| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
* Move msg to the end of errExit (right before perror(3p))
* Include the full file path (within the repository)
* Add "()" to function name for clarity
Before:
Error malloc: main.c:123 main: Cannot allocate memory
After:
Error src/firejail/main.c:123 main(): malloc: Cannot allocate memory
Note: This clarifies which is the exact file that the error message
comes from, as there are many source files with the same name. For
example:
$ git ls-files 'src/*/main.c' | wc -l
20
|
| |
|
|
|
|
| |
For increased portability.
The former is in C99, the latter is from gcc.
|
| | |
|
| |
|
|
|
|
| |
Use errExit in every place that uses __FILE__ and __LINE__ manually.
Note: This currently only happens in the duplicated `is_dir` function.
|
| |
|
|
| |
Relates to #5859 #5864 #5866.
|
| |\
| |
| | |
build: organize and standardize make vars and targets
|
| | |
| |
| |
| | |
This allows overriding them when calling make.
|
| | |
| |
| |
| |
| |
| |
| | |
Changes:
* Deduplicate common CFLAGS into a new COMMON_CFLAGS variable
* Move some definitions from PROG_CFLAGS into COMMON_CFLAGS
|
| | |
| |
| |
| | |
Put all definitions in the same file.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changes:
* Remove -fPIE, as it is mutually exclusive with -fPIC
* Remove -pie, as it is intended for executables (with -fPIE / -fpie)
* Remove duplicated `-z relro`
Note: The files built by the affected recipe are identical with and
without these changes when using gcc 13.1.1-1 on Artix Linux.
|
| | |
| |
| |
| | |
And remove a duplicated `HAVE_SUID` declaration.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
Changes:
* clean: remove the same types of files in src/prog.mk and src/so.mk
* distclean: remove unused recipes and DISTCLEANFILES variable
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To CLEANFILES and DISTCLEANFILES, respectively.
This matches what GNU automake uses.
Commands used to search and replace:
$ git grep -IFlz -e TOCLEAN -e TODISTCLEAN |
xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
-e 's/TOCLEAN/CLEANFILES/g' \
-e 's/TODISTCLEAN/DISTCLEANFILES/g' '{}')\" >'{}'"
Added on commit cbdee6555 ("makefiles: add TOCLEAN and TODISTCLEAN
variables", 2022-07-15) / PR #5478.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To make them less confusing, as they are extra dependencies, not files
that are specific to the module.
Commands used to search and replace:
$ git grep -IFlz -e 'MOD_HDRS' -e 'MOD_OBJS' -- src |
xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
-e 's/MOD_HDRS/EXTRA_HDRS/g' \
-e 's/MOD_OBJS/EXTRA_OBJS/g' '{}')\" >'{}'"
Added on commit f5b1ccaad ("makefiles: move extra deps into new MOD
vars", 2022-05-07) / PR #5478.
|
| | |
| |
| |
| |
| |
| |
| | |
It is unused and is unlikely to be used.
Added on commit f5b1ccaad ("makefiles: move extra deps into new MOD
vars", 2022-05-07) / PR #5478.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/128a63446a954579617e875aaab7d2978154e969...55d479fb1c5bcad5a4f9099a5d9f37c8857b2845)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.20.0 to 2.20.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/6c089f53dd51dc3fc7e599c3cb5356453a52ca9e...f6e388ebf0efc915c6c5b165b019ee61a6746a38)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | | |
|
| |/ |
|
| |
|
|
|
|
|
| |
To reduce the amount of boilerplate in the makefiles.
This amends commit 9789c263a ("build: disable all built-in implicit make
rules", 2023-06-21) / PR #5864.
|
| |\
| |
| | |
update lobster profile
|
| | | |
|
| |\ \
| | |
| | | |
profiles: vmware improvements and new redirect
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It appears to be broken on Linux Mint 20.3 (based on Ubuntu 20.04), due
to the "VMWare Kernel Module Updater" being unable to install kernel
modules[1].
Relates to #3526.
[1] https://github.com/netblue30/firejail/issues/5861#issuecomment-1598407890
Reported-by: @MikeNavy
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It apparently fails on Linux Mint 20.3 (based on Ubuntu 20.04) due to
the "VMWare Kernel Module Updater" being unable to find gcc[1].
Relates to #3526.
[1] https://github.com/netblue30/firejail/issues/5861#issuecomment-1598407890
Reported-by: @MikeNavy
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
As a redirect to vmware.profile.
This is apparently the filename for the "VMWare Workstation Player" on
Linux Mint 20.3 (based on Ubuntu 20.04)[1].
Relates to #3526.
[1] https://github.com/netblue30/firejail/issues/5861#issuecomment-1598132860
Reported-by: @MikeNavy
|
| | | |
| | |
| | |
| | | |
Relates to #3526.
|
| |\ \ \
| |/ /
|/| | |
build: disable all built-in implicit make rules
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use `make -r` to reduce unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~93.3% (~97.5% compared to a8f01a383) for the default build and by
~83.3% (~99.3% compared to a8f01a383) for the "man" target (as an
example):
$ git show --pretty='%h %ai %s' -s
a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6798
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
# (in the previous commit)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
2535
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
42
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
170
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
7
Environment: GNU make 4.4.1-2 on Artix Linux.
