Commit log (commit message, author, date)

* Fix symlinks that go through /proc/self (Simo Piiroinen, 2021-02-19)
  When constructing the sandbox fs, /etc/mtab, which is a symlink to /proc/self/mounts, gets resolved as /proc/PID/mounts, where PID is not the pid of the process that is going to get executed in the firejail -> the result is a broken/inaccessible symlink from the application's point of view.
  Use a /proc/self/xxx type symlink target if it resolves similarly as the /proc/PID/xxx type would at the time of mapping.

  Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
  Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>

* refresh capabilities (#3945) (smitsohu, 2021-02-19)

* Merge pull request #3994 from kmk3/fix-copyright-bump (glitsj16, 2021-02-17)
  contrib/firejail-welcome.sh: fix copyright year

* contrib/firejail-welcome.sh: fix copyright year (Kelvin M. Klann, 2021-02-15)
  Append the current year rather than replace the previous one.

  This amends commit 2609e5cf0 ("copyright update").

  Commands that helped catch this:

    $ git show --pretty='' 2609e5cf0 | sed -n 's/^-.*Copyright //p' | LC_ALL=C sort | uniq
    (C) 2014-2020 Firejail Authors
    (C) 2014-2020 Firejail Authors (see README file for more details)
    (C) 2020 Firejail Authors
    (C) 2020 Firejail and systemd authors
    (c) 2019,2020 rusty-snake

    $ git show --pretty='' 2609e5cf0 | sed -n 's/^+.*Copyright //p' | LC_ALL=C sort | uniq
    (C) 2014-2021 Firejail Authors
    (C) 2014-2021 Firejail Authors (see README file for more details)
    (C) 2020-2021 Firejail Authors
    (C) 2020-2021 Firejail and systemd authors
    (C) 2021 Firejail Authors
    (c) 2019-2021 rusty-snake

* Merge pull request #3993 from glitsj16/template (glitsj16, 2021-02-17)
  fixes for profile.template

* fix Common-Extra (glitsj16, 2021-02-17)
  See https://github.com/netblue30/firejail/pull/3993/files/660bc3435b43e32d156d9bb5bee2dbad2f84cf36#r577366805.

* fix ordering in profile.template (glitsj16, 2021-02-16)

* miscellaneous fixes to profile.template (glitsj16, 2021-02-16)

* Merge pull request #3985 from rusty-snake/sort.py-updates (rusty-snake, 2021-02-17)
  Sort.py updates

* sort.py: Remove whitespace in status output (rusty-snake, 2021-02-15)
  Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>

* sort.py: Always show the fix in a diff-like format (rusty-snake, 2021-02-14)

* sort.py: Print how many profiles are checked (rusty-snake, 2021-02-14)

* workflows/sort.yml: Run also if sort.py is changed (rusty-snake, 2021-02-14)

* sort.py: Print the fixed line when running in a CI (rusty-snake, 2021-02-14)

* sort.py: Better error message (rusty-snake, 2021-02-14)

* Merge pull request #3995 from glitsj16/jitsi-meet-desktop (glitsj16, 2021-02-17)
  fix private-bin in jitsi-meet-desktop

* fix private-bin in jitsi-meet-desktop (glitsj16, 2021-02-17)

* Merge pull request #3990 from glitsj16/torbrowser (glitsj16, 2021-02-16)
  Follow-up fixes for torbrowser-launcher

* adapt to apparmor being opt-in for torbrowser-launcher (glitsj16, 2021-02-15)

* make apparmor opt-in (glitsj16, 2021-02-15)

* add note for torbrowser-launcher opt-in (glitsj16, 2021-02-15)

* revert torbrowser-launcher rule (glitsj16, 2021-02-15)
  See https://github.com/netblue30/firejail/pull/3990#discussion_r576404417.

* Avoid doubled include globals.local (glitsj16, 2021-02-15)
  The final profile in the include chain - torbrowser-launcher.profile - already includes globals.local. Unless there's some kind of potential race condition that needs to be avoided by changing this 'logic', we should avoid doubled includes.

* Avoid doubled include globals.local (glitsj16, 2021-02-15)
  The final profile in the include chain - torbrowser-launcher.profile - already includes globals.local. Unless there's some kind of potential race condition that needs to be avoided by changing this 'logic', we should avoid doubled includes.

* Allow access to torbrowser-launcher under ${HOME} (glitsj16, 2021-02-15)
  Follow-up for https://github.com/netblue30/firejail/pull/3988. We need to allow access to torbrowser-launcher executables installed under ${HOME}. Thanks @rusty-snake and @Vincent43 for motivational input.

* chroot: disable/enable x11 handling at compile time (smitsohu, 2021-02-16)

* firejail in firejail: don't clear environment variables (smitsohu, 2021-02-16)

* some cleanup (smitsohu, 2021-02-16)
  As no length checks are performed any more on environment variables, remove obsoleted code.

