aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
...
* | | | Merge pull request #4316 from kmk3/configure-improvementsLibravatar netblue302021-05-29
|\ \ \ \ | | | | | | | | | | Configure improvements
| * | | | configure*: use cat instead of many echoesLibravatar Kelvin M. Klann2021-05-28
| | | | | | | | | | | | | | | | | | | | For simplicity and increased portability.
| * | | | configure.ac: run autoupdate to fix autoconf warningLibravatar Kelvin M. Klann2021-05-28
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following warning: $ autoconf configure.ac:306: warning: AC_OUTPUT should be used without arguments. configure.ac:306: You should run autoupdate. Environment: $ grep '^NAME' /etc/os-release NAME="Artix Linux" $ pacman -Q autoconf autoconf 2.71-1 Though keep `AC_PREREQ` at 2.68 (released on 2010-09-23[1]), as version 2.71 (which autoupdate automatically bumps to) is rather recent (released on 2021-01-28[2]) and the changes do not appear to require a version bump, as on `AC_INIT` it only adds some quotes, and the rest of the changes are consistent with the autoconf 2.68 manual. From Section 18.4, Obsolete Macros[3]: > — Macro: AC_OUTPUT ([file]..., [extra-cmds], [init-cmds]) > > The use of AC_OUTPUT with arguments is deprecated. This obsoleted > interface is equivalent to: > > AC_CONFIG_FILES(file...) > AC_CONFIG_COMMANDS([default], > extra-cmds, init-cmds) > AC_OUTPUT > > See AC_CONFIG_FILES, AC_CONFIG_COMMANDS, and AC_OUTPUT. Note: The usage of the above format has been present since the inception of configure.ac, on commit 137985136 ("Baseline firejail 0.9.28"). Misc: This is a continuation of #4293. [1] https://lists.gnu.org/archive/html/info-gnu/2010-09/msg00013.html [2] https://lists.gnu.org/archive/html/autoconf/2021-01/msg00126.html [3] https://www.gnu.org/software/autoconf/manual/autoconf-2.68/html_node/Obsolete-Macros.html#index-AC_005fOUTPUT-2058
* | | | Fix #3823 -- Unable to start hexchat with firejailLibravatar rusty-snake2021-05-29
| | | |
* | | | fix crash during --shutdonwLibravatar netblue302021-05-29
| | | |
* | | | disable home dir whitelists when --private is presentLibravatar netblue302021-05-29
| |/ / |/| |
* | | [minor] gunzip profile broken (#4317)Libravatar pirate4867431862021-05-29
|/ / | | | | | | | | * ignore include disable-shell.inc * allow-bin-sh.inc
* | reorganizing youtube-viewers (#4128)Libravatar pirate4867431862021-05-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Create youtube-viewers-common.profile * reorganising youtube viewers * rm globals * reorganise youtube viewers * adding pipe-viewer * adding gtk-pipe-viewer * xterm and youtube-dl cache * sort * Update youtube-viewers-common.profile * quiet * quiet * quiet * Update firecfg.config * rm vlc * rm invalid binary * noinput * rm whitelist-runuser-common.inc * rm whitelist-runuser-common.inc * rm whitelist-runuser-common.inc * whitelist-runuser-common.inc
* | Merge pull request #4307 from slowpeek/masterLibravatar Reiner Herrmann2021-05-28
|\ \ | | | | | | Refine appimage example in docs
| * | Refine appimage example in docsLibravatar slowpeek2021-05-26
| | |
* | | default gw fix - #4306Libravatar netblue302021-05-27
| | |
* | | remove dophin from firecfg.configLibravatar netblue302021-05-26
|/ /
* | deprecated follow-symlink-as-user from firejail.configLibravatar netblue302021-05-26
| |
* | fix firejail startup raceLibravatar smitsohu2021-05-24
| | | | | | | | | | | | | | | | sandboxes can race to create RUN_RO_FILE in shared memory similiar to #1013 regression from 825ac9cdc38c4285584e69d6f29102b149914dfe
* | Merge pull request #4302 from smitsohu/whitelist2Libravatar smitsohu2021-05-23
|\ \ | | | | | | Whitelist2 follow-up
| * | whitelist testing (#4229, #4297, #4300)Libravatar smitsohu2021-05-23
| | |
| * | whitelist: following up #4229Libravatar smitsohu2021-05-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | besides some cosmetic tweaks, fixes --whitelist=/a/b where /a/b is a symbolic link to /a/c/d and c is the user home directory: create path as user and not as root. (going forward, a better and more comprehensive fix would be to prevent all mount point traversals in whitelist_mkpath, but it will take a bit of time to implement)
* | | Merge pull request #4300 from netblue30/gcc11Libravatar smitsohu2021-05-23
|\ \ \ | | | | | | | | CI: build with GCC 11
| * | | CI: build with GCC 11Libravatar Reiner Herrmann2021-05-23
