| Commit message | Author | Age |
| |
Remove the newer #6390 item as it is already on the list, remove the
older #6307 item (modif) and sort the new #6307 item (bugfix).
This amends commit 9ebecd00d ("readme/relnotes update", 2024-07-13).
| |
This command is deprecated and may be confused with a hardening option.
This amends commit 5a612029b ("rename noautopulse to keep-config-pulse",
2021-05-13) / PR #4278.
This is a follow-up to #6390.
| |
Relates to #6372 #6379 #6380 #6382 #6387 #6390 #6398.
| |
An ssh private key may be stored in a Trusted Platform Module (TPM)
device and `private-dev` in ssh.profile currently breaks this use-case,
as it does not keep tpm devices (see #6379).
So add a new `notpm` command and keep tpm devices in /dev by default
with `private-dev` unless `notpm` is used.
| |
Format and sort items in the private-bin, private-dev and private-etc
sections.
| |
The `@sound` group currently only contains paths related to alsa and
pulseaudio.
This amends commit 02d37680c ("private-etc rework: file groups moved to
src/include/etc_groups.h, new groups added", 2023-01-25).
Relates to #5610 #6400.
| |
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/f086349bfa2bd1361f7909c78558e816508cdc10...17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
| |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.7 to 3.25.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f079b8493333aace61c81488f8bd40919487bd9f...b611370bb5703a7efb587f9d136a52ea24c5c38c)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
| |
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
| |
Fractal 7 (and possibly earlier) stores messages and key material in
${XDG_DATA_DIR}/fractal which defaults to ~/.local/share/fractal.
Lack of access causes it to be unable to load messages offline and
de- or encrypt messages even when online without sharing keys again.
| |
It is apparently used by the (widely used) "Fancy" plugin, which
"Renders HTML e-mail using the WebKit library".
https://www.claws-mail.org/plugins.php
Relates to #6377.
Note: etc/profile-a-l/email-common.profile contains `private-cache`.
| |
It has been reported in #6372 that after upgrading the nvidia
proprietary driver from version 550.78 to 550.90.07, programs using
hardware acceleration fail unless paths in `/sys/module/nvidia*` are
accessible. Example:
$ firejail --noprofile prime-run /bin/glxdemo
[...]
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 150 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0
Serial number of failed request: 22
Current serial number in output stream: 23
[...]
Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
`/sys/module/amdgpu` for OpenCL (though it is unclear how to detect that
driver). See commit 95c8e284d ("Allow accessing /sys/module directory",
2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by Blender",
2018-05-08) from PR #1932.
So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
driver is detected and `no3d` is not used.
Note: The driver check is copied from src/firejail/util.c (see #841).
To keep the current behavior (that is, block all modules), add
`blacklist /sys/module` to globals.local.
Fixes #6372.
Reported-by: @GreatBigWhiteWorld
Reported-by: @orzogc
Reported-by: @krop
Reported-by: @michelesr
Suggested-by: @glitsj16
Tested-by: @flyxyz123
| |
Apparently hashcat needs access to this device for hardware acceleration
on AMD gpus and `private-dev` currently breaks that (see #6364).
It seems to be used by the "amdgpu" and "amdkfd" Linux kernel drivers
and as with /dev/dri/renderD128, this file is owned by the "render"
group.
Relevant udev rules from /usr/lib/udev/rules.d/50-udev-default.rules:
SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="0666"
SUBSYSTEM=="kfd", GROUP="render", MODE="0666"
SUBSYSTEM=="accel", GROUP="render", MODE="0666"
Environment: udev 255.6-1 on Artix Linux.
Reported-by: @schrotthaufen
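As an added example (editor's code, not firejail's or udev's), the following Python parses the three udev rule lines quoted in the message above and checks a device node against what they assign. The rule text is copied from the message; the device modes and group names fed to check_node() are constructed, and the parser only understands the plain KEY op "value" syntax used by those lines (no ATTR{...} or ENV{...} keys).

```python
"""Parse the udev rules quoted above and check a device node against them.

Added example; this is not firejail's or udev's own code. The three rule
lines are copied from the commit message; the device entries fed to
check_node() are constructed.
"""
import fnmatch
import re

# Copy of the rule lines quoted in the commit message (constructed input).
RULES_TEXT = """\
SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="0666"
SUBSYSTEM=="kfd", GROUP="render", MODE="0666"
SUBSYSTEM=="accel", GROUP="render", MODE="0666"
"""

# KEY op "value" pairs separated by commas; udev's match operators are ==
# and !=, everything else (=, +=, -=, :=) is an assignment. Keys with
# braces such as ATTR{...} are not handled (the quoted rules have none).
_TOKEN = re.compile(r'\s*(\w+)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?')


def parse_rules(text):
    """Return one {'match': {KEY: (op, pattern)}, 'assign': {KEY: value}} per rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match, assign, pos = {}, {}, 0
        while pos < len(line):
            m = _TOKEN.match(line, pos)
            if m is None:
                raise ValueError(f"cannot parse udev rule fragment: {line[pos:]!r}")
            key, op, value = m.groups()
            if op in ("==", "!="):
                match[key] = (op, value)
            else:
                assign[key] = value
            pos = m.end()
        rules.append({"match": match, "assign": assign})
    return rules


def rule_for(rules, subsystem, kernel):
    """Merge the assignments of every rule matching the device, in file order
    (a later rule overrides an earlier one). None when nothing matches."""
    device = {"SUBSYSTEM": subsystem, "KERNEL": kernel}
    result = {}
    for rule in rules:
        ok = True
        for key, (op, pattern) in rule["match"].items():
            hit = fnmatch.fnmatchcase(device.get(key, ""), pattern)
            if (op == "==") != hit:   # == needs a hit, != needs a miss
                ok = False
                break
        if ok:
            result.update(rule["assign"])
    return result or None


def check_node(expected, st_mode, group_name):
    """Compare a node's stat mode and owning group with the rule's GROUP/MODE.
    Returns a list of mismatch descriptions (empty when the node is as expected)."""
    problems = []
    if group_name != expected["GROUP"]:
        problems.append(f"group {group_name} != {expected['GROUP']}")
    mode = f"{st_mode & 0o777:04o}"
    if mode != expected["MODE"]:
        problems.append(f"mode {mode} != {expected['MODE']}")
    return problems


if __name__ == "__main__":
    import grp
    import os
    rules = parse_rules(RULES_TEXT)
    for subsystem, kernel, path in (("kfd", "kfd", "/dev/kfd"),
                                    ("drm", "renderD128", "/dev/dri/renderD128")):
        expected = rule_for(rules, subsystem, kernel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            print(f"{path}: absent (what a `private-dev` sandbox sees when the node is not kept)")
            continue
        group = grp.getgrgid(st.st_gid).gr_name
        print(path, expected, check_node(expected, st.st_mode, group) or "ok")
```

Run it inside and outside the sandbox to compare: outside, /dev/kfd should report "ok"; inside `private-dev` without the node kept, it reports the file as absent. Note that with MODE="0666" the node is world read/write, so membership in the "render" group is not what gates access; what removes the device for hashcat is `private-dev` filtering it out of /dev.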
| |
Fixes #6377.
| |
Added on commit 2453f0ecf ("email-common.profile: allow clamav plugin
for claws-mail", 2023-03-07) / PR #5719.
| |
We still see lots of issue reports where the user runs `firejail foo`
and ends up running foo's sandbox twice (due to firecfg's symlink
precedence). Try to improve the situation by explicitly using absolute
paths in the 'steps to reproduce' section.
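To make the double-sandbox problem concrete, here is an added Python example (editor's code, not firejail's or firecfg's) that reproduces the PATH lookup a shell performs and reports whether `firejail foo` would hit a firecfg symlink instead of the real program. The PATH layout, the fake firejail binary and the symlink are constructed in a temporary directory; nothing on the real system is touched.

```python
"""Show how `firejail foo` can start foo's sandbox twice after `firecfg`.

Added example, not firejail's or firecfg's code. It builds a throwaway PATH
layout in a temporary directory (the paths and the fake firejail binary are
constructed) instead of touching the real system.
"""
import os
import shutil
import tempfile


def lookup_in_path(name, path_dirs):
    """First executable matching `name`, resolved the way a shell does it:
    a name containing '/' is used as-is, otherwise PATH is walked in order."""
    if os.sep in name:
        return name if os.path.isfile(name) and os.access(name, os.X_OK) else None
    for directory in path_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def is_firecfg_symlink(exe, firejail):
    """firecfg integrates a program by creating a NAME -> firejail symlink in a
    directory that precedes the real binary in PATH."""
    return os.path.islink(exe) and os.path.realpath(exe) == os.path.realpath(firejail)


def diagnose(name, path_dirs, firejail):
    """Classify what `firejail NAME` would run.

    Returns (status, what_path_gives, real_program):
      'double-sandbox' if NAME resolves to the firecfg symlink, so the inner
                       process is another firejail instance;
      'ok'             if NAME already resolves to the real program;
      'missing'        if NAME is not found at all.
    """
    hit = lookup_in_path(name, path_dirs)
    if hit is None:
        return ("missing", None, None)
    if not is_firecfg_symlink(hit, firejail):
        return ("ok", hit, hit)
    # Skip the symlink and look for the real program further down PATH;
    # that absolute path is what the bug reporter should be asked to use.
    real = None
    for directory in path_dirs:
        candidate = os.path.join(directory, name)
        if (os.path.isfile(candidate) and os.access(candidate, os.X_OK)
                and not is_firecfg_symlink(candidate, firejail)):
            real = candidate
            break
    return ("double-sandbox", hit, real)


def build_layout():
    """Constructed layout: usr/local/bin (firecfg symlinks) precedes usr/bin."""
    root = tempfile.mkdtemp(prefix="firecfg-demo-")
    usr_bin = os.path.join(root, "usr", "bin")
    local_bin = os.path.join(root, "usr", "local", "bin")
    os.makedirs(usr_bin)
    os.makedirs(local_bin)
    firejail = os.path.join(usr_bin, "firejail")
    real_foo = os.path.join(usr_bin, "foo")
    for exe in (firejail, real_foo):
        with open(exe, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(exe, 0o755)
    os.symlink(firejail, os.path.join(local_bin, "foo"))  # what firecfg creates
    return {"root": root, "path": [local_bin, usr_bin],
            "firejail": firejail, "real_foo": real_foo}


def cleanup(layout):
    shutil.rmtree(layout["root"], ignore_errors=True)


if __name__ == "__main__":
    layout = build_layout()
    try:
        print(diagnose("foo", layout["path"], layout["firejail"]))
        print(diagnose(layout["real_foo"], layout["path"], layout["firejail"]))
    finally:
        cleanup(layout)
```

On a real system the same check is `readlink -f "$(command -v foo)"`: if it prints the firejail binary, `firejail foo` is the double-sandbox case and the absolute path of the real program (usually /usr/bin/foo) should be used instead, which is what the updated issue template asks for.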
| |
Relates to #6364.
| |
Relates to #6352 #6353 #6354 #6358 #6359 #6361 #6366 #6367 #6369.
| | |
build: standardize install commands
| | |
For increased consistency and readability.
| | |
For increased consistency and readability.
| | |
Just try to install them, as is done in the other `$(INSTALL) -d`
commands.
| | |
Changes:
* Remove / after `$(DESTDIR)`
* Remove useless -c
* Use 0755 instead of 755
* Use -d after -m
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
| | |
The command below already installs it.
Added on commit 926790411 ("add basic Firejail support to AppArmor base
abstraction (#3226)", 2021-10-21) / PR #4628.
| | |
And remove the extraneous semicolon at the end of the command string.
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
| | |
Fixes #6358.
| | |
This closes the escape route discussed in #6357.
It's left open for i3's own profile, so that people who run i3 itself
sandboxed still have the option to use IPC with it at all.
Reference for file paths:
https://i3wm.org/docs/userguide.html#_interprocess_communication
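The escape route is the i3 IPC socket: any process that can connect to it can ask i3 to run a command, including `exec`, outside the sandbox. The added Python example below (editor's code, not firejail's or i3's) encodes and decodes IPC frames as documented at the link above and probes a socket with the harmless GET_VERSION request, so it can be run from inside a sandbox to confirm the socket is no longer reachable. The socket locations searched by candidate_sockets() are assumptions taken from the i3 documentation ($I3SOCK, ${XDG_RUNTIME_DIR}/i3/ipc-socket.*, /tmp/i3-*/ipc-socket.*); the frames in __main__ and in the usage below are constructed.

```python
"""Encode and decode i3 IPC frames and probe whether an i3 socket is reachable.

Added example, not firejail's or i3's code. The frame layout and the message
type numbers follow the i3 IPC documentation linked above; the socket
locations searched by candidate_sockets() are assumptions taken from that
documentation.
"""
import glob
import os
import socket
import struct

MAGIC = b"i3-ipc"
RUN_COMMAND = 0   # payload is an i3 command string, e.g. "exec ..."
GET_VERSION = 7   # harmless request, used here only to test reachability
_HEADER = len(MAGIC) + 8


def encode_frame(msg_type, payload=b""):
    """<"i3-ipc"><u32 payload length><u32 type><payload>, little-endian."""
    if isinstance(payload, str):
        payload = payload.encode()
    return MAGIC + struct.pack("<II", len(payload), msg_type) + payload


def decode_frame(data):
    """Return (msg_type, payload, remaining bytes); ValueError on a bad frame."""
    if len(data) < _HEADER or data[:len(MAGIC)] != MAGIC:
        raise ValueError("not an i3-ipc frame")
    length, msg_type = struct.unpack("<II", data[len(MAGIC):_HEADER])
    if len(data) < _HEADER + length:
        raise ValueError("truncated frame")
    return msg_type, data[_HEADER:_HEADER + length], data[_HEADER + length:]


def candidate_sockets(env, tmp_dir="/tmp"):
    """Where a process would look for the socket (assumed, per the i3 docs):
    $I3SOCK first, then ${XDG_RUNTIME_DIR}/i3/ipc-socket.*, then
    <tmp_dir>/i3-*/ipc-socket.*."""
    paths = []
    if env.get("I3SOCK"):
        paths.append(env["I3SOCK"])
    if env.get("XDG_RUNTIME_DIR"):
        paths += sorted(glob.glob(os.path.join(env["XDG_RUNTIME_DIR"], "i3", "ipc-socket.*")))
    paths += sorted(glob.glob(os.path.join(tmp_dir, "i3-*", "ipc-socket.*")))
    return paths


def probe(path, timeout=1.0):
    """Send GET_VERSION and report whether i3 answered. 'reachable' means the
    process could equally send RUN_COMMAND ("exec ...") and have i3 start a
    program outside the sandbox; with the socket blacklisted, connect() fails.
    Nothing but GET_VERSION is ever sent."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(path)
        sock.sendall(encode_frame(GET_VERSION))
        msg_type, _payload, _rest = decode_frame(sock.recv(65536))
        return "reachable" if msg_type == GET_VERSION else "unexpected reply"
    except (OSError, ValueError) as exc:
        return f"unreachable ({exc})"
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed frame: what a RUN_COMMAND escape looks like on the wire.
    print(encode_frame(RUN_COMMAND, "exec true"))
    for path in candidate_sockets(dict(os.environ)):
        print(path, probe(path))
```

Run it under `firejail --profile=<app>` for an application other than i3: after this change every candidate path should report "unreachable"; under i3's own profile the socket stays reachable, which is the exception the message describes.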
| | |
Description: Standalone Discord client.
https://armcord.app/
https://github.com/NextWork123/ArmCord
Requested in https://github.com/netblue30/firejail/issues/1139#issuecomment-2140174880.
| | |
Signed-off-by: Ilya Pankratov <i.pankratov.main@gmail.com>
| |
Fix memory and descriptor leaks.
Signed-off-by: Ilya Pankratov <i.pankratov.main@gmail.com>
| |
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.7.1 to 2.8.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/a4aa98b93cab29d9b1101a6143fb8bce00e2eac4...f086349bfa2bd1361f7909c78558e816508cdc10)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
| |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.5 to 3.25.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/b7cec7526559c32f1616476ff32d17ba4c59b2d6...f079b8493333aace61c81488f8bd40919487bd9f)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
| | |
build: allow overriding common tools
| | |
Tools:
* gzip
* install
* rm
* strip
* tar
For the programs not checked in configure.ac:
From the manual of GNU Autoconf (version 2.71):
> If you use `AC_PROG_INSTALL`, you must include `install-sh` in your
> distribution
So set `install` just in the Makefile. Use `$(RM)` to ensure that `-f`
is always used and to make it easier to spot when `-r` is used.
See commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
| | |
Just in case the value is not defined in config.mk and `make` is first
executed from another directory (such as in src/man) instead of the root
directory.
This amends commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
| | |
Based on the entries in etc/profile-m-z/makepkg.profile.
This fixes #6352.
| |
Changes:
* Improve Firefox D-Bus comment
* Add missing/standardize related comments
* Include allow-bin-sh.inc in relevant profiles
* Use Firefox URL open section in relevant profiles
| |
Relates to #6338.
| |
Relates to #6339 #6342 #6343.
| |
Cleaning does not appear to make a difference; the same number of files
is checked with/without cleaning.
Environment: cppcheck 2.12.0-3 on Artix Linux.
Added on commit 4e22add64 ("llvm scan", 2015-11-29).
This is a follow-up to #6222.
| | |
build: add strip target and simplify install targets
| | |
Leave just the "install" and "install-strip" targets.
See commit 099925e18 ("added install-strip, make install now without
strip.", 2015-09-10) / PR #60 and commit 0215cbc02 ("make install, make
install-strip", 2015-09-11).
| | |
Move the strip invocation into its own target to allow stripping
binaries without having to run the "realinstall" target.
| | | |
build: sort.py: use -i by default and add -n
| | | |
Support "--" to end options and fail if an unknown option is given.
| | | |
Overwrite in-place by default (`-i`) and add `-n` to override it.
This restores the previous default behavior (from 0.9.72), for the sake
of being consistent with all previous versions and because it's more
likely to be the desired behavior in most cases.
This amends commit aa08aa132 ("build: sort.py: add and require -i to
edit in-place (#6290)", 2024-03-25).
| | | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.4 to 3.25.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/ccf74c947955fd1cf117aef6a0e4e66191ef6f61...b7cec7526559c32f1616476ff32d17ba4c59b2d6)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
| | | |
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>