| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |\ \
| | |
| | | |
gnome-keyring: harden and add gnome-keyring-daemon.profile
|
| | | | |
|
| | | |
| | |
| | |
| | | |
And use it as the base for the existing gnome-keyring.profile.
|
| | | | |
|
| | | |
| | |
| | |
| | | |
Relates to #6195 #6196 #6200.
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
build: mkrpm.sh improvements
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
They are not being properly forwarded to mkrpm.sh (which re-runs
./configure before the actual build), so just remove them for now.
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
To abort the build if any error occurs.
See also commit 7d9db8355 ("fail build if any step in the script fails",
2019-06-21).
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | | |
To make the CI logs more informative, as currently nothing from the
build itself is shown.
Added on commit d684d9988 ("Fix mkrpm.sh", 2016-02-16) / PR #297.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Recently (as of Landlock ABI 4), the `handled_access_net` field was
added to the `landlock_ruleset_attr` struct in the Linux kernel (in
linux/landlock.h). In src/firejail/landlock.c, that field is not being
set in the struct (as we currently do not use it) before passing it to
the `landlock_create_full_ruleset` syscall, so it is likely to contain
random garbage when used, resulting in the syscall returning EINVAL:
$ firejail --debug --profile=/etc/firejail/landlock-common.inc \
--landlock.enforce true
[...]
ll_is_supported: Detected Landlock ABI version 4
ll_restrict: Starting Landlock restrict
ll_create_full_ruleset: Creating Landlock ruleset (abi=4 fs=1fff)
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_read: Adding Landlock rule (abi=4 fs=c) for /
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
[...]
Not enforcing Landlock
So ensure that all structs in src/firejail/landlock.c are initialized to
0 before using them.
Note: Arch has recently (2024-01-31) updated the linux-api-headers
package from version 6.4-1 to 6.7-1[1]. The former version is not affected
(as it does not contain the extra struct field in linux/landlock.h),
while the latter is.
Fixes #6195.
Relates to #6078.
[1] https://gitlab.archlinux.org/archlinux/packaging/packages/linux-api-headers/-/commit/b4223b0c2bfba54c26acc4dc289415b81b15989f
Reported-by: @curiosityseeker
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to certain variables not being declared:
dpkg-source -i -I --before-build .
[...]
dh_auto_clean
make -j2 distclean
make[1]: Entering directory '/builds/kmk3/firejail_ci'
error: run ./configure to generate config.mk
[...]
rm -f contrib/syntax/files/example [...]
rm -fr - -.tar.xz
rm: invalid option -- '.'
Try 'rm --help' for more information.
make[1]: *** [Makefile:175: clean] Error 1
This amends commit 8a783cdc2 ("build: use TARNAME and remove more paths
on clean", 2023-07-29) / PR #6186.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to test/compile/compile.sh not being able to source config.mk (which is
created by ./configure):
dpkg-source -i -I --before-build .
[...]
dh_auto_clean
make -j2 distclean
make[1]: Entering directory '/builds/Firejail/firejail_ci'
error: run ./configure to generate config.mk
[...]
cd compile && ./compile.sh --clean
./compile.sh: line 15: ./../../config.sh: No such file or directory
make[2]: *** [Makefile:24: clean] Error 1
This amends commit 152a21f15 ("build: simplify clean target",
2023-07-29) / PR #6186.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make the error message format in `ll_create_full_ruleset` match the
other ones in landlock.c.
This amends commit 01a9ddbbe ("landlock: improve logs for debugging",
2023-11-08).
Misc: This was noticed on #6195.
Relates to #6078.
|
| | |
| |
| |
| |
| |
| |
| | |
This amends commit bf5a99360 ("landlock: add support for PATH macro",
2023-12-22).
Relates to #6078.
|
| | |
| |
| |
| | |
Relates to #6172 #6178 #6184 #6186 #6187.
|
| |\ \
| | |
| | | |
landlock: split .special into .makeipc and .makedev
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.2 to 3.24.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/b7bf0a3ed3ecfa44160715d7c442788f65f0f923...e8893c57a1f3a2b659b6b55564fdfdbbd2982911)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/eb238b55efaa70779f274895e782ed17c84f2895...63c24ba6bd7ba022e95695ff85de572c04a18142)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |\ \ \
| | | |
| | | | |
build: improve main clean target
|
| | | | |
| | | |
| | | |
| | | | |
Instead of `firejail-*.tar.xz`, to match `*.deb` and `*.rpm`.
