Commit message (Author, Age)
* Use dbus-user filter (NetSysFire, 2023-12-08)
|
* Update minecraft-launcher.profile (NetSysFire, 2023-12-07)
|
* firecfg.config: drop geary (#6116) (glitsj16, 2023-12-07)
|   Geary uses bubblewrap now.
|   Fixes #6103.
* landlock: deduplicate fs functions into ll_fs (Kelvin M. Klann, 2023-12-06)
|   The relevant functions are all identical except for the access flags used.
|   Relates to #6078.
* landlock: fix profile entries processed in reverse (Kelvin M. Klann, 2023-12-05)
|   When a new landlock entry is parsed from a profile, the first entry in the `cfg.lprofile` list is being set as the next/second entry and the new entry is being set as the first entry in the list, so all entries are being processed from last to first.
|   This commit makes the behavior of ll_add_profile() match the one from profile_add() in src/firejail/profile.c so that the entries are processed in the same order that they are parsed.
|   This amends commit b94cc754a ("landlock: apply rules in sandbox before app start", 2023-10-26) / PR #6078.
* landlock: simplify variables in ll_add_profile (Kelvin M. Klann, 2023-12-05)
|   This amends commit 520508d5b ("landlock: avoid parsing landlock commands twice", 2023-11-02) / PR #6078.
* landlock: stop setting global ruleset in ll_create_full_ruleset (Kelvin M. Klann, 2023-12-05)
|   To avoid confusion, only return a new ruleset and let the caller set the global one.
|   This amends commit 13b2c566d ("feature: add Landlock support", 2023-10-24) / PR #6078.
* landlock: make parameters void in ll_create_full_ruleset (Kelvin M. Klann, 2023-12-05)
|   For consistency with the other functions that have no parameters.
|   This amends commit 13b2c566d ("feature: add Landlock support", 2023-10-24) / PR #6078.
* landlock: fix misc messages in ll_is_supported (Kelvin M. Klann, 2023-12-05)
|   This amends commit d10bf154a ("landlock: detect support at runtime", 2023-11-06) / PR #6078.
* landlock: add missing empty function ll_is_supported (Kelvin M. Klann, 2023-12-05)
|   This amends commit d10bf154a ("landlock: detect support at runtime", 2023-11-06) / PR #6078.
* landlock: fix incomplete zsh completion (Kelvin M. Klann, 2023-12-05)
|   This amends commit 13b2c566d ("feature: add Landlock support", 2023-10-24) / PR #6078.
* README.md: fix Landlock support list (Kelvin M. Klann, 2023-12-05)
|   Fix formatting and wrong/outdated information.
|   This amends commit 6d0559de7 ("landlock: update README.md, small fix in man firejal; update profile stats in README.md", 2023-12-04).
|   Relates to #6078.
* docs: fix typo of --nonewprivs in Landlock section (glitsj16, 2023-12-05)
|   Originally from PR #5359.
|   Relates to #6078.
* landlock: update README.md, small fix in man firejal; update profile stats in README.md (netblue30, 2023-12-04)
* nettrace (netblue30, 2023-12-04)
|
* Merge pull request #6078 from kmk3/landlock_v3 (netblue30, 2023-12-04)
|\   feature: add Landlock support
| * landlock: detect support at runtime (Kelvin M. Klann, 2023-11-07)
| |   And ignore landlock-related commands if Landlock is unsupported at runtime.
| * landlock: avoid parsing landlock commands twice (netblue30, 2023-11-07)
| |
| * landlock: apply rules in sandbox before app start (netblue30, 2023-11-07)
| |   Apply rules in the sandbox thread before the application is started.
| * landlock: new filesystem for --landlock command (netblue30, 2023-11-07)
| |
| * feature: add Landlock support (netblue30, 2023-11-07)
| |   Based on 5315 by ChrysoliteAzalea. It is based on the same underlying structure, but with a lot of refactoring/simplification and with bugfixes and improvements.
| |   Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
| |   Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
| * cleanup (netblue30, 2023-11-06)
| |
* | Merge pull request #6104 from kmk3/ci-enable-sort-py (netblue30, 2023-12-04)
|\ \   ci: re-enable sort.py
| * | ci: re-enable sort.py (Kelvin M. Klann, 2023-11-26)
| | |   It was disabled on commit df6ea884f ("merges, disable sort.py in profile checks temporarely, two more private-etc profiles", 2023-02-14).
