Commit message (Author, Age)
...
| * | | | util.c: check array size on copy_group_ifcont (Kelvin M. Klann, 2021-10-22)
| | | | |     Check if new_groups already is full before trying to add to it.
| | | | |
| * | | | util.c: [ref] move group find/copy into new functions (Kelvin M. Klann, 2021-10-22)
| | | | |     Move the logic from clean_supplementary_groups into the following
| | | | |     new functions:
| | | | |
| | | | |     * find_group
| | | | |     * copy_group_ifcont
| | | | |
| | | | |     These will be reused later.
| | | | |
| | | | |     Misc: The latter function's signature is based on getgrouplist(2),
| | | | |     which is used on clean_supplementary_groups.
| | | | |
| * | | | main.c: [ref] fix indentation and whitespace around group handling (Kelvin M. Klann, 2021-10-22)
| | | | |
* | | | | testing (smitsohu, 2021-11-20)
| | | | |
* | | | | build: Stop linking pthread (#4695) (Kelvin M. Klann, 2021-11-17)
| | | | |     Added on commit 137985136 ("Baseline firejail 0.9.28", 2015-08-08).
| | | | |     See also commit ad6bb83fa ("consolidate makefiles", 2018-03-31).
| | | | |
| | | | |     It is not used anywhere. And it looks like it has never been used
| | | | |     anywhere:
| | | | |
| | | | |         $ git log --oneline -Gpthread.h 137985136..master
| | | | |         $
| | | | |
| | | | |     Issue mentioned by @rusty-snake:
| | | | |     https://github.com/netblue30/firejail/issues/4642#issuecomment-955795463
| | | | |
* | | | | zsh-comp: update description of machine-id to match --help (Kelvin M. Klann, 2021-11-15)
| | | | |     This amends commit b5de1d0f9 ("Fix inconsistent descriptions of
| | | | |     machine-id option").
| | | | |
| | | | |     Relates to #4689.
| | | | |
* | | | | Merge pull request #4690 from kmk3/docs-fix-machine-id (netblue30, 2021-11-15)
|\ \ \ \ \
| | | | | |     Fix inconsistent descriptions of machine-id option
| | | | | |
| * | | | | Fix inconsistent descriptions of machine-id option (Kelvin M. Klann, 2021-11-15)
| | |_|_|/
| |/| | |
| | | | |     Some places say that it "preserves" the file and other places say
| | | | |     that it "spoofs" the file. Based on the fs_machineid function on
| | | | |     src/firejail/fs_etc.c, the latter one is correct.
| | | | |
| | | | |     This amends commit d0cc960c9 ("spoof machine-id", 2016-12-05).
| | | | |
| | | | |     Fixes #4689.
| | | | |
| | | | |     Reported-by: @svc88
| | | | |
* / | | | RELNOTES: mention move of firecfg.config to /etc/firejail/ (Kelvin M. Klann, 2021-11-15)
|/ / / /
| | | |     Relates to #4669.
| | | |
* | | | Profile fixes (rusty-snake, 2021-11-14)
| | | |     - Update RELNOTES and README.md
| | | |     - disable-common.inc
| | | |     - blacklist ${HOME}/.local/share/ibus-typing-booster
| | | |     - blacklist /run/timeshift (closes #4660)
| | | |     - fix audacity.profile (closes #4659)
| | | |
* | | | --ids-check/--ids-init documentation (netblue30, 2021-11-13)
| | | |
* | | | merges (netblue30, 2021-11-13)
| | | |
* | | | merges (netblue30, 2021-11-13)
| | | |
* | | | Merge pull request #4635 from smitsohu/noorphans (netblue30, 2021-11-13)
|\ \ \ \
| | | | |     deterministic-shutdown option
| | | | |
| * | | | deterministic-shutdown option (smitsohu, 2021-10-28)
| | | | |
* | | | | Merge pull request #4681 from jmetrius/openstego-profile (netblue30, 2021-11-13)
|\ \ \ \ \
| | | | | |     Add OpenStego profile
| | | | | |
| * | | | | implement review suggestions (Jan Sonntag, 2021-11-12)
| | | | | |
| * | | | | sort.py cleanup (Jan Sonntag, 2021-11-12)
| | | | | |
| * | | | | Add OpenStego profile (Jan Sonntag, 2021-11-12)
| | | | | |
* | | | | | Merge pull request #4679 from pirate486743186/patch-3 (netblue30, 2021-11-13)
|\ \ \ \ \ \
| | | | | | |     update yt-dlp.profile
| | | | | | |
| * | | | | | update yt-dlp.profile (pirate486743186, 2021-11-11)
| |/ / / / /
| | | | | |     ffprobe used for embedding images in difficult cases.
