Homepage: https://mullvad.net/en/download/browser/linux
mullvad-browser: don't use restrict-namespaces
mullvad-browser: cover both installation paths
Suggested in review by @kmk3.

Closes #5899.
Suggested-by: @shaggonit

To make it clearer that they are not modified later.

To make it match the function used in src/jailcheck/utils.c.

modif: improve errExit error messages

Changes:
* Move msg to the end of errExit (right before perror(3p))
* Include the full file path (within the repository)
* Add "()" to function name for clarity
Before:
Error malloc: main.c:123 main: Cannot allocate memory
After:
Error src/firejail/main.c:123 main(): malloc: Cannot allocate memory
Note: This clarifies which is the exact file that the error message
comes from, as there are many source files with the same name. For
example:
$ git ls-files 'src/*/main.c' | wc -l
20

And remove the comment, as firecfg does not appear to support
end-of-line comments and normal comments break the linter:
$ ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
sort: -:13: disorder: #Debian 11 seems to be installing the same fbreader executable twice under two different names
This amends commit 869333a5f ("firecfg.config: fix sorting",
2023-06-28).

It's currently breaking the profile-checks job in CI[1].
This amends commit d88c8d439 ("fbreader/FBReader profile fixes; more on
static ip map", 2023-06-27).
[1] https://github.com/netblue30/firejail/actions/runs/5394764503/jobs/9796380881

To make them less confusing, as they are extra dependencies, not files
that are specific to the module.
Commands used to search and replace:
$ git grep -IFlz -e 'MOD_HDRS' -e 'MOD_OBJS' -- src |
xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
-e 's/MOD_HDRS/EXTRA_HDRS/g' \
-e 's/MOD_OBJS/EXTRA_OBJS/g' '{}')\" >'{}'"
Added on commit f5b1ccaad ("makefiles: move extra deps into new MOD
vars", 2022-05-07) / PR #5478.

To reduce the amount of boilerplate in the makefiles.
This amends commit 9789c263a ("build: disable all built-in implicit make
rules", 2023-06-21) / PR #5864.

profiles: vmware improvements and new redirect

It appears to be broken on Linux Mint 20.3 (based on Ubuntu 20.04), due
to the "VMWare Kernel Module Updater" being unable to install kernel
modules[1].
Relates to #3526.
[1] https://github.com/netblue30/firejail/issues/5861#issuecomment-1598407890
Reported-by: @MikeNavy

As a redirect to vmware.profile.
This is apparently the filename for the "VMWare Workstation Player" on
Linux Mint 20.3 (based on Ubuntu 20.04)[1].
Relates to #3526.
[1] https://github.com/netblue30/firejail/issues/5861#issuecomment-1598132860
Reported-by: @MikeNavy

Use `make -r` to reduce unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~93.3% (~97.5% compared to a8f01a383) for the default build and by
~83.3% (~99.3% compared to a8f01a383) for the "man" target (as an
example):
$ git show --pretty='%h %ai %s' -s
a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6798
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
# (in the previous commit)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
2535
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
42
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
170
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
7
Environment: GNU make 4.4.1-2 on Artix Linux.
Note: According to make(1p) in POSIX.1-2017, "If .SUFFIXES does not have
any prerequisites, the list of known suffixes shall be cleared.", while
"The result of setting MAKEFLAGS in the Makefile is unspecified."
Commands used to search and replace:
$ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed -E \
's/^(.SUFFIXES:)/\1\nMAKEFLAGS += -r\n/' '{}')\" >'{}'"

Clear `.SUFFIXES:` to reduce unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~62% for the default build and by ~96% for the "man" target (as an
example):
$ git checkout master >/dev/null 2>&1
$ git show --pretty='%h %ai %s' -s
a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6798
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
2535
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
42
Environment: GNU make 4.4.1-2 on Artix Linux.
Commands used to search and replace:
$ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed '1s/^/.SUFFIXES:\n/' '{}')\" >'{}'"
See also commit f48886f25 ("build: mark most phony targets as such",
2023-02-01) / PR #5637.

It is not too uncommon for the firejail version to be missing when
issues are reported; this commit makes it more likely that any posted
logs will contain the program version.
Do so just for firejail and firecfg for now because they are the most
common user-facing programs.
Print the version after argument parsing, in order to avoid printing the
program version more than once and to avoid interfering with commands
that generate machine-readable output (like `firejail --list` and
`firecfg --list`). Also, only print it after all profiles have been
loaded, because a profile may contain `quiet`.
Note: This does not cover the case where the program exits before the
end of argument/profile parsing (such as when an error occurs).

For consistency and readability.
Note: This also makes exactly one extra blank line be printed at the end
of every usage text, which is currently only done in the following
files:
* src/fcopy/main.c
* src/fnettrace-dns/main.c
* src/fnettrace-icmp/main.c
* src/fnettrace-sni/main.c
* src/fnettrace/main.c
* src/profstats/main.c

Changes:
* Name them all "usage_str"
* Make them const
For the latter item, see commit eb20f52ef ("Make list of paths const to
fix a false positive of gcc analyzer", 2022-07-27) / PR #5275.