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | this fixes a new false positive memory leak (#4297), but unfortunately opens a few new false positives (#4274). therefore let it ignore memleak checks for now, until the detection is a bit more stable in GCC. Fixes: #4274, #4297
* | | Merge pull request #4293 from kmk3/configure-fix-portabilityLibravatar Reiner Herrmann2021-05-22
|\ \ \ | | | | | | | | configure*: fix build with non-bash /bin/sh
| * | | configure*: fix build with non-bash /bin/shLibravatar Kelvin M. Klann2021-05-22
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The configure script happens to work if /bin/sh supports the non-POSIX "+=" operator (e.g.: bash) and fails otherwise (e.g.: dash). This usage first appeared on configure.ac on commit 66a476419 ("gcov support"), which is from 2016. If the --enable-apparmor flag is passed to ./configure (which is the default on Arch Linux), running `make` fails due to the missing -lapparmor LDFLAG. Thus, building firejail-git from the AUR does not work if /bin/sh is e.g.: dash. Errors when running the build commands below from makepkg: $ ./configure --prefix=/usr --enable-apparmor >/dev/null ./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found ./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found ./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found ./configure: 3518: EXTRA_CFLAGS+= : not found $ make >/dev/null /usr/bin/ld: apparmor.o: in function `apparmor_test': /tmp/firejail-git/src/firejail-git/src/jailcheck/apparmor.c:28: undefined reference to `aa_gettaskcon' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: jailcheck] Error 1 make: *** [Makefile:42: src/jailcheck/jailcheck] Error 2 make: *** Waiting for unfinished jobs.... /usr/bin/ld: apparmor.o: in function `print_apparmor': /tmp/firejail-git/src/firejail-git/src/firemon/apparmor.c:28: undefined reference to `aa_gettaskcon' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: firemon] Error 1 make: *** [Makefile:42: src/firemon/firemon] Error 2 /usr/bin/ld: join.o: in function `extract_apparmor': /tmp/firejail-git/src/firejail-git/src/firejail/join.c:65: undefined reference to `aa_is_enabled' /usr/bin/ld: sandbox.o: in function `set_apparmor': /tmp/firejail-git/src/firejail-git/src/firejail/sandbox.c:133: undefined reference to `aa_change_onexec' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: firejail] Error 1 make: *** [Makefile:42: src/firejail/firejail] Error 2 Without the apparmor flag, the CFLAGS related to HAVE_SPECTRE do not get applied either, but `make` does not error out, so the problem is harder to detect in this case. Diff comparing the output of `./configure 2>&1` when running without and then with this patch: $ git --no-pager diff --no-index configure_current.log configure_patch.log diff --git a/configure_current.log b/configure_patch.log index f5e814f..099d836 100644 --- a/configure_current.log +++ b/configure_patch.log @@ -10,12 +10,9 @@ checking for gcc option to accept ISO C89... none needed checking for a BSD-compatible install... /usr/bin/install -c checking for ranlib... ranlib checking whether C compiler accepts -mindirect-branch=thunk... yes -./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found checking whether C compiler accepts -mretpoline... no checking whether C compiler accepts -fstack-clash-protection... yes -./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found checking whether C compiler accepts -fstack-protector-strong... yes -./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for gawk... yes @@ -88,7 +85,7 @@ Configuration options: busybox workaround: no Spectre compiler patch: yes EXTRA_LDFLAGS: - EXTRA_CFLAGS: + EXTRA_CFLAGS: -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong fatal warnings: Gcov instrumentation: Install contrib scripts: yes
* | | support trailing comments on profile linesLibravatar netblue302021-05-21
| | |
* | | --buid fixesLibravatar netblue302021-05-20
| | |
* | | add support for cargo toml/non-toml files (#4286)Libravatar glitsj162021-05-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * add support for cargo toml/non-toml files * add support for cargo toml/non-toml files * use globbing to blacklist Rust files See https://github.com/netblue30/firejail/pull/4286#issuecomment-845318446. * use globbing to blacklist cargo/Rust files See https://github.com/netblue30/firejail/pull/4286#issuecomment-845318446.
