| Commit message | Author | Age |
|
Note: This seems to already be done for `protocol` lines.
Before:
$ ./contrib/sort.py test.profile
sort.py: checking 1 profile(s)...
test.profile:1:-private-etc ,,bar,,foo,,bar,,,
test.profile:1:+private-etc ,,,,,,,bar,bar,foo
test.profile:2:-protocol ,,unix,,bluetooth,,unix,,inet,,,
test.profile:2:+protocol unix,inet,bluetooth
[ Fixed ] test.profile
After:
$ ./contrib/sort.py test.profile
sort.py: checking 1 profile(s)...
test.profile:1:-private-etc ,,bar,,foo,,bar,,,
test.profile:1:+private-etc bar,foo
test.profile:2:-protocol ,,unix,,bluetooth,,unix,,inet,,,
test.profile:2:+protocol unix,inet,bluetooth
[ Fixed ] test.profile
|
build: reduce hardcoding and inconsistencies
|
To reduce TARNAME hardcoding.
|
Since Landlock ABI v4 it is possible to restrict actions related to the
network and potentially more areas will be added in the future.
So use `landlock.fs.` as the prefix in the current filesystem-related
commands (and later `landlock.net.` for the network-related commands) to
keep them organized and to match what is used in the kernel.
Examples of filesystem and network access flags:
* `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
* `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
* `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
* `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a
remote port.
Relates to #6078.
|
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
|
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
|
feature: add Landlock support
|
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
|
To match how things are sorted elsewhere, such as with `noblacklist` /
`whitelist` lines (vertically) in profiles and in
ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
This makes the order in `private-etc` always be groups (`@group`), then
uppercase paths, then lowercase paths. Example from
etc/profile-m-z/softmaker-common.profile:
private-etc @tls-ca,SoftMaker,fstab
Note that this does not affect a significant amount of profiles; most
changes are in `private-bin` / `private-lib` lines and in `private-etc`
lines for newer profiles that do not use groups. This is partly due to
commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05)
replacing `X11` with `@x11` in `private-etc` lines and then commit
0f996ea4d ("private-etc: groups modified", 2023-02-05) removing
`Trolltech.conf` from `private-etc` lines and using case-sensitive
sorting in them.
Relates to #5610.
|
The `mimetypes` property contains the section `text/plain`. This causes
for example the Gnome Editor to recognize every simple text file as a
firejail profile file. See this issue:
https://gitlab.gnome.org/GNOME/gnome-text-editor/-/issues/612
Fixes #6057.
|
Fix the list generation and run `make syntax`.
Relates to #5627.
|
build: add missing makefile dep & syntax improvements
|
Escape `.` only when generating the syntax files rather than directly in
the syntax lists, so that the latter contain the command names as is.
This also makes the escaping apply to the arg1 syntax list as well.
Note: Double escaping (`\\\\.`) is used in `regex_fromlf` because its
output is used in another sed replacement (where it needs to be `\\.`).
Relates to #5627.
|
Found by simply running `codespell .`.
Environment: codespell 2.2.5-2 on Artix Linux.
|
This adds the `shell` command. Note that it's still being parsed in
profile.c, even if it's just to return an error.
Commands used to remake them:
rm contrib/syntax/lists/*
make syntax
Relates to #5627 #5894.
|
Currently it only sets the appropriate filetype for files in
`/etc/firejail` and `~/.config/firejail`.
With this commit, the firejail filetype should also be set when opening
`etc/inc/*.inc`, for example, as long as there is a "firejail" directory
somewhere before that (such as in `/foo/firejail/bar/etc/inc/*.inc`).
Note: At least `*/firejail/*.inc` needs to force the match (by using
`set filetype` rather than `setfiletype`), or else the default vim
checks take precedence (and the filetype for all files in
`etc/inc/*.inc` gets set to `pov`).
Fixes #4319.
Relates to #2679.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
Commands used to list the file extensions used in the project:
$ git ls-files | sed -En 's/.*(\.[^.]+)$/\1/p' |
LC_ALL=C sort | uniq -c
For rules that are more specific to a given directory, put a dedicated
.editorconfig file in it.
|
Almost all of the shell scripts in the repository use tabs for
indentation (or have no indentation at all):
$ git grep -Il '^\t' -- '*.sh' | wc -l
19
$ git grep -Il '^ ' -- '*.sh' | wc -l
5
$ git grep -IL '^[ \t]' -- '*.sh' | wc -l
25
So do the same in the few shell scripts that currently use spaces for
indentation.
Except for the following file:
* platform/rpm/mkrpm.sh
Not sure if it's following a packaging-specific scheme, so just fix the
one indentation inconsistency in it and otherwise leave it as is for
now.
Command used to search for shell scripts using spaces for indentation:
$ git grep -In '^ ' -- '*.sh'
|
build: deb: enable apparmor by default & remove deb-apparmor
|
The official .deb package is always built with apparmor support, so use
`--enable-apparmor` in mkdeb.sh and remove the "deb-apparmor" target in
order to reduce redundancy.