Changes:
* Only print the version line in the print_version function
* Add a print_version function where missing (put it in usage.c if the
file exists)
* Always a blank line after the version

Currently, --version doesn't print a dash while --help does. Example:
$ firejail --version | grep 'version 0'
firejail version 0.9.73
$ firejail --help | grep 'version 0'
firejail - version 0.9.73
For consistency, always print the version without a dash.
Commands used to search and replace:
$ git grep -IFlz ' - version' -- src | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed 's/ - version/ version/' '{}')\" >'{}'"

* Create url-eater.profile
* RELNOTES: add url-eater to 'new profiles'

add mov-cli.profile

* microsoft-edge*: fix spacing
* Create microsoft-edge-stable.profile
Relates to #5696.
* firecfg.config: add support for microsoft-edge-stable redirect
* disable-common.inc: blacklist msedge SUID executables
* microsoft-edge: add private-opt and allow internal sandbox access

add ani-cli.profile

https://github.com/pystardust/ani-cli

add porn-cli.profile

https://github.com/justchokingaround/lobster

build: Fix whitespace and add .editorconfig

This fixes all of the "space before tab in indent" errors raised by git:
$ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD |
grep '^[^+]' | cut -f 3 -d : | LC_ALL=C sort | uniq -c
72 space before tab in indent.
Commands used to find the errors:
$ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD
$ git grep -In "$(printf '\t') "
Note: Unlike "space before tab in indent", the reverse ("space after tab
in indent") is not reported by git. That is because spaces could be
intentionally used for alignment or line continuation, but in some cases
they are being used for indentation together with tabs and in others the
formatting is misaligned. The second command was used to help find and
fix these other issues.

* Create qpdf.profile and redirects
qpdf (CLI) provides PDF metadata cleaning.
See privacy-handbuch.de[1] for details.
The site offers pdf-meta-clean.sh[2], which works very well with
firejailed qpdf.
[1] https://www.privacy-handbuch.de/handbuch_43a.htm
[2] https://www.privacy-handbuch.de/download/pdf-meta-clean.sh
* RELNOTES: add qpdf and redirects to new profiles section
* firecfg.config: add qpdf and redirects
* qpdf: use 'seccomp socket' instead of 'protocol unix'
See https://github.com/netblue30/firejail/issues/639. Thanks @rusty-snake in code review.

md5sum/sha512sum, more sysutils testing, fix electron-hardened.inc.profile

Add a profile for the Qt5 GUI to process Avidemux jobs.
Use a redirection to the avidemux3_qt5 profile to reuse translation
files. The application needs to create a network socket on localhost and
fails to run with protocol unix, so that entry in the default avidemux
profile needs to be extended.

Add a profile for the command-line interface of Avidemux, which
redirects to the existing avidemux profile.

* Add firecfg support for tesseract
* Add tesseract to 'New profiles' section in README.md
* Create tesseract.profile
* tesseract: fix private-etc
* tesseract: fix XDG black/whitelisting
* tesseract: use 'seccomp socket' instead of 'protocol unix'
As kindly suggested by @rusty-snake.
* tesseract: add 'restrict-namespaces'
As kindly suggested by @rusty-snake.
* tesseract: use full seccomp filtering
The tesseract application works fine without 'protocol' or 'seccomp socket'.

For clarity, as it is included by the Makefiles that create programs and
non-shared-objects, but not by the ones that create shared objects (see
src/so.mk).
Commands used to move and search and replace:
$ git mv src/common.mk src/prog.mk
$ git grep -IFlz 'common.mk' -- src | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed 's/common.mk/prog.mk/' '{}')\" >'{}'"

The makefiles that both build C programs and include src/common.mk are
nearly identical, save for the main target name and for any extra
headers and objects that they might use.
So move all of their (duplicated) code into src/common.mk, which (other
than the "lib" target on src/lib/Makefile) leaves only variables and the
includes of config.mk and src/common.mk in place.

Put the main target name into a new PROG variable, put PROG into a new
TARGET variable, make "all" depend on `$(TARGET)` and replace every
other occurrence of the main target name with `$(PROG)`.
On the makefiles that build non-shared objects, to make them more
similar. With this commit, all of their targets are identical (except
for the extra "lib" target on src/lib/Makefile).

For increased readability, list one item per line on lines that are
currently longer than 80 characters.

To make the makefiles more similar.
That is, add the following new variables:
* MOD_HDRS
* MOD_SRCS
* MOD_OBJS
And move existing module-specific header and object dependencies into
`MOD_HDRS` and `MOD_OBJS`, respectively. `MOD_SRCS` is added mostly for
symmetry/consistency.
Note: Use `MOD_` as a prefix instead of `EXTRA_` to avoid confusion, as
the latter is currently used for global variables (such as
`EXTRA_CFLAGS`), as opposed to module-specific variables.
Note2: Add them directly into the HDRS/SRCS/OBJS variables to avoid
cluttering the existing recipes with extra variables unnecessarily.
This also allows, for example, referencing all of the object
dependencies with `$<` if `$(OBJS)` is the first dependency (at least in
GNU make).
Note3: Since HDRS/SRCS/OBJS use simple assignment (through `:=`), the
MOD variables should appear before including src/common.mk (or
src/so.mk).