| Commit message (Collapse) | Author | Age |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/17573ee1cc1b9d061760f3a006fc4aac4f944fd5...32dc499307d133bb5085bae78498c0ac2cf762d5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/18bf8ad2ca49c14cbb28b91346d626ccfb00c518...c8454efe5d0bdefd25384362fe217428ca277d57)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: pirate486743186 <>
Relates to #5674 #5677.
This partially reverts commit 375468008 ("docs: remove indents on
top-level lists and tables", 2023-02-01) from PR #5674.

Commands used to undo the changes:

    $ f=.github/pull_request_template.md; \
      git show 3754680087~1:"$f" >"$f"

I had assumed that a blank line after a list item would end the list
(and so I was confused by the amount of indentation used), but that is
apparently not the case. See the file rendered before/after the
commit[1] [2].

Relates to #2784.

Reported by @rusty-snake[3].

[1] https://github.com/netblue30/firejail/blob/f5d8d8cc7af8f8816c47623515babcefceb7e22f/.github/pull_request_template.md
[2] https://github.com/netblue30/firejail/blob/37546800876d977d77cc86d9b307f8cfa714c1dd/.github/pull_request_template.md
[3] https://github.com/netblue30/firejail/pull/5674#discussion_r1117892922
As pointed out by @rusty-snake[1]:

> I think this is intentional to test if firejail can parse commands
> with leading spaces.

This amends commit b406b2420 ("tests: Fix mixed space/tabs indentation",
2023-02-19) / PR #5674.

Note: This is the only profile in test/ that the commit changed:

    $ git show --pretty= --name-only b406b2420 -- test/
    test/fs/private-whitelist.exp
    test/network/firemon-route.exp
    test/profiles/test2.profile

[1] https://github.com/netblue30/firejail/pull/5674#discussion_r1117891957
New profile: parsecd
build: Fix whitespace and add .editorconfig
Commands used to list the file extensions used in the project:

    $ git ls-files | sed -En 's/.*(\.[^.]+)$/\1/p' |
      LC_ALL=C sort | uniq -c

For rules that are more specific to a given directory, put a dedicated
.editorconfig file in it.
Changes:

* Fix spaces being used for indentation in some lines in C
* Remove leading spaces before some goto labels
* Remove leading spaces before the start of some multiline comments
* Change leading spaces to tabs in some multiline macros
* Add missing asterisk to some multiline comments (to match other
  multiline comments and because they are false positives in the
  commands below)

Note: Leading spaces can be used for alignment (such as in function
parameters and function arguments in C) and for line continuation (such
as in long commands in shell scripts). However, in the above changes
the leading spaces are used for other reasons and do not seem to fit
with the style used.

Commands used to search for errors:

    $ git grep -In '^ [^*]' | grep -E -v \
      -e '(COPYING|README|RELNOTES|configure(.ac)?):' \
      -e '^[^:]+.(md|yml|py):' -e '(bash|zsh)_completion/' \
      -e '^contrib/syntax/' -e '^etc/templates/.*\.txt:' -e '^m4/' \
      -e '^platform/debian/' -e '^src/man/.*\.txt:' \
      -e '.*mkrpm.sh:' -e '.*extract_errnos.sh:'
Almost all of the shell scripts in the repository use tabs for
indentation (or have no indentation at all):

    $ git grep -Il '^\t' -- '*.sh' | wc -l
    19
    $ git grep -Il '^ ' -- '*.sh' | wc -l
    5
    $ git grep -IL '^[ \t]' -- '*.sh' | wc -l
    25

So do the same in the few shell scripts that currently use spaces for
indentation.

Except for the following file:

* platform/rpm/mkrpm.sh

Not sure if it's following a packaging-specific scheme, so just fix the
one indentation inconsistency in it and otherwise leave it as is for
now.

Command used to search for shell scripts using spaces for indentation:

    $ git grep -In '^ ' -- '*.sh'
Command used to find the errors:

    $ git grep -I '^ [^*]' -- test/

Misc: All of the affected files were added in 2016.
To match the common usage; see for example src/firejail/firejail.h.
Added on commit 960b4daba ("add tool to dump seccomp filters",
2020-02-17).
This appears to be the only C file in the repository that uses spaces
for indentation.

Commands used to check for the above:

    $ git grep '^ ' -- '*.c' '*.h'

Commands used to search and replace:

    $ f=test/filters/namespaces.c; printf '%s\n' \
      "$(sed 's/ /\t/g' "$f")" >"$f"

Note: The mmap call was aligned manually.

Added on commit 5116c1ced ("testing", 2022-12-24).
And the surrounding paragraphs.
Relates to #2784.
This fixes all of the "space before tab in indent" errors raised by git:

    $ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD |
      grep '^[^+]' | cut -f 3 -d : | LC_ALL=C sort | uniq -c
    72 space before tab in indent.

