| Commit message (Collapse) | Author | Age |
|
For consistency with mkdeb.sh.
Note: The default arguments and support for argument overriding were
added to mkrpm.sh on commit 3d97332fd ("Add configure options when
building rpm (#3422)", 2020-05-19).
The support for appending arguments was added to mkdeb.sh on commit
9a0fbbd71 ("mkdeb.sh.in: pass remaining arguments to ./configure",
2022-05-13) / PR #5154.
|
The build on Alpine fails due to `__u32` not being defined. It seems
that musl itself does not define it, so linux/types.h would have to be
included (for example, by including linux/landlock.h).
Error from `build_src_package`[1]:
    make -C src/firejail/
    make[1]: Entering directory '/builds/Firejail/firejail_ci/src/firejail'
    gcc [...] -DMOD_DIR='"src/firejail"' [...] -c appimage.c -o appimage.o
    In file included from appimage.c:23:
    firejail.h:977:17: error: unknown type name '__u32'
      977 | int ll_restrict(__u32 flags);
          |                 ^~~~~
    make[1]: Leaving directory '/builds/Firejail/firejail_ci/src/firejail'
    make[1]: *** [../../src/prog.mk:16: appimage.o] Error 1
    make: *** [Makefile:58: src/firejail/firejail] Error 2
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
[1] https://gitlab.com/Firejail/firejail_ci/-/jobs/5729692038
|
Changes:
* Print everything to stderr (to ensure that the messages are shown in
order)
* Print debug messages at the beginning of most functions
* Include the function name and access flags used
Relates to #6078.
|
curl supports several locations for the rc file according to its man
page:
[...]
When curl is invoked, it (unless -q, --disable is used) checks for a
default config file and uses it if found, even when -K, --config is
used. The default config file is checked for in the following places in
this order:
1) "$CURL_HOME/.curlrc"
2) "$XDG_CONFIG_HOME/curlrc" (Added in 7.73.0)
3) "$HOME/.curlrc"
[...]
|
This fixes Fractal 5 not opening on Void Linux due to it failing to
access "/usr/share/fractal/resources.gresource".
Fixes #6119.
Reported-by: @mhmdana
Suggested-by: @rusty-snake
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.8 to 2.22.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/407ffafae6a767df3e0230c3df91b6443ae8df75...c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Functions with `...` as the first parameter appear to be unsupported in
older versions of gcc, as they fail to compile. Examples:
Error from gcc 9.5.0-1ubuntu1~16.04.sav1 on Ubuntu 16.04:
    [...]
    In file included from appimage.c:23:
    firejail.h:981:27: error: ISO C requires a named argument before ‘...’
      981 | static inline int ll_read(...) { return 0; }
          |                           ^~~
Warning from gcc 13.2.1-3 on Artix Linux:
    $ ./configure --disable-landlock >/dev/null && make clean >/dev/null &&
      make EXTRA_CFLAGS+='-std=c99 -Wpedantic -Wno-error'
    [...]
    gcc -ggdb -O2 -DVERSION='"0.9.73"' -DMOD_DIR='"src/firejail"' [...]
    In file included from appimage.c:23:
    firejail.h:982:27: warning: ISO C requires a named argument before ‘...’ before C2X [-Wpedantic]
      982 | static inline int ll_read(...) { return 0; }
          |                           ^~~
Fixes #6115.
Relates to #6078.
|
Geary uses bubblewrap now.
Fixes #6103.
|
The relevant functions are all identical except for the access flags
used.
Relates to #6078.
|
When a new landlock entry is parsed from a profile, the first entry in
the `cfg.lprofile` list is being set as the next/second entry and the
new entry is being set as the first entry in the list, so all entries
are being processed from last to first.
This commit makes the behavior of ll_add_profile() match the one from
profile_add() in src/firejail/profile.c so that the entries are
processed in the same order that they are parsed.
This amends commit b94cc754a ("landlock: apply rules in sandbox before
app start", 2023-10-26) / PR #6078.
|
This amends commit 520508d5b ("landlock: avoid parsing landlock commands
twice", 2023-11-02) / PR #6078.
|
To avoid confusion, only return a new ruleset and let the caller set the
global one.
