description	pirate486743186	2022-08-10
\| \|
* \|	new profile: gdu (#5289)	glitsj16	2022-08-09
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* add gdu to 'new profiles' section * Create gdu.profile * add gdu to firecfg * harden gdu sandbox * fix protocol * simulate empty protocol in gdu * more user-friendly gdu sandboxing
* \|	build(deps): bump github/codeql-action from 2.1.17 to 2.1.18	dependabot[bot]	2022-08-08
\|/ \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.17 to 2.1.18. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0c670bbf0414f39666df6ce8e718ec5662c21e03...2ca79b6fa8d3ec278944088b4aa5f46912db5d63) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
*	build(deps): bump github/codeql-action from 2.1.16 to 2.1.17	dependabot[bot]	2022-08-03
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.16 to 2.1.17. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/3e7e3b32d0fb8283594bb0a76cc60a00918b0969...0c670bbf0414f39666df6ce8e718ec5662c21e03) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
*	RELNOTES: add build and ci items	Kelvin M. Klann	2022-08-01
\| \| \| \|	Relates to #5248 #5249 #5251.
*	RELNOTES: add feature: Warn when encountering EIO during remount	Kelvin M. Klann	2022-08-01
\| \| \| \|	Relates to #5240 #5242.
*	Merge pull request #5259 from smitsohu/ns	smitsohu	2022-07-31
\|\ \| \| \| \|	introduce new option restrict-namespaces
\| *	introduce new option restrict-namespaces	smitsohu	2022-07-23
\| \|
\| *	protocol filter: add x32 ABI handling	smitsohu	2022-07-19
\| \|
* \|	Merge pull request #5271 from smitsohu/nnp	smitsohu	2022-07-31
\|\ \ \| \| \| \| \| \|	improve force-nonewprivs security guarantees
\| * \|	improve force-nonewprivs security guarantees	smitsohu	2022-07-24
\| \| \|
* \| \|	Merge pull request #5251 from kmk3/build-add-autoconf-comment	smitsohu	2022-07-31
\|\ \ \ \| \| \| \| \| \| \| \|	build: add autoconf auto-generation comment to input files
\| * \| \|	build: add autoconf auto-generation comment to input files	Kelvin M. Klann	2022-07-16
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	To note on the output files that they are generated and to clarify how they are generated. From the manual of GNU Autoconf (version 2.69): > -- Variable: configure_input > A comment saying that the file was generated automatically by > 'configure' and giving the name of the input file. 'AC_OUTPUT' > adds a comment line containing this variable to the top of every > makefile it creates. For other files, you should reference this > variable in a comment at the top of each input file. For > example, an input shell script should begin like this: > > #!/bin/sh > # @configure_input@ > > The presence of that line also reminds people editing the file > that it needs to be processed by 'configure' in order to be used. Resulting output on config.mk: # config.mk. Generated from config.mk.in by configure. Relates to #5140.
* \| \| \|	Merge pull request #5249 from kmk3/ci-ignore-git-paths	smitsohu	2022-07-31
\|\ \ \ \ \| \| \| \| \| \| \| \| \| \|	ci: ignore git-related paths and the project license
\| * \| \| \|	ci: ignore git-related paths and the project license	Kelvin M. Klann	2022-07-12
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Add the following paths to the ignore lists: - .git-blame-ignore-revs - .gitignore - COPYING To avoid running CI unnecessarily. Commands used to show only the root files: $ git ls-files \| grep -v / Misc: I noticed the missing paths on #5248.
* \| \| \| \|	Merge pull request #5248 from kmk3/build-gitignore-distdir	smitsohu	2022-07-31
\|\ \ \ \ \ \| \| \| \| \| \| \| \| \| \| \| \|	build: add dist build directory to .gitignore
\| * \| \| \| \|	build: add dist build directory to .gitignore	Kelvin M. Klann	2022-07-12
\| \|/ / / / \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Ignore it only on the repository root path, as a directory that matches `firejail-` could eventually be added. Note that the dist archive is already ignored since commit da6b131c3 ("chore(.gitignore) ignore built packages", 2018-01-15) / PR #1733. Example paths: build dir: firejail-0.9.71/ * archive: firejail-0.9.71.tar.xz See `$(NAME)-$(VERSION)` and `$(NAME)-$(VERSION).tar.xz` in the "dist" target on the root Makefile.
* \| \| \| \|	update m4 macro from autoconf-archive (2022.02.11)	Reiner Herrmann	2022-07-31
\| \| \| \| \|
* \| \| \| \|	Merge pull request #5275 from netblue30/ci_ubuntu_2204	Reiner Herrmann	2022-07-30
\|\ \ \ \ \ \| \| \| \| \| \| \| \| \| \| \| \|	CI: bump ubuntu to 22.04 and use newer compilers / analyzers
\| * \| \| \| \|	CI: keep old cppcheck job and ignore two files in new job that take too long ↵	Reiner Herrmann	2022-07-30
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	to check
\| * \| \| \| \|	CI: bump ubuntu to 22.04 and use newer compilers / analyzers	Reiner Herrmann	2022-07-30
\| \| \| \| \| \|
\| * \| \| \| \|	tests: disable calling curl in dns test, as systemd-resolved is used on CI ↵	Reiner Herrmann	2022-07-30
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	runner
\| * \| \| \| \|	tests: try curl instead of wget for tracing dns resolution	Reiner Herrmann	2022-07-30
\| \| \| \| \| \|
\| * \| \| \| \|	tests: add alternative message for skipping test	Reiner Herrmann	2022-07-30
\| \| \| \| \| \|
\| * \| \| \| \|	tests: drop checking for hosts file in trace test	Reiner Herrmann	2022-07-30
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	firejail is no longer detecting that /etc/hosts is getting opened. in strace it can still be seen that the file is opened via syscall, but on C library layer (which firejail is tracing) it's probably implemented differently now.
