| Commit message | Author | Age |
|
* profiles: refactor log viewers
Introduces system-log-common.profile as a common profile for existing
GUI log viewer applications.
* system-log-common: enable no3d
|
modif: keep pipewire group unless nosound is used
|
This group is apparently used on Gentoo[1].
Currently only the "audio" supplementary group is kept.
Fixes #5992.
See also commit f32938669 ("Keep vglusers group unless no3d is used
(virtualgl)", 2022-01-07) / PR #4851.
[1] https://wiki.gentoo.org/wiki/PipeWire
Reported-by: @amano-kenji
|
Add directories to config so Factorio runs correctly.
|
New TelegramWebApps uses another directory for saving local storage.
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.5 to 2.21.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/00e563ead9f72a8461b24876bee2d0c2e8bd2ee8...04daf014b50eaf774287bf3f0f1869d4b4c4b913)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/f43a0e5ff2bd294095638e18286ca9a3d1956744...3df4ab11eba7bda6032a0b82a6bb43b11571feac)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
|
profiles: fix commented code and eol comments
|
Main changes:
* Remove the space after `#` for commented code lines to distinguish
  them from normal comments
* Use `#` instead of `-` for comments at the end of the line so that
  commented code lines work after being uncommented
Commands used to search and replace:
    arg0="$(cat contrib/syntax/lists/profile_commands_arg0.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    arg1="$(cat contrib/syntax/lists/profile_commands_arg1.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    git ls-files -z -- etc/inc etc/profile* | xargs -0 -I '{}' \
      sh -c "printf '%s\n' \"\$(sed -E \
        -e 's/^# ($arg0)( [#-]-? .*)?\$/#\\1\\2/' \
        -e 's/^# ($arg1)( [^ ]*)?( [#-]-? .*)?\$/#\\1\\2\\3/' \
        -e 's/^# (whitelist \\$)/#\\1/' \
        -e 's/^(#[^ ].+) --? /\\1 # /' \
        '{}')\" >'{}'"
Commands used to check for leftover entries:
    arg0="$(cat contrib/syntax/lists/profile_commands_arg0.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    arg1="$(cat contrib/syntax/lists/profile_commands_arg1.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    git grep -E "^# ($arg0|$arg1)( +|$)" -- etc/inc etc/profile*
See also commit 30f9ad908 ("build: improve comments in firecfg.config",
2023-08-05) / PR #5942.
|
Changes:
* Turn very long end-of-line comments into normal comments
* Turn multi-line end-of-line comments into normal comments
* Fix a comment being below instead of above the relevant entry
* Turn some comments that look like code into end-of-line comments
|
Closes https://github.com/netblue30/firejail/issues/5990
Arduino IDE: https://github.com/arduino/arduino-ide
PlatformIO: https://github.com/platformio
Signed-off-by: Marek Küthe <m.k@mk16.de>
|
Fix the list generation and run `make syntax`.
Relates to #5627.
|
The latest Neochat package on Arch (23.08.0-2, with libquotient
0.8.1.1-1) crashes otherwise.
|
Fixes #5974.
|
What works:
- Basic functionality
- Receiving notifications
- Voice communication
- Watching streams
What wasn't tested:
- Casting streams
- Opening links
- Tracking/displaying "current activity" as status message
- Apparmor
Notes:
- Discord tries to access system dbus (`[ERROR:bus.cc(399)] Failed to
connect to the bus: Failed to connect to socket
/run/firejail/mnt/dbus/system: Permission denied`). I don't know what
business it has with the system dbus, and didn't notice any problems
due to that.
- I had one crash after 2h of watching a stream. Probably unrelated.
Fixes #5971.
|
Relates to #5965 #5976 #5984.
|
ci: fix dependabot duplicated workflow runs
|
Every workflow is being executed twice for dependabot: Once when its
branch is pushed to this repository and again when a PR is opened for
it.
