Commit message (Author, Age)

* Merge pull request #6104 from kmk3/ci-enable-sort-py (netblue30, 2023-12-04)
  ci: re-enable sort.py
* ci: re-enable sort.py (Kelvin M. Klann, 2023-11-26)
  It was disabled on commit df6ea884f ("merges, disable sort.py in profile checks temporarely, two more private-etc profiles", 2023-02-14). Currently all profiles are sorted and there are no ongoing `private-etc` changes, so it should be safe to re-enable.
  Note that the script is useful to catch sorting issues not only in `private-etc` but also in other commands, such as `seccomp`[1] [2].
  This is a follow-up to #6070. Relates to #5610.
  [1] https://github.com/netblue30/firejail/pull/6066#discussion_r1372055800
  [2] https://github.com/netblue30/firejail/pull/6067#discussion_r1372027243
* Merge pull request #6107 from kmk3/lutris-allow-mangohud (netblue30, 2023-12-04)
  lutris.profile: allow mangohud
* lutris.profile: allow mangohud (Kelvin M. Klann, 2023-11-27)
  Similarly to steam.profile (see #4864). Fixes #6106.
* Merge pull request #6109 from kmk3/netfilter-expand-macros (netblue30, 2023-12-04)
  feature: expand simple macros in more commands
* feature: expand simple macros in more commands (Kelvin M. Klann, 2023-11-27)
  This includes macros such as `${HOME}` and `${RUNUSER}`. Commands:
    * --chroot=
    * --netfilter=
    * --netfilter6=
    * --trace=
  Closes #6032. Reported-by: @michelesr
* Merge pull request #5876 from kmk3/firecfg-add-confdir-ignore (netblue30, 2023-12-04)
  feature: firecfg: add firecfg.d & add ignore command
* firecfg: add ignore command and docs (Kelvin M. Klann, 2023-08-04)
  Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax.
  Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter.
  Closes #2097.
  [1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
* firecfg: parse config files in /etc/firejail/firecfg.d (Kelvin M. Klann, 2023-08-04)
  As suggested by @WhyNotHugo[1].
  [1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
* firecfg: turn constant strings into constants (Kelvin M. Klann, 2023-08-04)
  Instead of using asprintf + free. Also, use LIBDIR instead of hardcoded "/usr/lib" for fzenity.
* firecfg: fix missing free and formatting (Kelvin M. Klann, 2023-08-04)
  Changes:
    * fix inconsistent indentation/braces
    * add missing free
* RELNOTES: add modif, bugfix, build and contrib items (Kelvin M. Klann, 2023-11-27)
  Relates to #5982 #6006 #6057 #6059 #6070 #6086 #6087.
* build(deps): bump github/codeql-action from 2.22.7 to 2.22.8 (dependabot[bot], 2023-11-27)
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.7 to 2.22.8.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/66b90a5db151a8042fa97405c6cf843bbe433f7b...407ffafae6a767df3e0230c3df91b6443ae8df75)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* lutris.profile: fix seccomp arguments (Kelvin M. Klann, 2023-11-25)
  I accidentally removed the `!` when sorting the arguments in #6067.
  This amends commit fbba03790 ("lutris.profile: allow more syscalls", 2023-10-24) / PR #6067.
* merges (netblue30, 2023-11-24)
* Merge pull request #6087 from chestnykh/issue-6006 (netblue30, 2023-11-24)
  Lookup xauth in PATH.
* Lookup xauth in PATH. (Dmitry Chestnykh, 2023-11-19)
  Don't use hardcoded `/usr/bin/xauth`, iterate over directories inside PATH instead.
