| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The build currently fails if gcov support is enabled:
$ pacman -Q gcc
gcc 11.1.0-1
$ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
$ make >/dev/null
[...]
netstats.c: In function ‘netstats’:
netstats.c:250:25: warning: implicit declaration of function ‘__gcov_flush’; did you mean ‘__gcov_dump’? [-Wimplicit-function-declaration]
250 | __gcov_flush();
| ^~~~~~~~~~~~
| __gcov_dump
[...]
/usr/bin/ld: netstats.o: in function `netstats':
/tmp/firejail-git/src/firejail-git/src/firemon/netstats.c:250: undefined reference to `__gcov_flush'
[...]
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: firemon] Error 1
make: *** [Makefile:42: src/firemon/firemon] Error 2
[...]
This happens because __gcov_flush was removed on gcc 11.1.0[1] [2] [3].
See the following gcc commits:
* d39f7dc8d5 ("Do locking for __gcov_dump and __gcov_reset as well.")
* c0532db47d ("Use __gcov_dump and __gcov_reset in execv and fork context.")
* 811b7636cb ("Remove __gcov_flush.")
Its implementation did the following[4]:
__gcov_lock ();
__gcov_dump_int ();
__gcov_reset_int ();
__gcov_unlock ();
As hinted in the commit messages above, the function is no longer needed
because locking is now done inside each of __gcov_dump and __gcov_reset.
So add an implementation of __gcov_flush (on a new gcov_wrapper.h file)
for gcc >= 11.1.0, which just calls __gcov_dump and then __gcov_reset.
Commands used to search and replace:
$ git grep -Flz '#include <gcov.h>' -- '*.c' |
xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\`sed 's|<gcov\\.h>|\"../include/gcov_wrapper.h\"|' '{}'\`\" >'{}'"
Note: This is the continuation of commit 31557e9c7 ("gcov: add missing
gcov.h includes") / PR #4360.
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d39f7dc8d558ca31a661b02d08ff090ce65e6652
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=c0532db47d092430f8e8f497b2dc53343527bb13
[3] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
[4] https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libgcc/libgcov-interface.c;h=855e8612018d1c9caf90396a3271337aaefdb9b3#l86
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following "implicit declaration" warning (13 occurrences in
total) when building with gcov support:
$ pacman -Q gcc10
gcc10 1:10.2.0-3
$ CC=gcc-10 && export CC
$ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
$ make >/dev/null
appimage.c: In function ‘appimage_set’:
appimage.c:140:2: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
140 | __gcov_flush();
| ^~~~~~~~~~~~
interface.c: In function ‘print_sandbox’:
interface.c:149:3: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
149 | __gcov_flush();
| ^~~~~~~~~~~~
netstats.c: In function ‘netstats’:
netstats.c:246:4: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
246 | __gcov_flush();
| ^~~~~~~~~~~~
[...]
Note: The commands above were executed from makepkg, while building
firejail-git from the AUR.
Note2: gcc-10 was used because the build fails with the current gcc
version (11.1.0) on Artix Linux. The failure happens because
__gcov_flush was removed on gcc 11.1.0[1]; this will be addressed later.
Note3: The following command helped find the affected files:
$ git grep -Fl __gcov -- src
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
|
| |
|
| |
|
| |
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* mcomix
* Create mcomix.profile
* tightening
* fixes
* comment
|
|/
|
|
| |
PR #4349
|
|\
| |
| | |
Update weechat.profile
|
| |
| |
| |
| |
| | |
remove whitespace to comply with the profile template
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| |
| |
| | |
weechat needs access to `/usr/share/weechat` if you have any global scripts installed. The directory is empty by default, so there is no additional risk here.
|
|\ \
| | |
| | | |
Update w3m.profile
|
| | |
| | |
| | | |
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| |/ |
|
|\ \
| | |
| | | |
creating qcomicbook profile
|
| | | |
|
| | | |
|
|\ \ \
| |_|/
|/| | |
Misc hardening + refactoring
|
| | |
| | |
| | |
| | |
| | | |
always access files under control of the user
with effective user id of the user
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
just in case users decide to remove them
completely from the sandbox, by means of
private-etc or whitelist
|
|/ / |
|
|/ |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
* tightening zathura profile
* sort
|
| |
|
|
|
|
| |
[skip ci]
|
| |
|
|
|
|
| |
like it is declared in the man page itself and referenced by other pages.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Create googler-common.profile
* Create googler.profile
* Create ddgr.profile
* Update firecfg.config
* sort fix
* space
* space
* tightening
* comment
* fix comment
* fix private-etc and ${DOWNLOADS}
* fix sort
* redundant ${DOWNLOADS}
|
|\
| |
| | |
cmdline.c: optionally quote the resulting command line
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If we were launched by sshd, do not add extra quotes to the command
line. This is because if firejail is a login shell, sshd will launch
firejail thusly:
* argv[0]: /path/to/firejail
* argv[1]: -c
* argv[2]: user's command to execute
For example, if the user executed "ssh othernode echo hello world",
argv[2] will be "echo hello world". Firejail will then add *extra*
quotes to it, resulting in argv[2] becoming "'echo hello world' "
(without the "", of course). The user's shell (e.g., bash) will see
the extra single quotes and will not split the token into multiple
tokens. The shell will be unable to find an executable or intrinsic
named "echo hello world ", so it will fail.
This commit changes the above behavior if firejail is launched by
sshd. In that case, firejail will *not* add the extra single quotes
around argv[2]. Specifically: all the tokens still end up in argv[2],
but there's no *extra* quotes around argv[2], so the shell will split
argv[2] into multiple tokens (if necessary). In the above example,
argv[2] will be "echo hello world" (without the ""), which will be
split. The shell will then look for an intrinsic or executable named
"echo", which will succeed, and "hello world" will ultimately be
emitted.
Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
|
| | |
|
|\ \
| | |
| | | |
add firejail.config switch for private-{bin,etc,opt,srv}
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Curerently sys.argv is accessed without checks, resulting in an
IndexError:
```
Traceback (most recent call last):
File "/home/rusty-snake/Projects/firejail/contrib/jail_prober.py", line 205, in <module>
main()
File "/home/rusty-snake/Projects/firejail/contrib/jail_prober.py", line 170, in main
profile_path = sys.argv[1]
IndexError: list index out of range
```
This commit catches this IndexError and prints a more helpfull message
instaed:
```
USAGE: jail_prober.py <PROFILE-PATH> <PROGRAM>
```
|
|\ \ \
| | | |
| | | | |
jail_prober: enable absolut include directives
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The header of profile.template define this order:
IGNORES
NOBLACKLISTS
ALLOW INCLUDES
BLACKLISTS
DISABLE INCLUDES
|
| | | |
| | | |
| | | |
| | | | |
closes #4324
|
| | | | |
|
| | | | |
|