Commit message
Add a profile for Flatseal
etc/profile-a-l/display.profile: additions needed on Gentoo
Various .so's are needed to allow execution, /etc/ImageMagick-7/ is
needed for various policy XML files, and /usr/$(libdir)/ImageMagick-x.y.z/
is needed in order to have access to decoders.
Tested on Gentoo; I don't know if other distros put the relevant bits
in different paths.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
profstats cleanup
goldendict: whitelist path to documentation and locales
additional electron blacklists
As suggested in https://github.com/netblue30/firejail/pull/4727#discussion_r759402234.
Keep some groups regardless of nogroups and restore nogroups on nvidia
`nogroups` should not have been causing issues with rendering on nvidia
since commit 623e68216 ("temporary fix for nvidia/nogroups/noroot issue
(#3644, #841)", 2020-10-02) and commit cb460c32c ("more nvidia (#3644)",
2020-10-03), which had made it a no-op on nvidia. And the handling of
the "render" and "video" groups is independent of the handling of
`nogroups` now; see the previous 3 commits.
Commits which introduced the comments on each profile:
* kodi.profile: commit ce462b6b1 ("fix #3501", 2020-07-16)
* mpsyt.profile: commit e17b48fca ("new profile mpsyt.profile",
2018-11-28)
* mpv.profile: commit cc7c48983 ("Document #1945", 2018-07-25)
* steam.profile: commit d6f8169dd ("steam fixes; #841, #3267",
2020-03-15)
Commands used to find the comments:
git grep -i nvidia -- etc/profile-* | grep -v private-etc
Relates to #4632.
Remove workaround from commit 623e68216 ("temporary fix for
nvidia/nogroups/noroot issue (#3644, #841)", 2020-10-02) and from commit
cb460c32c ("more nvidia (#3644)", 2020-10-03).
The handling of the "render" and "video" groups is separate from
`nogroups` now, so disabling `nogroups` on nvidia shouldn't be necessary
anymore. See the previous 2 commits for details.
See also the discussion on PR #4632.
Mappings of command -> group that this commit adds:
* no3d -> render
* noprinters -> lp
* nodvd -> cdrom (Debian[1] and Gentoo[2]), optical (Arch[3])
* noinput -> input
Mappings that were considered but that are not added:
* notv -> ? (unknown group)
* nou2f -> ? (devices are apparently owned by root; see #4603)
Based on @rusty-snake's suggestion:
https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299
See the previous commit ("Keep audio and video groups regardless of
nogroups") for details.
Relates to #2042 and #4632.
[1] https://wiki.debian.org/SystemGroups
[2] https://api.gentoo.org/uid-gid.txt
[3] https://wiki.archlinux.org/title/Users_and_groups
Currently, on systems that use seat managers that do not implement
seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is
used. This happens because without ACLs, access to the audio devices in
/dev is controlled by the standard group permissions and the "audio"
group is always dropped when `nogroups` is used. This patch makes the
"audio" and "video" groups be dropped if and only if `noaudio` and
`novideo` are in effect, respectively (and independently of `nogroups`).
See #4603 and the linked issues/discussions for details.
Note: This is a continuation of commit ea564eb74 ("Consider nosound and
novideo when keeping groups") / PR #4632.
Relates to #2042 and #4531.
Add blacklist to disable-programs
development
Configure improvements2
Added on commit 8d8686af2 ("Make installation of contrib scripts
configurable", 2017-04-13).
Remove redundant argument to AS_IF and make it look more like the other
nearby AS_IF calls.
See commit 15d793838 ("Try to fix #2310 -- Can't create run directory
without suid-root", 2021-05-13) / PR #4273.
It is the only "HAVE_" option whose value is set by if/else on a
makefile. Also, it is set in different places to either "yes", "no",
blank or "-DHAVE_SUID". Set the value only on configure.ac and only to
either blank or to "-DHAVE_SUID".
Misc: The `ifeq ($(HAVE_SUID),-DHAVE_SUID)` comparison that this adds is
based on the existing `ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)`
comparison on Makefile.in.
Added on commit d1acb31c9 ("compile time: enable LTS", 2021-02-28).
It only needs to be called once for each variable. See the configure
script diff and the previous commit ("configure*: Move AC_SUBST calls to
more obvious places").
These macros should always be called regardless of the intended value of
each variable, as even if e.g.: no --enable-apparmor flag is given, the
configure script still has to substitute `@HAVE_APPARMOR@` with blank in
the relevant files.
Something similar is already being done for HAVE_OVERLAYFS since commit
fb9f2a5fb ("disabled overlayfs, fixes pending; added video channels to
README* files", 2021-02-06).
Note that each AC_SUBST is not immediately converted into search/replace
code when generating the configure script. It appears that the
variables are handled only after parsing all of configure.ac (or until a
specific command is found), as all arguments passed to every AC_SUBST
call are defined at once on the `ac_subst_vars` list. The actual
substitutions are also done all at once (while iterating through the
list) and that happens much later in the script (see both occurrences of
`ac_subs_vars` on the current script).
For increased safety and consistency. In addition, this should make it
clearer where each argument starts and ends.
See also the following item from autoconf NEWS[1]:
> * Noteworthy changes in release 2.70 (2020-12-08) [stable]
> [...]
> *** Many macros have become pickier about argument quotation.
>
> If you get a shell syntax error from your generated configure
> script, or seemingly impossible misbehavior (e.g. entire blocks of
> the configure script not getting executed), check first that all
> macro arguments are properly quoted. The “M4 Quotation” section of
> the manual explains how to quote macro arguments properly.
>
> It is unfortunately not possible for autoupdate to correct
> quotation errors.
[1] https://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=blob;f=NEWS;h=ba418d1af5da752de77a2c388f9af56f8f1bf6a4;hb=97fbc5c184acc6fa591ad094eae86917f03459fa
Square brackets are used as quotes in autoconf.
From Section 8.1.1, Active Characters of the Autoconf manual[1]:
> To fully understand where proper quotation is important, you first
> need to know what the special characters are in Autoconf: ‘#’
> introduces a comment inside which no macro expansion is performed, ‘,’
> separates arguments, ‘[’ and ‘]’ are the quotes themselves, ‘(’ and
> ‘)’ (which M4 tries to match by pairs), and finally ‘$’ inside a macro
> definition.
[1] https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.70/autoconf.html#Active-Characters
Command used to find them:
grep ' "$' configure.ac
For increased consistency and readability.
This restores the spaces removed on commit bf81cd6ad ("configure.ac: run
autoupdate to fix autoconf warning") / PR #4316.
Command used to check for the lack of whitespace:
grep ',[^ ]' configure.ac
Update firejail-local for Brave + ipfs
Added `quiet` to some CLI profiles
|
| |\ \ |
|
| | | | |
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Consider nosound and novideo when keeping groups & misc refactors
Even when `nogroups` is not used, avoid keeping the audio and video
groups when `nosound` and `novideo` are used, respectively.
Based on @rusty-snake's suggestion:
https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299
Relates to #4603.
Check if new_groups already is full before trying to add to it.
Move the logic from clean_supplementary_groups into the following new
functions:
* find_group
* copy_group_ifcont
These will be reused later.
Misc: The latter function's signature is based on getgrouplist(2), which
is used on clean_supplementary_groups.