| | | | | |
* | | | | | Merge pull request #4680 from kmk3/dc-fix-slock-path (netblue30, 2021-11-13)
|\ \ \ \ \ \
| | | | | | |     disable-common.inc: fix paths of slock and physlock
| | | | | | |
| * | | | | | disable-common.inc: fix paths of slock and physlock (Kelvin M. Klann, 2021-11-11)
| |/ / / / /
| | | | | |     Added on commit f0adf06c3 ("disable-common.inc: more SUID",
| | | | | |     2021-11-09).
| | | | | |
| | | | | |     Relates to #4668.
| | | | | |
* / / / / / telnet and ftp (netblue30, 2021-11-12)
|/ / / / /
* | | | | readme update (netblue30, 2021-11-10)
| | | | |
* | | | | Merge pull request #4676 from hlein/firejail_envchecks (netblue30, 2021-11-11)
|\ \ \ \ \
| | | | | |     Make env/arg sanity check failure messages more useful
| | | | | |
| * | | | | Make env/arg sanity check failure messages more useful (Hank Leininger, 2021-11-10)
| | | | | |     This change doesn't alter any checks, but it gives more specific
| | | | | |     errors when a sanity check of env vars or argv does not pass,
| | | | | |     which can point to limits to raise or at least give us better
| | | | | |     detailed bug reports.
| | | | | |
| | | | | |     Signed-off-by: Hank Leininger <hlein@korelogic.com>
| | | | | |     Bug: https://github.com/netblue30/firejail/issues/3678
| | | | | |     Bug: https://github.com/netblue30/firejail/issues/3851
| | | | | |     Bug: https://github.com/netblue30/firejail/issues/4633
| | | | | |
* | | | | | Merge pull request #4652 from kmk3/fix-toctou-easy (netblue30, 2021-11-11)
|\ \ \ \ \ \
| | | | | | |     Fix TOCTOU/CodeQL CWE-367 warnings (easy ones + fs.c)
| | | | | | |
| * | | | | | fs.c: Fix TOCTOU/CodeQL CWE-367 warning (Kelvin M. Klann, 2021-10-30)
| | | | | | |     Relates to #4503.
| | | | | | |
| * | | | | | Fix TOCTOU/CodeQL CWE-367 warnings (easy ones) (Kelvin M. Klann, 2021-10-30)
| | |/ / / /
| |/| | | |
| | | | | |     This should fix all such warnings on the following files:
| | | | | |
| | | | | |     * src/fids/main.c
| | | | | |     * src/firejail/seccomp.c
| | | | | |
| | | | | |     Misc: Besides the above reason, these are some of the more
| | | | | |     straightforward TOCTOU warning fixes and they are done without
| | | | | |     any additional refactor commits, so that's the reason for "easy
| | | | | |     ones".
| | | | | |
| | | | | |     List of TOCTOU warnings:
| | | | | |     https://github.com/netblue30/firejail/security/code-scanning?query=id%3Acpp%2Ftoctou-race-condition
| | | | | |
| | | | | |     See https://cwe.mitre.org/data/definitions/367.html
| | | | | |
| | | | | |     Relates to #4503.
| | | | | |
* | | | | | Merge pull request #4669 from hlein/firecfg_location (netblue30, 2021-11-11)
|\ \ \ \ \ \
| | | | | | |     Relocate firecfg.config to /etc/firejail/
| | | | | | |
| * | | | | | Relocate firecfg.config to /etc/firejail/ (Hank Leininger, 2021-11-05)
| | | | | | |     This should make it easier for users, and distributions, to
| | | | | | |     customize which programs they want firejail to wrap.
| | | | | | |
| | | | | | |     Also fixed some firecfg.cfg -> firecfg.config references.
| | | | | | |
| | | | | | |     Signed-off-by: Hank Leininger <hlein@korelogic.com>
| | | | | | |     Closes: https://github.com/netblue30/firejail/issues/408
| | | | | | |     Bug: https://github.com/netblue30/firejail/issues/2097
| | | | | | |     Bug: https://github.com/netblue30/firejail/issues/2829
| | | | | | |     Bug: https://github.com/netblue30/firejail/issues/3665
| | | | | | |
* | | | | | | Merge pull request #4675 from glitsj16/ssh-fixes (netblue30, 2021-11-11)
|\ \ \ \ \ \ \
| |_|_|/ / / /
|/| | | | | |
| | | | | | |     more ssh fixes
| | | | | | |
| * | | | | | change Fedora ssh fix (glitsj16, 2021-11-10)
| | | | | | |     Suggested in
| | | | | | |     https://github.com/netblue30/firejail/pull/4675#discussion_r746510840.