\| * \| \| \| \|	CI: fix wrong matching for test errors	Reiner Herrmann	2022-07-30
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	grep was returning non-zero exit code if it did NOT find the error marker, and zero if it did.
\| * \| \| \| \|	Make list of paths const to fix a false positive of gcc analyzer	Reiner Herrmann	2022-07-30
\| \| \| \| \| \|
\| * \| \| \| \|	zero-initialize two variables	Reiner Herrmann	2022-07-30
\| \| \| \| \| \|
\| * \| \| \| \|	CI: build all jobs with apparmor / selinux to cover more code	Reiner Herrmann	2022-07-30
\|/ / / / /
* \| \| \| \|	Deny Tor related profiles access to /sys/class/net	Tad	2022-07-23
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This directory contains the MAC address for connections available Tested working with torbrowser-launcher and onionshare Signed-off-by: Tad <tad@spotco.us>
* \| \| \| \|	viewnior.profile: allow accessing its /usr/share directory (#5270)	NetSysFire	2022-07-23
\| \|_\|/ / \|/\| \| \|
* \| \| \|	build(deps): bump github/codeql-action from 2.1.15 to 2.1.16	dependabot[bot]	2022-07-22
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.15 to 2.1.16. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/3f62b754e23e0dd60f91b744033e1dc1654c0ec6...3e7e3b32d0fb8283594bb0a76cc60a00918b0969) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* \| \| \|	apparmor cleanup	smitsohu	2022-07-20
\| \|_\|/ \|/\| \|
* \| \|	remmina.profile: allow python3 (#5253)	NetSysFire	2022-07-17
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* remmina.profile: allow python * Update etc/profile-m-z/remmina.profile Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* \| \|	refresh syscall groups (#5188)	smitsohu	2022-07-17
\| \|/ \|/\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	now covers syscalls up to including process_madvise (440) group assignment was blindly copied from systemd: https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305 the only exception is close_range, which was added to both @basic-io and @file-system this commit adds the following syscalls to the default blacklist: pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
* \|	refresh and sort syscall tables	smitsohu	2022-07-15
\|/ \| \| \| \| \|	produced using commands documented in src/lib/syscall.c: awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_64.h awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_32.h
*	RELNOTES: add build items (plus commands)	Kelvin M. Klann	2022-07-12
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The following leverages the fact that when using a normal merge (as opposed to "rebase and merge" or "squash and merge") on GitHub, the pull request number is put in the commit message title and the title of the PR is added to the commit message body. Commands used to find and print the items for the RELNOTES: $ git log --grep='^build:' --merges --reverse --pretty='%s %b' 0.9.70.. \| sed -E -n 's/Merge pull request (#[0-9]+) from [^ ]+ (.)/ \2 (\1)/p' * build: deduplicate configure-time vars into new config files (#5140) * build: fix file mode of shell scripts (644 -> 755) (#5206) * build: reduce autoconf input files from 32 to 2 (#5219) Commands used to generate the message below: $ git log --grep='^build:' --merges --reverse --pretty='%s %b' 0.9.70.. \| sed -E -n 's/Merge pull request (#[0-9]+)./\1/p' \| sort \| tr '\n' ' ' \| sed -E 's/^(.) /Relates to \1./' Relates to #5140 #5206 #5219. Relates to #5140 #5206 #5219.
*	tweaks	smitsohu	2022-07-12
\|
*	always assert runfile mode and ownership	smitsohu	2022-07-12
\|
*	minor sandbox lock improvements	smitsohu	2022-07-11
\|
*	cleanup	smitsohu	2022-07-11
\|
*	remove dependency on sendfile syscall	smitsohu	2022-07-11
\|
*	simplify put option	smitsohu	2022-07-11
\| \| \| \| \|	copy using file descriptors, similar to implementation of get option
*	aria2c.profile: add comment to winetricks workaround	Kelvin M. Klann	2022-07-11
\| \| \| \| \| \| \| \|	As a reminder to create a profile for winetricks instead of allowing access to its paths to programs used by winetricks (see #5238). Added on commit 0ec1c66b5 ("aria2c.profile: allow access to ~/.cache/winetricks") / PR #5238.
*	testing fix	netblue30	2022-07-10
\|
*	Merge pull request #5242 from alkim0/master	netblue30	2022-07-10
\|\ \| \| \| \|	Warn when encountering EIO during remount