Commit message [Author, Age]
* mkdir/mkfile man pages [netblue30, 2021-02-26]
|
* Merge pull request #4009 from Tomin1/protocol_list_improvements [netblue30, 2021-02-26]
|\
| |   Allow changing protocol list after initial set
| * Allow changing "protocol" list after initial set [Simo Piiroinen, 2021-02-25]
| |
| |   Firejail uses set-once logic for "protocol" list. This makes it
| |   impossible to accumulate list of allowed protocols from multiple
| |   include files.
| |
| |   Use profile_list_augment() for maintaining list of protocols.
| |   This implicitly means protocols can be added/removed via any
| |   number of command line options / profile configuration files.
| |
| |   Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
| |   Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
| * Add utility functions for handling comma separated lists [Simo Piiroinen, 2021-02-25]
| |
| |   A lot of profile options deal with manipulating strings containing
| |   comma separated list of things, using several strains of similar
| |   but not exactly the same code, duplicated for the purposes of
| |   processing command line arguments and parsing configuration files.
| |
| |   Having utility functions available for handling such list strings
| |   can make higher level logic shorter, cleaner and function in more
| |   uniform manner.
| |
| |   Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
| |   Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
* | Merge pull request #4010 from Tomin1/mkdir_and_mkfile_options [netblue30, 2021-02-26]
|\ \
| |/
|/|   Add --mkdir and --mkfile command line options for firejail
| * Add --mkdir and --mkfile command line options for firejail [Simo Piiroinen, 2021-02-25]
|/
|   Profile files are defined as a means to "pass several command line
|   arguments to firejail" but apparently for example mkdir and mkfile
|   options are available in context of profile files, but can't be
|   specified directly from command line.
|
|   Add support for --mkdir and --mkfile options so that executing:
|
|       firejail --mkdir=${HOME}/directory/path\
|                --whitelist=${HOME}/directory/path
|
|   behaves similarly as having profile file content:
|
|       mkdir ${HOME}/directory/path
|       whitelist ${HOME}/directory/path
|
|   Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
|   Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
* fix spacing in gget.profile [glitsj16, 2021-02-25]
|
|   Thx to @rusty-snake for spotting this.
* Merge pull request #4008 from glitsj16/gget [glitsj16, 2021-02-25]
|\
| |   add new profile for gget
| * Create gget.profile [glitsj16, 2021-02-25]
| |
| * add gget [glitsj16, 2021-02-25]
| |
| * add gget [glitsj16, 2021-02-25]
|/
* Merge pull request #4007 from smitsohu/privatelib5 [netblue30, 2021-02-25]
|\
| |   fix firecfg links in restrictive sandboxes
| * fix firecfg links in restrictive sandboxes [smitsohu, 2021-02-25]
| |
| |   firejail symbolic link redirection currently depends on a shell,
| |   but in restrictive sandboxes there might be no execute permission,
| |   or private-lib might have removed necessary libraries, or seccomp
| |   might block required syscalls ...
| |
| |   Fix this by forcing --shell=none.
| |
| |   closes #3911
| * cleanup [smitsohu, 2021-02-25]
| |
* | Fixup 0e31d020, torbrowser-launcher missing path [Tad, 2021-02-24]
| |
* | cleanup [smitsohu, 2021-02-25]
| |
* | private-lib: minor simplification [smitsohu, 2021-02-25]
| |
* | musl fix (#3998) [smitsohu, 2021-02-25]
| |
| |   musl stdlib (Alpine Linux) doesn't know about
| |   canonicalize_file_name, replace with equivalent realpath calls
* | fcopy: fixes for old compilers, cppcheck fixes (#3998) [netblue30, 2021-02-24]
| |
* | Merge pull request #4004 from smitsohu/privatelib4 [netblue30, 2021-02-24]
|\ \
| | |   add PATH_FCOPY to private-lib automatically
| * | add PATH_FCOPY to private-lib automatically [smitsohu, 2021-02-24]
| |/
| |   restore 45304621a6c600d8e30e98bfbef05149caaf56c5, but now run fldd
| |   as root user. This became necessary because in the meantime read
| |   permission on helper executables was removed.
| |
| |   Puts infrastructure in place to add other helper binaries to
| |   private-lib as well, should the need arise.
* | Merge pull request #3998 from Tomin1/first_fixes [netblue30, 2021-02-24]
|\ \
| | |   Upstreaming a set of fixes from Sailfish's packaging
| * | Add checks to fs_private_dir_mount [Tomi Leppänen, 2021-02-22]
| | |
| | |   Check that the directory exists before attempting to mount it.
| | |
| | |   Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
| * | Add missing linefeeds in stderr logging [Simo Piiroinen, 2021-02-22]
| | |
| | |   Lacking linefeed chars cause messages to get concatenated.
| | |
| | |   Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
| | |   Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
| * | sandbox: Do not leave file mounts underneath private-etc [Simo Piiroinen, 2021-02-22]
| | |
| | |   Firejail uses file bind-mounts to filter /etc/passwd and /etc/group
| | |   content. If private-etc is used, these mounts are left underneath
| | |   the /etc directory mount and this seems to be causing problems in
| | |   devices with older kernels: attempts to modify passwd or group data
| | |   fails with EBUSY.