  This fixes https://github.com/netblue30/firejail/issues/6006
* Merge pull request #6070 from kmk3/sort-py-csort (netblue30, 2023-11-24)
  build: sort.py: use case-sensitive sorting
* build: sort.py: use case-sensitive sorting (Kelvin M. Klann, 2023-10-27)
  To match how things are sorted elsewhere, such as with `noblacklist` / `whitelist` lines (vertically) in profiles and in ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
  This makes the order in `private-etc` always be groups (`@group`), then uppercase paths, then lowercase paths. Example from etc/profile-m-z/softmaker-common.profile:
    private-etc @tls-ca,SoftMaker,fstab
  Note that this does not affect a significant amount of profiles; most changes are in `private-bin` / `private-lib` lines and in `private-etc` lines for newer profiles that do not use groups. This is partly due to commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05) replacing `X11` with `@x11` in `private-etc` lines and then commit 0f996ea4d ("private-etc: groups modified", 2023-02-05) removing `Trolltech.conf` from `private-etc` lines and using case-sensitive sorting in them.
  Relates to #5610.
* Merge pull request #6067 from nutta-git/patch-2 (netblue30, 2023-11-24)
  lutris.profile: allow more syscalls
* lutris.profile: allow more syscalls (duevo, 2023-11-01)
  Need to whitelist `ptrace` and `clone3` for Ubisoft Connect to work. journalctl did list `process_vm_readv` when a game was running, but it didn't crash the game.
  Fixes #6035.
* Merge pull request #6066 from nutta-git/patch-1 (netblue30, 2023-11-24)
  steam.profile: allow process_vm_readv syscall
* steam.profile: allow process_vm_readv syscall (duevo, 2023-10-31)
  EA Origin (game launcher) won't launch without this.
  See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159
* Merge pull request #5957 from gerasiov/fcopy-fix-size-calculation (netblue30, 2023-11-24)
  fcopy: Use lstat when copy directory.
* fcopy: Use lstat when copy directory. (Alexander Gerasiov, 2023-08-14)
  When copying directories use lstat when reading info about source files.
* Fix displaying of large file sizes. (#6086) (Dmitriy Chestnykh, 2023-11-24)
  The most generic way is to use `intmax_t` because we don't know what is the "parent" type of `off_t`.
  This fixes https://github.com/netblue30/firejail/issues/5982
* build(deps): bump step-security/harden-runner from 2.6.0 to 2.6.1 (dependabot[bot], 2023-11-20)
  Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.0 to 2.6.1.
    - [Release notes](https://github.com/step-security/harden-runner/releases)
    - [Commits](https://github.com/step-security/harden-runner/compare/1b05615854632b887b69ae1be8cbefe72d3ae423...eb238b55efaa70779f274895e782ed17c84f2895)
  ---
  updated-dependencies:
  - dependency-name: step-security/harden-runner
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump github/codeql-action from 2.22.5 to 2.22.7 (dependabot[bot], 2023-11-20)
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.5 to 2.22.7.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/74483a38d39275f33fcff5f35b679b5ca4a26a99...66b90a5db151a8042fa97405c6cf843bbe433f7b)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* profiles: whitelist alternative data directory for tesseract (Reiner Herrmann, 2023-11-18)
  On Debian the data is in /usr/share/tesseract-ocr/
* New profile: tiny-rdm (#6083) (glitsj16, 2023-11-11)
    * disable-programs.inc: add support for tiny-rdm
    * Create tiny-rdm.profile
    * firecfg.config: add support for tiny-rdm
* clamtk: fix scanning (#6074) (glitsj16, 2023-11-02)
* freshclam: fix .local include (#6075) (glitsj16, 2023-11-02)
* build(deps): bump github/codeql-action from 2.22.4 to 2.22.5 (dependabot[bot], 2023-10-30)
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.4 to 2.22.5.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/49abf0ba24d0b7953cb586944e918a0b92074c80...74483a38d39275f33fcff5f35b679b5ca4a26a99)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* ci: run printenv.sh on codespell.yml (Kelvin M. Klann, 2023-10-29)
  It's the only workflow missing it.
  See commit 339d395fb ("ci: print env-related settings in each job", 2023-04-22) / PR #5802.
* discord.profile: allow /usr/share/discord (#6072) (veloute, 2023-10-29)
  discord_arch_electron[1] stores its files in /usr/share/discord, rather than the usual /opt/discord.
