| Commit message (Collapse) | Author | Age |
Fix formatting and wrong/outdated information.
This amends commit 6d0559de7 ("landlock: update README.md, small fix in
man firejal; update profile stats in README.md", 2023-12-04).
Relates to #6078.
|
Originally from PR #5359.
Relates to #6078.
|
in README.md
|
feature: add Landlock support
|
And ignore landlock-related commands if Landlock is unsupported at
runtime.
|
Apply rules in the sandbox thread before the application is started.
|
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
|
ci: re-enable sort.py
|
It was disabled on commit df6ea884f ("merges, disable sort.py in profile
checks temporarely, two more private-etc profiles", 2023-02-14).
Currently all profiles are sorted and there are no ongoing `private-etc`
changes, so it should be safe to re-enable.
Note that the script is useful to catch sorting issues not only in
`private-etc` but also in other commands, such as `seccomp`[1] [2].
This is a follow-up to #6070.
Relates to #5610.
[1] https://github.com/netblue30/firejail/pull/6066#discussion_r1372055800
[2] https://github.com/netblue30/firejail/pull/6067#discussion_r1372027243
|
lutris.profile: allow mangohud
|
Similarly to steam.profile (see #4864).
Fixes #6106.
|
feature: expand simple macros in more commands
|
This includes macros such as `${HOME}` and `${RUNUSER}`.
Commands:
* --chroot=
* --netfilter=
* --netfilter6=
* --trace=
Closes #6032.
Reported-by: @michelesr
|
feature: firecfg: add firecfg.d & add ignore command
|
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].
It prevents firecfg from creating a symlink for the given program.
Also, document the paths used and the config file syntax.
Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.
Closes #2097.
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
|
As suggested by @WhyNotHugo[1].
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
|
Instead of using asprintf + free.
Also, use LIBDIR instead of hardcoded "/usr/lib" for fzenity.
|
Changes:
* fix inconsistent indentation/braces
* add missing free
|
Relates to #5982 #6006 #6057 #6059 #6070 #6086 #6087.
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.7 to 2.22.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/66b90a5db151a8042fa97405c6cf843bbe433f7b...407ffafae6a767df3e0230c3df91b6443ae8df75)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
I accidentally removed the `!` when sorting the arguments in #6067.
This amends commit fbba03790 ("lutris.profile: allow more syscalls",
2023-10-24) / PR #6067.
|
Lookup xauth in PATH.
|
Don't use hardcoded `/usr/bin/xauth`,
iterate over directories inside PATH instead.
This fixes https://github.com/netblue30/firejail/issues/6006
|
build: sort.py: use case-sensitive sorting
|
To match how things are sorted elsewhere, such as with `noblacklist` /
`whitelist` lines (vertically) in profiles and in
ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
This makes the order in `private-etc` always be groups (`@group`), then
uppercase paths, then lowercase paths. Example from
etc/profile-m-z/softmaker-common.profile:
private-etc @tls-ca,SoftMaker,fstab
Note that this does not affect a significant amount of profiles; most
changes are in `private-bin` / `private-lib` lines and in `private-etc`
lines for newer profiles that do not use groups. This is partly due to
commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05)
replacing `X11` with `@x11` in `private-etc` lines and then commit
0f996ea4d ("private-etc: groups modified", 2023-02-05) removing
`Trolltech.conf` from `private-etc` lines and using case-sensitive
sorting in them.
Relates to #5610.
|
lutris.profile: allow more syscalls
|
Need to whitelist `ptrace` and `clone3` for Ubisoft Connect to work.
journalctl did list `process_vm_readv` when a game was running, but it
didn't crash the game.
Fixes #6035.
|
steam.profile: allow process_vm_readv syscall
|
EA Origin (game launcher) won't launch without this.
See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159
|
fcopy: Use lstat when copy directory.
|
When copying directories use lstat when reading info about source files.
|
The most generic way is to use `intmax_t`
because we don't know what is the "parent" type of `off_t`.
This fixes https://github.com/netblue30/firejail/issues/5982 .
|
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.0 to 2.6.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/1b05615854632b887b69ae1be8cbefe72d3ae423...eb238b55efaa70779f274895e782ed17c84f2895)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.5 to 2.22.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/74483a38d39275f33fcff5f35b679b5ca4a26a99...66b90a5db151a8042fa97405c6cf843bbe433f7b)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
on Debian the data is in /usr/share/tesseract-ocr/
|
* disable-programs.inc: add support for tiny-rdm
* Create tiny-rdm.profile
* firecfg.config: add support for tiny-rdm
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.4 to 2.22.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/49abf0ba24d0b7953cb586944e918a0b92074c80...74483a38d39275f33fcff5f35b679b5ca4a26a99)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
It's the only workflow missing it.
See commit 339d395fb ("ci: print env-related settings in each job",
2023-04-22) / PR #5802.
|
discord_arch_electron[1] stores its files in /usr/share/discord, rather than
the usual /opt/discord.
[1] https://aur.archlinux.org/packages/discord_arch_electron
|
* nodejs-common: add pnpm support
* disable-programs.inc: add pnpm support
* Create pnpm.profile
* Create pnpx.profile
|
disable-programs.inc: remove duplicated entries
|
They are already present in disable-common.inc.
Added in the following commits:
* 6bf6d5ed5 ("updated program files", 2016-12-02) / PR #951
* 49280197c ("various hardening (#3394)", 2020-05-02)
* 2e2c2327f ("profiles: support more msmtp configuration paths (#6060)",
2023-10-22)
Misc: This was noticed on PR #6060.