For example, see the checks in #5979 ("29 checks passed").
This happens because both `on.push` and `on.pull_request` are specified
in the workflow files.
There does not seem to be a simple and generic way to avoid such
duplicated runs directly in GitHub Actions (such as preventing the same
check from running for the same exact commit)[1], so just ignore the
dependabot branches on push for now.
See also commit 5871b08a4 ("ci: run for every branch instead of just
master", 2023-04-23) / PR #5815.
[1] https://github.com/orgs/community/discussions/26276
|
Fix wrong syscall names for s390_pci_mmio_{read,write}
|
Closes #5965
|
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 3.6.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/c85c95e3d7251135ab7dc9ce3241c5835cc595a9...f43a0e5ff2bd294095638e18286ca9a3d1956744)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.2 to 2.21.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2.21.2...00e563ead9f72a8461b24876bee2d0c2e8bd2ee8)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
They are taking longer than the 30s timeout[1] [2]:
    runner@fv-az246-621:~/work/firejail/firejail/test/sysutils$
    <ysutils$ firejail --ignore=quiet wget -q debian.org
    Reading profile /etc/firejail/wget.profile
    [...]
    Child process initialized in 115.54 ms
    TESTING ERROR 2
    runner@fv-az1234-541:~/work/firejail/firejail/test/utils$
    <irejail --build wget --output-document=~ debian.org
    [...]
    Resolving www.debian.org (www.debian.org)... 128.31.0.62
    Connecting to www.debian.org (www.debian.org)|128.31.0.62|:443... connected.
    TESTING ERROR 13
[1] https://github.com/kmk3/firejail/actions/runs/6005119423/job/16287436840
[2] https://github.com/kmk3/firejail/actions/runs/6005314148/job/16287794321
|
It is apparently getting in the way of the rm test[1]:
    runner@fv-az1417-728:~/work/firejail/firejail/test/utils$
    <ail/test/utils$ firejail --trace wget -q debian.org
    5:wget:exec /usr/local/bin/wget:0
    5:wget:stat64 /etc/wgetrc:0
    5:wget:fopen64 /etc/wgetrc:0x561585600510
    5:wget:stat64 /home/runner/.wgetrc:-1
    OK
    [...]
    firejail --trace rm index.html
    5:wget:connect 4 128.31.0.62 port 443:0
    [...]
    5:wget:stat64 /home/runner/.wget-hsts:0
    runner@fv-az1417-728:~/work/firejail/firejail/test/utils$ TESTING ERROR 9
[1] https://github.com/kmk3/firejail/actions/runs/6004405511/job/16284920616
|
This should fix the following error[1]:
    runner@fv-az1230-523:~/work/firejail/firejail/test/utils$
    <ail/test/utils$ firejail --trace wget -q debian.org
    [...]
    5:wget:stat64 index.html:-1
    5:wget:stat64 index.html:-1
    5:wget:stat64 /home/runner/.netrc:-1
    5:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:4
    5:wget:connect 4 151.101.66.132 port 80:0
    5:wget:stat64 index.html:-1
    5:wget:stat64 index.html:-1
    5:wget:stat64 index.html:-1
    [...]
    TESTING ERROR 8.6
[1] https://github.com/kmk3/firejail/actions/runs/6004266783/job/16284476671
|
To try to fix the following errors[1] [2]:
    runner@fv-az298-480:~/work/firejail/firejail/test/utils$
    <irejail --build wget --output-document=~ debian.org
    [...]
    Resolving www.debian.org (www.debian.org)... 128.31.0.62
    Connecting to www.debian.org (www.debian.org)|128.31.0.62|:443... connected.
    TESTING ERROR 13
    runner@fv-az305-745:~/work/firejail/firejail/test/sysutils$
    <ysutils$ firejail --ignore=quiet wget -q debian.org
    [...]