* | | fixes for eb30ce5 (new profiles) (#4291)Libravatar glitsj162021-05-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * fix blobby * fix funnyboat * fix librecad * drop doubled netfilter entree in blobby * drop unneeded include in funnyboat
* | | new profilesLibravatar netblue302021-05-20
| | |
* | | jailtest -> jailcheck (#4268)Libravatar netblue302021-05-18
| | |
* | | readme, etcLibravatar netblue302021-05-18
| | |
* | | Merge pull request #4273 from rusty-snake/fix-2310Libravatar netblue302021-05-18
|\ \ \ | | | | | | | | Try to fix #2310 -- Can't create run directory without suid-root
| * | | Try to fix #2310 -- Can't create run directory without suid-rootLibravatar rusty-snake2021-05-14
| | | |
* | | | Merge pull request #4283 from RandomVoid/fix_lutris_profileLibravatar netblue302021-05-18
|\ \ \ \ | | | | | | | | | | Fix Lutris profile
| * | | | Fix running games with enabled Feral GameMode in LutrisLibravatar RandomVoid2021-05-16
| | | | |
| * | | | Fix Lutris won't start without access to ldconfigLibravatar RandomVoid2021-05-16
| | | | |
* | | | | Merge pull request #4284 from rusty-snake/add-cargo.profileLibravatar netblue302021-05-18
|\ \ \ \ \ | | | | | | | | | | | | Add cargo.profile
| * | | | | Harden cargo.profileLibravatar rusty-snake2021-05-17
| | | | | |
| * | | | | Add cargo.profileLibravatar rusty-snake2021-05-16
| | | | | |
* | | | | | Merge pull request #4229 from smitsohu/whitelist2Libravatar netblue302021-05-18
|\ \ \ \ \ \ | | |_|_|/ / | |/| | | / | |_|_|_|/ |/| | | | Whitelist2
| * | | | add /run whitelist supportLibravatar smitsohu2021-05-08
| | | | |
| * | | | tweakLibravatar smitsohu2021-05-08
| | | | |
| * | | | add support for arbitrary whitelist directoriesLibravatar smitsohu2021-05-03
| | | | |
| * | | | introduce safer_openat functionLibravatar smitsohu2021-05-03
| | | | |
| * | | | enhance clean_pathname functionLibravatar smitsohu2021-05-03
| | | | |
* | | | | Fix #4282 -- Unable to open X display when running firejail chromium commandLibravatar rusty-snake2021-05-16
| |/ / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary: SDDM uses $XDG_RUNTIME_DIR/<UUID> as Xauthority. In my tests (Fedora 32 KDE spin IIRC) it used /tmp/... so it was irrelevant for wruc. So the Xauthority file created by SDDM sems to depend on distro, version, config, …. Future alternatives to this long, ugly line would be a ${XAUTHORITY} macro or a private-run-user option.
* | | | Merge pull request #4278 from kmk3/rename-noautopulseLibravatar Kelvin M. Klann2021-05-16
|\ \ \ \ | | | | | | | | | | rename noautopulse to keep-config-pulse
| * | | | rename arg_noautopulse var to arg_keep_config_pulseLibravatar Kelvin M. Klann2021-05-14
| | | | |
| * | | | rename noautopulse to keep-config-pulseLibravatar Kelvin M. Klann2021-05-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes: * add the keep-config-pulse option * make noautopulse an alias for keep-config-pulse * deprecate the noautopulse option * misc: fix indentation of --keep-dev-shm on src/firejail/usage.c Even though noautopulse is not intended for hardening, it looks like it is, because it starts with "no", just like no3d, noroot, etc). In fact, it is the only "no" option that differs in such a way. And it has been accidentally misused as such before; see PR #4269 and commit e4beaeaa8 ("drop noautopulse from agetpkg"). So effectively rename it to keep-config-pulse in order to avoid confusion. This is similar to the keep-var-tmp and keep-dev-shm options, which are used to "leave a path alone", just like noautopulse. Note: The changes on this patch are based on the ones from commit 617ff40c9 ("add --noautopulse arg for complex pulse setups") / PR #1854. See #4269 for the discussion.
* | | | | O_CLOEXEC follow-upLibravatar smitsohu2021-05-16
| | | | |
* | | | | utmp follow-upLibravatar smitsohu2021-05-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Cosmetics, align RUN_UTMP_FILE open flags with others in 825ac9cdc38c4285584e69d6f29102b149914dfe Fix fslogger
* | | | | fix firemon signal handler - #4274Libravatar smitsohu2021-05-16
| | | | |
* | | | | fix utmp error messageLibravatar smitsohu2021-05-16
| | | | |
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-06-29 05:26:58 +0000