Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.5 to 3.24.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/47b3d888fe66b639e431abf22ebca059152f1eea...8a470fddafa5cbb6266ee11b37ef4d8aae19c571)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Relates to #6217 #6222 #6228 #6230.
|
build: reduce hardcoding and inconsistencies
|
For consistency and to make it clearer where jobs differ (for example,
to see where `--enable-analyzer` is used).

Changes:

* Always use --prefix=/usr and --enable-fatal-warnings (except in the
  Alpine job due to current warnings; see #6224)
* Use the same argument order

Note: mkdeb.sh and platform/rpm/mkrpm.sh already pass `--prefix=/usr` to
./configure.
|
Currently the number of make jobs used for the default build target is
hardcoded and the value used varies across files.

For consistency (and potentially better performance), use
`make -j "$(nproc)"` everywhere that `make -j` is currently used.

Kind of relates to commit 500d8f2d6 ("ci: run make in parallel where
applicable", 2023-08-14) / PR #5960.
|
Line-wrap the file and sort ./configure arguments.
|
Format it for readability and update the descriptions to match the
current jobs.
|
To make it easier to compare and edit the main apt-based jobs in
.gitlab-ci.yml.
|
test/ also contains source code and cppcheck checks it:

    $ make cppcheck | grep 'Checking test/'
    Checking test/appimage/main.c ...
    Checking test/chroot/unchroot.c ...
    Checking test/filters/namespaces.c ...
    Checking test/seccomp-extra/memwrexe.c ...

So make sure that it is included in the CI trigger paths.
|
Sync the build and build-clang jobs.
|
To reduce hardcoding.
Note that this reduces duplication but the value is still hardcoded in
the job; it is not sourced from TARNAME in config.mk.
|
To reduce TARNAME hardcoding.
Added on commit 6a89ab023 ("ci: run firejail --version after
build/install", 2022-05-16) / PR #5148.
|
To reduce TARNAME hardcoding.
|
Profile for Ledger Live desktop app
|
/opt/ledger-live installation currently sits at 345 MiB, so I decided to
whitelist it instead of using private-opt ledger-live, in case future
installations grow in size.
Not using private-dev was the only way I managed to get my USB wallet to
work.
|
landlock: use "landlock.fs." prefix in filesystem commands
|
Since Landlock ABI v4 it is possible to restrict actions related to the
network and potentially more areas will be added in the future.

So use `landlock.fs.` as the prefix in the current filesystem-related
commands (and later `landlock.net.` for the network-related commands) to
keep them organized and to match what is used in the kernel.

Examples of filesystem and network access flags:

* `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
* `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
* `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
* `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a
  remote port.

Relates to #6078.
|
Relates to #6078.
|
New profile: virt-manager
|
New profile: gnome-boxes
|
multimc: instances not running, because of missing permissions
|
When starting an instance, a failed attempt to load the lwjgl library is
shown in the logs and the game doesn't run.

The library is in the /tmp directory. The reason for this appears to be
that, in the lwjgl source code, the shared library loading function
extracts into the temporary directory and continues from there.
This is fixed by whitelisting.

The reason for adding "ignore noexec /tmp" as well is that, without it, the
game can't run, even if the directory is whitelisted. It seems the library
needs to be loaded from /tmp.

A second error for a failed attempt to access /home/user/.cache/JNA is also
shown in the logs. This is also fixed by whitelisting.
|
build: allow overriding certain tools & sync targets with CI
|
Changes:
* Use --status-bugs in the scan-build target to exit with an error if
  bugs are found
* Call the make target in the CI job
|
Changes:
* Use the same command from the cppcheck CI job in the cppcheck target
* Add cppcheck-old target based on the cppcheck_old CI job
* Call the make targets in CI to avoid duplicating the commands
|
Allow overriding the following tools at configure-time and build-time:

* codespell
* cppcheck
* gawk
* scan-build

For example, instead of hardcoding `gawk`, enable overriding it at
configure-time with:

    ./configure GAWK=/path/to/gawk

To override it for a single `make` invocation:

    make GAWK=/path/to/gawk

Also, add default values for the programs that are not found (rather
than leaving the variables empty), to make error messages clearer when
trying to run them:

    $ make CPPCHECK= cppcheck-old
    [...]
    force --error-exitcode=1 --enable=warning,performance .
    make: force: No such file or directory
    $ make CPPCHECK=cppcheck cppcheck-old
    [...]
    cppcheck --force --error-exitcode=1 --enable=warning,performance .
    make: cppcheck: No such file or directory
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.24.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/379614612a29c9e28f31f39a59013eb8012a51f0...47b3d888fe66b639e431abf22ebca059152f1eea)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Drop paths present in etc/inc/whitelist-usr-share-common.inc from
profiles that include it.
|
build: move errExit macro into inline function
|
Move most of the `errExit` macro into a new `_errExit` inline function
and use the former just to forward arguments to the latter.

This reduces the noise in the build output when using `-fanalyzer`, as
it causes the `errExit` macro to stop being expanded.

For example, the complete output of the following warning in
src/firejail/dbus.c is reduced from 243 lines to 141 lines (a ~41%
reduction):

    $ pacman -Q gcc
    gcc 13.2.1-5
    $ ./configure --enable-apparmor --enable-analyzer >/dev/null &&
      make clean >/dev/null && make >/dev/null
    [...]
    ../../src/firejail/dbus.c: In function ‘dbus_proxy_start’:
    ../../src/firejail/dbus.c:311:36: warning: leak of file descriptor ‘dup2(output_fd, 1)’ [CWE-775] [-Wanalyzer-fd-leak]
    311 | if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
    [...]
    ‘dbus_create_user_dir’: event 5
    |
    |../../src/firejail/../include/common.h:42:25:
    | 42 | #define errExit(msg) do { \
    | | ^
    | | |
    | | (5) ...to here
    ../../src/firejail/dbus.c:239:17: note: in expansion of macro ‘errExit’
    | 239 | errExit("asprintf");
    | | ^~~~~~~
    [...]

Relates to #6190.
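
An added C example of the pattern this commit message describes, not firejail's own code: the message format, the `err_prefix` and `errexit_status_in_child` helpers and the constructed `ENOMEM` failure are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build "Error file:line: func: msg" into out; returns snprintf()'s result. */
static inline int err_prefix(char *out, size_t n, const char *file, int line,
                             const char *func, const char *msg) {
    return snprintf(out, n, "Error %s:%d: %s: %s", file, line, func, msg);
}

/* The body that would otherwise sit in the macro. As a real function it is
 * one call on an analyzer path rather than an expansion at every call site. */
static inline void __attribute__((noreturn))
_errExit(const char *file, int line, const char *func, const char *msg) {
    char buf[256];
    err_prefix(buf, sizeof(buf), file, line, func, msg);
    perror(buf);    /* appends ": <strerror(errno)>" on stderr */
    exit(1);
}

/* The macro only forwards. It has to remain a macro so that __FILE__,
 * __LINE__ and __func__ are evaluated where errExit() is written. */
#define errExit(msg) _errExit(__FILE__, __LINE__, __func__, (msg))

/* Hypothetical demo helper: trigger errExit() in a child process and
 * return the child's exit status (-1 if fork/wait fails). */
static int errexit_status_in_child(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        errno = ENOMEM;    /* constructed failure, as if asprintf() failed */
        errExit("asprintf");
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("child exit status: %d\n", errexit_status_in_child());
    return 0;
}
```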
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.0 to 3.24.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/e8893c57a1f3a2b659b6b55564fdfdbbd2982911...379614612a29c9e28f31f39a59013eb8012a51f0)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
nextcloud: D-Bus filtering changes
|
Profile for Electron Cash
|
Profile for RawTherapee
|
Currently it is the only part of the build that prints to stderr on a
normal build, which makes it harder to keep just the warnings and errors
in the output:

    $ ./configure >/dev/null && make clean >/dev/null &&
      make -j "$(nproc)" >/dev/null
    static ip map: input 5998, output 2490

Added on commit f3774678f ("compress static ip map for fnettrace at
compile time", 2023-07-06).