* copyright update (startx2017, 2021-02-15)

* Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2021-02-14)

* build: include zsh completion in rpm (Reiner Herrmann, 2021-02-14)

* CI: sync codeql config with Github's template (Reiner Herrmann, 2021-02-14)
  Fixes: #3986

* fix tor browser (netblue30, 2021-02-14)

* disable .ssh and .gnupg in kdiff3 profile (netblue30, 2021-02-14)

* Merge pull request #3988 from glitsj16/tbl (glitsj16, 2021-02-14)
  add apparmor to torbrowser-launcher

* add apparmor to torbrowser-launcher (glitsj16, 2021-02-14)

* Merge pull request #3864 from haraldkubota/master (rusty-snake, 2021-02-13)
  Add first version of zsh completion

* Add first version of zsh completion (Harald Kubota, 2021-02-12)
  Don't have duplicate descriptions and put = signs where they belong to
  zsh completion function now dynamically adjusts for options (e.g. no --apparmor option without AppArmor configured)
  No EXTRA_CFLAGS for cpp
  Found main.c which does the argument processing. Moved some arguments into the correct #ifdef blocks
  Profile selection now much better
  No more cpp. Using preproc.awk instead.
  Updated bash firejail command completion to add profiles
  ignore bash and zsh dynamically created completion scripts
  Moved bash/zsh completions out of ALL_ITEMS to fix make install
  Cleanup

* mkasc.sh: fix typo of Calculating (Kelvin M. Klann, 2021-02-12)
  Added on commit 64505c744 ("fix SHA1 issue when signing the realease").

* tweak (smitsohu, 2021-02-12)
  readability/making it more obvious buffers are properly initialized

* remount hardening (smitsohu, 2021-02-12)

* chroot hardening (smitsohu, 2021-02-12)
  The check was introduced some time ago in fs_x11(), but fs_chroot() does the same thing and needs it as well.

* Revert "Merge pull request #3607 from kortewegdevries/wemail" (rusty-snake, 2021-02-12)
  This reverts commit bd1819a8641e0eeae016846b28a41e625bcc215b, reversing changes made to 807af3dce05786f10747cc0938cc98af484c8e97.

  The whole PR looks like a single crap, it is not even syntactically correct. Has anyone at least started kmail with this profile before it was merged?

  See #3979, thanks @creideiki for reporting.

  > First, there are syntax errors. Several mkdir lines have file names containing asterisks.
  > This gives the following error:
  >
  > Error: "${HOME}/.cache/akonadi*" is an invalid filename: rejected character: "*"
  >
  > I am not sure what they intend to do, but whatever it is it's not working.
  > Especially confusing is the line
  >
  > mkdir /tmp/akonadi-*
  >
  > Yes, Akonadi creates a directory in /tmp, but its name is random and seems to have been created
  > using mkstemp(3) or similar. I'm not sure how Firejail is supposed to be able to pre-create it.
  >
  > Removing the asterisks makes Firejail at least accept the profile syntactically and try to run
  > the program.

  It is rejected by syntax. Has anyone tested?

  > At startup, Firejail now prints the following warning:
  >
  > ***
  > *** Warning: cannot whitelist ${DOCUMENTS} directory
  > *** Any file saved in this directory will be lost when the sandbox is closed.
  > ***

  Why was 'include disable-xdg.inc' added together with 'whitelist ${DOCUMENTS}', but no 'noblacklist ${DOCUMENTS}'? It can not work.

  > The actual error is that PostgreSQL needs access to /usr/lib64/postgresql-13/ in order to run.
  > Adding the following line to kmail.profile fixes that:
  >
  > whitelist /usr/share/postgresql*

  Again, has anyone tested this?

  > The next problem is this message on the console:
  >
  > kf.config.core: Couldn't write "/home/creideiki/.config/kmail2rc" . Disk full?
  >
  > Which may have something to do with the profile creating a directory with that name:
  >
  > mkdir ${HOME}/.config/kmail2rc
  >
  > when it's supposed to be a file:
  >
  > $ stat ~/.config/kmail2rc
  >   File: /home/creideiki/.config/kmail2rc
  >   Size: 24660     Blocks: 56     IO Block: 4096     regular file

  Has anyone tested this or is this just a blind copy of the noblacklist from above with noblacklist replaced by mkdir?

  > However, the error message
  >
  > kf.config.core: Couldn't write "/home/creideiki/.config/kmail2rc" . Disk full?
  >
  > still appears.

  Looks like #1793. HAS ANYONE TESTED THIS PROFILE??!

  > Finally, when exiting KMail, it crashes with a SIGSEGV:
  >
  > *** KMail got signal 11 (Exiting)
  > *** Dead letters dumped.
  > KCrash: crashing... crashRecursionCounter = 2
  > KCrash: Application Name = kmail path = /usr/bin pid = 20
  > KCrash: Arguments: /usr/bin/kmail

  Has any...

  > I tried restoring an older kmail.profile, from commit 319f2dc, and it has none of the above problems.

  ... I give up asking if anyone tested this.

  > Given the multitude of problems with commit 5532fbd, I'd suggest reverting it until it can be fixed.

  Yes, definitely.

* Always allow empty environment variables (Topi Miettinen, 2021-02-11)
  With the recent changes to environment variable handling, it should be safe to always allow empty variables.

  Closes: #3965

* display-im6.q16 (netblue30, 2021-02-11)

* display-im6.q16 (netblue30, 2021-02-11)

* Merge pull request #3969 from glitsj16/fsaccessat2 (netblue30, 2021-02-11)
  add support for faccessat2 syscall

* add support for faccessat2 syscall (glitsj16, 2021-02-10)

* add support for faccessat2 syscall (glitsj16, 2021-02-10)

* add support for faccessat2 syscall (glitsj16, 2021-02-10)