| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | | |
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
New profile: gnome-boxes
|
| | |/ / |
|
| |\ \ \
| |_|/
|/| | |
multimc: instances not running, because of missing permissions
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When starting an instance, in the logs, a failed attempt to load the lwjgl
library is shown and the game doesn't run.
The library is in the /tmp directory. The reason for this appears to
be, in the lwjgl source code, the shared library loading function,
extracts in the temporary directory and continues from there.
This is fixed by whitelisting.
The reason for adding "ignore noexec /tmp" as well, is that without it, the game
can't run, even if the directory is whitelisted. It seems the library needs
to be loaded from /tmp.
A second error for a failed attempt to access /home/user/.cache/JNA is also
shown in the logs. This is also fixed by whitelisting.
|
| |\ \ \
| |_|/
|/| | |
build: allow overriding certain tools & sync targets with CI
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Changes:
* Use --status-bugs in the scan-build target to exit with an error if
bugs are found
* Call the make target in the CI job
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Changes:
* Use the same command from the cppcheck CI job in the cppcheck target
* Add cppcheck-old target based on the cppcheck_old CI job
* Call the make targets in CI to avoid duplicating the commands
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Allow overriding the following tools at configure-time and build-time:
* codespell
* cppcheck
* gawk
* scan-build
For example, instead of hardcoding `gawk`, enable overriding it at
configure-time with:
./configure GAWK=/path/to/gawk
To override it for a single `make` invocation:
make GAWK=/path/to/gawk
Also, add default values for the programs that are not found (rather
than leaving the variables empty), to make error messages clearer when
trying to run them:
$ make CPPCHECK= cppcheck-old
[...]
force --error-exitcode=1 --enable=warning,performance .
make: force: No such file or directory
$ make CPPCHECK=cppcheck cppcheck-old
[...]
cppcheck --force --error-exitcode=1 --enable=warning,performance .
make: cppcheck: No such file or directory
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.24.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/379614612a29c9e28f31f39a59013eb8012a51f0...47b3d888fe66b639e431abf22ebca059152f1eea)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | |
| |
| |
| | |
Drop paths present in etc/inc/whitelist-usr-share-common.inc from
profiles that include it.
|
| |\ \
| |/
|/| |
build: move errExit macro into inline function
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move most of the `errExit` macro into a new `_errExit` inline function
and use the former just to forward arguments to the latter.
This reduces the noise in the build output when using `-fanalyzer`, as
it causes the `errExit` macro to stop being expanded.
For example, the complete output of the following warning in
src/firejail/dbus.c is reduced from 243 lines to 141 lines (a ~41%
reduction):
$ pacman -Q gcc
gcc 13.2.1-5
$ ./configure --enable-apparmor --enable-analyzer >/dev/null &&
make clean >/dev/null && make >/dev/null
[...]
../../src/firejail/dbus.c: In function ‘dbus_proxy_start’:
../../src/firejail/dbus.c:311:36: warning: leak of file descriptor ‘dup2(output_fd, 1)’ [CWE-775] [-Wanalyzer-fd-leak]
311 | if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
[...]
‘dbus_create_user_dir’: event 5
|
|../../src/firejail/../include/common.h:42:25:
| 42 | #define errExit(msg) do { \
| | ^
| | |
| | (5) ...to here
../../src/firejail/dbus.c:239:17: note: in expansion of macro ‘errExit’
| 239 | errExit("asprintf");
| | ^~~~~~~
[...]
Relates to #6190.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.0 to 3.24.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/e8893c57a1f3a2b659b6b55564fdfdbbd2982911...379614612a29c9e28f31f39a59013eb8012a51f0)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | |
|
| |\
| |
| | |
nextcloud: D-Bus filtering changes
|
| | | |
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
Profile for Electron Cash
|
| | | | |
|
| | | | |
|
| |\ \ \
| |_|/
|/| | |
Profile for RawTherapee
|
| | |/ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently it is the only part of the build that prints to stderr on a
normal build, which makes it harder to keep just the warnings and errors
in the output:
$ ./configure >/dev/null && make clean >/dev/null &&
make -j "$(nproc)" >/dev/null
static ip map: input 5998, output 2490
Added on commit f3774678f ("compress static ip map for fnettrace at
compile time", 2023-07-06).
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This amends commit 760f50f78 ("landlock: move commands into profile and
add landlock.enforce", 2023-11-17) / PR #6125.
Misc: This was noticed on #6203.