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | | |
Move some clean commands into more relevant makefiles.
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fix the following CodeQL warning (CWE-253)[1]:
> Rule ID: cpp/incorrectly-checked-scanf
> The result of scanf is only checked against 0, but it can also return
> EOF.
> Functions in the scanf family return either EOF (a negative value) in
> case of IO failure, or the number of items successfully read from the
> input. Consequently, a simple check that the return value is nonzero
> is not enough.
>
> Recommendation
>
> Ensure that all uses of scanf check the return value against the
> expected number of arguments rather than just against zero.
Note: The affected code portions attempt to read values from /etc/passwd
and /etc/group, so invalid input seems unlikely to be the case. Either
way, the changes make the checks in question more consistent with
similar sscanf return value checks in the rest of the code.
Added on commit 4f003daec ("prevent leaking user information by
modifying /home directory, /etc/passwd and /etc/group", 2015-11-19).
[1] https://github.com/netblue30/firejail/security/code-scanning/32
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
So that they fail early instead of letting them run indefinitely when
there are problems with the CI infrastructure.
Use 5 minutes for the jobs that usually complete in under a minute
(check-profiles and codespell) and 10 minutes for the rest (most jobs
usually take 1-3 minutes).
|
| | |/ /
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Recent versions of geeqie[1] use a Lua interpreter, like the one
currently in Arch Linux (2.2).
Without this fix it fails with:
/usr/bin/geeqie: error while loading shared libraries: liblua.so.5.4: [...]
[1] https://www.geeqie.org/
|
| | | |
| | |
| | |
| | |
| | | |
Add common Lua include to crawl.profile (Dungeon Crawl Stone Soup) to
allow Lua libraries, as both the ncurses and tiles executables are
dynamically linked to Lua.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Warnings:
$ make codespell
Running codespell...
./README:757: Manuel ==> Manual
./RELNOTES:269: relpaced ==> replaced
./src/firecfg/desktop_files.c:60: diectory ==> directory
./platform/debian/control.i386:11: namepaces ==> namespaces
./platform/debian/control.amd64:11: namepaces ==> namespaces
make: *** [Makefile:383: codespell] Error 65
$ codespell --version
2.2.6
|
| |/ /
| |
| |
| |
| | |
This amends commit e665769f5 ("build: automatically generate header
dependencies", 2023-07-05) / PR #6164.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Tesseract is a CLI program and its output may be parsed by other
programs (such as `ocrmypdf`). Including messages from firejail in the
output may break the parsing, so remove them.
Fixes #6171.
Reported-by: @kmille
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unlike the rest of the normal startup output (which goes to stderr), the
version number is being printed to stdout, which makes it harder to
ignore all of firejail's output. Example:
$ firejail --noprofile /usr/bin/true --version 2>/dev/null
firejail version 0.9.73
true (GNU coreutils) 9.4
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Jim Meyering.
So make the normal startup version output go to stderr and keep the
other occurrences (such as in `firejail --version`) going to stdout, to
make it easier to grep things in the output.
Added on commit f019f0ec3 ("Print version on startup for
firejail/firecfg", 2023-05-11) / PR #5829.
Reported by @rusty-snake[1].
[1] https://github.com/netblue30/firejail/issues/6171#issuecomment-1912768721
|
| |
|
|
| |
Relates to #5269 #6164.
|
| |\
| |
| | |
build: automatically generate header dependencies
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Instead of manually specifying which source files depend on which
headers, use compiler flags to automatically generate depfiles (.d),
which declare the correct header (make) dependencies for each source
file (.c).
Use `-MMD` (which ignores system headers) to generate the dependencies
and `-MP` to prevent make from complaining when a header file is removed
while it is listed as a dependency in a depfile.
If depfiles exist, just include them. If not, make each object file
(.o) unconditionally depend on all header files in its source directory
and in src/include, to ensure that rebuilds are done when needed. The
latter case applies to the first build after `make clean` (which would
build everything anyway) and when the compiler does not support
generating depfiles.
