| Commit message | Author | Age |
|
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.22.12 to 3.23.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/012739e5082ff0c22ca6d6ab32e07c36df03c4a4...e5f05b81d5b6ff8cfa111c80c22c5fd02a384118)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
To ensure that it includes luajit paths as well:
* /usr/share/lua
* /usr/share/luajit-2.1
And remove all entries of the same path without the wildcard, to avoid
redundancy.
Misc: The wildcard entries were added on commit 56b60dfd0 ("additional
Lua blacklisting (#3246)", 2020-02-24) and the entries without the
wildcard were partially removed on commit 721a984a5 ("Fix Lua in
disable-interpreters.inc", 2020-02-24).
This is a follow-up to #6128.
Reported-by: @pirate486743186
|
Added on commit 2d8ff695a ("WIP: Blacklist common programming
interpreters. (#1837)", 2018-04-02).
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.22.11 to 3.22.12.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/b374143c1149a9115d881581d29b8390bbcbb59c...012739e5082ff0c22ca6d6ab32e07c36df03c4a4)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Relates to #2097 #5876 #6032 #6078 #6109 #6115 #6125.
|
gropdf (`man -Tpdf`) needs Perl (see #6142).
|
Relates to #6104 #6126.
|
Reverted by commit 8f33e7284 ("Revert "Lookup xauth in PATH."",
2023-12-13) / PR #6129.
Relates to #6006 #6087.
|
For consistency; see the RELNOTES of version 0.9.68.
Added on commit db09546f2 ("remove LTS and FIRETUNNEL support",
2023-12-23).
|
Revert "Lookup xauth in PATH."
|
This reverts commit 407c05ebefe23e725f858b6170b3e52659e044a2.
If --private-lib is used (and firejail is configured with
--enable-private-lib), the following error occurs:
    $ firejail --quiet --noprofile --private-lib true
    firejail: fs_lib.c:56: find_in_path: Assertion `geteuid() != 0' failed.
    Error: proc 10000 cannot sync with peer: unexpected EOF
    Peer 10001 unexpectedly killed (Segmentation fault)
Given that it causes an uid assertion failure, the logic appears to not
be correct and the current behavior may be unsafe, so for now revert
that commit until the issue is properly addressed.
Relates to #6006 #6087.
Fixes #6113.
|
mpv: whitelist /usr/share/mpv
|
Use case: You install scripts in `/usr/share/mpv` but they remain
inactive. You then symlink them to `/etc/mpv` to activate them if you
want.
|
build: mkrpm.sh: append instead of override configure args
|
For consistency with mkdeb.sh.
Note: The default arguments and support for argument overriding were
added to mkrpm.sh on commit 3d97332fd ("Add configure options when
building rpm (#3422)", 2020-05-19).
The support for appending arguments was added to mkdeb.sh on commit
9a0fbbd71 ("mkdeb.sh.in: pass remaining arguments to ./configure",
2022-05-13) / PR #5154.
|
landlock: move commands into profile and add landlock.enforce
|
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
|
Avoid checking if Landlock is supported in ll_add_profile(), as it may
result in a warning being printed in ll_is_supported() in the next
commit.
Relates to #6078.
|
Relates to #6078.
|
This includes macros such as `${HOME}` and `${RUNUSER}`, but not
`${PATH}`, which may expand to multiple strings.
Relates to #6078.
|
minecraft-launcher.profile: allow keyring access
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.9 to 3.22.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2...b374143c1149a9115d881581d29b8390bbcbb59c)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Some plugins may require it[1]:
    error: os_dlopen([...]): libluajit-5.1.so.2: [...]: Permission denied
    warning: Module '/usr//lib/obs-plugins/frontend-tools.so' not loaded
[1] https://github.com/netblue30/firejail/issues/6130#issue-2040800338
|
The build on Alpine fails due to `__u32` not being defined. It seems
that musl itself does not define it, so linux/types.h would have to be
included (for example, by including linux/landlock.h).
