Commit message  (Author, Date)
* build: add missing dbus/x11 commands to arg1 list  (Kelvin M. Klann, 2023-09-06)
    Fix the list generation and run `make syntax`.

    Relates to #5627.
* neochat: Allow netlink (#5986)  (DefaultUser, 2023-09-06)
    The latest Neochat package on Arch (23.08.0-2, with libquotient 0.8.1.1-1) crashes otherwise.
* wusc: add /usr/share/locale-langpack (LC_MESSAGES) (#5981)  (kzsa, 2023-09-06)
    Fixes #5974.
* discord-common.profile: harden & allow notifications (#5978)  (haarp, 2023-09-06)
    What works:
    - Basic functionality
    - Receiving notifications
    - Voice communication
    - Watching streams

    What wasn't tested:
    - Casting streams
    - Opening links
    - Tracking/displaying "current activity" as status message
    - Apparmor

    Notes:
    - Discord tries to access system dbus (`[ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied`). I don't know what business it has with the system dbus, and didn't notice any problems due to that.
    - I had one crash after 2h of watching a stream. Probably unrelated.

    Fixes #5971.
* RELNOTES: add bugfix and ci items  (Kelvin M. Klann, 2023-08-30)
    Relates to #5965 #5976 #5984.
* Merge pull request #5984 from kmk3/ci-fix-dependabot-dup  (Kelvin M. Klann, 2023-08-30)
    ci: fix dependabot duplicated workflow runs
| * ci: fix dependabot duplicated workflow runs  (Kelvin M. Klann, 2023-08-28)
    Every workflow is being executed twice for dependabot: Once when its branch is pushed to this repository and again when a PR is opened for it. For example, see the checks in #5979 ("29 checks passed").

    This happens because both `on.push` and `on.pull_request` are specified in the workflow files.

    There does not seem to be a simple and generic way to avoid such duplicated runs directly in GitHub Actions (such as preventing the same check from running for the same exact commit)[1], so just ignore the dependabot branches on push for now.

    See also commit 5871b08a4 ("ci: run for every branch instead of just master", 2023-04-23) / PR #5815.

    [1] https://github.com/orgs/community/discussions/26276
* | Merge pull request #5976 from topimiettinen/fix-5965  (Kelvin M. Klann, 2023-08-30)
    Fix wrong syscall names for s390_pci_mmio_{read,write}
| * Fix wrong syscall names for s390_pci_mmio_{read,write}  (Topi Miettinen, 2023-08-26)
    Closes #5965
* | build(deps): bump actions/checkout from 3.5.3 to 3.6.0  (dependabot[bot], 2023-08-28)
    Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 3.6.0.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/actions/checkout/compare/c85c95e3d7251135ab7dc9ce3241c5835cc595a9...f43a0e5ff2bd294095638e18286ca9a3d1956744)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* | build(deps): bump github/codeql-action from 2.21.2 to 2.21.5  (dependabot[bot], 2023-08-28)
    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.2 to 2.21.5.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/v2.21.2...00e563ead9f72a8461b24876bee2d0c2e8bd2ee8)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* | tests: disable broken wget tests in utils/sysutils  (Kelvin M. Klann, 2023-08-28)
    They are taking longer than the 30s timeout[1] [2]:

        runner@fv-az246-621:~/work/firejail/firejail/test/sysutils$ <ysutils$ firejail --ignore=quiet wget -q debian.org
        Reading profile /etc/firejail/wget.profile
        [...]
        Child process initialized in 115.54 ms
        TESTING ERROR 2

        runner@fv-az1234-541:~/work/firejail/firejail/test/utils$ <irejail --build wget --output-document=~ debian.org
        [...]
        Resolving www.debian.org (www.debian.org)... 128.31.0.62
        Connecting to www.debian.org (www.debian.org)|128.31.0.62|:443... connected.
        TESTING ERROR 13

    [1] https://github.com/kmk3/firejail/actions/runs/6005119423/job/16287436840
    [2] https://github.com/kmk3/firejail/actions/runs/6005314148/job/16287794321
* | tests: disable wget test in utils/trace.exp  (Kelvin M. Klann, 2023-08-28)
    It is apparently getting in the way of the rm test[1]:

        runner@fv-az1417-728:~/work/firejail/firejail/test/utils$ <ail/test/utils$ firejail --trace wget -q debian.org
        5:wget:exec /usr/local/bin/wget:0
        5:wget:stat64 /etc/wgetrc:0
        5:wget:fopen64 /etc/wgetrc:0x561585600510
        5:wget:stat64 /home/runner/.wgetrc:-1
        OK
        [...]
        firejail --trace rm index.html
        5:wget:connect 4 128.31.0.62 port 443:0
        [...]
        5:wget:stat64 /home/runner/.wget-hsts:0
        runner@fv-az1417-728:~/work/firejail/firejail/test/utils$ TESTING ERROR 9

    [1] https://github.com/kmk3/firejail/actions/runs/6004405511/job/16284920616
* | tests: fix wget test in utils/trace.exp  (Kelvin M. Klann, 2023-08-28)
    This should fix the following error[1]:

        runner@fv-az1230-523:~/work/firejail/firejail/test/utils$ <ail/test/utils$ firejail --trace wget -q debian.org
        [...]
        5:wget:stat64 index.html:-1
        5:wget:stat64 index.html:-1
        5:wget:stat64 /home/runner/.netrc:-1
        5:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:4
        5:wget:connect 4 151.101.66.132 port 80:0
        5:wget:stat64 index.html:-1
        5:wget:stat64 index.html:-1
        5:wget:stat64 index.html:-1
        [...]
        TESTING ERROR 8.6

    [1] https://github.com/kmk3/firejail/actions/runs/6004266783/job/16284476671
* | tests: increase the timeouts in wget.exp and build.exp  (Kelvin M. Klann, 2023-08-28)
    To try to fix the following errors[1] [2]:

        runner@fv-az298-480:~/work/firejail/firejail/test/utils$ <irejail --build wget --output-document=~ debian.org
        [...]
        Resolving www.debian.org (www.debian.org)... 128.31.0.62
        Connecting to www.debian.org (www.debian.org)|128.31.0.62|:443... connected.
        TESTING ERROR 13

        runner@fv-az305-745:~/work/firejail/firejail/test/sysutils$ <ysutils$ firejail --ignore=quiet wget -q debian.org
        [...]
        Child process initialized in 106.89 ms
        TESTING ERROR 2

    [1] https://github.com/netblue30/firejail/actions/runs/5996420917/job/16278071977?pr=5979
    [2] https://github.com/netblue30/firejail/actions/runs/5996420917/job/16278071219?pr=5979
* profiles: patch fixes (#5970)  (glitsj16, 2023-08-25)
    Commit 3077b2d1f blacklists `${PATH}/patch` in disable-devel.inc[1]. We need to noblacklist it in the profiles that need it.

    [1] https://github.com/netblue30/firejail/commit/3077b2d1ff6c6e26a83487ae460985157b5c61fd
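The ordering caveat behind the commit above, as an added example that is not part of firejail and not code from this commit: a profile is read top to bottom, and a `noblacklist` line only exempts a path from the `blacklist` entries that come after it (including the ones pulled in by a later `include disable-*.inc`), which is why the project's profile template keeps `noblacklist` lines above the `include` lines. The shell function below is a hypothetical lint, not one of firejail's own tools, that flags profiles where a `noblacklist` line lands after such an include; both sample profiles are constructed for this example.

```shell
#!/bin/sh
# Added example, not firejail's own tooling: flag "noblacklist" lines that
# appear after an "include disable-*.inc" line, where they are read too late
# to exempt the path from the blacklist entries that include pulled in.
# Prints one line per offender and returns 1 if any were found, else 0.
check_noblacklist_order() {
    awk '
        # remember the first include of a disable-*.inc list
        /^include[ \t]+disable-.*\.inc[ \t]*$/ { if (!first_inc) first_inc = NR }
        # a noblacklist after that include no longer protects the path
        /^noblacklist[ \t]/ && first_inc {
            printf "%s:%d: \"%s\" comes after include on line %d\n", FILENAME, NR, $0, first_inc
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample profiles (hypothetical; written to temp files so the
# lint can be run on them). Sets the globals $good and $bad.
make_samples() {
    good=$(mktemp) && bad=$(mktemp)
    cat >"$good" <<'EOF'
# correct order: the exemption precedes the lists that blacklist the path
noblacklist ${PATH}/patch
include disable-common.inc
include disable-devel.inc
EOF
    cat >"$bad" <<'EOF'
# wrong order: patch is already blacklisted when noblacklist is reached
include disable-common.inc
include disable-devel.inc
noblacklist ${PATH}/patch
EOF
}

# Usage: make_samples; check_noblacklist_order "$bad"
```

The check is deliberately narrow: it only looks at `include disable-*.inc` lines, because those are the lists that carry the bulk of the `blacklist` entries a profile-local `noblacklist` is meant to override.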
* profiles: move ~/.rustup blacklist to disable-programs.inc (#5969)  (Kelvin M. Klann, 2023-08-23)
    Which also blacklists ~/.cargo.

    Note that ~/.rustup is the only `${HOME}` entry in disable-devel.inc. Added on commit 8d9b12d1c ("New profiles + fixes + hardening", 2020-09-14).
* tests: properly fix fs/kmsg test  (Kelvin M. Klann, 2023-08-23)
    It was broken likely due to `private-dev` being added to default.profile on commit 307dad542 ("adding private-tmp and private-dev to default.profile", 2023-08-20).

    So ignore `private-dev` in the test and make sure to run the tests when default.profile changes.

    This amends commit 75cefd5b1 ("tests: fix error when /dev/kmsg is missing", 2023-08-21).
* disable-devel.inc: split packaging-related entries  (Kelvin M. Klann, 2023-08-23)
    `dh_*` and `fakeroot` can be used when building .deb packages; they are not part of autoconf/automake.
* disable-devel.inc: sort entries  (Kelvin M. Klann, 2023-08-23)
    And fix a few inconsistent comments.
* profiles: move fakeroot blacklisting to disable-devel.inc (#5968)  (glitsj16, 2023-08-23)
    As of commit 96beb3358, `fakeroot` is blacklisted in disable-common.inc, which may break makepkg and other build-related tools; cfr [1].

    [1] https://github.com/netblue30/firejail/commit/96beb3358c430a5e470ce02fd64ffc3f7fc23706#r125237349.
* RELNOTES: add build and ci items  (Kelvin M. Klann, 2023-08-23)
    Relates to #5942 #5955 #5956 #5960.
* Merge pull request #5960 from kmk3/ci-split-jobs  (Kelvin M. Klann, 2023-08-23)
    ci: whitelist paths, reorganize workflows & speed-up tests
| * ci: document the intended purpose of each workflow  (Kelvin M. Klann, 2023-08-22)
| * ci: split test jobs for faster checks  (Kelvin M. Klann, 2023-08-22)
    Considering the most recent runs, this reduces the total amount of time it takes to run the tests from about 9-10 minutes to about 3 minutes.

    Note: Which jobs are split is mostly determined by how long each test takes. For example, this is the time each test step took in a run of `build_and_test` (10m17s total for the job) on commit bfcf8bc31 ("Merge pull request #5956 from kmk3/build-fix-dep-syntax", 2023-08-14)[1]:

    * 17s test-seccomp-extra
    * 1s test-firecfg
    * 16s test-capabilities
    * 6s test-apparmor
    * 10s test-appimage
    * 10s test-chroot
    * 41s test-sysutils
    * 24s test-private-etc
    * 40s test-profiles
    * 4s test-fcopy
    * 2s test-fnetfilter
    * 98s test-fs
    * 103s test-utils
    * 57s test-environment
    * 69s test-network

    [1]: https://github.com/netblue30/firejail/actions/runs/5860927500/job/15890009169
| * docs: add missing CI badges to README.md  (Kelvin M. Klann, 2023-08-22)
| * ci: move main code checks into new check-c.yml  (Kelvin M. Klann, 2023-08-22)
    Move scan-build, cppcheck and CodeQL (cpp).

    This is similar to build-extra.yml, but for jobs that check for issues in the code rather than checking for build failures.

    Note: As this deletes codeql-analysis.yml, its configuration also has to be deleted in the GitHub web UI to prevent it from warning about the file being missing:

    * Security -> Code scanning -> Tool status -> (Setup Types) CodeQL -> (Configurations) language:python -> Delete configuration

    Misc: The above was clarified by @topimiettinen[1].

    [1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643
| * ci: run make in parallel where applicable  (Kelvin M. Klann, 2023-08-22)
    Do so when the output of the given job is not important. For example, when the output of another job can be used for debugging build-related issues.
| * ci: split build and test into separate workflows  (Kelvin M. Klann, 2023-08-22)
    Testing takes significantly longer than building, so this makes the default build check faster.
| * ci: remove "CI" from workflow names  (Kelvin M. Klann, 2023-08-20)
    All of the current workflows are used for CI.
| * ci: move codeql python job into its own workflow  (Kelvin M. Klann, 2023-08-20)
    Only run the CodeQL Python analysis if a .py file is changed.
| * ci: trim comments in codeql-analysis.yml  (Kelvin M. Klann, 2023-08-20)
    Note: When generating a new workflow, the permissions do not have comments anymore.
| * ci: rename profile-checks.yml to check-profiles.yml  (Kelvin M. Klann, 2023-08-20)
| * ci: use path whitelists instead of blacklists  (Kelvin M. Klann, 2023-08-20)
    That is, replace `paths-ignore` with `paths`.

    This should reduce the number of unnecessary workflow executions and the frequency at which paths are changed. It also reduces the overall number of paths used.

    Also, add the missing ci/printenv.sh to the path whitelists.
* | test: disable broken sysutils strings test  (Kelvin M. Klann, 2023-08-23)
    And limit the output of `diff` in the test to avoid logging thousands of lines of a hexdump.

    Likely broken by commit 3077b2d1f ("update disable-devel.inc", 2023-08-22)[1].

    [1] https://github.com/netblue30/firejail/actions/runs/5945120115/job/16123622451
* | update disable-devel.inc  (netblue30, 2023-08-22)
* | a second round of blacklisting in disable-common.inc  (netblue30, 2023-08-22)
* | Merge branch 'master' of ssh://github.com/netblue30/firejail  (netblue30, 2023-08-22)
| * | profiles: restore entries for ssh-related paths  (Kelvin M. Klann, 2023-08-21)
    This partially reverts commit d94f54736 ("disable all ssh utilities in disable-common.inc", 2023-08-20).

    Certain files in ~/.ssh are only used by sshd (not by ssh), so always blacklist them.

    Also, ssh itself does not need write access to the configuration files, so make them read-only by default.

    For details, see commit 2ec3f3a96 ("disable-common.inc: add missing openssh paths", 2021-01-09) / PR #3885.

    Cc: @netblue30
| * | tests: fix error when /dev/kmsg is missing  (Kelvin M. Klann, 2023-08-21)
    This is breaking test-fs in CI since at least commit f37cd57cd ("disable all /bin/dpkg* programs in disable-common.inc", 2023-08-20)[1].

    [1] https://github.com/netblue30/firejail/actions/runs/5918495917/job/16062400120
* | | more appimage fixes  (netblue30, 2023-08-22)
* | disable all /bin/dpkg* programs in disable-common.inc  (netblue30, 2023-08-20)
* | disable all ssh utilities in disable-common.inc  (netblue30, 2023-08-20)
* | more domains for static-ip-map  (netblue30, 2023-08-20)
* | adding private-tmp and private-dev to default.profile  (netblue30, 2023-08-20)
* | appimage fixes  (netblue30, 2023-08-20)
* Merge pull request #5956 from kmk3/build-fix-dep-syntax  (Kelvin M. Klann, 2023-08-14)
    build: add missing makefile dep & syntax improvements
| * build: improve char escaping of syntax lists  (Kelvin M. Klann, 2023-08-14)
    Escape `.` only when generating the syntax files rather than directly in the syntax lists, so that the latter contain the command names as is. This also makes the escaping apply to the arg1 syntax list as well.

    Note: Double escaping (`\\\\.`) is used in `regex_fromlf` because its output is used in another sed replacement (where it needs to be `\\.`).

    Relates to #5627.
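The double-escaping note above, as an added example that is not the project's Makefile code: the `regex_fromlf` below is a constructed stand-in for the macro named in the commit, not its real definition, and the `^(@CMDS@)( |$)` template is a placeholder rather than one of the generated syntax files. It shows why a `.` in a command name has to leave the first sed stage as `\\.` (two backslashes) when a second sed replacement is going to consume the result.

```shell
#!/bin/sh
# Added example, not firejail's Makefile: a stand-in for the commit's
# `regex_fromlf`, showing the two-stage sed escaping it describes.

# Stage 1: newline-separated command names -> alternation regex.
# sed collapses each `\\` in a replacement to one backslash, so the
# replacement `\\\\.` emits two backslashes plus the dot: every "." in a
# name leaves this stage as `\\.`.
regex_fromlf() {
    sed 's/\./\\\\./g' | tr '\n' '|' | sed 's/|$//'
}

# Stage 2: splice the regex into a template with another sed replacement.
# sed now collapses the `\\.` from stage 1 to `\.`, the escaped dot the
# generated file needs. With single escaping in stage 1 the dot would
# arrive unescaped and match any character, so "dbus-user.talk" would also
# match "dbus-userXtalk".
gen_syntax() {
    regex=$(printf '%s\n' "$@" | regex_fromlf)
    # constructed placeholder template, not a project file
    printf '%s\n' '^(@CMDS@)( |$)' | sed "s/@CMDS@/$regex/"
}

# Usage: gen_syntax dbus-user.talk whitelist
# prints: ^(dbus-user\.talk|whitelist)( |$)
```

Keeping the escaping in the generator rather than in the list file is what lets the list hold command names verbatim, which is the point of the commit: the same unescaped list can then feed the arg1 syntax list as well.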
| * build: print syntax list generation  (Kelvin M. Klann, 2023-08-12)
    Relates to #5627.
| * build: add missing makefile dep  (Kelvin M. Klann, 2023-08-12)
    Make the non-phony targets that are defined in the root Makefile depend on it, to ensure that they get re-generated if their recipes change.

    Note that these targets are generated nearly instantly, so this should not noticeably affect rebuild times.

    Relates to #5627.