Note that custom configure options may be specified by calling
./mkdeb.sh directly.
For example, to build the .deb package without apparmor support, instead
of running `make deb`, the following commands can be used:
make dist
./mkdeb.sh --disable-apparmor
Also, change the `build_apparmor` GitLab CI job into
`build_no_apparmor`, which is intended to check that building without
apparmor still works.
Note: This commit makes the resulting .deb package not have an
"-apparmor" suffix (see `EXTRA_VERSION` in mkdeb.sh), to avoid
redundancy (as having apparmor support becomes the default).
Misc: This is a follow-up to #5654.
Relates to #5154 #5176 #5547.
|
This fixes #1127.
This allows a user to provide their own zshrc/bashrc inside the jail.
This is very useful when using firejail to develop and prevent bad pip
packages from accessing your system.
|
Changes:
* Generate firejail.vim from firejail.vim.in
* Generate firejail-profile.lang from firejail-profile.lang.in
* Update the manual syntax file steps on the new command checklist on
CONTRIBUTING.md to use `make syntax` instead
Relates to #2679 #5502 #5577 #5612.
|
Changes:
* Use the commands from contrib/vim/syntax/firejail.vim to create
makefile targets to generate syntax lists in contrib/syntax/lists
* Add contrib/syntax/files/example.in as an example of how to generate
syntax files
* Generate and add the syntax lists, to make it easier to spot if they
are properly updated when a new command is added or if their recipes
also need changes
* Add "syntax" and "contrib" makefile targets
Note: The generation commands are executed mostly silently to avoid
generating too much noise when also making other targets.
Note2: In some generation commands, a `$$` escape is used to pass `$` to
the shell, to avoid being interpreted by make as the start of a macro.
Note3: `@make_input@` is used in example.in to make it clear that the
file is generated (and that it is generated by make rather than
configure), similarly to how `@configure_input@` is used in configure
input files. See also apparmor.vim:
$ head -n 2 /usr/share/vim/vimfiles/syntax/apparmor.vim
" generated from apparmor.vim.in by create-apparmor.vim.py
" do not edit this file - edit apparmor.vim.in or create-apparmor.vim.py instead
Environment: apparmor 3.1.2-1 on Artix Linux.
Relates to #2679 #5502 #5577 #5612.
|
Having all of the syntax files in the same directory makes it easier to
reference all of them at once on a makefile (such as with
`contrib/syntax/files/*.in`).
Also, this makes the path to the gtksourceview language-spec shorter.
Current path/new path:
* contrib/gtksourceview-5/language-specs/firejail-profile.lang
* contrib/syntax/files/firejail-profile.lang
Currently, adding a rule to the root Makefile to generate the
language-spec in the same directory as an input file would take at least
95 characters (with only a single dependency):
contrib/gtksourceview-5/language-specs/%.lang: contrib/gtksourceview-5/language-specs/%.lang.in
With this commit, the above is shortened to 59 characters:
contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in
Which should make it more readable.
Relates to #2679 #5502.
|
To avoid depending on an extra package without need.
Commands used to search and replace:
$ f=contrib/vim/syntax/firejail.vim; \
printf '%s\n' "$(sed -E \
"s|rg -o '([^']+)' -r '\\\$1'|sed -En 's/.*\\1.*/\\\\1/p'|" "$f")" >"$f"
Note: `sed -E` is not in POSIX.1-2017 (Issue 7), but it has been
accepted into the upcoming POSIX standard version[1] and is supported by
at least GNU, busybox and OpenBSD grep.
Added on commit a1cc4a556 ("Add vim syntax and ftdetect files (#2679)",
2019-05-06).
[1] https://www.austingroupbugs.net/view.php?id=528
|
Only a single script is passed by argument in each invocation.
Added on commit a1cc4a556 ("Add vim syntax and ftdetect files (#2679)",
2019-05-06) and on commit d2e10f2f5 ("vim: update list of syscalls",
2021-05-29) / PR #4318.
|
It seems to be equivalent to just delimiting the beginning and the end
of the line with `^foo$`.
Also, put the regex mode (-E) first.
Commands used to search and replace:
$ f=contrib/vim/syntax/firejail.vim; \
printf '%s\n' "$(sed -E \
"s|grep -vEx '([^']+)'|grep -Ev '^\\1\$'|" "$f")" >"$f"
Added on commit a1cc4a556 ("Add vim syntax and ftdetect files (#2679)",
2019-05-06).
|
POSIX tr understands '\n', so use that instead of the less portable
$'\n'.
Commands used to search and replace:
$ f=contrib/vim/syntax/firejail.vim; \
printf '%s\n' "$(sed -E \
"s/tr +\\\$'\\\\n'/tr '\\\\n'/g" "$f")" >"$f"
Added on commit a1cc4a556 ("Add vim syntax and ftdetect files (#2679)",
2019-05-06).
|
Tested with org.gnome.TextEditor.