| | |   Currently all profiles are sorted and there are no ongoing `private-etc` changes, so it should be safe to re-enable.
| | |   Note that the script is useful to catch sorting issues not only in `private-etc` but also in other commands, such as `seccomp`[1] [2].
| | |   This is a follow-up to #6070.
| | |   Relates to #5610.
| | |   [1] https://github.com/netblue30/firejail/pull/6066#discussion_r1372055800
| | |   [2] https://github.com/netblue30/firejail/pull/6067#discussion_r1372027243
* | | Merge pull request #6107 from kmk3/lutris-allow-mangohud (netblue30, 2023-12-04)
|\ \ \   lutris.profile: allow mangohud
| * | | lutris.profile: allow mangohud (Kelvin M. Klann, 2023-11-27)
| |/ /   Similarly to steam.profile (see #4864).
| | |   Fixes #6106.
* | | Merge pull request #6109 from kmk3/netfilter-expand-macros (netblue30, 2023-12-04)
|\ \ \   feature: expand simple macros in more commands
| * | | feature: expand simple macros in more commands (Kelvin M. Klann, 2023-11-27)
| |/ /   This includes macros such as `${HOME}` and `${RUNUSER}`.
| | |   Commands:
| | |   * --chroot=
| | |   * --netfilter=
| | |   * --netfilter6=
| | |   * --trace=
| | |   Closes #6032.
| | |   Reported-by: @michelesr
* | | Merge pull request #5876 from kmk3/firecfg-add-confdir-ignore (netblue30, 2023-12-04)
|\ \ \   feature: firecfg: add firecfg.d & add ignore command
| * | | firecfg: add ignore command and docs (Kelvin M. Klann, 2023-08-04)
| | | |   Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program.
| | | |   Also, document the paths used and the config file syntax.
| | | |   Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter.
| | | |   Closes #2097.
| | | |   [1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
| * | | firecfg: parse config files in /etc/firejail/firecfg.d (Kelvin M. Klann, 2023-08-04)
| | | |   As suggested by @WhyNotHugo[1].
| | | |   [1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
| * | | firecfg: turn constant strings into constants (Kelvin M. Klann, 2023-08-04)
| | | |   Instead of using asprintf + free.
| | | |   Also, use LIBDIR instead of hardcoded "/usr/lib" for fzenity.
| * | | firecfg: fix missing free and formatting (Kelvin M. Klann, 2023-08-04)
| | | |   Changes:
| | | |   * fix inconsistent indentation/braces
| | | |   * add missing free
* | | | RELNOTES: add modif, bugfix, build and contrib items (Kelvin M. Klann, 2023-11-27)
| | | |   Relates to #5982 #6006 #6057 #6059 #6070 #6086 #6087.
* | | | build(deps): bump github/codeql-action from 2.22.7 to 2.22.8 (dependabot[bot], 2023-11-27)
| |/ /
|/| |   Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.7 to 2.22.8.
| | |   - [Release notes](https://github.com/github/codeql-action/releases)
| | |   - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
| | |   - [Commits](https://github.com/github/codeql-action/compare/66b90a5db151a8042fa97405c6cf843bbe433f7b...407ffafae6a767df3e0230c3df91b6443ae8df75)
| | |   ---
| | |   updated-dependencies:
| | |   - dependency-name: github/codeql-action
| | |     dependency-type: direct:production
| | |     update-type: version-update:semver-patch
| | |   ...
| | |   Signed-off-by: dependabot[bot] <support@github.com>
* | | lutris.profile: fix seccomp arguments (Kelvin M. Klann, 2023-11-25)
| | |   I accidentally removed the `!` when sorting the arguments in #6067.
| | |   This amends commit fbba03790 ("lutris.profile: allow more syscalls", 2023-10-24) / PR #6067.