Commands used to find the errors:

    $ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD
    $ git grep -In "$(printf '\t') "

Note: Unlike "space before tab in indent", the reverse ("space after tab
in indent") is not reported by git. That is because spaces could be
intentionally used for alignment or line continuation, but in some cases
they are being used for indentation together with tabs and in others the
formatting is misaligned. The second command was used to help find and
fix these other issues.
Git currently correctly detects them as binary; the changes are done to
avoid depending on the auto-detection and also for documentation.

Commands used to list all of the files that git detects as non-text
files:

    $ git ls-files --eol | grep -e 'i/-text' -e 'w/-text'
    i/-text w/-text attr/text=auto eol=lf etc-fixes/seccomp-join-bug/eecf35c-backports.zip
    i/-text w/-text attr/text=auto eol=lf test/appimage/Leafpad-0.8.17-x86_64.AppImage
    i/-text w/-text attr/text=auto eol=lf test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage
    i/-text w/-text attr/text=auto eol=lf test/filters/memwrexe
    i/-text w/-text attr/text=auto eol=lf test/filters/memwrexe-32
    i/-text w/-text attr/text=auto eol=lf test/filters/namespaces
    i/-text w/-text attr/text=auto eol=lf test/filters/namespaces-32

Note: The committed seccomp filters do not have a file extension, so
ignore them for now.
This should make it easier to avoid whitespace errors, as long as the
editor used supports it (either natively or through a plugin).

See the editorconfig website for the editors that support it:

* https://editorconfig.org

Note: All text files appear to already be using LF and UTF-8 (or ASCII):

    $ git ls-files --eol | grep -v -e '^i/lf w/lf' \
      -e 'i/none w/none' -e 'i/-text w/-text'
    i/ w/ attr/text=auto eol=lf ci/check/profiles/sort.py
    $ git ls-files -z | xargs -0 file -i -h | sed 's/[^:]*: *//' |
      grep -v -e 'charset=binary' -e 'charset=us-ascii' |
      LC_ALL=C sort | uniq -c
    1 text/html; charset=utf-8
    2 text/plain; charset=utf-8
    1 text/x-c; charset=utf-8
Commands used to search and replace:

    $ git grep -Ilz '[[:blank:]]$' |
      xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed -E \
      's/[[:blank:]]+$//' '{}')\" >'{}'"

This fixes all of the "trailing whitespace" errors raised by git:

    $ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD |
      grep '^[^+]' | cut -f 3 -d : | LC_ALL=C sort | uniq -c
    72 space before tab in indent.
    4 trailing whitespace.
Commands used to search and replace:

    $ git grep -Ilz '.' | xargs -0 -I '{}' sh -c \
      "printf '%s\n' \"\$(cat '{}')\" >'{}'"

The above commands ensure that there is exactly 1 line terminator at EOF
(rather than 0 or more than 1) on all non-empty text files.

This fixes all of the "new blank line at EOF" errors raised by git:

    $ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD |
      grep '^[^+]' | cut -f 3 -d : | LC_ALL=C sort | uniq -c
    21 new blank line at EOF.
    72 space before tab in indent.
    4 trailing whitespace.
Print the argument when failing with "too long arguments"
Also, s/arguments/argument/ since the message refers to one specific
argument.
Relates to commit 0d06369a8 ("Make env/arg sanity check failure messages
more useful", 2021-11-10) / PR #4676.
Relates to #5676.
* Create qpdf.profile and redirects
qpdf (CLI) provides PDF metadata cleaning.
See privacy-handbuch.de[1] for details.
The site offers pdf-meta-clean.sh[2], which works very well with
firejailed qpdf.
[1] https://www.privacy-handbuch.de/handbuch_43a.htm
[2] https://www.privacy-handbuch.de/download/pdf-meta-clean.sh
* RELNOTES: add qpdf and redirects to new profiles section
* firecfg.config: add qpdf and redirects
* qpdf: use 'seccomp socket' instead of 'protocol unix'
See https://github.com/netblue30/firejail/issues/639. Thanks @rusty-snake in code review.
Arch Linux got systemd v253:
https://github.com/archlinux/svntogit-packages/commit/05d0aedb2b83a2e1ba07cab47205772f82cb4814
It adds a few new files we should blacklist in `disable-common.inc`:
- /etc/credstore
- /etc/credstore.encrypted
- /run/credentials/systemd-sysctl.service
- /run/credentials/systemd-sysusers.service
- /run/credentials/systemd-tmpfiles-setup.service
- /run/credentials/systemd-tmpfiles-setup-dev.service
Relates to #5667 #5668.
docs: selinux.c: Split Copyright notice & use same license as upstream
The upstream file is licensed under the LGPLv2.1+ and it uses an SPDX
license identifier rather than an LGPL license notice[1].

