aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* ci: re-enable sort.pyLibravatar Kelvin M. Klann2023-11-26
| | | | | | | | | | | | | | | | | | It was disabled on commit df6ea884f ("merges, disable sort.py in profile checks temporarely, two more private-etc profiles", 2023-02-14). Currently all profiles are sorted and there are no ongoing `private-etc` changes, so it should be safe to re-enable. Note that the script is useful to catch sorting issues not only in `private-etc` but also in other commands, such as `seccomp`[1] [2]. This is a follow-up to #6070. Relates to #5610. [1] https://github.com/netblue30/firejail/pull/6066#discussion_r1372055800 [2] https://github.com/netblue30/firejail/pull/6067#discussion_r1372027243
* lutris.profile: fix seccomp argumentsLibravatar Kelvin M. Klann2023-11-25
| | | | | | | I accidentally removed the `!` when sorting the arguments in #6067. This amends commit fbba03790 ("lutris.profile: allow more syscalls", 2023-10-24) / PR #6067.
* mergesLibravatar netblue302023-11-24
|
* Merge pull request #6087 from chestnykh/issue-6006Libravatar netblue302023-11-24
|\ | | | | Lookup xauth in PATH.
| * Lookup xauth in PATH.Libravatar Dmitry Chestnykh2023-11-19
| | | | | | | | | | | | | | Don't use hardcoded `/usr/bin/xauth`, iterate over directories inside PATH instead. This fixes https://github.com/netblue30/firejail/issues/6006
* | Merge pull request #6070 from kmk3/sort-py-csortLibravatar netblue302023-11-24
|\ \ | | | | | | build: sort.py: use case-sensitive sorting
| * | build: sort.py: use case-sensitive sortingLibravatar Kelvin M. Klann2023-10-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To match how things are sorted elsewhere, such as with `noblacklist` / `whitelist` lines (vertically) in profiles and in ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c. This makes the order in `private-etc` always be groups (`@group`), then uppercase paths, then lowercase paths. Example from etc/profile-m-z/softmaker-common.profile: private-etc @tls-ca,SoftMaker,fstab Note that this does not affect a significant amount of profiles; most changes are in `private-bin` / `private-lib` lines and in `private-etc` lines for newer profiles that do not use groups. This is partly due to commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05) replacing `X11` with `@x11` in `private-etc` lines and then commit 0f996ea4d ("private-etc: groups modified", 2023-02-05) removing `Trolltech.conf` from `private-etc` lines and using case-sensitive sorting in them. Relates to #5610.
* | | Merge pull request #6067 from nutta-git/patch-2Libravatar netblue302023-11-24
|\ \ \ | | | | | | | | lutris.profile: allow more syscalls
| * | | lutris.profile: allow more syscallsLibravatar duevo2023-11-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Need to whitelist `ptrace` and `clone3` for Ubisoft Connect to work. journalctl did list `process_vm_readv` when a game was running, but it didn't crash the game. Fixes #6035.
* | | | Merge pull request #6066 from nutta-git/patch-1Libravatar netblue302023-11-24
|\ \ \ \ | | | | | | | | | | steam.profile: allow process_vm_readv syscall
| * | | | steam.profile: allow process_vm_readv syscallLibravatar duevo2023-10-31
| |/ / / | | | | | | | | | | | | | | | | | | | | EA Origin (game launcher) won't launch without this. See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159
* | | | Merge pull request #5957 from gerasiov/fcopy-fix-size-calculationLibravatar netblue302023-11-24
|\ \ \ \ | | | | | | | | | | fcopy: Use lstat when copy directory.
| * | | | fcopy: Use lstat when copy directory.Libravatar Alexander Gerasiov2023-08-14
| | | | | | | | | | | | | | | | | | | | When copying directories use lstat when reading info about source files.
* | | | | Fix displaying of large file sizes. (#6086)Libravatar Dmitriy Chestnykh2023-11-24
| | | | | | | | | | | | | | | | | | | | | | | | | The most generic way is to use `intmax_t` because we dont't know what is the "parent" type of `off_t`. This fixes https://github.com/netblue30/firejail/issues/5982 .