  [1] https://aur.archlinux.org/packages/discord_arch_electron
* sort.py: fix missing/duplicated commands in usage (Kelvin M. Klann, 2023-10-25)
* profiles: Extend node stack support for pnpm (#6063) (glitsj16, 2023-10-24)
    * nodejs-common: add pnpm support
    * disable-programs.inc: add pnpm support
    * Create pnpm.profile
    * Create pnpx.profile
* Merge pull request #6064 from kmk3/profiles-dedup-dc-dp (Kelvin M. Klann, 2023-10-24)
  disable-programs.inc: remove duplicated entries
* disable-programs.inc: remove duplicated entries (Kelvin M. Klann, 2023-10-24)
  They are already present in disable-common.inc.
  Added in the following commits:
    * 6bf6d5ed5 ("updated program files", 2016-12-02) / PR #951
    * 49280197c ("various hardening (#3394)", 2020-05-02)
    * 2e2c2327f ("profiles: support more msmtp configuration paths (#6060)", 2023-10-22)
  Misc: This was noticed on PR #6060.
* profiles: centralize gnome-boxes blacklisting in dc (Kelvin M. Klann, 2023-10-22)
  They are currently spread over disable-common.inc and disable-programs.inc.
  Added on commit 6f7ab41e4 ("blacklist gnome-boxes user files (VM-Images)", 2019-10-13) and commit 49280197c ("various hardening (#3394)", 2020-05-02).
* enabled nettraces by default in the main build - you would need to be root to run these options [landlock-split] (netblue30, 2023-10-24)
* build(deps): bump github/codeql-action from 2.22.3 to 2.22.4 (dependabot[bot], 2023-10-23)
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.3 to 2.22.4.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/0116bc2df50751f9724a2e35ef1f24d22f90e4e1...49abf0ba24d0b7953cb586944e918a0b92074c80)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (dependabot[bot], 2023-10-23)
  Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11)
  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* profiles: support more msmtp configuration paths (#6060) (glitsj16, 2023-10-22)
  Since version 1.8.6 msmtp supports per-user configuration at either ~/.msmtprc (already supported by firejail) or `$XDG_CONFIG_HOME/msmtp/config`. System-wide support can be placed at /etc/msmtprc. This adds the missing paths to the relevant .inc and .profile files.
  Note that `blacklist ${HOME}/.msmtprc` is present on both disable-common.inc and disable-programs.inc, so the new paths are added to both files.
  References:
  https://wiki.archlinux.org/title/Msmtp#Basic_setup
  https://marlam.de/msmtp/msmtp.html#Configuration-files
* contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6059) (mammo0, 2023-10-22)
  The `mimetypes` property contains the section `text/plain`. This causes for example the Gnome Editor to recognize every simple text file as a firejail profile file.
  See this issue: https://gitlab.gnome.org/GNOME/gnome-text-editor/-/issues/612
  Fixes #6057.
* RELNOTES: reword profiles item (Kelvin M. Klann, 2023-10-22)
  For extra clarity.
  Relates to #5987.
* RELNOTES: add profile items (Kelvin M. Klann, 2023-10-18)
  These profile-related changes seem significant enough to warrant entries, as #6021 adds some guidance on the use of private-opt and #5987 standardizes the format of commented code in all profiles.
  Relates to #5987 #6021.
* RELNOTES: add ci item (Kelvin M. Klann, 2023-10-18)
  Relates to #6026.
* profiles: exchange private-opt with a whitelist (#6021) (glitsj16, 2023-10-18)
    * profiles: drop private-opt (existing whitelist)
    * profiles: replace private-opt with whitelist
      In most profiles. Kept private-opt for enpass (~85MB), mate-dictionary (<20MB), minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't check: xmr-stak.
    * docs: note potential issues with private-opt
* steam.profile: Allow Baba Is You (#6054) (Frostbyte4664, 2023-10-16)