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
For consistency with the other functions that have no parameters.
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
This amends commit d10bf154a ("landlock: detect support at runtime",
2023-11-06) / PR #6078.
|
This amends commit d10bf154a ("landlock: detect support at runtime",
2023-11-06) / PR #6078.
|
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
Fix formatting and wrong/outdated information.
This amends commit 6d0559de7 ("landlock: update README.md, small fix in
man firejal; update profile stats in README.md", 2023-12-04).
Relates to #6078.
|
Originally from PR #5359.
Relates to #6078.
|
in README.md
|
feature: add Landlock support
|
And ignore landlock-related commands if Landlock is unsupported at
runtime.
|
Apply rules in the sandbox thread before the application is started.
|
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
|
ci: re-enable sort.py
|
It was disabled on commit df6ea884f ("merges, disable sort.py in profile
checks temporarely, two more private-etc profiles", 2023-02-14).
Currently all profiles are sorted and there are no ongoing `private-etc`
changes, so it should be safe to re-enable.
Note that the script is useful to catch sorting issues not only in
`private-etc` but also in other commands, such as `seccomp`[1] [2].
This is a follow-up to #6070.
Relates to #5610.
[1] https://github.com/netblue30/firejail/pull/6066#discussion_r1372055800
[2] https://github.com/netblue30/firejail/pull/6067#discussion_r1372027243
|
lutris.profile: allow mangohud
|
Similarly to steam.profile (see #4864).
Fixes #6106.
|
feature: expand simple macros in more commands
|
This includes macros such as `${HOME}` and `${RUNUSER}`.
Commands:
* --chroot=
* --netfilter=
* --netfilter6=
* --trace=
Closes #6032.
Reported-by: @michelesr
|
feature: firecfg: add firecfg.d & add ignore command
|
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].
It prevents firecfg from creating a symlink for the given program.
Also, document the paths used and the config file syntax.
Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.
Closes #2097.
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
|
As suggested by @WhyNotHugo[1].
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
|
Instead of using asprintf + free.
Also, use LIBDIR instead of hardcoded "/usr/lib" for fzenity.
|
Changes:
* fix inconsistent indentation/braces
* add missing free
|
Relates to #5982 #6006 #6057 #6059 #6070 #6086 #6087.
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.7 to 2.22.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/66b90a5db151a8042fa97405c6cf843bbe433f7b...407ffafae6a767df3e0230c3df91b6443ae8df75)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
I accidentally removed the `!` when sorting the arguments in #6067.
This amends commit fbba03790 ("lutris.profile: allow more syscalls",
2023-10-24) / PR #6067.
|
Lookup xauth in PATH.
|
Don't use hardcoded `/usr/bin/xauth`,
iterate over directories inside PATH instead.
This fixes https://github.com/netblue30/firejail/issues/6006
|
build: sort.py: use case-sensitive sorting
|
To match how things are sorted elsewhere, such as with `noblacklist` /
`whitelist` lines (vertically) in profiles and in
ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
This makes the order in `private-etc` always be groups (`@group`), then
uppercase paths, then lowercase paths. Example from
etc/profile-m-z/softmaker-common.profile:
private-etc @tls-ca,SoftMaker,fstab
Note that this does not affect a significant amount of profiles; most
changes are in `private-bin` / `private-lib` lines and in `private-etc`
lines for newer profiles that do not use groups. This is partly due to
commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05)
replacing `X11` with `@x11` in `private-etc` lines and then commit
0f996ea4d ("private-etc: groups modified", 2023-02-05) removing
`Trolltech.conf` from `private-etc` lines and using case-sensitive
sorting in them.
Relates to #5610.
|
lutris.profile: allow more syscalls
|
Need to whitelist `ptrace` and `clone3` for Ubisoft Connect to work.
journalctl did list `process_vm_readv` when a game was running, but it
didn't crash the game.
Fixes #6035.
|
steam.profile: allow process_vm_readv syscall
|