* | | merges (netblue30, 2023-11-24)
| | |
* | | Merge pull request #6087 from chestnykh/issue-6006 (netblue30, 2023-11-24)
|\ \ \   Lookup xauth in PATH.
| * | | Lookup xauth in PATH. (Dmitry Chestnykh, 2023-11-19)
| | | |   Don't use hardcoded `/usr/bin/xauth`, iterate over directories inside PATH instead.
| | | |   This fixes https://github.com/netblue30/firejail/issues/6006
* | | | Merge pull request #6070 from kmk3/sort-py-csort (netblue30, 2023-11-24)
|\ \ \ \   build: sort.py: use case-sensitive sorting
| * | | | build: sort.py: use case-sensitive sorting (Kelvin M. Klann, 2023-10-27)
| | | | |   To match how things are sorted elsewhere, such as with `noblacklist` / `whitelist` lines (vertically) in profiles and in ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
| | | | |   This makes the order in `private-etc` always be groups (`@group`), then uppercase paths, then lowercase paths.
| | | | |   Example from etc/profile-m-z/softmaker-common.profile:
| | | | |       private-etc @tls-ca,SoftMaker,fstab
| | | | |   Note that this does not affect a significant amount of profiles; most changes are in `private-bin` / `private-lib` lines and in `private-etc` lines for newer profiles that do not use groups. This is partly due to commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05) replacing `X11` with `@x11` in `private-etc` lines and then commit 0f996ea4d ("private-etc: groups modified", 2023-02-05) removing `Trolltech.conf` from `private-etc` lines and using case-sensitive sorting in them.
| | | | |   Relates to #5610.
* | | | | Merge pull request #6067 from nutta-git/patch-2 (netblue30, 2023-11-24)
|\ \ \ \ \   lutris.profile: allow more syscalls
| * | | | | lutris.profile: allow more syscalls (duevo, 2023-11-01)
| | |_|_|/
| |/| | |   Need to whitelist `ptrace` and `clone3` for Ubisoft Connect to work. journalctl did list `process_vm_readv` when a game was running, but it didn't crash the game.
| | | | |   Fixes #6035.
* | | | | Merge pull request #6066 from nutta-git/patch-1 (netblue30, 2023-11-24)
|\ \ \ \ \   steam.profile: allow process_vm_readv syscall
| * | | | | steam.profile: allow process_vm_readv syscall (duevo, 2023-10-31)
| |/ / / /   EA Origin (game launcher) won't launch without this.
| | | | |   See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159
* | | | | Merge pull request #5957 from gerasiov/fcopy-fix-size-calculation (netblue30, 2023-11-24)
|\ \ \ \ \   fcopy: Use lstat when copy directory.
| * | | | | fcopy: Use lstat when copy directory. (Alexander Gerasiov, 2023-08-14)
| | | | | |   When copying directories use lstat when reading info about source files.
* | | | | | Fix displaying of large file sizes. (#6086) (Dmitriy Chestnykh, 2023-11-24)
| | | | | |   The most generic way is to use `intmax_t` because we don't know what is the "parent" type of `off_t`.
| | | | | |   This fixes https://github.com/netblue30/firejail/issues/5982 .
* | | | | | build(deps): bump step-security/harden-runner from 2.6.0 to 2.6.1 (dependabot[bot], 2023-11-20)
| | | | | |   Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.0 to 2.6.1.
| | | | | |   - [Release notes](https://github.com/step-security/harden-runner/releases)
| | | | | |   - [Commits](https://github.com/step-security/harden-runner/compare/1b05615854632b887b69ae1be8cbefe72d3ae423...eb238b55efaa70779f274895e782ed17c84f2895)
| | | | | |   ---
| | | | | |   updated-dependencies:
| | | | | |   - dependency-name: step-security/harden-runner
| | | | | |     dependency-type: direct:production
| | | | | |     update-type: version-update:semver-patch
| | | | | |   ...
| | | | | |   Signed-off-by: dependabot[bot] <support@github.com>
* | | | | | build(deps): bump github/codeql-action from 2.22.5 to 2.22.7 (dependabot[bot], 2023-11-20)
| | | | | |   Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.5 to 2.22.7.
| | | | | |   - [Release notes](https://github.com/github/codeql-action/releases)
| | | | | |   - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
| | | | | |   - [Commits](https://github.com/github/codeql-action/compare/74483a38d39275f33fcff5f35b679b5ca4a26a99...66b90a5db151a8042fa97405c6cf843bbe433f7b)
| | | | | |   ---
| | | | | |   updated-dependencies:
| | | | | |   - dependency-name: github/codeql-action
| | | | | |     dependency-type: direct:production
| | | | | |     update-type: version-update:semver-patch
| | | | | |   ...
| | | | | |   Signed-off-by: dependabot[bot] <support@github.com>