| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| | |
|
| |\
| |
| | |
Create disable-proc.inc
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Removes the inconsistency that some blacklisted
paths could be remounted (files specified explicitly)
and some could not. Now all blacklisted paths can
be mounted nosuid, nodev, noexec if users
specify this.
Also fixes the bug that mount id can indeed be 0.
Other than that no functional or algorithmic changes,
only readability improvements.
|
| | | |
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
Fix misc in get_group_id
|
| | | |
| | |
| | |
| | |
| | | |
To make things clearer, since there is already a `struct group` in the
same function.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
gr_gid is of type gid_t (not uid_t). From grp.h(0p) of POSIX.1-2017:
> DESCRIPTION
>
> The <grp.h> header shall declare the group structure, which shall
> include the following members:
>
> char *gr_name The name of the group.
> gid_t gr_gid Numerical group ID.
> char **gr_mem Pointer to a null-terminated array of character
> pointers to member names.
>
> The <grp.h> header shall define the gid_t and size_t types as
> described in <sys/types.h>.
Note: The callers already store the result in gid_t variables.
First caused by commit dc3564b18 ("fixes", 2016-03-09).
|
| | | |
| | |
| | |
| | |
| | | |
This amends commit 40ed53c20 ("nvidia fix", 2016-10-08) and commit
74149d248 ("fixes", 2016-03-20).
|
| |\ \ \
| |/ /
|/| | |
libtrace.c: use realpath instead of readlink to avoid PATH_MAX
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
PATH_MAX is not guaranteed to be defined and it may be defined to -1.
Avoid depending on it by getting the result directly from realpath. See
commit 579f856c5 ("firejail.h: add missing linux/limits.h include") /
PR #4583 for details.
Note: This replaces the static char array currently used with a dynamic
one returned from realpath.
Misc: This is a continuation of #4583.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
found in Debian Bullseye.
/run/shm is a symbolic link to /dev/shm,
and whitelisting it will just recreate
the symbolic link.
|
| |/ /
| |
| |
| |
| |
| |
| |
| | |
Adds minimal cgroupv2 support, and fixes
an effective user id assertion in --join
(instead of asserting effective user id
of the user, drop privileges completely
in a child process).
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
Use ?ALLOW_TRAY: (#4510) in profiles
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
s/S_IWRITE/S_IWUSR/
|
| | |\ \ \
| |/ / /
|/| | | |
|
| |\ \ \ \
| | | | |
| | | | | |
firejail.h: add missing linux/limits.h include & include cleanup
|
| | |\ \ \ \
| |/ / / /
|/| | | | |
|
| |\ \ \ \ \
| |_|_|/ /
|/| | | | |
fix compilation on musl (#4578)
|
| | | | | | |
|
| | | | | | |
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Revert "allow/deny fbuilder"
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This reverts commit 4438f14f2892b5c88d158ae8fad0a80a2eebfd44.
Also, partially revert related commit e4307b409 ("fix whitelist/allow in
make test-utils") to keep the tests working.
The profiles are being generated using aliases, which are not used on
the profiles in the repository. So generate them using the normal
commands for consistency. See also commit dd13595b8 ("Revert
"allow/deny help and man pages"") / PR #4502.
Relates to #4410.
Misc: I noticed this on issue #4592.
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | | |
Added on commit 9af2c1472 ("Better debug handling.").
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Fix vscodium
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Both base names are valid:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q vscodium-bin
vscodium-bin 1.60.2-2
$ pacman -Qlq vscodium-bin | grep -v -e '/$' -e /resources/ |
grep /bin/
/usr/bin/codium
/usr/bin/vscodium
/usr/share/vscodium-bin/bin/codium
Note: The first two paths are symlinks to the third one.
Fixes #3871.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
It creates the following directories on startup:
* ~/.config/VSCodium
* ~/.vscode-oss
Environment:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q vscodium-bin
vscodium-bin 1.60.2-2
Note: The following entry is already on disable-programs.inc:
noblacklist ${HOME}/.vscode-oss
It was added on commit de90834a8 ("Update disable-programs.inc",
2019-03-02).
Relates to #3871.
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | | |
Added on commit 4bb7dee49 ("small changes", 2019-02-07).
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
trace, tracelog: don't truncate /etc/ld.so.preload in sandbox
|
| | | | | | | | |
|
| |\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
Issue template improvements2
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
As suggested by @rusty-snake.
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
It is not uncommon for people to use other characters to try to mark an
item as checked (which usually screws up the html output), so be sure to
include an example with "[x]".
|
| | | | | | | | | |
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
This overrides all `LC_*` variables (and LANG) rather than just LANG.
From Section 8.2, Internationalization Variables of POSIX.1-2017[1]:
> LANG
> This variable shall determine the locale category for native
> language, local customs, and coded character set in the absence of
> the LC_ALL and other LC_* (LC_COLLATE, LC_CTYPE, LC_MESSAGES,
> LC_MONETARY, LC_NUMERIC, LC_TIME) environment variables. This can
> be used by applications to determine the language to use for error
> messages and instructions, collating sequences, date formats, and
> so on.
>
> LC_ALL
> This variable shall determine the values for all locale
> categories. The value of the LC_ALL environment variable has
> precedence over any of the other environment variables starting
> with LC_ (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY,
> LC_NUMERIC, LC_TIME) and the LANG environment variable.
[1] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html
|
| |\ \ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | | |
Add new condition ALLOW_TRAY
|
| | | | | | | | | | |
|
| |\ \ \ \ \ \ \ \ \
| | | | | | | | | |
| | | | | | | | | | |
Add profiles for build-systems (/package-managers)
|
netblue30
smitsohu
rusty-snake
Kelvin M. Klann
Reiner Herrmann
dm9pZCAq