The gtksourceview language-spec hasn't changed between gtksourceview 3,
4 and 5 AFAIK so it should also work on older systems if you copy/link
the file in the right places.
|
With this, the help section remains consistent regardless of how the
script is called and even if the filename is changed. For example, if
someone renames "sort.py" to "firejail-sort" and puts it somewhere in
`$PATH`.
Example outputs of the script name (using `print(argv[0]); return`):
$ ./contrib/sort.py
./contrib/sort.py
$ python contrib/sort.py
contrib/sort.py
$ (cd contrib && ./sort.py)
./sort.py
Note: This depends on `os.path` and `sys.argv`, so the imports have to
appear before the docstring. In which case, the docstring has to be
explicitly assigned to `__doc__` (as it ceases to be the first statement
in the file).
Note2: When running `pydoc ./contrib/sort.py`, `argv[0]` becomes
"/usr/bin/pydoc" (using python 3.10.8-1 on Artix Linux).
|
And return a specific exit code, as suggested by @rusty-snake[1].
Escape the first line in the docstring to avoid printing a blank line as
the first line of the output.
[1] https://github.com/netblue30/firejail/pull/5429#discussion_r999637842
|
Where applicable, instead of creating custom ones.
Example error messages:
rm -f 123 && ./contrib/sort.py 123
[ Error ] [Errno 2] No such file or directory: '123'
touch 123 && chmod -rwx 123 && ./contrib/sort.py 123
[ Error ] [Errno 13] Permission denied: '123'
|
Misc: The trailing comma is due to using the opinionated `black` Python
formatter (which seems to be a relatively common one). This was the
only change made, so the code seems to already be following the format
used by this tool.
|
Changes:
* Line-wrap comments at 79 characters
* Make comments clearer
* Make main docstring more similar to a command "usage" output
See the result with the following command, which generates a
man-page-like output and opens it in the man pager (such as in `less`):
$ pydoc ./contrib/sort.py
See also PEP-257, "Docstring Conventions"[1].
[1] https://peps.python.org/pep-0257/
|
To make it clearer.
There are 3 different instances of protocol-related objects being used
in the fix_protocol function:
* The input
* The array of common sorted lines
* The (sorted) output
|
To make it clearer.
Both the input and output of the sort_alphabetical function are strings
of comma-separated items, so there is no format conversion of any kind
being done (from "raw" to "not raw"), only sorting.
|
Which also makes it fit in under 80 characters.
Always print "profile(s)" instead of changing the message based on the
argument count.
|
To the sort function, instead of wrapping it in a lambda function.
|
Instead of manually adding 1 to lineno.
|
Test directly for presence of command instead of indirectly testing
the return code.
Additionally:
* uses a shell builtin `command -v` instead of external `which`
* `command -v` is the standardized version of `which`
|
This reverts commit 54cb3e741e972c754e595d56de0bca0792299f83, reversing
changes made to 97b1e02d5f4dca4261dc9928f8a5ebf8966682d7.
There were many issues and requests for changes raised in the pull
request (both code-wise and design-wise) and most of them are still
unresolved[1].
[1] https://github.com/netblue30/firejail/pull/5315
|
Configure summary: autoconf essentially only parses configure.ac and
generates the configure script (that is, the "./configure" shell
script). The latter is what actually checks what is available on the
system and internally sets the value of the output variables. It then,
for every filename foo in AC_CONFIG_FILES (and for every output variable
name BAR in AC_SUBST), reads foo.in, replaces every occurrence of
`@BAR@` with the value of the shell variable `$BAR` and generates the
file foo from the result. After this, configure is finished and `make`
could be executed to start the build.
Now that (as of #5140) all output variables are only defined on
config.mk.in and on config.sh.in, there is no need to generate any
makefile nor any other mkfile or shell script at configure time. So
rename every "Makefile.in" to "Makefile", mkdeb.sh.in to mkdeb.sh,
src/common.mk.in to src/common.mk and leave just config.mk and config.sh
as the files to be generated at configure time.
This allows editing and committing all makefiles directly, without
potentially having to run ./configure in between.
Commands used to rename the makefiles:
$ git ls-files -z -- '*Makefile.in' | xargs -0 -I '{}' sh -c \
"git mv '{}' \"\$(dirname '{}')/Makefile\""
Additionally, from my (rudimentary) testing, this commit reduces the
time it takes to run ./configure by about 20~25% compared to commit
72ece92ea ("Transmission fixes: drop private-lib (#5213)", 2022-06-22).
Environment: dash 0.5.11.5-1, gcc 12.1.0-2, Artix Linux, ext4 on an HDD.
Commands used for benchmarking each commit:
$ : >time_configure && ./configure && make distclean &&
for i in $(seq 1 10); do
{ time -p ./configure; } 2>>time_configure; done
$ grep real time_configure |
awk '{ total += $2 } END { print total/NR }'
|