Commit message (author, date)
...
* build(deps): bump actions/checkout from 4.1.2 to 4.1.4 (dependabot[bot], 2024-05-01)

    Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.2 to 4.1.4.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...0ad4b8fadaa221de15dcec353f45205ec38ea70b)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* profiles: add loupe (Tavi, 2024-05-01)

    Signed-off-by: Tavi <tavi@divested.dev>
* add support for comm, coredump, and prctl procevents in firemon (netblue30, 2024-04-30)
* landlock: fix building without landlock.h (Kelvin M. Klann, 2024-04-29)

    landlock.h may not be available on the system (such as with older
    versions of Linux API headers), so only try to include it if
    `HAVE_LANDLOCK` is defined.

    This fixes the following error from `build_debian_package` (which uses
    `debian:buster`) on GitLab CI[1]:

        $ ./mkdeb.sh --enable-fatal-warnings
        [...]
        gcc [...] -c ../../src/firejail/landlock.c -o ../../src/firejail/landlock.o
        ../../src/firejail/landlock.c:22:10: fatal error: linux/landlock.h: No such file or directory
         #include <linux/landlock.h>
                  ^~~~~~~~~~~~~~~~~~
        compilation terminated.

    This amends commit a05ae97af ("landlock: amend empty functions and
    comments", 2024-04-08) / PR #6305.

    Relates to #6078.

    [1] https://gitlab.com/Firejail/firejail_ci/-/jobs/6743161059
* profiles: fix new game profiles (Kelvin M. Klann, 2024-04-29)

    Fix sorting and improve comments.

    See etc/templates/profile.template.

    This amends commit 4c5f55899 ("several kids programs", 2024-04-29).
* several kids programs (netblue30, 2024-04-29)
* whitelisting /var/games by default (netblue30, 2024-04-28)
* Merge branch 'master' of ssh://github.com/netblue30/firejail (netblue30, 2024-04-28)
* profiles: fluffychat: remove option already present in disable-common.inc (#6322) (glitsj16, 2024-04-25)
* profiles: audacity: allow networking by default (#6321) (glitsj16, 2024-04-25)

    Newly-released audacity 3.5 supports cloud-saving and remote backup
    features:

    - https://www.audacityteam.org/blog/audacity-3-5/
    - https://support.audacityteam.org/additional-resources/changelog/audacity-3.5#cloud-project-saving
* RELNOTES: add feature, modif and profile items (Kelvin M. Klann, 2024-04-25)

    Relates to #6302 #6305 #6307 #6308 #6309.
* Merge pull request #6307 from spiiroin/serialize_remounts (Kelvin M. Klann, 2024-04-25)

    modif: populate /run/firejail while holding flock
* modif: populate /run/firejail while holding flock (Simo Piiroinen, 2024-04-25)

    There are reports of firejail sandboxed applications occasionally taking
    a long time (12 seconds) to start up. When this happens, it affects all
    sandboxed applications until the device is rebooted.

    The reason for the slowdown seems to be a timing hazard in the way
    remounts under /run/firejail are handled. This gets triggered when
    multiple firejail processes are launched in parallel as part of user
    session bring up and results in some, dozens, hundreds, or even
    thousands of stray /run/firejail/xxx mounts. The amount of mount points
    then affects every mount operation that is done during sandbox
    filesystem construction.

    To stop this from happening, arrange it so that only one firejail
    process at a time is inspecting and/or modifying mountpoints under
    /run/firejail by doing:

    1. Create /run/firejail directory (without locking)
    2. Create and obtain a lock for /run/firejail/firejail-run.lock
    3. Setup files, directories and mounts under /run/firejail
    4. Release /run/firejail/firejail-run.lock
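The four-step sequence in the commit message above, as an added example in C. This is not firejail's own code (its implementation lives in src/firejail/preproc.c, which is not shown here); it reproduces the pattern with flock(2) so the ordering can be tested. Assumptions made so that it runs unprivileged: a per-process scratch directory under /tmp stands in for /run/firejail, the lock file keeps the name firejail-run.lock from the message, and creating one subdirectory ("mnt") stands in for the files and mounts the real step 3 sets up.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 4096

/* Open (creating if needed) the lock file and take an exclusive advisory
 * flock(2) on it; op is LOCK_EX, optionally ORed with LOCK_NB. O_CLOEXEC keeps
 * the lock fd from leaking into the sandboxed child. Returns the fd, or -1
 * with errno set (EWOULDBLOCK when LOCK_NB is given and the lock is held). */
static int lock_open(const char *lockpath, int op) {
	int fd = open(lockpath, O_RDWR | O_CREAT | O_CLOEXEC, 0644);
	if (fd < 0)
		return -1;
	if (flock(fd, op) != 0) {
		int saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

/* Step 2: block until the lock is ours. */
int rundir_lock(const char *lockpath) { return lock_open(lockpath, LOCK_EX); }

/* Non-blocking variant: fails with EWOULDBLOCK while any other open file
 * description (another process, or a second open() in this one) holds it. */
int rundir_try_lock(const char *lockpath) { return lock_open(lockpath, LOCK_EX | LOCK_NB); }

/* Step 4: release. Closing the descriptor drops the flock by itself; the
 * explicit LOCK_UN just makes the intent visible. */
void rundir_unlock(int fd) {
	if (fd >= 0) {
		flock(fd, LOCK_UN);
		close(fd);
	}
}

/* Step 3, valid only while the lock is held: inspect and populate the
 * directory. One subdirectory stands in for the files and mounts the real
 * code sets up. Returns 1 if this call created it, 0 if it already existed
 * (a previous instance did the work), -1 on error. */
int rundir_populate(const char *dir, const char *entry) {
	char path[PATHBUF];
	snprintf(path, sizeof path, "%s/%s", dir, entry);
	if (mkdir(path, 0755) == 0)
		return 1;
	return errno == EEXIST ? 0 : -1;
}

/* The four steps in order. Step 1 needs no lock: mkdir(2) is atomic, so
 * EEXIST only means another instance won the race. Returns rundir_populate's
 * result, or -1 on any failure. */
int rundir_setup(const char *dir, const char *lockname, const char *entry) {
	char lockpath[PATHBUF];
	int fd, rc;
	if (mkdir(dir, 0755) != 0 && errno != EEXIST)   /* 1 */
		return -1;
	snprintf(lockpath, sizeof lockpath, "%s/%s", dir, lockname);
	fd = rundir_lock(lockpath);                      /* 2 */
	if (fd < 0)
		return -1;
	rc = rundir_populate(dir, entry);                /* 3 */
	rundir_unlock(fd);                               /* 4 */
	return rc;
}

/* Remove everything rundir_setup created; returns 0 on success. */
int rundir_cleanup(const char *dir, const char *lockname, const char *entry) {
	char path[PATHBUF];
	snprintf(path, sizeof path, "%s/%s", dir, entry);
	rmdir(path);
	snprintf(path, sizeof path, "%s/%s", dir, lockname);
	unlink(path);
	return rmdir(dir);
}

/* Per-process scratch directory so the example runs unprivileged; the real
 * code uses the fixed /run/firejail. */
void rundir_scratch_path(char *buf, size_t n) {
	snprintf(buf, n, "/tmp/rundir-example-%ld", (long)getpid());
}

int main(void) {
	char dir[PATHBUF];
	rundir_scratch_path(dir, sizeof dir);
	int first = rundir_setup(dir, "firejail-run.lock", "mnt");
	int second = rundir_setup(dir, "firejail-run.lock", "mnt");
	printf("first=%d second=%d\n", first, second); /* first=1 second=0 */
	rundir_cleanup(dir, "firejail-run.lock", "mnt");
	return (first == 1 && second == 0) ? 0 : 1;
}
```

Two caveats a reviewer would raise. flock(2) is advisory and belongs to the open file description, so it only keeps out other instances that take the same lock, and a child that inherited the descriptor would keep the lock alive; O_CLOEXEC and releasing before the sandboxed program is exec'd avoid that. The scratch path under /tmp is only for the demonstration: in a world-writable directory another local user can pre-create the lock file (or a symlink in its place) before the privileged process opens it, which is a reason to keep such a lock under a directory like /run/firejail that unprivileged users cannot populate.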
* modif: improve flock handling (Simo Piiroinen, 2024-04-25)

    Changes:

    * Centralize flock handling in preproc.c
    * Add debug and error logging
    * Abort if anything fails

    Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
* refactor: make rundir lock variables global (Kelvin M. Klann, 2024-04-23)

    To enable using them outside of src/firejail/main.c.
* --fbuilder cleanup (netblue30, 2024-04-28)
* static ip map (netblue30, 2024-04-23)
* profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6309) (tools200ms, 2024-04-20)

    The path is used in the Gentoo net-misc/openssh package (9.6_p1-r3).

    Fixes #6308.
* New profile: axel (#6315) (glitsj16, 2024-04-20)

    https://github.com/axel-download-accelerator/axel
* tests: fix broken rm in gzip.exp (Kelvin M. Klann, 2024-04-18)

    This amends commit 29da82d08 ("private-etc: kdiff3, gzip, gunzip, tar
    etc", 2023-02-10).

    This is causing CI to fail, as "index.html" has nothing to do with
    gzip.exp[1]:

        ##[group]Run make test-sysutils
        make test-sysutils
        shell: /usr/bin/bash -e {0}
        env:
          SHELL: /bin/bash
        ##[endgroup]
        make -C test sysutils
        make[1]: Entering directory '/home/runner/work/firejail/firejail/test'
        cd sysutils && ./sysutils.sh 2>&1 | tee sysutils.log
        /usr/bin/gzip
        TESTING: gzip
        spawn /bin/bash
        rm index.html*
        runner@fv-az1391-790:~/work/firejail/firejail/test/sysutils$ rm index.html*
        rm: cannot remove 'index.html*': No such file or directory
        runner@fv-az1391-790:~/work/firejail/firejail/test/sysutils$ <irejail gzip -c ../../mkdeb.sh | firejail gunzip -c
        TESTING ERROR 1

    [1] https://github.com/netblue30/firejail/actions/runs/8739405468/job/23982517624:
* Merge pull request #6302 from kmk3/docs-warn-landlock (netblue30, 2024-04-11)

    docs: warn about limitations of landlock
* docs: warn about limitations of landlock (Kelvin M. Klann, 2024-04-11)

    And mark it as experimental.

    Relates to #6078.
* Merge pull request #6305 from kmk3/landlock-amend-empty (netblue30, 2024-04-11)

    landlock: amend empty functions and comments
* landlock: amend empty functions and comments (Kelvin M. Klann, 2024-04-10)

    Changes:

    * Always declare public landlock functions, regardless of
      `HAVE_LANDLOCK`
    * Make the other public landlock functions (besides `ll_add_profile`)
      also be empty when `HAVE_LANDLOCK` is not defined
    * Clarify related comments

    This amends commit 8259f66e1 ("landlock fix for old kernel versions",
    2024-04-06).

    For clarity, landlock-common.inc is included by default.profile and the
    issue that the aforementioned commit fixes is that if profile.c is built
    without the part that parses landlock commands (that is, when
    `HAVE_LANDLOCK` is not defined), using default.profile would cause
    firejail to abort due to "invalid lines".

    Note that the issue would only occur when firejail is built with an
    older kernel (or with --disable-landlock), not when simply running on an
    older kernel.

    See also commit b02a7a337 ("landlock: remove empty functions",
    2023-12-07).

    Relates to #6078.
* profiles: mov-cli: remove ffmpeg & allow more paths (#6304) (pirate486743186, 2024-04-11)

    Changes:

    * Remove ffmpeg from private-bin
    * Allow download folder
    * It needs an editor to allow editing the config, so I put in nano; sh
      and uname are used for launching nano

    Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
* build(deps): bump github/codeql-action from 3.24.9 to 3.24.10 (dependabot[bot], 2024-04-08)

    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.9 to 3.24.10.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/1b1aada464948af03b950897e5eb522f92603cc2...4355270be187e1b672a7a1c7c7bae5afdc1ab94a)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* landlock fix for old kernel versions (netblue30, 2024-04-06)
* RELNOTES: add profile items (Kelvin M. Klann, 2024-04-05)

    Relates to #6298 #6299 #6300.
* profiles: clarify and add opengl-game to profile.template (#6300) (Kelvin M. Klann, 2024-04-05)

    To make it consistent with the other include profiles.

    See etc/templates/profile.template.

    With this, all `etc/inc/allow-*` files are listed in profile.template.

    The explanation is based on a comment by @rusty-snake[1].

    Relates to #4071.

    This is a follow-up to #6299.

    [1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473
* profiles: add allow-php.inc to profile.template (#6299) (Kelvin M. Klann, 2024-04-03)

    To make it consistent with the other include profiles.

    See etc/templates/profile.template.

    Note: It is not currently included in any profile.

    Added on commit 89f30f1f2 ("Create allow-php.inc", 2020-01-25).

    This is a follow-up to #6298.
* profiles: add allow-nodejs.inc to profile.template (#6298) (Kelvin M. Klann, 2024-03-30)

    To make it consistent with the other include profiles.

    See etc/templates/profile.template.

    Relates to #3866 #5881.
* RELNOTES: move bugfix item into profiles (Kelvin M. Klann, 2024-03-30)

    Relates to #5601 #5618.
* RELNOTES: add bugfix and profile items (Kelvin M. Klann, 2024-03-28)

    Relates to #5717 #6049 #6051 #6052.
* RELNOTES: add modif and ci items (Kelvin M. Klann, 2024-03-28)

    Relates to #5953 #5957.
* RELNOTES: add profile items (Kelvin M. Klann, 2024-03-27)

    Relates to #6289 #6294.
* pkglog: hardening (x11) (#6292) (glitsj16, 2024-03-27)
* New profile: gh (GitHub CLI) (#6293) (glitsj16, 2024-03-27)

    Description: GitHub's official command-line tool.
    https://github.com/cli/cli
* profiles: rename disable-X11.inc to disable-x11.inc (#6294) (Kelvin M. Klann, 2024-03-27)

    That is, make "X11" lowercase so that the order of the includes in the
    disable- section remains the same when sorted with `LC_ALL=C`, as is the
    case for most of the other sections.

    That is also likely to be the default in text editors (such as in vim on
    Arch), so this should make the disable- section more consistent and
    easier to sort when editing the profile.

    Also, keep the old include as a redirect to the new one for now to avoid
    breakage.

    Commands used to search and replace:

        git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
        git grep -Ilz 'disable-X11' -- etc | xargs -0 \
          perl -pi -e 's/disable-X11/disable-x11/'

    Relates to #4462 #4854 #6070 #6289.

    This is a follow-up to #6286.
* profiles: sort blacklist sections (#6289) (Kelvin M. Klann, 2024-03-27)

    See etc/templates/profile.template.

    This is a follow-up to #6286.
* RELNOTES: add many profile items (Kelvin M. Klann, 2024-03-25)

    Relates to #5686 #5700 #5702 #5735 #5763 #5794 #5946 #6218.
* RELNOTES: add build and profile items (Kelvin M. Klann, 2024-03-25)

    Relates to #6257 #6282 #6283 #6286 #6290.
* build: sort.py: add and require -i to edit in-place (#6290) (Kelvin M. Klann, 2024-03-25)

    Similarly to `sed -i` and `perl -i`.

    This allows checking if sort.py correctly sorts the relevant lines in a
    profile without having to overwrite it, which makes debugging and
    testing easier (for example, in #6261).

    Note: If it finds items that are not sorted, it still sorts them, prints
    the diff and returns an error.
* New profile: qemu-common.profile (#6287) (Kelvin M. Klann, 2024-03-25)

    Add a common profile to deduplicate entries and make qemu-related
    profiles redirect to it.

    Relates to #6255.
* build(deps): bump github/codeql-action from 3.24.7 to 3.24.9 (dependabot[bot], 2024-03-25)

    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.7 to 3.24.9.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/3ab4101902695724f9365a384f86c1074d94e18c...1b1aada464948af03b950897e5eb522f92603cc2)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* firefox: Add org.kde.kdeconnect to plasma integration comment (#6285) (RundownRhino, 2024-03-24)

    I recently set up KDE connect and plasma-browser-integration for firefox
    (Linux Mint 21.2) and needed this line in addition to the ones mentioned
    in the profile.

    Found it via running `firejail --profile=/etc/firejail/firefox.profile
    --dbus-user.log firefox`, trying to send links to device, and seeing
    what events get logged.
* Merge pull request #6286 from kmk3/x11-none-improvements (Kelvin M. Klann, 2024-03-24)

    profiles: replace x11 socket blacklist with disable-X11.inc
</gr_replreplace>
<gr_replace lines="96-97" cat="reformat" orig="| * profiles: replace">
* profiles: replace x11 socket blacklist with disable-X11.inc (Kelvin M. Klann, 2024-03-24)

    Replace all occurrences of `blacklist /tmp/.X11-unix` with
    `include disable-X11.inc`, which blacklists more X11-related files.

    Commands used to search and replace:

        $ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
          etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
          s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
          s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
          s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'

    Note: The following files were also edited manually:

    * etc/profile-a-l/erd.profile
    * etc/profile-a-l/links-common.profile
    * etc/profile-m-z/termshark.profile
    * etc/profile-m-z/tmux.profile
    * etc/profile-m-z/tshark.profile

    Relates to #4462 #4854.
| * profiles: replace x11 socket blacklist with disable-X11.incLibravatar Kelvin M. Klann2024-03-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Replace all occurrences of `blacklist /tmp/.X11-unix` with `include disable-X11.inc`, which blacklists more X11-related files. Commands used to search and replace: $ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \ etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\ s/\nblacklist \/tmp\/.X11-unix\n/\n/; \ s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \ s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/' Note: The following files were also edited manually: * etc/profile-a-l/erd.profile * etc/profile-a-l/links-common.profile * etc/profile-m-z/termshark.profile * etc/profile-m-z/tmux.profile * etc/profile-m-z/tshark.profile Relates to #4462 #4854.
* sstmp.profile: sort disable includes (Kelvin M. Klann, 2024-03-23)

    Move disable-X11.inc before disable-xdg.inc for consistency with other
    profiles.

    Added on commit 73a6fced2 ("New profile: ssmtp (#5544)", 2022-12-21).
* profiles: deny access to ~/.config/autostart (#6257) (Kelvin M. Klann, 2024-03-24)

    The files in this directory are intended to be automatically executed
    when the user logs in. In which case, granting write access to this
    directory allows the program to easily escape the sandbox (by
    autostarting itself outside of firejail, for example).

    Misc: This was noticed on #6244.
* gconf-editor: remove X11 socket blacklist (Kelvin M. Klann, 2024-03-23)

    It is a GUI program.

    It was apparently added by accident on commit 73321c597 ("Fixes
    (#2816)", 2019-07-01).

    Reported by @glitsj16 at
    https://github.com/netblue30/firejail/pull/6286#discussion_r1536618241