Commit message / Author / Age
* build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 (dependabot[bot], 2024-06-01)

  Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.7.1 to 2.8.0.
  - [Release notes](https://github.com/step-security/harden-runner/releases)
  - [Commits](https://github.com/step-security/harden-runner/compare/a4aa98b93cab29d9b1101a6143fb8bce00e2eac4...f086349bfa2bd1361f7909c78558e816508cdc10)

  ---
  updated-dependencies:
  - dependency-name: step-security/harden-runner
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump github/codeql-action from 3.25.5 to 3.25.7 (dependabot[bot], 2024-06-01)

  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.5 to 3.25.7.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/github/codeql-action/compare/b7cec7526559c32f1616476ff32d17ba4c59b2d6...f079b8493333aace61c81488f8bd40919487bd9f)

  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Merge pull request #6354 from kmk3/build-tool-vars (Kelvin M. Klann, 2024-05-29)

  build: allow overriding common tools
* build: allow overriding common tools (Kelvin M. Klann, 2024-05-29)

  Tools:

  * gzip
  * install
  * rm
  * strip
  * tar

  For the programs not checked in configure.ac:

  From the manual of GNU Autoconf (version 2.71):

  > If you use `AC_PROG_INSTALL`, you must include `install-sh` in your
  > distribution

  So set `install` just in the Makefile.

  Use `$(RM)` to ensure that `-f` is always used and to make it easier to
  spot when `-r` is used.

  See commit 93d623fdf ("build: allow overriding certain tools", 2024-02-23) /
  PR #6222.
* build: define CC/GAWK if undefined (Kelvin M. Klann, 2024-05-24)

  Just in case the value is not defined in config.mk and `make` is first
  executed from another directory (such as in src/man) instead of the root
  directory.

  This amends commit 93d623fdf ("build: allow overriding certain tools",
  2024-02-23) / PR #6222.
* profiles: libreoffice: support signing documents with GPG (#6353) (glitsj16, 2024-05-24)

  Based on the entries in etc/profile-m-z/makepkg.profile.

  This fixes #6352.
* profiles: streamline Firefox URL opening support (#6348) (glitsj16, 2024-05-20)

  Changes:

  * Improve Firefox D-Bus comment
  * Add missing/standardize related comments
  * Include allow-bin-sh.inc in relevant profiles
  * Use Firefox URL open section in relevant profiles
* profiles: yelp: add Firefox URL open support (#6349) (glitsj16, 2024-05-20)
* RELNOTES: add ci item (Kelvin M. Klann, 2024-05-20)

  Relates to #6338.
* RELNOTES: add build items (Kelvin M. Klann, 2024-05-20)

  Relates to #6339 #6342 #6343.
* build: remove clean dependency from cppcheck targets (#6343) (Kelvin M. Klann, 2024-05-20)

  Cleaning does not appear to make a difference; the same amount of files is
  checked with/without cleaning.

  Environment: cppcheck 2.12.0-3 on Artix Linux.

  Added on commit 4e22add64 ("llvm scan", 2015-11-29).

  This is a follow-up to #6222.
* Merge pull request #6342 from kmk3/build-add-strip (Kelvin M. Klann, 2024-05-20)

  build: add strip target and simplify install targets
* build: remove redundant realinstall target (Kelvin M. Klann, 2024-05-17)

  Leave just the "install" and "install-strip" targets.

  See commit 099925e18 ("added install-strip, make install now without
  strip.", 2015-09-10) / PR #60 and commit 0215cbc02 ("make install, make
  install-strip", 2015-09-11).
* build: add a standalone strip target (Kelvin M. Klann, 2024-05-17)

  Move the strip invocation into its own target to allow stripping binaries
  without having to run the "realinstall" target.
* Merge pull request #6339 from kmk3/build-sort-py-n (Kelvin M. Klann, 2024-05-20)

  build: sort.py: use -i by default and add -n
* build: sort.py: support "--" and fail on unknown option (Kelvin M. Klann, 2024-05-13)

  Support "--" to end options and fail if an unknown option is given.
* build: sort.py: use -i by default and add -n (Kelvin M. Klann, 2024-05-13)

  Overwrite in-place by default (`-i`) and add `-n` to override it.

  This restores the previous default behavior (from 0.9.72), for the sake of
  being consistent with all previous versions and because it's more likely to
  be the desired behavior in most cases.

  This amends commit aa08aa132 ("build: sort.py: add and require -i to edit
  in-place (#6290)", 2024-03-25).
* build(deps): bump github/codeql-action from 3.25.4 to 3.25.5 (dependabot[bot], 2024-05-18)

  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.4 to 3.25.5.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/github/codeql-action/compare/ccf74c947955fd1cf117aef6a0e4e66191ef6f61...b7cec7526559c32f1616476ff32d17ba4c59b2d6)

  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 4.1.5 to 4.1.6 (dependabot[bot], 2024-05-18)

  Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.6.
  - [Release notes](https://github.com/actions/checkout/releases)
  - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29)

  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* ci: make dependabot updates monthly and bump PR limit (#6338) (Kelvin M. Klann, 2024-05-18)

  It is currently only used for GitHub Actions.

  The ones used in this project rarely ever contain notable changes in their
  changelogs (in a way that would cause a noticeable difference in our CI).

  Also, there are weeks when most/all of the PR/commit activity is from
  dependabot PRs being opened/merged.

  For example, see the output of the following command:

      git log --no-decorate --oneline 9a0db13e12..bef085035

  So change the checks from weekly to monthly to reduce the noise.

  Additionally, bump `open-pull-requests-limit` to 4, as it seems that we
  only have 4 dependencies:

      $ git grep 'uses:' -- .github/ | sed -E 's/.*(uses: .*)@.*/\1/' | LC_ALL=C sort -u
      uses: actions/checkout
      uses: github/codeql-action/analyze
      uses: github/codeql-action/init
      uses: step-security/harden-runner

  This should ensure that PRs can be opened against all of them when the
  dependabot check is run.
* New profile: nhex (#6341) (glitsj16, 2024-05-17)

  Description: Tauri-based IRC client inspired by HexChat.

  https://nhexirc.com/
  https://github.com/nhexirc/nhex
* profiles: hexchat: add noprinters (#6340) (glitsj16, 2024-05-14)
* build(deps): bump github/codeql-action from 3.25.3 to 3.25.4 (dependabot[bot], 2024-05-13)

  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.3 to 3.25.4.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/github/codeql-action/compare/d39d31e687223d841ef683f52467bd88e9b21c14...ccf74c947955fd1cf117aef6a0e4e66191ef6f61)

  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 4.1.4 to 4.1.5 (dependabot[bot], 2024-05-13)

  Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.5.
  - [Release notes](https://github.com/actions/checkout/releases)
  - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b)

  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* profiles: steam: update novideo comment for webcam motion trackers (#6334) (duevo, 2024-05-12)

  Update comment to account for camera-based motion trackers.

  Fixes an issue with https://github.com/markx86/opentrack-launcher, where
  video input devices won't show up unless novideo is removed.
* profiles: loupe: harden and disable apparmor (#6333) (Kelvin M. Klann, 2024-05-12)

  The profile currently does not include disable-common nor makes `${HOME}`
  read-only, so the program can simply write to ~/.bashrc directly[1].

  disable-common.inc was commented due to it apparently breaking bwrap.

  As discovered by @glitsj16, it seems that allowing the bwrap binary is
  enough to make it work (and that apparmor breaks loupe)[2].

  So disable apparmor, allow bwrap and include disable-common.inc, plus other
  hardening by @glitsj16.

  This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) / PR #6327.

  [1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865
  [2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480
* landlock: fix misc alignment/newline (Kelvin M. Klann, 2024-05-12)

  This amends commit bf5a99360 ("landlock: add support for PATH macro",
  2023-12-22).

  Relates to #6078.
* profiles: hexchat: allow lua/downloads and harden (#6331) (glitsj16, 2024-05-07)

  * profiles: hexchat: hardenings

  * profiles: hexchat: allow lua/downloads and harden

  Allow more paths and add some extra options to harden the profile.

  We allow Perl but keep it out of private-bin. Do the same for Lua and
  clarify in the private-bin comment how to enable these interpreters.

  Consulted resources:

  - https://github.com/hexchat/hexchat/
  - https://hexchat.readthedocs.io/
* build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 (dependabot[bot], 2024-05-07)

  Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.7.0 to 2.7.1.
  - [Release notes](https://github.com/step-security/harden-runner/releases)
  - [Commits](https://github.com/step-security/harden-runner/compare/63c24ba6bd7ba022e95695ff85de572c04a18142...a4aa98b93cab29d9b1101a6143fb8bce00e2eac4)

  ---
  updated-dependencies:
  - dependency-name: step-security/harden-runner
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* New profile: d-spy (#6328) (glitsj16, 2024-05-02)

  Description: D-Bus debugger for GNOME

  https://gitlab.gnome.org/GNOME/d-spy

  From [1]:

  > D-Feet is no longer maintained. Please use d-spy

  [1] https://wiki.gnome.org/Apps/DFeet
* build(deps): bump github/codeql-action from 3.24.10 to 3.25.3 (dependabot[bot], 2024-05-01)

  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.10 to 3.25.3.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/github/codeql-action/compare/4355270be187e1b672a7a1c7c7bae5afdc1ab94a...d39d31e687223d841ef683f52467bd88e9b21c14)

  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 4.1.2 to 4.1.4 (dependabot[bot], 2024-05-01)

  Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.2 to 4.1.4.
  - [Release notes](https://github.com/actions/checkout/releases)
  - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...0ad4b8fadaa221de15dcec353f45205ec38ea70b)

  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* profiles: add loupe (Tavi, 2024-05-01)

  Signed-off-by: Tavi <tavi@divested.dev>
* add support for comm, coredump, and prctl procevents in firemon (netblue30, 2024-04-30)
* landlock: fix building without landlock.h (Kelvin M. Klann, 2024-04-29)

  landlock.h may not be available on the system (such as with older versions
  of Linux API headers), so only try to include it if `HAVE_LANDLOCK` is
  defined.

  This fixes the following error from `build_debian_package` (which uses
  `debian:buster`) on GitLab CI[1]:

      $ ./mkdeb.sh --enable-fatal-warnings
      [...]
      gcc [...] -c ../../src/firejail/landlock.c -o ../../src/firejail/landlock.o
      ../../src/firejail/landlock.c:22:10: fatal error: linux/landlock.h: No such file or directory
       #include <linux/landlock.h>
                ^~~~~~~~~~~~~~~~~~
      compilation terminated.

  This amends commit a05ae97af ("landlock: amend empty functions and
  comments", 2024-04-08) / PR #6305.

  Relates to #6078.

  [1] https://gitlab.com/Firejail/firejail_ci/-/jobs/6743161059
* profiles: fix new game profiles (Kelvin M. Klann, 2024-04-29)

  Fix sorting and improve comments.

  See etc/templates/profile.template.

  This amends commit 4c5f55899 ("several kids programs", 2024-04-29).
* several kids programs (netblue30, 2024-04-29)
* whitelisting /var/games by default (netblue30, 2024-04-28)
* Merge branch 'master' of ssh://github.com/netblue30/firejail (netblue30, 2024-04-28)
* profiles: fluffychat: remove option already present in disable-common.inc (#6322) (glitsj16, 2024-04-25)
* profiles: audacity: allow networking by default (#6321) (glitsj16, 2024-04-25)

  Newly-released audacity 3.5 supports cloud-saving and remote backup
  features:

  - https://www.audacityteam.org/blog/audacity-3-5/
  - https://support.audacityteam.org/additional-resources/changelog/audacity-3.5#cloud-project-saving
* RELNOTES: add feature, modif and profile items (Kelvin M. Klann, 2024-04-25)

  Relates to #6302 #6305 #6307 #6308 #6309.
* Merge pull request #6307 from spiiroin/serialize_remounts (Kelvin M. Klann, 2024-04-25)

  modif: populate /run/firejail while holding flock
* modif: populate /run/firejail while holding flock (Simo Piiroinen, 2024-04-25)

  There are reports of firejail sandboxed applications occasionally taking a
  long time (12 seconds) to start up. When this happens, it affects all
  sandboxed applications until the device is rebooted.

  The reason for the slowdown seems to be a timing hazard in the way remounts
  under /run/firejail are handled. This gets triggered when multiple firejail
  processes are launched in parallel as part of user session bring up and
  results in some, dozens, hundreds, or even thousands of stray
  /run/firejail/xxx mounts. The amount of mount points then affects every
  mount operation that is done during sandbox filesystem construction.

  To stop this from happening, arrange it so that only one firejail process
  at a time is inspecting and/or modifying mountpoints under /run/firejail by
  doing:

  1. Create /run/firejail directory (without locking)
  2. Create and obtain a lock for /run/firejail/firejail-run.lock
  3. Setup files, directories and mounts under /run/firejail
  4. Release /run/firejail/firejail-run.lock
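The four-step scheme in the commit above, as an added example in C that is not firejail's code: it creates the run directory unlocked, takes an exclusive flock(2) on a lock file inside it, runs the populate step under the lock, and releases. A probe called from inside the locked region shows that a second open file description cannot take the lock, which is what keeps two parallel launches from both seeing "not populated" and both mounting. The lock file name firejail-run.lock is taken from the commit text; the throwaway /tmp base directory, the "mnt" marker directory and the probe helpers are assumptions made for the example.

```c
/* Added example, not firejail's code: serialize population of a shared run
 * directory with flock(2), following the four steps in the commit message.
 * The lock file name comes from the commit; the "mnt" marker, the /tmp base
 * directory and the probe helpers are assumptions made for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>
#define LOCK_NAME "firejail-run.lock"

static int join_path(char *out, size_t len, const char *dir, const char *leaf) {
    int n = snprintf(out, len, "%s/%s", dir, leaf);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Step 1: create the run directory without a lock; EEXIST just means another
 * process got there first. */
static int create_rundir(const char *rundir) {
    return (mkdir(rundir, 0755) == -1 && errno != EEXIST) ? -1 : 0;
}

/* Step 2: open the lock file and block until we hold an exclusive flock.
 * Returns the fd that holds the lock, or -1. */
static int acquire_rundir_lock(const char *rundir) {
    char path[PATH_MAX];
    if (join_path(path, sizeof path, rundir, LOCK_NAME) == -1) return -1;
    int fd = open(path, O_RDWR | O_CREAT | O_CLOEXEC, 0644);
    if (fd == -1) return -1;
    while (flock(fd, LOCK_EX) == -1)
        if (errno != EINTR) { close(fd); return -1; }
    return fd;
}

/* Steps 1-4: setup() (step 3) runs only while the lock is held, so two
 * processes can no longer both see "not populated" and both create mounts. */
int populate_rundir_locked(const char *rundir, int (*setup)(const char *)) {
    if (create_rundir(rundir) == -1) return -1;
    int lockfd = acquire_rundir_lock(rundir);
    if (lockfd == -1) return -1;
    int rc = setup(rundir);
    flock(lockfd, LOCK_UN);   /* step 4: release; close() alone would also do it */
    close(lockfd);
    return rc;
}

/* Probe: 1 if another holder has the lock (non-blocking attempt fails with
 * EWOULDBLOCK), 0 if it is free, -1 on error.  flock locks belong to open file
 * descriptions, so a fresh open() conflicts even within the same process. */
int rundir_lock_held(const char *rundir) {
    char path[PATH_MAX];
    if (join_path(path, sizeof path, rundir, LOCK_NAME) == -1) return -1;
    int fd = open(path, O_RDWR | O_CLOEXEC);
    if (fd == -1) return -1;
    int rc = flock(fd, LOCK_EX | LOCK_NB);
    int saved = errno;
    if (rc == 0) flock(fd, LOCK_UN);
    close(fd);
    return rc == 0 ? 0 : (saved == EWOULDBLOCK ? 1 : -1);
}

static int observed_held_during_setup = -1;
/* Sample step 3: the check-then-create that races without the lock, recording
 * on the way whether the lock really is held while it runs. */
static int sample_setup(const char *rundir) {
    char path[PATH_MAX];
    struct stat st;
    observed_held_during_setup = rundir_lock_held(rundir);
    if (join_path(path, sizeof path, rundir, "mnt") == -1) return -1;
    if (stat(path, &st) == 0 && S_ISDIR(st.st_mode)) return 0; /* done earlier */
    return mkdir(path, 0755);
}

/* Whole sequence in a throwaway directory: 0 when the lock was held during
 * setup, a second run is a no-op, the marker exists and the lock is free again. */
int demo(void) {
    char base[] = "/tmp/rundir-flock-XXXXXX";
    char rundir[PATH_MAX], marker[PATH_MAX], lockfile[PATH_MAX];
    struct stat st;
    if (mkdtemp(base) == NULL) return -1;
    join_path(rundir, sizeof rundir, base, "run");
    join_path(marker, sizeof marker, rundir, "mnt");
    join_path(lockfile, sizeof lockfile, rundir, LOCK_NAME);
    int first = populate_rundir_locked(rundir, sample_setup);
    int held = observed_held_during_setup;
    int second = populate_rundir_locked(rundir, sample_setup);
    int free_after = rundir_lock_held(rundir);
    int marker_ok = stat(marker, &st) == 0 && S_ISDIR(st.st_mode);
    rmdir(marker); unlink(lockfile); rmdir(rundir); rmdir(base);
    return (first == 0 && held == 1 && second == 0 && free_after == 0 && marker_ok) ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

Inside setup, rundir_lock_held reports the lock as taken because flock locks are tied to open file descriptions rather than to processes, so every launcher must lock the same file and cannot bypass the lock by reopening it. That is also why step 1 stays outside the lock: the directory that holds the lock file has to exist before the lock file can be opened, and mkdir with EEXIST tolerated is safe to race.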
* modif: improve flock handling (Simo Piiroinen, 2024-04-25)

  Changes:

  * Centralize flock handling in preproc.c
  * Add debug and error logging
  * Abort if anything fails

  Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
* refactor: make rundir lock variables global (Kelvin M. Klann, 2024-04-23)

  To enable using them outside of src/firejail/main.c.
* --fbuilder cleanup (netblue30, 2024-04-28)
* static ip map (netblue30, 2024-04-23)
* profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6309) (tools200ms, 2024-04-20)

  The path is used in the Gentoo net-misc/openssh package (9.6_p1-r3).

  Fixes #6308.
* New profile: axel (#6315) (glitsj16, 2024-04-20)

  https://github.com/axel-download-accelerator/axel