* | | | | build(deps): bump step-security/harden-runner from 2.6.0 to 2.6.1Libravatar dependabot[bot]2023-11-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.0 to 2.6.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/1b05615854632b887b69ae1be8cbefe72d3ae423...eb238b55efaa70779f274895e782ed17c84f2895) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | | | build(deps): bump github/codeql-action from 2.22.5 to 2.22.7Libravatar dependabot[bot]2023-11-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.5 to 2.22.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/74483a38d39275f33fcff5f35b679b5ca4a26a99...66b90a5db151a8042fa97405c6cf843bbe433f7b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | | | profiles: whitelist alternative data directory for tesseractLibravatar Reiner Herrmann2023-11-18
| |_|_|/ |/| | | | | | | | | | | on Debian the data is in /usr/share/tesseract-ocr/
* | | | New profile: tiny-rdm (#6083)Libravatar glitsj162023-11-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * disable-programs.inc: add support for tiny-rdm * Create tiny-rdm.profile * firecfg.config: add support for tiny-rdm
* | | | clamtk: fix scanning (#6074)Libravatar glitsj162023-11-02
| | | |
* | | | freshclam: fix .local include (#6075)Libravatar glitsj162023-11-02
| | | |
* | | | build(deps): bump github/codeql-action from 2.22.4 to 2.22.5Libravatar dependabot[bot]2023-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.4 to 2.22.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/49abf0ba24d0b7953cb586944e918a0b92074c80...74483a38d39275f33fcff5f35b679b5ca4a26a99) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | | ci: run printenv.sh on codespell.ymlLibravatar Kelvin M. Klann2023-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | It's the only workflow missing it. See commit 339d395fb ("ci: print env-related settings in each job", 2023-04-22) / PR #5802.
* | | | discord.profile: allow /usr/share/discord (#6072)Libravatar veloute2023-10-29
| |_|/ |/| | | | | | | | | | | | | | | | | discord_arch_electron[1] stores its files in /usr/share/discord, rather than the usual /opt/discord. [1] https://aur.archlinux.org/packages/discord_arch_electron
* | | sort.py: fix missing/duplicated commands in usageLibravatar Kelvin M. Klann2023-10-25
| | |
* | | profiles: Extend node stack support for pnpm (#6063)Libravatar glitsj162023-10-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | * nodejs-common: add pnpm support * disable-programs.inc: add pnpm support * Create pnpm.profile * Create pnpx.profile
* | | Merge pull request #6064 from kmk3/profiles-dedup-dc-dpLibravatar Kelvin M. Klann2023-10-24
|\ \ \ | |_|/ |/| | disable-programs.inc: remove duplicated entries
| * | disable-programs.inc: remove duplicated entriesLibravatar Kelvin M. Klann2023-10-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | They are already present in disable-common.inc. Added in the following commits: * 6bf6d5ed5 ("updated program files", 2016-12-02) / PR #951 * 49280197c ("various hardening (#3394)", 2020-05-02) * 2e2c2327f ("profiles: support more msmtp configuration paths (#6060)", 2023-10-22) Misc: This was noticed on PR #6060.
| * | profiles: centralize gnome-boxes blacklisting in dcLibravatar Kelvin M. Klann2023-10-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | They are currently spread over disable-common.inc and disable-programs.inc. Added on commit 6f7ab41e4 ("blacklist gnome-boxes user files (VM-Images)", 2019-10-13) and commit 49280197c ("various hardening (#3394)", 2020-05-02).
* | | enabled nettraces by default in the main build - you would need to be root ↵landlock-splitLibravatar netblue302023-10-24
| | | | | | | | | | | | to run these options
* | | build(deps): bump github/codeql-action from 2.22.3 to 2.22.4Libravatar dependabot[bot]2023-10-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.3 to 2.22.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0116bc2df50751f9724a2e35ef1f24d22f90e4e1...49abf0ba24d0b7953cb586944e918a0b92074c80) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | build(deps): bump actions/checkout from 4.1.0 to 4.1.1Libravatar dependabot[bot]2023-10-23
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | profiles: support more msmtp configuration paths (#6060)Libravatar glitsj162023-10-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since version 1.8.6 msmtp supports per-user configuration at either ~/.msmtprc (already supported by firejail) or `$XDG_CONFIG_HOME/msmtp/config`. System-wide support can be placed at /etc/msmtprc. This adds the missing paths to the relevant .inc and .profile files. Note that `blacklist ${HOME}/.msmtprc` is present on both disable-common.inc and disable-programs.inc, so the new paths are added to both files. References: https://wiki.archlinux.org/title/Msmtp#Basic_setup https://marlam.de/msmtp/msmtp.html#Configuration-files
* | contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6059)Libravatar mammo02023-10-22
| | | | | | | | | | | | | | | | The `mimetypes` property contains the section `text/plain`. This causes for example the Gnome Editor to recognize every simple text file as a firejail profile file. See this issue: https://gitlab.gnome.org/GNOME/gnome-text-editor/-/issues/612 Fixes #6057.