Note that both gcc and clang have supported these options for a long
time.
Misc: This depends on the changes from commit 5b1bd33c7 ("build: use
full paths on compile/link targets", 2023-07-02) / PR #6158 to avoid
issues with make dependency tracking.
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.1 to 3.23.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0b21cf2492b6b02c465a3e5d7c473717ad7721ba...b7bf0a3ed3ecfa44160715d7c442788f65f0f923)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.0 to 3.23.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/e5f05b81d5b6ff8cfa111c80c22c5fd02a384118...0b21cf2492b6b02c465a3e5d7c473717ad7721ba)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |
|
|
| |
Relates to #5245 #6153 #6158 #6159.
|
| |\
| |
| | |
build: use full paths on compile/link targets
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This makes the compile commands clearer when building in parallel (with
`make -j`) and ensures that `__FILE__` includes the full build-time path
(relative to the root of the repository) whenever it is referenced, such
as in failed assert() messages (currently the full path is only shown in
errExit() messages). Example:
Before:
firejail: main.c:100: main: Assertion `1 == 2' failed.
Error src/firecfg/main.c:100: main: malloc: Cannot allocate memory
After:
firejail: ../../src/firejail/main.c:100: main: Assertion `1 == 2' failed.
Error ../../src/firecfg/main.c:100: main: malloc: Cannot allocate memory
Commands used to search and replace:
$ git grep -Ilz '^MOD_DIR =' -- '*Makefile' | xargs -0 -I '{}' \
sh -c "printf '%s\n' \"\$(sed -E \
-e 's|^MOD_DIR = src/(.*)|MOD = \\1\\nMOD_DIR = \$(ROOT)/src/\$(MOD)|' \
-e 's:^(PROG|SO) = [^.]+(\.so)?$:\\1 = \$(MOD_DIR)/\$(MOD)\2:' \
'{}')\" >'{}'"
$ git grep -Ilz '^HDRS :=' -- '*.mk' | xargs -0 -I '{}' \
sh -c "printf '%s\n' \"\$(sed -E \
-e 's|wildcard (\*\..)|wildcard \$(MOD_DIR)/\\1|' '{}')\" >'{}'"
Note: config.mk.in, src/fnettrace/Makefile and src/include/common.h were
edited manually.
This is a follow-up to #5871.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make it more similar to the assert() message format for consistency.
Example:
Before:
firejail: main.c:100: main: Assertion `1 == 2' failed.
Error src/firecfg/main.c:100 main(): malloc: Cannot allocate memory
After:
firejail: main.c:100: main: Assertion `1 == 2' failed.
Error src/firecfg/main.c:100: main: malloc: Cannot allocate memory
This amends commit b963fe41a ("Improve errExit error messages",
2023-06-16) / PR #5871.
|
| |\ \
| | |
| | | |
build: use CPPFLAGS instead of INCLUDE in compile targets
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With this, CFLAGS and CPPFLAGS are used when compiling and LDFLAGS when
linking, just like in the built-in GNU make rules. From `make -p`:
COMPILE.c = $(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c
LINK.c = $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(TARGET_ARCH)
LINK.o = $(CC) $(LDFLAGS) $(TARGET_ARCH)
Note: It is unclear where the `INCLUDE` variable comes from; it is not
documented in autoconf nor GNU make and automake (which itself is not
used in this repository) only mentions `INCLUDES`:
`INCLUDES`
This does the same job as `AM_CPPFLAGS` (or any per-target
`_CPPFLAGS` variable if it is used). It is an older name for
the same functionality. This variable is deprecated; we
suggest using `AM_CPPFLAGS` and per-target `_CPPFLAGS` instead.
Environment: automake 1.16.5-2 and GNU make 4.4.1 on Artix Linux.
See also commit 671c3f249 ("build: actually set LDFLAGS and LIBS in
makefiles", 2022-11-30) / PR #5504.
|
| |\ \
| | |
| | | |
firecfg: use ignorelist also for .profile/.desktop files
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Closes #5245.
Relates to #5876.
|
| | | |
| | |
| | |
| | | |
And make it const.
|
glitsj16
Kelvin M. Klann
dependabot[bot]
Fidel Ramos
luca0N!