| Commit message (Collapse) | Author | Age |
|
Avoid a stat() call for each affected target and also potentially speed
up parallel builds.
From the GNU make manual[1]:
> Phony targets are also useful in conjunction with recursive
> invocations of make (see Recursive Use of make). In this situation
> the makefile will often contain a variable which lists a number of
> sub-directories to be built.
[...]
> The implicit rule search (see Implicit Rules) is skipped for .PHONY
> targets. This is why declaring a target as .PHONY is good for
> performance, even if you are not worried about the actual file
> existing.
Commands used to search, replace and cleanup:

    $ find -type f -name '*Makefile.in' -exec sed -i.bak \
      -e 's/^all:/.PHONY: all\nall:/' \
      -e 's/^clean:/.PHONY: clean\nclean:/' \
      -e 's/^distclean:/.PHONY: distclean\ndistclean:/' '{}' +
    $ find -type f -name '*Makefile.in.bak' -exec rm '{}' +

[1]: https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html
|
With a fun little script:

    $ git ls-files -z -- '*Makefile*' |
      xargs -0 -I '{}' sh -c \
      "test -s '{}' && printf '%s\n' \"\`git stripspace <'{}'\`\" >'{}'"
|
fix protocol list
|
Due to https://github.com/netblue30/firejail/commit/5d88ee8957dc38a52c36f71b91c786dbec9d4ec9 we should provide an override option here IMO.
|
Now that https://github.com/netblue30/firejail/commit/5d88ee8957dc38a52c36f71b91c786dbec9d4ec9 introduces new protocol list behaviour, we need to add an ignore here due to the redirect to transmission-common.profile. See https://github.com/netblue30/firejail/issues/4017 for clarification.
|
Force nnp compile time
|
The current message misses the info that nnp and nogroups are applied
too. The new one mentions nnp too, but is very long. If anyone has a better
wording, say it.
|
This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
|
- RELNOTES: protocol now accumulates
- fix #3978 -- Android Studio: cannot create the directory
Unresolved:
> google-earth.profile has a 'noblacklist ${HOME}/.config/Google' too,
> so we should consider to add additional blacklists for ~/.config/Google/*.
- marker.profile: allow ${DOCUMENTS}
- profile.template: add bluetooth protocol
- profile.template: add DBus portal note
- firejail-profile.txt: revert 17fe4b9e -- fix private=directory in man firejail-profile
see https://github.com/netblue30/firejail/pull/3970#discussion_r574411745
|
Allow changing protocol list after initial set
|
Firejail uses set-once logic for "protocol" list. This makes it
impossible to accumulate list of allowed protocols from multiple
include files.
Use profile_list_augment() for maintaining list of protocols. This
implicitly means protocols can be added/removed via any number of
command line options / profile configuration files.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
A lot of profile options deal with manipulating strings containing
comma separated list of things, using several strains of similar but
not exactly the same code, duplicated for the purposes of processing
command line arguments and parsing configuration files.
Having utility functions available for handling such list strings can
make higher level logic shorter, cleaner and function in more uniform
manner.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
Add --mkdir and --mkfile command line options for firejail
|
Profile files are defined as a means to "pass several command line
arguments to firejail" but apparently for example mkdir and mkfile
options are available in context of profile files, but can't be
specified directly from command line.
Add support for --mkdir and --mkfile options so that executing:

    firejail --mkdir=${HOME}/directory/path \
             --whitelist=${HOME}/directory/path

behaves similarly as having profile file content:

    mkdir ${HOME}/directory/path
    whitelist ${HOME}/directory/path

Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
Thx to @rusty-snake for spotting this.
|
add new profile for gget
|
fix firecfg links in restrictive sandboxes
|
firejail symbolic link redirection currently depends
on a shell, but in restrictive sandboxes there
might be no execute permission, or private-lib might
have removed necessary libraries, or seccomp might
block required syscalls ...
Fix this by forcing --shell=none.
closes #3911
|
musl stdlib (Alpine Linux) doesn't know about canonicalize_file_name,
replace with equivalent realpath calls
|
add PATH_FCOPY to private-lib automatically
|
restore 45304621a6c600d8e30e98bfbef05149caaf56c5, but now run
fldd as root user. This became necessary because in the meantime
read permission on helper executables was removed.
Puts infrastructure in place to add other helper binaries to
private-lib as well, should the need arise.
|
Upstreaming a set of fixes from Sailfish's packaging
|
Check that the directory exists before attempting to mount it.
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
Lacking linefeed chars cause messages to get concatenated.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
Firejail uses file bind-mounts to filter /etc/passwd and /etc/group
content. If private-etc is used, these mounts are left underneath
the /etc directory mount and this seems to be causing problems in
devices with older kernels: attempts to modify passwd or group
data fails with EBUSY.
Make it possible to perform fs_private_dir_list() actions in two
separate phases.
Undo the file mounts in /etc before mounting private-etc content.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
These have little consequences as the tool exits anyway,
but fs_copydir() leaks memory on success path and check()
on failure path.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
When constructing sandbox fs, /etc/mtab, which is a symlink to
/proc/self/mounts, gets resolved as /proc/PID/mounts, where
PID is not the pid of the process that is going to get
executed in the firejail -> the result is a broken/inaccessible
symlink from the application point of view.
Use /proc/self/xxx type symlink target if it resolves similarly
as the /proc/PID/xxx type would at the time of mapping.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
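
The rewrite this commit message describes, sketched as an added example (not firejail's code and not part of the commit). The helper name `proc_pid_to_self` is hypothetical, and "resolves similarly" is assumed here to mean that the PID component equals the PID of the process doing the resolving.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (assumption, not firejail's API): if `resolved` has
 * the form /proc/<pid>[/rest] and <pid> equals `self_pid`, write the
 * equivalent /proc/self[/rest] into `out`, so the link still points at
 * "the current process" when a different PID later follows it.
 * Returns 1 if rewritten, 0 if copied unchanged, -1 if `out` is too small. */
int proc_pid_to_self(const char *resolved, pid_t self_pid,
                     char *out, size_t outlen)
{
    int n;

    if (strncmp(resolved, "/proc/", 6) == 0 &&
        isdigit((unsigned char)resolved[6])) {
        char *end;
        long pid = strtol(resolved + 6, &end, 10);

        /* The PID component must end at '/' or at the end of the string,
         * so a name such as /proc/1234abc is left alone. */
        if ((*end == '/' || *end == '\0') && pid == (long)self_pid) {
            n = snprintf(out, outlen, "/proc/self%s", end);
            return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
        }
    }

    /* Another process's entry or a non-PID path (/proc/sys/...): keep it. */
    n = snprintf(out, outlen, "%s", resolved);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char in[64], out[64];

    /* Constructed input: what resolving /etc/mtab yields in this process. */
    snprintf(in, sizeof(in), "/proc/%ld/mounts", (long)getpid());
    int rc = proc_pid_to_self(in, getpid(), out, sizeof(out));
    printf("%s -> %s (rewritten=%d)\n", in, out, rc);
    return 0;
}
```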
|
signal-desktop.profile: fix typo of disable-xdg.profile
|
Added on commit f4f676745 ("Refactor electron.profile and electron based
programs (#3807)").
This appears to be the only instance of that:

    $ grep -Fnr 'include-xdg' etc
    etc/profile-m-z/signal-desktop.profile:9:ignore include-xdg.inc

Simply fixing the typo would enable xdg dirs for the first time since
the aforementioned commit. But, as talked with @rusty-snake[1], since
there has been no negative feedback, and since it's a whitelisting
profile, just remove the affected line instead.
Credits go to syntax highlighting on vim.
[1]: https://github.com/netblue30/firejail/pull/4001
|
Minor fixes for vmware