| Commit message (Collapse) | Author | Age |
| |
To try to fix the following errors[1] [2]:

    runner@fv-az298-480:~/work/firejail/firejail/test/utils$
    <irejail --build wget --output-document=~ debian.org
    [...]
    Resolving www.debian.org (www.debian.org)... 128.31.0.62
    Connecting to www.debian.org (www.debian.org)|128.31.0.62|:443... connected.
    TESTING ERROR 13

    runner@fv-az305-745:~/work/firejail/firejail/test/sysutils$
    <ysutils$ firejail --ignore=quiet wget -q debian.org
    [...]
    Child process initialized in 106.89 ms
    TESTING ERROR 2

[1] https://github.com/netblue30/firejail/actions/runs/5996420917/job/16278071977?pr=5979
[2] https://github.com/netblue30/firejail/actions/runs/5996420917/job/16278071219?pr=5979
| |
Commit 3077b2d1f blacklists `${PATH}/patch` in disable-devel.inc[1]. We
need to noblacklist it in the profiles that need it.
[1] https://github.com/netblue30/firejail/commit/3077b2d1ff6c6e26a83487ae460985157b5c61fd
| |
Which also blacklists ~/.cargo.
Note that ~/.rustup is the only `${HOME}` entry in disable-devel.inc.
Added on commit 8d9b12d1c ("New profiles + fixes + hardening",
2020-09-14).
| |
It was broken likely due to `private-dev` being added to default.profile
on commit 307dad542 ("adding private-tmp and private-dev to
default.profile", 2023-08-20).
So ignore `private-dev` in the test and make sure to run the tests when
default.profile changes.
This amends commit 75cefd5b1 ("tests: fix error when /dev/kmsg is
missing", 2023-08-21).
| |
`dh_*` and `fakeroot` can be used when building .deb packages; they are
not part of autoconf/automake.
| |
And fix a few inconsistent comments.
| |
As of commit 96beb3358, `fakeroot` is blacklisted in disable-common.inc,
which may break makepkg and other build-related tools; cfr [1].
[1] https://github.com/netblue30/firejail/commit/96beb3358c430a5e470ce02fd64ffc3f7fc23706#r125237349.
| |
Relates to #5942 #5955 #5956 #5960.
| | |
ci: whitelist paths, reorganize workflows & speed-up tests
| | |
Considering the most recent runs, this reduces the total amount of time
it takes to run the tests from about 9-10 minutes to about 3 minutes.
Note: Which jobs are split is mostly determined by how long each test
takes.
For example, this is the time each test step took in a run of
`build_and_test` (10m17s total for the job) on commit bfcf8bc31 ("Merge
pull request #5956 from kmk3/build-fix-dep-syntax", 2023-08-14)[1]:
* 17s test-seccomp-extra
* 1s test-firecfg
* 16s test-capabilities
* 6s test-apparmor
* 10s test-appimage
* 10s test-chroot
* 41s test-sysutils
* 24s test-private-etc
* 40s test-profiles
* 4s test-fcopy
* 2s test-fnetfilter
* 98s test-fs
* 103s test-utils
* 57s test-environment
* 69s test-network
[1]: https://github.com/netblue30/firejail/actions/runs/5860927500/job/15890009169
| | |
Move scan-build, cppcheck and CodeQL (cpp).
This is similar to build-extra.yml, but for jobs that check for issues
in the code rather than checking for build failures.
Note: As this deletes codeql-analysis.yml, its configuration also has to
be deleted in the GitHub web UI to prevent it from warning about the
file being missing:
* Security -> Code scanning -> Tool status -> (Setup Types) CodeQL ->
(Configurations) language:python -> Delete configuration
Misc: The above was clarified by @topimiettinen[1].
[1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643
| | |
Do so when the output of the given job is not important.
For example, when the output of another job can be used for debugging
build-related issues.
| | |
Testing takes significantly longer than building, so this makes the
default build check faster.
| | |
All of the current workflows are used for CI.
| | |
Only run the CodeQL Python analysis if a .py file is changed.
| | |
Note: When generating a new workflow, the permissions do not have
comments anymore.
| | |
That is, replace `paths-ignore` with `paths`.
This should reduce the number of unnecessary workflow executions and the
frequency at which paths are changed. It also reduces the overall
number of paths used.
Also, add the missing ci/printenv.sh to the path whitelists.
| | |
And limit the output of `diff` in the test to avoid logging thousands of
lines of a hexdump.
Likely broken by commit 3077b2d1f ("update disable-devel.inc",
2023-08-22)[1].
[1] https://github.com/netblue30/firejail/actions/runs/5945120115/job/16123622451
| | | |
This partially reverts commit d94f54736 ("disable all ssh utilities in
disable-common.inc", 2023-08-20).
Certain files in ~/.ssh are only used by sshd (not by ssh), so always
blacklist them.
Also, ssh itself does not need write access to the configuration files,
so make them read-only by default.
For details, see commit 2ec3f3a96 ("disable-common.inc: add missing
openssh paths", 2021-01-09) / PR #3885.
Cc: @netblue30
| | | |
This is breaking test-fs in CI since at least commit f37cd57cd ("disable
all /bin/dpkg* programs in disable-common.inc", 2023-08-20)[1].
[1] https://github.com/netblue30/firejail/actions/runs/5918495917/job/16062400120
| | |
build: add missing makefile dep & syntax improvements
| | |
Escape `.` only when generating the syntax files rather than directly in
the syntax lists, so that the latter contain the command names as is.
This also makes the escaping apply to the arg1 syntax list as well.
Note: Double escaping (`\\\\.`) is used in `regex_fromlf` because its
output is used in another sed replacement (where it needs to be `\\.`).
Relates to #5627.
| | |
Relates to #5627.
| | |
Make the non-phony targets that are defined in the root Makefile depend
on it, to ensure that they get re-generated if their recipes change.
Note that these targets are generated nearly instantly, so this should
not noticeably affect rebuild times.
Relates to #5627.
| | | |
build: codespell improvements
| | | |
Ignore only third-party/vendored files (such as license files and files
in m4/).
And ignore more words to fix the following errors:

    $ make codespell
    Running codespell...
    ./README:484: als ==> also
    ./README:646: Shotcut ==> Shortcut
    ./RELNOTES:516: als ==> also
    ./etc/inc/disable-common.inc:506: chage ==> change, charge
    ./etc/apparmor/firejail-default:35: readby ==> read, read by
    ./etc/apparmor/firejail-default:36: readby ==> read, read by
    ./etc/profile-a-l/als.profile:1: als ==> also
    ./etc/profile-a-l/als.profile:5: als ==> also
    make: *** [Makefile:374: codespell] Error 65
    $ codespell --version
    2.2.5
| | | |
Since it runs through make, the target may depend on variables that are
defined by ./configure (such as the ones in config.mk).
| | | |
Split the spellchecking job from the build-related jobs to make
debugging easier.
| | | |
It works just fine without it (at least for the files in src/).
Note that by default codespell does not warn about binary files ("The
default mask is 34"):

    $ make -j "$(nproc)" >/dev/null
    $ make codespell
    codespell --ignore-regex "UE|creat|doas|ether|isplay|shotcut" src test
    $ codespell --version
    2.2.5
    $ codespell --help
    [...]
      -q QUIET_LEVEL, --quiet-level QUIET_LEVEL
                            bitmask that allows suppressing messages:
                            - 0: print all messages.
                            - 1: disable warnings about wrong encoding.
                            - 2: disable warnings about binary files.
                            - 4: omit warnings about automatic fixes that were
                              disabled in the dictionary.
                            - 8: don't print anything for non-automatic fixes.
                            - 16: don't print the list of fixed files.
                            - 32: don't print configuration files.
                            As usual with bitmasks, these levels can be combined;
                            e.g. use 3 for levels 1+2, 7 for 1+2+4, 23 for
                            1+2+4+16, etc. The default mask is 34.

Also, note that adding many ignore patterns (such as all of the ones in
.gitignore) makes it slower than letting codespell find and skip binary
files by itself. So just add the most common ones, which do not
noticeably change how fast codespell runs either but they do reduce the
noise when running with `-q 0`.
Homepage: https://github.com/codespell-project/codespell
Added on commit d78fc96ee ("codespell github action", 2023-03-05).
| | |
Found by simply running `codespell .`.
Environment: codespell 2.2.5-2 on Artix Linux.
| | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.2 to 2.21.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0ba4244466797eb048eb91a6cd43d5c03ca8bd05...5b6282e01c62d02e720b81eb8a51204f527c3624)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
| |
mpDris2 brings MPRIS2 support to MPD:
https://github.com/eonpatapon/mpDris2
| |
Change the old .txt paths into the new .in paths.
This amends commit 76bd5ad0f ("build: simplify code related to man
pages", 2023-07-12) / PR #5898.
| |
This fixes the following errors:

    $ make clean
    [...]
    cd test/compile; ./compile.sh --clean; cd ../..
    ./compile.sh: line 55: TARNAME: command not found
    ./compile.sh: line 55: VERSION: command not found

This amends commit 200f389ed ("build: use config.sh in more scripts",
2023-07-28) / PR #5927.
| | |
build(deps): Update step-security/harden-runner and update allowed endpoints
| | |
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
| |
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>