* | RELNOTES: reword profiles itemLibravatar Kelvin M. Klann2023-10-22
| | | | | | | | | | | | For extra clarity. Relates to #5987.
* | RELNOTES: add profile itemsLibravatar Kelvin M. Klann2023-10-18
| | | | | | | | | | | | | | | | These profile-related changes seem significant enough to warrant entries, as #6021 adds some guidance on the use of private-opt and #5987 standardizes the format of commented code in all profiles. Relates to #5987 #6021.
* | RELNOTES: add ci itemLibravatar Kelvin M. Klann2023-10-18
| | | | | | | | Relates to #6026.
* | profiles: exchange private-opt with a whitelist (#6021)Libravatar glitsj162023-10-18
| | | | | | | | | | | | | | | | | | | | | | | | | | * profiles: drop private-opt (existing whitelist) * profiles: replace private-opt with whitelist In most profiles. Kept private-opt for enpass (~85MB), mate-dictionary (<20MB), minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't check: xmr-stak. * docs: note potential issues with private-opt
* | steam.profile: Allow Baba Is You (#6054)Libravatar Frostbyte46642023-10-16
| |
* | build(deps): bump github/codeql-action from 2.22.0 to 2.22.3Libravatar dependabot[bot]2023-10-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.0 to 2.22.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2cb752a87e96af96708ab57187ab6372ee1973ab...0116bc2df50751f9724a2e35ef1f24d22f90e4e1) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | ssmtp: allow (SUID) binary (#6052)Libravatar glitsj162023-10-15
| |
* | disable-common.inc: more SUID binaries (#6051)Libravatar glitsj162023-10-15
| |
* | Merge pull request #6049 from kmk3/dc-add-more-suidLibravatar Kelvin M. Klann2023-10-15
|\ \ | | | | | | disable-common.inc: add more suid programs
| * | disable-common.inc: add more suid programsLibravatar Kelvin M. Klann2023-10-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Programs: $ pacman -Qo fusermount3 groupmems mount.cifs wall write /usr/bin/fusermount3 is owned by fuse3 3.16.1-1 /usr/bin/groupmems is owned by shadow 4.14.0-4 /usr/bin/mount.cifs is owned by cifs-utils 7.0-3 /usr/bin/wall is owned by util-linux 2.39.2-1 /usr/bin/write is owned by util-linux 2.39.2-1
| * | disable-common.inc: sort suid sectionLibravatar Kelvin M. Klann2023-10-11
|/ /
* | pavucontrol-qt: fix broken whitelisting in ${HOME} (#6045)Libravatar glitsj162023-10-09
| |
* | build(deps): bump github/codeql-action from 2.21.9 to 2.22.0Libravatar dependabot[bot]2023-10-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.9 to 2.22.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ddccb873888234080b77e9bc2d4764d5ccaaccf9...2cb752a87e96af96708ab57187ab6372ee1973ab) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* | build(deps): bump step-security/harden-runner from 2.5.1 to 2.6.0Libravatar dependabot[bot]2023-10-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/8ca2b8b2ece13480cda6dacd3511b49857a23c09...1b05615854632b887b69ae1be8cbefe72d3ae423) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* | tshark: CLI hardening (#6040)Libravatar glitsj162023-10-07
| |
* | New profile: termshark (#6039)Libravatar glitsj162023-10-07
| | | | | | | | | | | | | | * Create termshark.profile * firecfg.config: add termshark support * termshark: CLI hardening
* | wireshark: fix access to dumpcap (#6038)Libravatar glitsj162023-10-07
| |
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-06-30 14:15:01 +0000