And according to the GNU project, the LGPLv2.1+ is compatible with both
the GPLv2 (with the result being GPLv2) and the GPLv3 (with the result
being GPLv3), though the reverse (GPL -> LGPL) does not apply[2] [3].

This means that if we make changes that are only available under the
GPLv2, systemd would be unable to copy them back and release the result
under the LGPLv2.1 without being in violation of the GPLv2.

So replace the GPL license notice with the SPDX license identifier of
the upstream file ("LGPL-2.1-or-later"), to make it easier to share
changes between both projects.

See also the following systemd commits[4] [5] [6] [7]:

* 53e1b68390 ("Add SPDX license identifiers to source files under the
  LGPL", 2017-11-18)
* db9ecf0501 ("license: LGPL-2.1+ -> LGPL-2.1-or-later", 2020-11-09)

[1] https://github.com/systemd/systemd/blob/254d1313ae5a69c08c9b93032aaaf3d6083cfc07/src/shared/selinux-util.c
[2] https://www.gnu.org/licenses/license-list.en.html#LGPLv2.1
[3] https://www.gnu.org/licenses/license-compatibility.html
[4] https://github.com/systemd/systemd/commit/53e1b683907c2f12330f00feb9630150196f064d
[5] https://github.com/systemd/systemd/pull/7386
[6] https://github.com/systemd/systemd/commit/db9ecf050165fd1033c6f81485917e229c4be537
[7] https://github.com/systemd/systemd/pull/17548
This makes firejail's Copyright notice match the ones in basically
every other file, which simplifies updating the Copyright years.

selinux.c was added on commit 1ad2d54c0 ("Add support for SELinux
labeling", 2020-02-18) and it claims to be "from systemd
selinux-util.c".

As for systemd's Copyright notice, the current version of that file on
the systemd project does not have any[1].

The first commit in the systemd repository is from 2009[2] and the file
was copied in 2020 (and does not seem to have been synced since), so set
the years in its Copyright notice to 2009-2020.

Since there is no Copyright notice (and no author) in the upstream file,
list "The systemd Authors" in the Copyright notice.

See also systemd commit 0c69794138 ("tree-wide: remove Lennart's
copyright lines", 2018-06-12)[3] [4].

[1] https://github.com/systemd/systemd/blob/254d1313ae5a69c08c9b93032aaaf3d6083cfc07/src/shared/selinux-util.c
[2] https://github.com/systemd/systemd/commit/6091827530d6dd43479d6709fb6e9f745c11e900
[3] https://github.com/systemd/systemd/commit/0c697941389b7379c4471bc0a067ede02814bc57
[4] https://github.com/systemd/systemd/pull/9274
build: deb: enable apparmor by default & remove deb-apparmor
The official .deb package is always built with apparmor support, so use
`--enable-apparmor` in mkdeb.sh and remove the "deb-apparmor" target in
order to reduce redundancy.

Note that custom configure options may be specified by calling
./mkdeb.sh directly.

For example, to build the .deb package without apparmor support, instead
of running `make deb`, the following commands can be used:

    make dist
    ./mkdeb.sh --disable-apparmor

Also, change the `build_apparmor` GitLab CI job into
`build_no_apparmor`, which is intended to check that building without
apparmor still works.

Note: This commit makes the resulting .deb package not have an
"-apparmor" suffix (see `EXTRA_VERSION` in mkdeb.sh), to avoid
redundancy (as having apparmor support becomes the default).

Misc: This is a follow-up to #5654.

Relates to #5154 #5176 #5547.
The "deb" target depends on the "dist" target, which creates an archive
from DISTFILES.

The arguments to ./configure are misleading, as they do not affect the
archive that is used by `make deb`. That is the case because the
configure output files (config.mk and config.sh) are not copied into the
dist archive, only their input files (config.mk.in and config.sh.in).

In order to affect the .deb package, the configure arguments have to be
passed to mkdeb.sh, which then forwards them to ./configure itself.

Note: This does not apply to the rpm-based jobs, as `make rpms` uses the
files directly rather than using the dist archive.

Relates to #5154.
In the `build_and_test` job, to match the common usage.
Added on commit 300efec35 ("let github CI run tests", 2020-10-24).
Make it "2014-2023", which is the same as in basically every other file
that has the same Copyright author.
This kind of amends commit b408b20c7 ("gcov: fix build failure with gcc
11.1.0", 2021-06-15) / PR #4376.
This is a follow-up to #5664.
Fixes #5639.
qutebrowser: drop apparmor
Suggested in PR review.