| | |
| | |   Make it possible to perform fs_private_dir_list() actions in two
| | |   separate phases.
| | |
| | |   Undo the file mounts in /etc before mounting private-etc content.
| | |
| | |   Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
| | |   Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
| * | fcopy: Fix memory leaks [Simo Piiroinen, 2021-02-19]
| | |
| | |   These have little consequences as the tool exits anyway, but
| | |   fs_copydir() leaks memory on success path and check() on failure
| | |   path.
| | |
| | |   Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
| | |   Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
| * | Fix symlinks that go through /proc/self [Simo Piiroinen, 2021-02-19]
| | |
| | |   When constructing sandbox fs, /etc/mtab which is symlink to
| | |   /proc/self/mounts gets resolved as /proc/PID/mounts. Where PID is
| | |   not the pid of the process that is going to get executed in the
| | |   firejail -> the result is broken/unaccessible symlink from the
| | |   application point of view.
| | |
| | |   Use /proc/self/xxx type symlink target if it resolves similarly as
| | |   the /proc/PID/xxx type would at the time of mapping.
| | |
| | |   Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
| | |   Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
* | | Merge pull request #4001 from kmk3/fix-signal-xdg-ignore [netblue30, 2021-02-24]
|\ \ \
| | | |   signal-desktop.profile: fix typo of disable-xdg.profile
| * | | signal-desktop.profile: fix typo of disable-xdg.profile [Kelvin M. Klann, 2021-02-22]
| | | |
| | | |   Added on commit f4f676745 ("Refactor electron.profile and electron
| | | |   based programs (#3807)"). This appears to be the only instance of
| | | |   that:
| | | |
| | | |       $ grep -Fnr 'include-xdg' etc
| | | |       etc/profile-m-z/signal-desktop.profile:9:ignore include-xdg.inc
| | | |
| | | |   Simply fixing the typo would enable xdg dirs for the first time
| | | |   since the aforementioned commit. But, as talked with
| | | |   @rusty-snake[1], since there has been no negative feedback, and
| | | |   since it's a whitelisting profile, just remove the affected line
| | | |   instead.
| | | |
| | | |   Credits go to syntax highlighting on vim.
| | | |
| | | |   [1]: https://github.com/netblue30/firejail/pull/4001
* | | | Merge pull request #4003 from Neo00001/master [netblue30, 2021-02-24]
|\ \ \ \
| | | | |   Minor fixes for vmware
| * | | | Update firecfg.config [Neo00001, 2021-02-23]
| | | | |
| * | | | Create vmware-workstation.profile [Neo00001, 2021-02-23]
| | | | |
| * | | | Create vmware-player.profile [Neo00001, 2021-02-23]
| | | | |
* | | | | Merge pull request #4002 from kmk3/ipcalc-misc-fixes [netblue30, 2021-02-24]
|\ \ \ \ \
| | | | | |   ipcalc: misc fixes
| * | | | | ipcalc.profile: move allow include to proper place [Kelvin M. Klann, 2021-02-22]
| | | | | |
| | | | | |   And add missing allow include comment.
| | | | | |
| | | | | |   See etc/templates/profile.template.
| * | | | | ipcalc-ng.profile: fix double globals.local include [Kelvin M. Klann, 2021-02-22]
| | | | | |
| | | | | |   And add missing redirect comment.
| | | | | |
| | | | | |   See etc/templates/redirect_alias-profile.template.
* | | | | | update man profile [netblue30, 2021-02-24]
| | | | | |
* | | | | | Merge pull request #4005 from glitsj16/lzop [glitsj16, 2021-02-24]
|\ \ \ \ \ \
| |_|_|_|_|/
|/| | | | |   new profile: lzop
| * | | | | new profile: lzop [glitsj16, 2021-02-24]
| | | | | |
| * | | | | add lzop [glitsj16, 2021-02-24]
| | | | | |
| * | | | | Create lzop.profile [glitsj16, 2021-02-24]
|/ / / / /
* | / / / jailtest fix [smitsohu, 2021-02-23]
| |/ / /
|/| | |
* | | | Merge branch 'master' of https://github.com/netblue30/firejail [netblue30, 2021-02-23]
|\ \ \ \
| * | | | dosbox fix [netblue30, 2021-02-22]
| |/ / /
* | | | jailtest [netblue30, 2021-02-23]
| | | |
* | | | hardening ssh, tor [netblue30, 2021-02-23]
|/ / /
* | | more calibre profiles [netblue30, 2021-02-22]
| | |
* | | Fix patch-util not having access to libdl.so (#4000) [zupatisc, 2021-02-22]
| | |
| | |   * Fix patch-util not having access to libdl.so
| | |
| | |   * Update etc/profile-m-z/patch.profile
| | |
| | |   Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
* | | build: include jailtest in rpm [Reiner Herrmann, 2021-02-21]
| | |
* | | apparmor capabilities fix [netblue30, 2021-02-21]
|/ /