| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
| |
Added on commit d1acb31c9 ("compile time: enable LTS", 2021-02-28).
It only needs to be called once for each variable. See the configure
script diff and the previous commit ("configure*: Move AC_SUBST calls to
more obvious places").
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These macros should always be called regardless of the intended value of
each variable, as even if e.g.: no --enable-apparmor flag is given, the
configure script still has to substitute `@HAVE_APPARMOR@` with blank in
the relevant files.
Something similar is already being done for HAVE_OVERLAYFS since commit
fb9f2a5fb ("disabled overlayfs, fixes pending; added video channels to
README* files", 2021-02-06).
Note that each AC_SUBST is not immediately converted into search/replace
code when generating the configure script. It appears that the
variables are handled only after parsing all of configure.ac (or until a
specific command is found), as all arguments passed to every AC_SUBST
call are defined at once on the `ac_subst_vars` list. The actual
substitutions are also done all at once (while iterating through the
list) and that happens much later in the script (see both occurrences of
`ac_subs_vars` on the current script).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For increased safety and consistency. In addition, this should make it
clearer where each argument starts and ends.
See also the following item from autoconf NEWS[1]:
> * Noteworthy changes in release 2.70 (2020-12-08) [stable]
[...]
> *** Many macros have become pickier about argument quotation.
>
> If you get a shell syntax error from your generated configure
> script, or seemingly impossible misbehavior (e.g. entire blocks of
> the configure script not getting executed), check first that all
> macro arguments are properly quoted. The “M4 Quotation” section of
> the manual explains how to quote macro arguments properly.
>
> It is unfortunately not possible for autoupdate to correct
> quotation errors.
[1] https://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=blob;f=NEWS;h=ba418d1af5da752de77a2c388f9af56f8f1bf6a4;hb=97fbc5c184acc6fa591ad094eae86917f03459fa
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Square brackets are used as quotes in autoconf.
From Section 8.1.1, Active Characters of the Autoconf manual[1]:
> To fully understand where proper quotation is important, you first
> need to know what the special characters are in Autoconf: ‘#’
> introduces a comment inside which no macro expansion is performed, ‘,’
> separates arguments, ‘[’ and ‘]’ are the quotes themselves, ‘(’ and
> ‘)’ (which M4 tries to match by pairs), and finally ‘$’ inside a macro
> definition.
[1] https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.70/autoconf.html#Active-Characters
|
|
|
|
|
|
| |
Command used to find them:
grep ' "$' configure.ac
|
|
|
|
|
|
|
|
|
|
|
| |
For increased consistency and readability.
This restores the spaces removed on commit bf81cd6ad ("configure.ac: run
autoupdate to fix autoconf warning") / PR #4316.
Command used to check for the lack of whitespace:
grep ',[^ ]' configure.ac
|
| |
|
|\
| |
| | |
Update firejail-local for Brave + ipfs
|
| | |
|
| | |
|
|\ \
| | |
| | | |
Added `quiet` to some CLI profiles
|
| |\ \ |
|
| | | | |
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Consider nosound and novideo when keeping groups & misc refactors
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Even when `nogroups` is not used, avoid keeping the audio and video
groups when `nosound` and `novideo` are used, respectively.
Based on @rusty-snake's suggestion:
https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299
Relates to #4603.
|
| | | | |
| | | | |
| | | | |
| | | | | |
Check if new_groups already is full before trying to add to it.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Move the logic from clean_supplementary_groups into the following new
functions:
* find_group
* copy_group_ifcont
These will be reused later.
Misc: The latter function's signature is based on getgrouplist(2), which
is used on clean_supplementary_groups.
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Added on commit 137985136 ("Baseline firejail 0.9.28", 2015-08-08). See
also commit ad6bb83fa ("consolidate makefiles", 2018-03-31).
It is not used anywhere. And it looks like it has never been used
anywhere:
$ git log --oneline -Gpthread.h 137985136..master
$
Issue mentioned by @rusty-snake:
https://github.com/netblue30/firejail/issues/4642#issuecomment-955795463
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This amends commit b5de1d0f9 ("Fix inconsistent descriptions of
machine-id option").
Relates to #4689.
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Fix inconsistent descriptions of machine-id option
|
| | |_|_|/
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Some places say that it "preserves" the file and other places say that
it "spoofs" the file. Based on the fs_machineid function on
src/firejail/fs_etc.c, the latter one is correct.
This amends commit d0cc960c9 ("spoof machine-id", 2016-12-05).
Fixes #4689.
Reported-by: @svc88
|
|/ / / /
| | | |
| | | |
| | | | |
Relates to #4669.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
- Update RELNOTES and README.md
- disable-common.inc
- blacklist ${HOME}/.local/share/ibus-typing-booster
- blacklist /run/timeshift (closes #4660)
- fix audacity.profile (closes #4659)
|
| | | | |
|
| | | | |
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
deterministic-shutdown option
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Add OpenStego profile
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
update yt-dlp.profile
|
| |/ / / / /
| | | | | |
| | | | | | |
ffprobe used for embedding images in difficult cases.
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
disable-common.inc: fix paths of slock and physlock
|
| |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Added on commit f0adf06c3 ("disable-common.inc: more SUID", 2021-11-09).
Relates to #4668.
|
|/ / / / / |
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Make env/arg sanity check failure messages more useful
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This change doesn't alter any checks, but it gives more specific
errors when a sanity check of env vars or argv does not pass, which
can point to limits to raise or at least give us better detailed bug
reports.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Bug: https://github.com/netblue30/firejail/issues/3678
Bug: https://github.com/netblue30/firejail/issues/3851
Bug: https://github.com/netblue30/firejail/issues/4633
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Fix TOCTOU/CodeQL CWE-367 warnings (easy ones + fs.c)
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Relates to #4503.
|
| | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This should fix all such warnings on the following files:
* src/fids/main.c
* src/firejail/seccomp.c
Misc: Besides the above reason, these are some of the more
straightforward TOCTOU warning fixes and they are done without any
additional refactor commits, so that's the reason for "easy ones".
List of TOCTOU warnings:
https://github.com/netblue30/firejail/security/code-scanning?query=id%3Acpp%2Ftoctou-race-condition
See https://cwe.mitre.org/data/definitions/367.html
Relates to #4503.
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Relocate firecfg.config to /etc/firejail/
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
This should make it easier for users, and distributions, to customize
which programs they want firejail to wrap. Also fixed some
firecfg.cfg -> firecfg.config references.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: https://github.com/netblue30/firejail/issues/408
Bug: https://github.com/netblue30/firejail/issues/2097
Bug: https://github.com/netblue30/firejail/issues/2829
Bug: https://github.com/netblue30/firejail/issues/3665
|
|\ \ \ \ \ \ \
| |_|_|/ / / /
|/| | | | | | |
more ssh fixes
|
| | | | | | |
| | | | | | |
| | | | | | | |
Suggested in https://github.com/netblue30/firejail/pull/4675#discussion_r746510840. Makes sense!
|