    Child process initialized in 106.89 ms
    TESTING ERROR 2
[1] https://github.com/netblue30/firejail/actions/runs/5996420917/job/16278071977?pr=5979
[2] https://github.com/netblue30/firejail/actions/runs/5996420917/job/16278071219?pr=5979
|
Commit 3077b2d1f blacklists `${PATH}/patch` in disable-devel.inc[1]. We
need to noblacklist it in the profiles that need it.
[1] https://github.com/netblue30/firejail/commit/3077b2d1ff6c6e26a83487ae460985157b5c61fd
|
Which also blacklists ~/.cargo.
Note that ~/.rustup is the only `${HOME}` entry in disable-devel.inc.
Added on commit 8d9b12d1c ("New profiles + fixes + hardening",
2020-09-14).
|
It was broken likely due to `private-dev` being added to default.profile
on commit 307dad542 ("adding private-tmp and private-dev to
default.profile", 2023-08-20).
So ignore `private-dev` in the test and make sure to run the tests when
default.profile changes.
This amends commit 75cefd5b1 ("tests: fix error when /dev/kmsg is
missing", 2023-08-21).
|
`dh_*` and `fakeroot` can be used when building .deb packages; they are
not part of autoconf/automake.
|
And fix a few inconsistent comments.
|
As of commit 96beb3358, `fakeroot` is blacklisted in disable-common.inc,
which may break makepkg and other build-related tools; cfr [1].
[1] https://github.com/netblue30/firejail/commit/96beb3358c430a5e470ce02fd64ffc3f7fc23706#r125237349.
|
Relates to #5942 #5955 #5956 #5960.
|
ci: whitelist paths, reorganize workflows & speed-up tests
|
Considering the most recent runs, this reduces the total amount of time
it takes to run the tests from about 9-10 minutes to about 3 minutes.
Note: Which jobs are split is mostly determined by how long each test
takes.
For example, this is the time each test step took in a run of
`build_and_test` (10m17s total for the job) on commit bfcf8bc31 ("Merge
pull request #5956 from kmk3/build-fix-dep-syntax", 2023-08-14)[1]:
* 17s test-seccomp-extra
* 1s test-firecfg
* 16s test-capabilities
* 6s test-apparmor
* 10s test-appimage
* 10s test-chroot
* 41s test-sysutils
* 24s test-private-etc
* 40s test-profiles
* 4s test-fcopy
* 2s test-fnetfilter
* 98s test-fs
* 103s test-utils
* 57s test-environment
* 69s test-network
[1]: https://github.com/netblue30/firejail/actions/runs/5860927500/job/15890009169
|
Move scan-build, cppcheck and CodeQL (cpp).
This is similar to build-extra.yml, but for jobs that check for issues
in the code rather than checking for build failures.
Note: As this deletes codeql-analysis.yml, its configuration also has to
be deleted in the GitHub web UI to prevent it from warning about the
file being missing:
* Security -> Code scanning -> Tool status -> (Setup Types) CodeQL ->
(Configurations) language:python -> Delete configuration
Misc: The above was clarified by @topimiettinen[1].
[1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643
|
Do so when the output of the given job is not important.
For example, when the output of another job can be used for debugging
build-related issues.
|
Testing takes significantly longer than building, so this makes the
default build check faster.
|
All of the current workflows are used for CI.
|
Only run the CodeQL Python analysis if a .py file is changed.
|
Note: When generating a new workflow, the permissions do not have
comments anymore.
|
That is, replace `paths-ignore` with `paths`.
This should reduce the number of unnecessary workflow executions and the
frequency at which paths are changed. It also reduces the overall
number of paths used.
Also, add the missing ci/printenv.sh to the path whitelists.
|
And limit the output of `diff` in the test to avoid logging thousands of
lines of a hexdump.
Likely broken by commit 3077b2d1f ("update disable-devel.inc",
2023-08-22)[1].
[1] https://github.com/netblue30/firejail/actions/runs/5945120115/job/16123622451
|