Relates to #6078.
|
| |\ \
| | |
| | | |
gnome-keyring: harden and add gnome-keyring-daemon.profile
|
| | | | |
|
| | | |
| | |
| | |
| | | |
And use it as the base for the existing gnome-keyring.profile.
|
| | | | |
|
| | | |
| | |
| | |
| | | |
Relates to #6195 #6196 #6200.
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
build: mkrpm.sh improvements
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
They are not being properly forwarded to mkrpm.sh (which re-runs
./configure before the actual build), so just remove them for now.
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
To abort the build if any error occurs.
See also commit 7d9db8355 ("fail build if any step in the script fails",
2019-06-21).
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | | |
To make the CI logs more informative, as currently nothing from the
build itself is shown.
Added on commit d684d9988 ("Fix mkrpm.sh", 2016-02-16) / PR #297.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Recently (as of Landlock ABI 4), the `handled_access_net` field was
added to the `landlock_ruleset_attr` struct in the Linux kernel (in
linux/landlock.h). In src/firejail/landlock.c, that field is not being
set in the struct (as we currently do not use it) before passing it to
the `landlock_create_full_ruleset` syscall, so it is likely to contain
random garbage when used, resulting in the syscall returning EINVAL:
$ firejail --debug --profile=/etc/firejail/landlock-common.inc \
--landlock.enforce true
[...]
ll_is_supported: Detected Landlock ABI version 4
ll_restrict: Starting Landlock restrict
ll_create_full_ruleset: Creating Landlock ruleset (abi=4 fs=1fff)
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_read: Adding Landlock rule (abi=4 fs=c) for /
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
[...]
Not enforcing Landlock
So ensure that all structs in src/firejail/landlock.c are initialized to
0 before using them.
Note: Arch has recently (2024-01-31) updated the linux-api-headers
package from version 6.4-1 to 6.7-1[1]. The former version is not affected
(as it does not contain the extra struct field in linux/landlock.h),
while the latter is.
Fixes #6195.
Relates to #6078.
[1] https://gitlab.archlinux.org/archlinux/packaging/packages/linux-api-headers/-/commit/b4223b0c2bfba54c26acc4dc289415b81b15989f
Reported-by: @curiosityseeker
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to certain variables not being declared:
dpkg-source -i -I --before-build .
[...]
dh_auto_clean
make -j2 distclean
make[1]: Entering directory '/builds/kmk3/firejail_ci'
error: run ./configure to generate config.mk
[...]
rm -f contrib/syntax/files/example [...]
rm -fr - -.tar.xz
rm: invalid option -- '.'
Try 'rm --help' for more information.
make[1]: *** [Makefile:175: clean] Error 1
This amends commit 8a783cdc2 ("build: use TARNAME and remove more paths
on clean", 2023-07-29) / PR #6186.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to test/compile/compile.sh not being able to source config.mk (which is
created by ./configure):
dpkg-source -i -I --before-build .
[...]
dh_auto_clean
make -j2 distclean
make[1]: Entering directory '/builds/Firejail/firejail_ci'
error: run ./configure to generate config.mk
[...]
cd compile && ./compile.sh --clean
./compile.sh: line 15: ./../../config.sh: No such file or directory
make[2]: *** [Makefile:24: clean] Error 1
This amends commit 152a21f15 ("build: simplify clean target",
2023-07-29) / PR #6186.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make the error message format in `ll_create_full_ruleset` match the
other ones in landlock.c.
This amends commit 01a9ddbbe ("landlock: improve logs for debugging",
2023-11-08).
Misc: This was noticed on #6195.
Relates to #6078.
|
| | |
| |
| |
| |
| |
| |
| | |
This amends commit bf5a99360 ("landlock: add support for PATH macro",
2023-12-22).
Relates to #6078.
|
| | |
| |
| |
| | |
Relates to #6172 #6178 #6184 #6186 #6187.
|
| |\ \
| | |
| | | |
landlock: split .special into .makeipc and .makedev
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.2 to 3.24.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/b7bf0a3ed3ecfa44160715d7c442788f65f0f923...e8893c57a1f3a2b659b6b55564fdfdbbd2982911)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/eb238b55efaa70779f274895e782ed17c84f2895...63c24ba6bd7ba022e95695ff85de572c04a18142)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |\ \ \
| | | |
| | | | |
build: improve main clean target
|
| | | | |
| | | |
| | | |
| | | | |
Instead of `firejail-*.tar.xz`, to match `*.deb` and `*.rpm`.
|
glitsj16
netblue30
powerjungle
Kelvin M. Klann
dependabot[bot]
Fidel Ramos