Commit message / Author / Age
* landlock: use PATH macro in landlock-common.inc (#6260) [Kelvin M. Klann, 2024-03-08]

    To reduce duplication.

    Support for it was added on commit bf5a99360 ("landlock: add support for
    PATH macro", 2023-12-22).

    See also commit 19e108248 ("landlock: expand simple macros in commands",
    2023-11-11) / PR #6125.

    Relates to #6078.

* firecfg.config: add floorp (#6263) [D357R0Y3R, 2024-03-08]

* profiles: remove blacklisting of qt5ct/qt6ct paths (#6266) [glitsj16, 2024-03-06]

    Blacklisting qt5ct/qt6ct configuration and data paths breaks styling in
    all apps that use them. This was working as expected before #6249 and
    #6250, so remove the blacklisting.

* New profile: green-recoder.profile (#6237) [glitsj16, 2024-03-05]

    Simple screen recorder for Linux desktop, supports Wayland & Xorg.

    https://github.com/dvershinin/green-recorder
    https://aur.archlinux.org/packages/green-recorder
    https://aur.archlinux.org/packages/green-recorder-git

* disable-programs.inc: blacklist /tmp/lwjgl_* [Kelvin M. Klann, 2024-03-05]

    Fix `noblacklist` entry without an equivalent `blacklist` entry.

    Added on commit 1a2e8ab85 ("multimc: instances not running, because of
    missing permissions", 2024-02-19) / PR #6216.
* ssh: whitelist gcr-ssh-agent unix socket (#6258) [Michele Sorcinelli, 2024-03-05]

    Since gnome-keyring 1.46, the ssh-agent functionality has been removed
    and gcr-ssh-agent is the recommended alternative.

    Source:
    - https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67
    - https://wiki.archlinux.org/title/GNOME/Keyring#SSH_keys

* archiver-common: add mkinitcpio support to private-etc (#5656) [glitsj16, 2024-03-05]

    mkinitcpio (used to generate initramfs images) supports several
    compression formats:
    https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/blob/master/mkinitcpio.conf#L54-L64.
    On Arch Linux (based distributions) at least, this implies that the
    supported archivers need access to mkinitcpio-related files under /etc.
    This was no problem before 29da82d added `private-etc` to
    `archivers-common.profile`.

    This adds the now needed extra private-etc items to
    archiver-common.profile, for mkinitcpio's supported compressors (which
    seem to be at least cpio, gzip and zstd).

    Relates to #5610.

* archivers: drop private-etc now that it's in archiver-common (#5655) [glitsj16, 2024-03-05]

    Commit 29da82d added `private-etc` to `archiver-common.profile`. To avoid
    doubled options this PR removes it from archiver profiles which already
    had it.

    Relates to #5610.

* iagno: ordering fixes (#5681) [glitsj16, 2024-03-05]
* New profile: qt6ct (#6250) [glitsj16, 2024-03-05]

* New profile: qt5ct (#6249) [glitsj16, 2024-03-05]

* New profiles: lz4 and redirects (#6241) [glitsj16, 2024-03-05]

* gnome-boxes: deny access to /usr/libexec (#6239) [glitsj16, 2024-03-05]

* virt-manager: deny access to /usr/libexec (#6238) [glitsj16, 2024-03-05]

* makepkg: fix ordering (#6265) [glitsj16, 2024-03-05]
* build(deps): bump github/codeql-action from 3.24.5 to 3.24.6 [dependabot[bot], 2024-03-04]

    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.5 to 3.24.6.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/47b3d888fe66b639e431abf22ebca059152f1eea...8a470fddafa5cbb6266ee11b37ef4d8aae19c571)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* Add quiet to enchant-2, it has a cli [rusty-snake, 2024-03-03]

* RELNOTES: add feature and build items [Kelvin M. Klann, 2024-03-01]

    Relates to #6217 #6222 #6228 #6230.

* merges [netblue30, 2024-02-29]
* Merge pull request #6230 from kmk3/build-reduce-inconsistencies [netblue30, 2024-02-29]

    build: reduce hardcoding and inconsistencies

  * build: standardize ./configure arguments [Kelvin M. Klann, 2024-02-29]

      For consistency and to make it clearer where jobs differ (for example,
      to see where `--enable-analyzer` is used).

      Changes:

      * Always use --prefix=/usr and --enable-fatal-warnings (except in the
        Alpine job due to current warnings; see #6224)
      * Use the same argument order

      Note: mkdeb.sh and platform/rpm/mkrpm.sh already pass `--prefix=/usr`
      to ./configure.

  * build: standardize parallel make arguments [Kelvin M. Klann, 2024-02-29]

      Currently the number of make jobs used for the default build target is
      hardcoded and the value used varies across files.

      For consistency (and potentially better performance), use
      `make -j "$(nproc)"` everywhere that `make -j` is currently used.

      Kind of relates to commit 500d8f2d6 ("ci: run make in parallel where
      applicable", 2023-08-14) / PR #5960.

  * build: format gcov.sh [Kelvin M. Klann, 2024-02-29]

      Line-wrap the file and sort ./configure arguments.
  * ci: update top-level comment in .gitlab-ci.yml [Kelvin M. Klann, 2024-02-29]

      Format it for readability and update the descriptions to match the
      current jobs.

  * ci: move build_no_apparmor job near other similar jobs [Kelvin M. Klann, 2024-02-29]

      To make it easier to compare and edit the main apt-based jobs in
      .gitlab-ci.yml.

  * ci: run check-c.yml on any C code change [Kelvin M. Klann, 2024-02-29]

      test/ also contains source code and cppcheck checks it:

          $ make cppcheck | grep 'Checking test/'
          Checking test/appimage/main.c ...
          Checking test/chroot/unchroot.c ...
          Checking test/filters/namespaces.c ...
          Checking test/seccomp-extra/memwrexe.c ...

      So make sure that it is included in the CI trigger paths.

  * ci: remove unnecessary dependencies and endpoints [Kelvin M. Klann, 2024-02-29]

      Sync the build and build-clang jobs.
  * ci: add and use PKGNAME variable in debian_ci [Kelvin M. Klann, 2024-02-29]

      To reduce hardcoding.

      Note that this reduces duplication but the value is still hardcoded in
      the job; it is not sourced from TARNAME in config.mk.

  * build: add print-version target and use in CI [Kelvin M. Klann, 2024-02-29]

      To reduce TARNAME hardcoding.

      Added on commit 6a89ab023 ("ci: run firejail --version after
      build/install", 2022-05-16) / PR #5148.

  * build: use generic wildcard on package install [Kelvin M. Klann, 2024-02-29]

      To reduce TARNAME hardcoding.
* Merge pull request #6219 from haplo/ledger-live-desktop [netblue30, 2024-02-29]

    Profile for Ledger Live desktop app

  * Profile for ledger-live-desktop [Fidel Ramos, 2024-02-28]

      /opt/ledger-live installation currently sits at 345 MiB, so I decided
      to whitelist it instead of using private-opt ledger-live, in case
      future installations grow in size.

      Not using private-dev was the only way I managed to get my USB wallet
      to work.
* Merge pull request #6228 from kmk3/landlock-add-fs [netblue30, 2024-02-29]

    landlock: use "landlock.fs." prefix in filesystem commands

  * landlock: use "landlock.fs." prefix in filesystem commands [Kelvin M. Klann, 2024-02-27]

      Since Landlock ABI v4 it is possible to restrict actions related to the
      network and potentially more areas will be added in the future.

      So use `landlock.fs.` as the prefix in the current filesystem-related
      commands (and later `landlock.net.` for the network-related commands)
      to keep them organized and to match what is used in the kernel.

      Examples of filesystem and network access flags:

      * `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
      * `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
      * `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
      * `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a
        remote port.

      Relates to #6078.
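The split between `LANDLOCK_ACCESS_FS_*` and `LANDLOCK_ACCESS_NET_*` that the commit above mirrors in its command names also matters at the syscall level: a ruleset may only ask the kernel to handle flags that exist in the ABI it reports, and the `handled_access_net` field of the ruleset attribute only exists from ABI v4. The program below is an added example and is not firejail's code: it queries the ABI, trims both masks to it, and applies a read+execute-only policy below one directory. The `ll_*` names, the `/usr` allow path and the `/etc/passwd` probe are this example's own; the flag values and syscall numbers are copied from the kernel UAPI header so the example builds on hosts whose headers predate Landlock v4.

```c
/* Added example (not firejail's code): build one Landlock ruleset whose
 * handled-access masks are trimmed to the kernel's reported ABI version, so
 * the ABI v4 network flags are only requested where the kernel knows them.
 * Constants are copied from the kernel UAPI header <linux/landlock.h>; the
 * ll_* names and the allow_path policy are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define LL_FS_EXECUTE      (1ULL << 0)   /* LANDLOCK_ACCESS_FS_EXECUTE, ABI v1 */
#define LL_FS_WRITE_FILE   (1ULL << 1)   /* LANDLOCK_ACCESS_FS_WRITE_FILE */
#define LL_FS_READ_FILE    (1ULL << 2)   /* LANDLOCK_ACCESS_FS_READ_FILE */
#define LL_FS_READ_DIR     (1ULL << 3)   /* LANDLOCK_ACCESS_FS_READ_DIR */
#define LL_FS_REFER        (1ULL << 13)  /* LANDLOCK_ACCESS_FS_REFER, ABI v2 */
#define LL_FS_TRUNCATE     (1ULL << 14)  /* LANDLOCK_ACCESS_FS_TRUNCATE, ABI v3 */
#define LL_NET_BIND_TCP    (1ULL << 0)   /* LANDLOCK_ACCESS_NET_BIND_TCP, ABI v4 */
#define LL_NET_CONNECT_TCP (1ULL << 1)   /* LANDLOCK_ACCESS_NET_CONNECT_TCP, ABI v4 */
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#ifndef O_PATH
#define O_PATH 010000000                 /* generic Linux value */
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
extern long syscall(long, ...);          /* glibc prototype, in case headers hide it */

struct ll_ruleset_attr {                 /* mirrors struct landlock_ruleset_attr */
    uint64_t handled_access_fs;
    uint64_t handled_access_net;         /* field exists since ABI v4 */
};
struct ll_path_beneath_attr {            /* mirrors struct landlock_path_beneath_attr */
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));

/* Filesystem rights to handle at a given ABI. Asking the kernel to handle a
 * flag it does not know fails with EINVAL, so newer flags are added only from
 * the ABI that introduced them (v5's IOCTL_DEV is deliberately left out). */
uint64_t ll_fs_mask_for_abi(int abi)
{
    uint64_t m = LL_FS_EXECUTE | LL_FS_WRITE_FILE | LL_FS_READ_FILE | LL_FS_READ_DIR;
    if (abi >= 2) m |= LL_FS_REFER;
    if (abi >= 3) m |= LL_FS_TRUNCATE;
    return m;
}

/* TCP bind/connect restrictions exist only from ABI v4. */
uint64_t ll_net_mask_for_abi(int abi)
{
    return abi >= 4 ? (LL_NET_BIND_TCP | LL_NET_CONNECT_TCP) : 0;
}

/* Highest ABI the running kernel supports, or -errno (ENOSYS/EOPNOTSUPP mean
 * Landlock is absent or disabled). */
int ll_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -errno : (int)v;
}

/* Deny every handled right, then allow read + execute below allow_path. With
 * abi >= 4 all TCP bind/connect is blocked too, since no net rule is added.
 * Returns 0 on success or -errno. */
int ll_sandbox(const char *allow_path, int abi)
{
    struct ll_ruleset_attr attr = {
        .handled_access_fs = ll_fs_mask_for_abi(abi),
        .handled_access_net = ll_net_mask_for_abi(abi),
    };
    /* Pre-v4 kernels only know the first field; pass just that much. */
    size_t size = abi >= 4 ? sizeof attr : sizeof attr.handled_access_fs;
    int rfd = (int)syscall(__NR_landlock_create_ruleset, &attr, size, 0);
    if (rfd < 0)
        return -errno;

    struct ll_path_beneath_attr rule = {
        .allowed_access = LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR,
        .parent_fd = open(allow_path, O_PATH | O_CLOEXEC),
    };
    int rc = 0;
    if (rule.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, rfd, LL_RULE_PATH_BENEATH, &rule, 0) < 0 ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||   /* required before restrict_self */
        syscall(__NR_landlock_restrict_self, rfd, 0) < 0)
        rc = -errno;
    if (rule.parent_fd >= 0)
        close(rule.parent_fd);
    close(rfd);
    return rc;
}

int main(void)
{
    int abi = ll_abi_version();
    if (abi < 0) {
        fprintf(stderr, "Landlock unavailable: %s\n", strerror(-abi));
        return 1;
    }
    printf("Landlock ABI v%d: fs mask 0x%llx, net mask 0x%llx\n", abi,
           (unsigned long long)ll_fs_mask_for_abi(abi),
           (unsigned long long)ll_net_mask_for_abi(abi));
    int rc = ll_sandbox("/usr", abi);
    if (rc) {
        fprintf(stderr, "sandbox failed: %s\n", strerror(-rc));
        return 1;
    }
    /* Read access outside /usr is now denied: this open() fails with EACCES. */
    return open("/etc/passwd", O_RDONLY) < 0 ? 0 : 1;
}
```

Run it on a kernel with Landlock enabled and the final `open("/etc/passwd")` fails while `/usr` stays readable; on a kernel older than 6.7 the ABI comes back as 3 or lower and no network flag is ever passed, which is exactly the case the ABI-trimming functions exist for.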
  * landlock: add _fs prefix to filesystem functions [Kelvin M. Klann, 2024-02-27]

      Relates to #6078.

* Merge pull request #6227 from glitsj16/virt-manager [netblue30, 2024-02-29]

    New profile: virt-manager

  * Create virt-manager.profile [glitsj16, 2024-02-27]

  * disable-programs.inc: add virt-manager support [glitsj16, 2024-02-27]
* Merge pull request #6226 from glitsj16/gnome-boxes [netblue30, 2024-02-29]

    New profile: gnome-boxes

  * Create gnome-boxes.profile [glitsj16, 2024-02-27]

* Merge pull request #6216 from powerjungle/master [netblue30, 2024-02-29]

    multimc: instances not running, because of missing permissions

  * multimc: instances not running, because of missing permissions [powerjungle, 2024-02-19]

      When starting an instance, in the logs, a failed attempt to load the
      lwjgl library is shown and the game doesn't run. The library is in the
      /tmp directory. The reason for this appears to be that, in the lwjgl
      source code, the shared library loading function extracts to the
      temporary directory and continues from there. This is fixed by
      whitelisting.

      The reason for adding "ignore noexec /tmp" as well, is that without it,
      the game can't run, even if the directory is whitelisted. It seems the
      library needs to be loaded from /tmp.

      A second error for a failed attempt to access /home/user/.cache/JNA is
      also shown in the logs. This is also fixed by whitelisting.
* Merge pull request #6222 from kmk3/build-override-tools [Kelvin M. Klann, 2024-02-28]

    build: allow overriding certain tools & sync targets with CI

  * build: sync scan-build target with CI [Kelvin M. Klann, 2024-02-24]

      Changes:

      * Use --status-bugs in the scan-build target to exit with an error if
        bugs are found
      * Call the make target in the CI job

  * build: sync cppcheck targets with CI [Kelvin M. Klann, 2024-02-24]

      Changes:

      * Use the same command from the cppcheck CI job in the cppcheck target
      * Add cppcheck-old target based on the cppcheck_old CI job
      * Call the make targets in CI to avoid duplicating the commands

  * build: allow overriding certain tools [Kelvin M. Klann, 2024-02-24]

      Allow overriding the following tools at configure-time and build-time:

      * codespell
      * cppcheck
      * gawk
      * scan-build

      For example, instead of hardcoding `gawk`, enable overriding it at
      configure-time with:

          ./configure GAWK=/path/to/gawk

      To override it for a single `make` invocation:

          make GAWK=/path/to/gawk

      Also, add default values for the programs that are not found (rather
      than leaving the variables empty), to make error messages clearer when
      trying to run them:

          $ make CPPCHECK= cppcheck-old
          [...]
          force --error-exitcode=1 --enable=warning,performance .
          make: force: No such file or directory
          $ make CPPCHECK=cppcheck cppcheck-old
          [...]
          cppcheck --force --error-exitcode=1 --enable=warning,performance .
          make: cppcheck: No such file or directory
* build(deps): bump github/codeql-action from 3.24.3 to 3.24.5 [dependabot[bot], 2024-02-26]

    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.24.5.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/379614612a29c9e28f31f39a59013eb8012a51f0...47b3d888fe66b639e431abf22ebca059152f1eea)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

* profiles: drop paths already in wusc (#6218) [glitsj16, 2024-02-23]

    Drop paths present in etc/inc/whitelist-usr-share-common.inc from
    profiles that include it.
* Merge pull request #6217 from kmk3/build-errexit-func [Kelvin M. Klann, 2024-02-23]

    build: move errExit macro into inline function

  * build: move errExit macro into inline function [Kelvin M. Klann, 2024-02-19]

      Move most of the `errExit` macro into a new `_errExit` inline function
      and use the former just to forward arguments to the latter.

      This reduces the noise in the build output when using `-fanalyzer`, as
      it causes the `errExit` macro to stop being expanded.

      For example, the complete output of the following warning in
      src/firejail/dbus.c is reduced from 243 lines to 141 lines (a ~41%
      reduction):

          $ pacman -Q gcc
          gcc 13.2.1-5
          $ ./configure --enable-apparmor --enable-analyzer >/dev/null && make clean >/dev/null && make >/dev/null
          [...]
          ../../src/firejail/dbus.c: In function ‘dbus_proxy_start’:
          ../../src/firejail/dbus.c:311:36: warning: leak of file descriptor ‘dup2(output_fd, 1)’ [CWE-775] [-Wanalyzer-fd-leak]
            311 |         if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
          [...]
            ‘dbus_create_user_dir’: event 5
              |
              |../../src/firejail/../include/common.h:42:25:
              |   42 | #define errExit(msg) do { \
              |      |                         ^
              |      |                         |
              |      |                         (5) ...to here
          ../../src/firejail/dbus.c:239:17: note: in expansion of macro ‘errExit’
            239 |                 errExit("asprintf");
                |                 ^~~~~~~
          [...]

      Relates to #6190.
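The macro-to-inline-function pattern described in the commit above, written out as an added example that is not firejail's code: a "before" macro that carries its whole body, and an "after" version where the macro only forwards `__FILE__`/`__LINE__` to one `noreturn` function, so `-fanalyzer` has a single function body to report against instead of an expansion at every call site. The message layout, the `errExit_format` helper (kept separate so the text can be checked without exiting) and the `user_dir_path` call site are this example's own.

```c
/* Added example (not firejail's code): wrap a fatal-error macro around a
 * noreturn inline function so that -fanalyzer reports against one function
 * body instead of re-expanding the macro on every diagnostic path. The
 * message layout and the user_dir_path helper are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "Before": the whole body lives in the macro. Each call site gets its own
 * copy of fprintf/exit, and every analyzer event path walks through the
 * expansion (the "in expansion of macro" notes in the commit above). */
#define errExit_macro(msg) do { \
    fprintf(stderr, "Error %s: %s:%d: %s\n", (msg), __FILE__, __LINE__, strerror(errno)); \
    exit(1); \
} while (0)

/* Build the diagnostic text. Kept separate from the exit so the format can
 * be checked without terminating the process; returns the snprintf length. */
int errExit_format(char *buf, size_t size, const char *msg,
                   const char *file, int line, int err)
{
    return snprintf(buf, size, "Error %s: %s:%d: %s", msg, file, line, strerror(err));
}

/* "After": one noreturn function holds the body; the macro only captures the
 * call site's file and line and forwards them. The analyzer now sees a plain
 * call into _errExit at each site rather than a macro expansion. */
static inline __attribute__((noreturn)) void
_errExit(const char *msg, const char *file, int line)
{
    char buf[512];
    errExit_format(buf, sizeof buf, msg, file, line, errno);
    fprintf(stderr, "%s\n", buf);
    exit(1);
}
#define errExit(msg) _errExit((msg), __FILE__, __LINE__)

/* A call site in the shape of the one the warning above points at: allocate
 * a path string and abort with errExit on failure. Caller frees the result. */
char *user_dir_path(const char *home, const char *subdir)
{
    size_t n = strlen(home) + 1 + strlen(subdir) + 1;
    char *path = malloc(n);
    if (path == NULL)
        errExit("malloc");
    snprintf(path, n, "%s/%s", home, subdir);
    return path;
}

int main(void)
{
    char *p = user_dir_path("/home/user", ".dbus");
    puts(p);
    free(p);
    return 0;
}
```

Compile with `gcc -fanalyzer` once with `errExit_macro` at the call site and once with `errExit` to see the difference the commit describes: the macro version reproduces the `#define errExit(msg) do { \` lines in every event trace, the function version stops at the call.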