Note: According to make(1p) in POSIX.1-2017, "If .SUFFIXES does not have
any prerequisites, the list of known suffixes shall be cleared.", while
"The result of setting MAKEFLAGS in the Makefile is unspecified."
Commands used to search and replace:
$ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed -E \
's/^(.SUFFIXES:)/\1\nMAKEFLAGS += -r\n/' '{}')\" >'{}'"
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Clear `.SUFFIXES:` to reduce unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~62% for the default build and by ~96% for the "man" target (as an
example):
$ git checkout master >/dev/null 2>&1
$ git show --pretty='%h %ai %s' -s
a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6798
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
2535
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
42
Environment: GNU make 4.4.1-2 on Artix Linux.
Commands used to search and replace:
$ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed '1s/^/.SUFFIXES:\n/' '{}')\" >'{}'"
See also commit f48886f25 ("build: mark most phony targets as such",
2023-02-01) / PR #5637.
|
| |/ /
| |
| |
| | |
To make the makefiles look more similar.
|
| |\ \
| | |
| | | |
build: remove -mretpoline and NO_EXTRA_CFLAGS
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The -mretpoline flag is not documented in the current versions of gcc
and clang and it is what causes scan-build to fail:
$ ./configure CC=clang | grep retpoline
checking whether C compiler accepts -mretpoline... yes
EXTRA_CFLAGS: -mretpoline -fstack-clash-protection -fstack-protector-strong
$ scan-build --status-bugs make
scan-build: Using '/usr/bin/clang-15' for static analysis
make -C src/lib
make[1]: Entering directory '/tmp/firejail/src/lib'
/usr/bin/../lib/clang/ccc-analyzer [...] -mretpoline [...] -c common.c -o common.o
gcc: error: unrecognized command-line option ‘-mretpoline’
make[1]: *** [../../src/prog.mk:16: common.o] Error 1
make[1]: Leaving directory '/tmp/firejail/src/lib'
make: *** [Makefile:59: src/lib] Error 2
scan-build: Analysis run complete.
scan-build: Removing directory '/tmp/scan-build-[...]' because it contains no reports.
scan-build: No bugs found.
Environment: clang 15.0.7-9 and gcc 13.1.1-1 on Artix Linux.
Note: NO_EXTRA_CFLAGS was added to work around this issue by causing all
of the flags in EXTRA_CFLAGS to be ignored.
Note2: -mretpoline was added on commit 4a99c8aa2 ("spectre support for
clang compiler", 2018-03-30) and NO_EXTRA_CFLAGS was added on commit
490918c35 ("fix make scan-build for debian 10 and arch", 2019-07-22).
See also commit 2c64d1fdd ("use AX_CHECK_COMPILE_FLAG to check for
spectre flags", 2019-06-21).
Closes #5509.
Kind of relates to #2661.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.6 to 2.20.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/83f0fe6c4988d98a455712a27f0255212bba9bd4...6c089f53dd51dc3fc7e599c3cb5356453a52ca9e)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/8e5e7e5ab8b370d6c329ec480221332ada57f0ab...c85c95e3d7251135ab7dc9ce3241c5835cc595a9)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Added on commit b689b69f6 ("make --private-lib a compile time option,
disabled by default", 2023-03-09) and on commit 91f2b3ffc ("private-lib
cleanup", 2023-03-09).
Relates to #5727 #5732.
|
| | | |
| | |
| | |
| | | |
Relates to #5708 #5741 #5856.
|
| |\ \ \
| | | |
| | | | |
modif: Standardize and add missing name/hostname checks
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Note that the sandbox name may also be set through the "join-or-start"
option.
Relates to #5578 #5708.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Changes:
* Use only `invalid_name` to check the name and hostname instead of
ad-hoc checks
* Standardize empty/invalid error messages for name/hostname
Note: This makes the hostname validation less strict, though it still
forbids control characters and only numbers.
Relates to #5578 #5708.
See also commit b4ffaa207 ("merges; more on cleaning up esc chars",
2023-02-14).
|
| | | | |
| | | |
| | | |
| | | | |
In `invalid_name`.
|
| | | | |
| | | |
| | | |
| | | | |
To match the hostname check in src/firejail/main.c.
|
| | | |/
| |/|
| | |
| | |
| | |
| | |
| | | |
The `invalid_name` function does not allow control characters.
Added on commit d349a2ff8 ("Forbid control chars in names", 2023-03-03)
/ PR #5708.
|
| | | |
| | |
| | |
| | | |
Relates to #5842 #5850 #5857.
|
| | |/
|/| |
|
| |\ \
| | |
| | | |
ci: standardize apt-get update/install & misc improvements
|
Kelvin M. Klann
dependabot[bot]
netblue30
pirate486743186