Error from `build_src_package`[1]:
    make -C src/firejail/
    make[1]: Entering directory '/builds/Firejail/firejail_ci/src/firejail'
    gcc [...] -DMOD_DIR='"src/firejail"' [...] -c appimage.c -o appimage.o
    In file included from appimage.c:23:
    firejail.h:977:17: error: unknown type name '__u32'
      977 | int ll_restrict(__u32 flags);
          |                 ^~~~~
    make[1]: Leaving directory '/builds/Firejail/firejail_ci/src/firejail'
    make[1]: *** [../../src/prog.mk:16: appimage.o] Error 1
    make: *** [Makefile:58: src/firejail/firejail] Error 2
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
[1] https://gitlab.com/Firejail/firejail_ci/-/jobs/5729692038
|
Changes:
* Print everything to stderr (to ensure that the messages are shown in
order)
* Print debug messages at the beginning of most functions
* Include the function name and access flags used
Relates to #6078.
|
curl supports several locations for the rc file according to its man
page:
    [...]
    When curl is invoked, it (unless -q, --disable is used) checks for a
    default config file and uses it if found, even when -K, --config is
    used. The default config file is checked for in the following places in
    this order:
    1) "$CURL_HOME/.curlrc"
    2) "$XDG_CONFIG_HOME/curlrc" (Added in 7.73.0)
    3) "$HOME/.curlrc"
    [...]
|
This fixes Fractal 5 not opening on Void Linux due to it failing to
access "/usr/share/fractal/resources.gresource".
Fixes #6119.
Reported-by: @mhmdana
Suggested-by: @rusty-snake
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.8 to 2.22.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/407ffafae6a767df3e0230c3df91b6443ae8df75...c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Functions with `...` as the first parameter appear to be unsupported in
older versions of gcc, as they fail to compile. Examples:
Error from gcc 9.5.0-1ubuntu1~16.04.sav1 on Ubuntu 16.04:
    [...]
    In file included from appimage.c:23:
    firejail.h:981:27: error: ISO C requires a named argument before ‘...’
      981 | static inline int ll_read(...) { return 0; }
          |                           ^~~
Warning from gcc 13.2.1-3 on Artix Linux:
    $ ./configure --disable-landlock >/dev/null && make clean >/dev/null &&
      make EXTRA_CFLAGS+='-std=c99 -Wpedantic -Wno-error'
    [...]
    gcc -ggdb -O2 -DVERSION='"0.9.73"' -DMOD_DIR='"src/firejail"' [...]
    In file included from appimage.c:23:
    firejail.h:982:27: warning: ISO C requires a named argument before ‘...’ before C2X [-Wpedantic]
      982 | static inline int ll_read(...) { return 0; }
          |                           ^~~
Fixes #6115.
Relates to #6078.
|
Geary uses bubblewrap now.
Fixes #6103.
|
The relevant functions are all identical except for the access flags
used.
Relates to #6078.
|
When a new landlock entry is parsed from a profile, the first entry in
the `cfg.lprofile` list is being set as the next/second entry and the
new entry is being set as the first entry in the list, so all entries
are being processed from last to first.
This commit makes the behavior of ll_add_profile() match the one from
profile_add() in src/firejail/profile.c so that the entries are
processed in the same order that they are parsed.
This amends commit b94cc754a ("landlock: apply rules in sandbox before
app start", 2023-10-26) / PR #6078.
|
This amends commit 520508d5b ("landlock: avoid parsing landlock commands
twice", 2023-11-02) / PR #6078.
|
To avoid confusion, only return a new ruleset and let the caller set the
global one.
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
For consistency with the other functions that have no parameters.
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
This amends commit d10bf154a ("landlock: detect support at runtime",
2023-11-06) / PR #6078.
|
This amends commit d10bf154a ("landlock: detect support at runtime",
2023-11-06) / PR #6078.
|
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
Fix formatting and wrong/outdated information.
This amends commit 6d0559de7 ("landlock: update README.md, small fix in
man firejal; update profile stats in README.md", 2023-12-04).
Relates to #6078.
|