Changes:
* Use the same command from the cppcheck CI job in the cppcheck target
* Add cppcheck-old target based on the cppcheck_old CI job
* Call the make targets in CI to avoid duplicating the commands
Allow overriding the following tools at configure-time and build-time:

* codespell
* cppcheck
* gawk
* scan-build

For example, instead of hardcoding `gawk`, enable overriding it at
configure-time with:

    ./configure GAWK=/path/to/gawk

To override it for a single `make` invocation:

    make GAWK=/path/to/gawk

Also, add default values for the programs that are not found (rather
than leaving the variables empty), to make error messages clearer when
trying to run them:

    $ make CPPCHECK= cppcheck-old
    [...]
    force --error-exitcode=1 --enable=warning,performance .
    make: force: No such file or directory

    $ make CPPCHECK=cppcheck cppcheck-old
    [...]
    cppcheck --force --error-exitcode=1 --enable=warning,performance .
    make: cppcheck: No such file or directory
Drop paths present in etc/inc/whitelist-usr-share-common.inc from
profiles that include it.
build: move errExit macro into inline function
Move most of the `errExit` macro into a new `_errExit` inline function
and use the former just to forward arguments to the latter.

This reduces the noise in the build output when using `-fanalyzer`, as
it causes the `errExit` macro to stop being expanded.

For example, the complete output of the following warning in
src/firejail/dbus.c is reduced from 243 lines to 141 lines (a ~41%
reduction):

    $ pacman -Q gcc
    gcc 13.2.1-5
    $ ./configure --enable-apparmor --enable-analyzer >/dev/null &&
      make clean >/dev/null && make >/dev/null
    [...]
    ../../src/firejail/dbus.c: In function ‘dbus_proxy_start’:
    ../../src/firejail/dbus.c:311:36: warning: leak of file descriptor ‘dup2(output_fd, 1)’ [CWE-775] [-Wanalyzer-fd-leak]
      311 | if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
    [...]
      ‘dbus_create_user_dir’: event 5
        |
        |../../src/firejail/../include/common.h:42:25:
        |   42 | #define errExit(msg) do { \
        |      |                         ^
        |      |                         |
        |      |                         (5) ...to here
    ../../src/firejail/dbus.c:239:17: note: in expansion of macro ‘errExit’
        |  239 | errExit("asprintf");
        |      | ^~~~~~~
    [...]

Relates to #6190.
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.0 to 3.24.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/e8893c57a1f3a2b659b6b55564fdfdbbd2982911...379614612a29c9e28f31f39a59013eb8012a51f0)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
nextcloud: D-Bus filtering changes
Profile for Electron Cash
Profile for RawTherapee
Currently it is the only part of the build that prints to stderr on a
normal build, which makes it harder to keep just the warnings and errors
in the output:

    $ ./configure >/dev/null && make clean >/dev/null &&
      make -j "$(nproc)" >/dev/null
    static ip map: input 5998, output 2490

Added on commit f3774678f ("compress static ip map for fnettrace at
compile time", 2023-07-06).
This amends commit 760f50f78 ("landlock: move commands into profile and
add landlock.enforce", 2023-11-17) / PR #6125.
Misc: This was noticed on #6203.
Relates to #6078.
gnome-keyring: harden and add gnome-keyring-daemon.profile
And use it as the base for the existing gnome-keyring.profile.
Relates to #6195 #6196 #6200.
build: mkrpm.sh improvements
They are not being properly forwarded to mkrpm.sh (which re-runs
./configure before the actual build), so just remove them for now.
To abort the build if any error occurs.
See also commit 7d9db8355 ("fail build if any step in the script fails",
2019-06-21).
To make the CI logs more informative, as currently nothing from the
build itself is shown.
Added on commit d684d9988 ("Fix mkrpm.sh", 2016-02-16) / PR #297.
Recently (as of Landlock ABI 4), the `handled_access_net` field was
added to the `landlock_ruleset_attr` struct in the Linux kernel (in
linux/landlock.h). In src/firejail/landlock.c, that field is not being
set in the struct (as we currently do not use it) before passing it to
the `landlock_create_full_ruleset` syscall, so it is likely to contain
random garbage when used, resulting in the syscall returning EINVAL:

    $ firejail --debug --profile=/etc/firejail/landlock-common.inc \
      --landlock.enforce true
    [...]
    ll_is_supported: Detected Landlock ABI version 4
    ll_restrict: Starting Landlock restrict
    ll_create_full_ruleset: Creating Landlock ruleset (abi=4 fs=1fff)
    Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
    ll_read: Adding Landlock rule (abi=4 fs=c) for /
    Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
    [...]
    Not enforcing Landlock

So ensure that all structs in src/firejail/landlock.c are initialized to
0 before using them.

Note: Arch has recently (2024-01-31) updated the linux-api-headers
package from version 6.4-1 to 6.7-1[1]. The former version is not affected
(as it does not contain the extra struct field in linux/landlock.h),
while the latter is.

Fixes #6195.
Relates to #6078.

[1] https://gitlab.archlinux.org/archlinux/packaging/packages/linux-api-headers/-/commit/b4223b0c2bfba54c26acc4dc289415b81b15989f

Reported-by: @curiosityseeker
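
The failure mode described in the commit message above, as an added example (not firejail's code and not part of the commit): a struct gains a field through a header update, and a caller that sets only the old field passes stale bytes in the new one. `struct ruleset_attr`, `mock_create_ruleset` and the mask values are hypothetical stand-ins for the kernel interface, and the 0xAA fill simulates leftover stack contents.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct landlock_ruleset_attr once the headers
 * gain a second field that the calling code does not know about yet. */
struct ruleset_attr {
	uint64_t handled_access_fs;
	uint64_t handled_access_net; /* new field, never set by old callers */
};

#define MOCK_FS_MASK  0x7fffULL /* constructed: bits the mock accepts */
#define MOCK_NET_MASK 0x3ULL    /* constructed: bits the mock accepts */

/* Mock of the kernel-side check: unknown bits in any field are rejected. */
static int mock_create_ruleset(const struct ruleset_attr *attr)
{
	if ((attr->handled_access_fs | MOCK_FS_MASK) != MOCK_FS_MASK)
		return -EINVAL;
	if ((attr->handled_access_net | MOCK_NET_MASK) != MOCK_NET_MASK)
		return -EINVAL;
	return 3; /* pretend file descriptor */
}

/* Old pattern: only the field known at the time is assigned. The 0xAA fill
 * stands in for leftover stack bytes so the demo is deterministic. */
int create_without_init(void)
{
	struct ruleset_attr attr;
	memset(&attr, 0xAA, sizeof(attr));
	attr.handled_access_fs = 0x1fff; /* fs=1fff as in the log above */
	return mock_create_ruleset(&attr);
}

/* Fixed pattern: zero the whole struct first, then set what is used. */
int create_zero_initialized(void)
{
	struct ruleset_attr attr;
	memset(&attr, 0, sizeof(attr));
	attr.handled_access_fs = 0x1fff;
	return mock_create_ruleset(&attr);
}

int main(void)
{
	printf("%d %d\n", create_without_init(), create_zero_initialized());
	return 0;
}
```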
In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to certain variables not being declared:

    dpkg-source -i -I --before-build .
    [...]
    dh_auto_clean
    make -j2 distclean
    make[1]: Entering directory '/builds/kmk3/firejail_ci'
    error: run ./configure to generate config.mk
    [...]
    rm -f contrib/syntax/files/example [...]
    rm -fr - -.tar.xz
    rm: invalid option -- '.'
    Try 'rm --help' for more information.
    make[1]: *** [Makefile:175: clean] Error 1

This amends commit 8a783cdc2 ("build: use TARNAME and remove more paths
on clean", 2023-07-29) / PR #6186.
In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to test/compile/compile.sh not being able to source config.mk (which is
created by ./configure):

    dpkg-source -i -I --before-build .
    [...]
    dh_auto_clean
    make -j2 distclean
    make[1]: Entering directory '/builds/Firejail/firejail_ci'
    error: run ./configure to generate config.mk
    [...]
    cd compile && ./compile.sh --clean
    ./compile.sh: line 15: ./../../config.sh: No such file or directory
    make[2]: *** [Makefile:24: clean] Error 1

This amends commit 152a21f15 ("build: simplify clean target",
2023-07-29) / PR #6186.
Make the error message format in `ll_create_full_ruleset` match the
other ones in landlock.c.
This amends commit 01a9ddbbe ("landlock: improve logs for debugging",
2023-11-08).
Misc: This was noticed on #6195.
Relates to #6078.
This amends commit bf5a99360 ("landlock: add support for PATH macro",
2023-12-22).
Relates to #6078.
Relates to #6172 #6178 #6184 #6186 #6187.
landlock: split .special into .makeipc and .makedev
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.

So split `landlock.special` into:

* `landlock.makeipc`: allow creating named pipes and sockets (which are
  usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices

Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].

Relates to #6078.

[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.2 to 3.24.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/b7bf0a3ed3ecfa44160715d7c442788f65f0f923...e8893c57a1f3a2b659b6b55564fdfdbbd2982911)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/eb238b55efaa70779f274895e782ed17c84f2895...63c24ba6bd7ba022e95695ff85de572c04a18142)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
build: improve main clean target
Instead of `firejail-*.tar.xz`, to match `*.deb` and `*.rpm`.
Move some clean commands into more relevant makefiles.
Fix the following CodeQL warning (CWE-253)[1]:

> Rule ID: cpp/incorrectly-checked-scanf
> The result of scanf is only checked against 0, but it can also return
> EOF.
> Functions in the scanf family return either EOF (a negative value) in
> case of IO failure, or the number of items successfully read from the
> input. Consequently, a simple check that the return value is nonzero
> is not enough.
>
> Recommendation
>
> Ensure that all uses of scanf check the return value against the
> expected number of arguments rather than just against zero.

Note: The affected code portions attempt to read values from /etc/passwd
and /etc/group, so invalid input seems unlikely to be the case. Either
way, the changes make the checks in question more consistent with
similar sscanf return value checks in the rest of the code.

Added on commit 4f003daec ("prevent leaking user information by
modifying /home directory, /etc/passwd and /etc/group", 2015-11-19).

[1] https://github.com/netblue30/firejail/security/code-scanning/32
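
The check that the CodeQL rule above flags, next to the corrected form, as an added example (not firejail's code): both functions read the UID field of a passwd-style line, and only the second compares the `sscanf` result with the number of expected conversions. The helper names and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return a pointer to the n-th (0-based) ':'-separated field, or NULL. */
static const char *field(const char *line, int n)
{
	while (n-- > 0) {
		line = strchr(line, ':');
		if (!line)
			return NULL;
		line++;
	}
	return line;
}

/* Flagged pattern: only a result of 0 (matching failure) is an error, so
 * EOF on an empty field passes and the preset value 0 is returned. */
int uid_weak(const char *line)
{
	int uid = 0;
	const char *p = field(line, 2);
	if (!p || sscanf(p, "%d", &uid) == 0)
		return -1;
	return uid;
}

/* Corrected pattern: exactly one conversion must have succeeded. */
int uid_strict(const char *line)
{
	int uid = 0;
	const char *p = field(line, 2);
	if (!p || sscanf(p, "%d", &uid) != 1)
		return -1;
	return uid;
}

int main(void)
{
	/* Constructed sample lines: complete, truncated, empty UID field. */
	const char *lines[] = { "alice:x:1000:1000::/home/alice:/bin/sh",
				"alice:x:", "alice:x::1000" };
	for (int i = 0; i < 3; i++)
		printf("%-40s weak=%d strict=%d\n", lines[i],
		       uid_weak(lines[i]), uid_strict(lines[i]));
	return 0;
}
```

On the truncated line the weak check reports UID 0, the value the variable happened to hold before the call, while the strict check rejects the line.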
So that they fail early instead of letting them run indefinitely when
there are problems with the CI infrastructure.
Use 5 minutes for the jobs that usually complete in under a minute
(check-profiles and codespell) and 10 minutes for the rest (most jobs
usually take 1-3 minutes).
Recent versions of geeqie[1] use a Lua interpreter, like the one
currently in Arch Linux (2.2).

Without this fix it fails with:

    /usr/bin/geeqie: error while loading shared libraries: liblua.so.5.4: [...]

[1] https://www.geeqie.org/
Add common Lua include to crawl.profile (Dungeon Crawl Stone Soup) to
allow Lua libraries, as both the ncurses and tiles executables are
dynamically linked to Lua.
Warnings:

    $ make codespell
    Running codespell...
    ./README:757: Manuel ==> Manual
    ./RELNOTES:269: relpaced ==> replaced
    ./src/firecfg/desktop_files.c:60: diectory ==> directory
    ./platform/debian/control.i386:11: namepaces ==> namespaces
    ./platform/debian/control.amd64:11: namepaces ==> namespaces
    make: *** [Makefile:383: codespell] Error 65

    $ codespell --version
    2.2.6