| | | | | | |     Makes sense!
| | | | | | |
| * | | | | | add Fedora fix (glitsj16, 2021-11-10)
| | | | | | |     Added Fedora path as per
| | | | | | |     https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
| | | | | | |
| | | | | | |     NOTE: there are several other profiles touching /usr/libexec, so
| | | | | | |     until someone on Fedora can shed some light on what files are
| | | | | | |     installed under /usr/libexec, I only blacklisted ssh-keysign.
| | | | | | |     I'll pick this up tomorrow, a bit pressed for time in the
| | | | | | |     non-digital worlds...
| | | | | | |
| * | | | | | add Fedora fixes (glitsj16, 2021-11-10)
| | | | | | |     Added Fedora path as per
| | | | | | |     https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
| | | | | | |
| * | | | | | fixes for ssh (glitsj16, 2021-11-10)
| | | | | | |     Counterpart fix for changes in allow-ssh.inc.
| | | | | | |
| * | | | | | fixes for ssh (glitsj16, 2021-11-10)
|/ / / / / /
| | | | | |     After seeing
| | | | | |     https://github.com/netblue30/firejail/commit/9a81078ddbbb4215d06f7d1861481ece05ebda99
| | | | | |     it dawned on me that Arch Linux doesn't have /usr/lib/openssh,
| | | | | |     but uses /usr/lib/ssh instead. That's a different path than
| | | | | |     what's referenced in our current
| | | | | |     {allow-ssh,disable-common}.inc files.
| | | | | |
| | | | | |     Some very superficial checks revealed that OpenSSH seems to be
| | | | | |     packaged quite differently, at least on Debian/Ubuntu and Arch
| | | | | |     Linux. And then there's version differences on non-rolling
| | | | | |     distros to consider. All in all IMO it makes more sense to
| | | | | |     (no)blacklist /usr/lib/openssh and /usr/lib/ssh instead of
| | | | | |     referencing all the possible individual files that live under
| | | | | |     those paths.
| | | | | |
* | | | | | disable-common.inc: fix ssh (netblue30, 2021-11-09)
| | | | | |
* | | | | | disable-common.inc: more SUID (netblue30, 2021-11-09)
| | | | | |
* | | | | | disable-common.inc: vmware SUID binaries (netblue30, 2021-11-09)
| | | | | |
* | | | | | disable-common.inc: disable chrome-sandbox (netblue30, 2021-11-09)
| | | | | |
* | | | | | disable-common.inc: blacklist ssh (netblue30, 2021-11-09)
|/ / / / /
* | | | | Merge pull request #4574 from a1346054/shellcheck-fix (Kelvin M. Klann, 2021-11-05)
|\ \ \ \ \
| | | | | |     Fix shellcheck warnings
| | | | | |
| * | | | | Fix some shellcheck warnings (a1346054, 2021-11-05)
| | | | | |     Note: This does not modify the configure script, which is a
| | | | | |     source of a lot of the remaining shellcheck warnings, because it
| | | | | |     comes from autoconf and so it makes little sense to try to fix
| | | | | |     it here.
| | | | | |
| | | | | |     Also, it does not modify the scripts in contrib, because they
| | | | | |     possibly are maintained at some other place. Similarly with the
| | | | | |     other scripts that don't appear to be called from any of the
| | | | | |     makefiles.
| | | | | |
* | | | | | adding more SUID executables to disable-common.inc (netblue30, 2021-11-04)
| | | | | |
* | | | | | README: bump debian stable codename (Reiner Herrmann, 2021-11-03)
| | | | | |
* | | | | | apparmor base drop-in: remove chroot/overlay paths (smitsohu, 2021-11-01)
| | | | | |     As the upstream AppArmor base abstraction does not contain
| | | | | |     references to paths in /run/firejail/mnt/oroot there is not much
| | | | | |     point to have them in our drop-in
| | | | | |
* | | | | | improve detection of firejail login shell (smitsohu, 2021-11-01)
| | | | | |
* | | | | | ids: add some more paths (smitsohu, 2021-10-31)
| | | | | |