| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |
|
|
|
|
| |
Fractal 7 (and possibly earlier) stores messages and key material in
${XDG_DATA_DIR}/fractal which defaults to ~/.local/share/fractal.
Lack of access causes it to be unable to load messages offline and
de- or encrypt messages even when online without sharing keys again.
|
| |
|
|
|
|
|
|
|
|
| |
It is apparently used by the (widely used) "Fancy" plugin, which
"Renders HTML e-mail using the WebKit library".
https://www.claws-mail.org/plugins.php
Relates to #6377.
Note: etc/profile-a-l/email-common.profile contains `private-cache`.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has been reported in #6372 that after upgrading the nvidia
proprietary driver from version 550.78 to 550.90.07, programs using
hardware acceleration fail unless paths in `/sys/module/nvidia*` are
accessible. Example:
$ firejail --noprofile prime-run /bin/glxdemo
[...]
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 150 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0
Serial number of failed request: 22
Current serial number in output stream: 23
[...]
Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
`/sys/module/amdgpu` for OpenCL (though it is unclear how to detect that
driver). See commit 95c8e284d ("Allow accessing /sys/module directory",
2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by Blender",
2018-05-08) from PR #1932.
So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
driver is detected and `no3d` is not used.
Note: The driver check is copied from src/firejail/util.c (see #841).
To keep the current behavior (that is, block all modules), add
`blacklist /sys/module` to globals.local.
Fixes #6372.
Reported-by: @GreatBigWhiteWorld
Reported-by: @orzogc
Reported-by: @krop
Reported-by: @michelesr
Suggested-by: @glitsj16
Tested-by: @flyxyz123
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently hashcat needs access to this device for hardware acceleration
on AMD gpus and `private-dev` currently breaks that (see #6364).
It seems to be used by the "amdgpu" and "amdkfd" Linux kernel drivers
and as with /dev/dri/renderD128, this file is owned by the "render"
group.
Relevant udev rules from /usr/lib/udev/rules.d/50-udev-default.rules:
SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="0666"
SUBSYSTEM=="kfd", GROUP="render", MODE="0666"
SUBSYSTEM=="accel", GROUP="render", MODE="0666"
Environment: udev 255.6-1 on Artix Linux.
Reported-by: @schrotthaufen
|
| |
|
| |
Fixes #6377.
|
| |
|
|
|
| |
Added on commit 2453f0ecf ("email-common.profile: allow clamav plugin
for claws-mail", 2023-03-07) / PR #5719.
|
| |
|
|
|
|
| |
We still see lots of issue reports where the user runs `firejail foo`
and ends up running foo's sandbox twice (due to firecfg's symlink
precedence). Try to improve the situation by explicitly using absolute
paths in the 'steps to reproduce' section.
|
| |
|
| |
Relates to #6364.
|
| |
|
|
| |
Relates to #6352 #6353 #6354 #6358 #6359 #6361 #6366 #6367 #6369.
|
| |\
| |
| | |
build: standardize install commands
|
| | |
| |
| |
| | |
For increased consistency and readability.
|
| | |
| |
| |
| | |
For increased consistency and readability.
|
| | |
| |
| |
| |
| | |
Just try to install them, as is done in the other `$(INSTALL) -d`
commands.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changes:
* Remove / after `$(DESTDIR)`
* Remove useless -c
* Use 0755 instead of 755
* Use -d after -m
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
|
| | |
| |
| |
| |
| |
| |
| | |
The command below already installs it.
Added on commit 926790411 ("add basic Firejail support to AppArmor base
abstraction (#3226)", 2021-10-21) / PR #4628.
|
| | |
| |
| |
| |
| |
| |
| | |
And remove the extraneous semicolon at the end of the command string.
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
|
| | |
| |
| | |
Fixes #6358.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This closes the escape route discussed in #6357.
It's left open for i3's own profile, so that people who run i3 itself
sandboxed still have the option to use IPC with it at all.
Reference for file paths:
https://i3wm.org/docs/userguide.html#_interprocess_communication
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Description: Standalone Discord client.
https://armcord.app/
https://github.com/NextWork123/ArmCord
Requested in https://github.com/netblue30/firejail/issues/1139#issuecomment-2140174880.
|
| | |
| |
| | |
Signed-off-by: Ilya Pankratov <i.pankratov.main@gmail.com>
|
| |/
|
|
|
| |
Fix memory and descriptor leaks.
Signed-off-by: Ilya Pankratov <i.pankratov.main@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.7.1 to 2.8.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/a4aa98b93cab29d9b1101a6143fb8bce00e2eac4...f086349bfa2bd1361f7909c78558e816508cdc10)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.5 to 3.25.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/b7cec7526559c32f1616476ff32d17ba4c59b2d6...f079b8493333aace61c81488f8bd40919487bd9f)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |\
| |
| | |
build: allow overriding common tools
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Tools:
* gzip
* install
* rm
* strip
* tar
For the programs not checked in configure.ac:
From the manual of GNU Autoconf (version 2.71):
> If you use `AC_PROG_INSTALL`, you must include `install-sh` in your
> distribution
So set `install` just in the Makefile. Use `$(RM)` to ensure that `-f`
is always used and to make it easier to spot when `-r` is used.
See commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Just in case the value is not defined in config.mk and `make` is first
executed from another directory (such as in src/man) instead of the root
directory.
This amends commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
|
| | |
| |
| |
| |
| | |
Based on the entries in etc/profile-m-z/makepkg.profile.
This fixes #6352.
|
| |/
|
|
|
|
|
|
| |
Changes:
* Improve Firefox D-Bus comment
* Add missing/standardize related comments
* Include allow-bin-sh.inc in relevant profiles
* Use Firefox URL open section in relevant profiles
|
| | |
|
| |
|
|
| |
Relates to #6338.
|
| |
|
|
| |
Relates to #6339 #6342 #6343.
|
| |
|
|
|
|
|
|
|
|
| |
Cleaning does not appear to make a difference; the same amount of files
is checked with/without cleaning.
Environment: cppcheck 2.12.0-3 on Artix Linux.
Added on commit 4e22add64 ("llvm scan", 2015-11-29).
This is a follow-up to #6222.
|
| |\
| |
| | |
build: add strip target and simplify install targets
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Leave just the "install" and "install-strip" targets.
See commit 099925e18 ("added install-strip, make install now without
strip.", 2015-09-10) / PR #60 and commit 0215cbc02 ("make install, make
install-strip", 2015-09-11).
|
| | |
| |
| |
| |
| | |
Move the strip invocation into its own target to allow stripping
binaries without having to run the "realinstall" target.
|
| |\ \
| | |
| | | |
build: sort.py: use -i by default and add -n
|
| | | |
| | |
| | |
| | | |
Support "--" to end options and fail if an unknown option is given.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Overwrite in-place by default (`-i`) and add `-n` to override it.
This restores the previous default behavior (from 0.9.72), for the sake
of being consistent with all previous versions and because it's more
likely to be the desired behavior in most cases.
This amends commit aa08aa132 ("build: sort.py: add and require -i to
edit in-place (#6290)", 2024-03-25).
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.4 to 3.25.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/ccf74c947955fd1cf117aef6a0e4e66191ef6f61...b7cec7526559c32f1616476ff32d17ba4c59b2d6)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It is currently only used for GitHub Actions. The ones used in this
project rarely ever contain notable changes in their changelogs (in a
way that would cause a noticeable difference in our CI).
Also, there are weeks when most/all of the PR/commit activity is from
dependabot PRs being opened/merged. For example, see the output of the
following command:
git log --no-decorate --oneline 9a0db13e12..bef085035
So change the checks from weekly to monthly to reduce the noise.
Additionally, bump `open-pull-requests-limit` to 4, as it seems that we
only have 4 dependencies:
$ git grep 'uses:' -- .github/ | sed -E 's/.*(uses: .*)@.*/\1/' |
LC_ALL=C sort -u
uses: actions/checkout
uses: github/codeql-action/analyze
uses: github/codeql-action/init
uses: step-security/harden-runner
This should ensure that PRs can be opened against all of them when the
dependabot check is run.
|
| | |
| |
| |
| |
| |
| | |
Description: Tauri-based IRC client inspired by HexChat.
https://nhexirc.com/
https://github.com/nhexirc/nhex
|
| |/ |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.3 to 3.25.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/d39d31e687223d841ef683f52467bd88e9b21c14...ccf74c947955fd1cf117aef6a0e4e66191ef6f61)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |
|
|
|
|
| |
Update comment to account for camera-based motion trackers.
Fixes an issue with https://github.com/markx86/opentrack-launcher, where
video input devices won't show up unless novideo is removed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The profile currently does not include disable-common nor makes
`${HOME}` read-only, so the program can simply write to ~/.bashrc
directly[1].
disable-common.inc was commented due to it apparently breaking bwrap.
As discovered by @glitsj16, it seems that allowing the bwrap binary is
enough to make it work (and that apparmor breaks loupe)[2].
So disable apparmor, allow bwrap and include disable-common.inc, plus
other hardening by @glitsj16.
This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) /
PR #6327.
[1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865
[2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480
|
| |
|
|
|
|
|
| |
This amends commit bf5a99360 ("landlock: add support for PATH macro",
2023-12-22).
Relates to #6078.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* profiles: hexchat: hardenings
* profiles: hexchat: allow lua/downloads and harden
Allow more paths and add some extra options to harden the profile.
We allow Perl but keep it out of private-bin. Do the same for Lua and
clarify in the private-bin comment how to enable these interpreters.
Consulted resources:
- https://github.com/hexchat/hexchat/
- https://hexchat.readthedocs.io/
|
dependabot[bot]
Felix Pehla
glitsj16
Kelvin M. Klann
Dieter Plaetinck
Shahriar Heidrich
Ilya Pankratov
duevo