| Commit message (Collapse) | Author | Age |
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
group; added nvidia and X11 directories to @x11 group.
|
| |
|
| |
|
|
|
|
| |
groups added
|
|
|
|
| |
feature
|
| |
|
|
|
|
|
|
| |
produced using commands documented in src/lib/syscall.c:
awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_64.h
awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_32.h
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
gcov: fix gcov functions always declared as dummy
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently, the check to enable gcov relies on a non-existent macro due
to a typo, which looks like it would cause the dummy/empty versions of
the gcov functions to always be declared (even with --enable-gcov),
instead of the real ones from gcov.h. This commit fixes the typo
(HAS_GCOV -> HAVE_GCOV). See configure.ac for the macro declaration.
This amends commit 5106b2ec4 ("gcov: use no-op functions if not
enabled", 2021-06-20) / PR #4376.
Occurrences of each macro with this commit applied:
$ git grep -F HAVE_GCOV | wc -l
16
$ git grep -F HAS_GCOV | wc -l
0
|
|/ |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of wrapping every gcov function call in an ifdef.
Note: The usage of `((void)0)` is based on section 7.2 of the C99
standard (N1256)[1] [2]:
> 7.2 Diagnostics <assert.h>
>
> 1 The header <assert.h> defines the assert macro and refers to another
> macro,
>
> NDEBUG
>
> which is not defined by <assert.h>. If NDEBUG is defined as a macro
> name at the point in the source file where <assert.h> is included, the
> assert macro is defined simply as
>
> #define assert(ignore) ((void)0)
See also assert.h(0p) from POSIX.1-2017[3].
Note: This is a continuation of commit b408b20c7 ("gcov: fix build
failure with gcc 11.1.0") / PR #4373.
[1] http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1256.pdf
[2] https://port70.net/~nsz/c/c99/n1256.html#7.2
[3] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/assert.h.html
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The build currently fails if gcov support is enabled:
$ pacman -Q gcc
gcc 11.1.0-1
$ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
$ make >/dev/null
[...]
netstats.c: In function ‘netstats’:
netstats.c:250:25: warning: implicit declaration of function ‘__gcov_flush’; did you mean ‘__gcov_dump’? [-Wimplicit-function-declaration]
250 | __gcov_flush();
| ^~~~~~~~~~~~
| __gcov_dump
[...]
/usr/bin/ld: netstats.o: in function `netstats':
/tmp/firejail-git/src/firejail-git/src/firemon/netstats.c:250: undefined reference to `__gcov_flush'
[...]
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: firemon] Error 1
make: *** [Makefile:42: src/firemon/firemon] Error 2
[...]
This happens because __gcov_flush was removed on gcc 11.1.0[1] [2] [3].
See the following gcc commits:
* d39f7dc8d5 ("Do locking for __gcov_dump and __gcov_reset as well.")
* c0532db47d ("Use __gcov_dump and __gcov_reset in execv and fork context.")
* 811b7636cb ("Remove __gcov_flush.")
Its implementation did the following[4]:
__gcov_lock ();
__gcov_dump_int ();
__gcov_reset_int ();
__gcov_unlock ();
As hinted in the commit messages above, the function is no longer needed
because locking is now done inside each of __gcov_dump and __gcov_reset.
So add an implementation of __gcov_flush (on a new gcov_wrapper.h file)
for gcc >= 11.1.0, which just calls __gcov_dump and then __gcov_reset.
Commands used to search and replace:
$ git grep -Flz '#include <gcov.h>' -- '*.c' |
xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\`sed 's|<gcov\\.h>|\"../include/gcov_wrapper.h\"|' '{}'\`\" >'{}'"
Note: This is the continuation of commit 31557e9c7 ("gcov: add missing
gcov.h includes") / PR #4360.
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d39f7dc8d558ca31a661b02d08ff090ce65e6652
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=c0532db47d092430f8e8f497b2dc53343527bb13
[3] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
[4] https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libgcc/libgcov-interface.c;h=855e8612018d1c9caf90396a3271337aaefdb9b3#l86
|
| |
|
| |
|
|
|
|
| |
mount without stash locations, only using the file descriptors
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fsec-optimize: Optimize BPF with current seccomp error action, not
just KILL
fseccomp: use correct BPF code for errno action
firejail: honor seccomp error action for X32 and secondary filters,
rebuild filters if the error action is changed
Closes: #3933
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
|
|
|
| |
(hopefully) fixes the issues that led to reverting
commits 6abb65d328af61d67361890743190bd4c57f8e3c and 98e42dc6da4e4b1e47ed2aa020012d4dedc1e80e
|
| |
|
| |
|
|
|
|
| |
Debian8; we will bring it back in the next release
|
| |
|
|
|
|
|
|
|
|
|
|
| |
1) close #3612
2) remove an implicit limitation on rlimit-fsize option
(could not set limit to smaller than 6 bytes without affecting
the ability to join a sandbox)
3) rename 'join-or-start' file to just 'join'
4) when waiting for a sandbox that is not fully configured yet,
increase polling frequency from 10 per second to 100 per second
|
| |
|
|\
| |
| | |
hardening: run plugins with dumpable flag cleared
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
1) copy xauth binary into the sandbox and set mode to 0711, so it runs
with cleared dumpable flag for unprivileged users
2) run xauth in an sbox sandbox
3) generate Xauthority file in runtime directory instead of /tmp;
this way xauth is able to connect to the X11 socket even if the
abstract socket doesn't exist, for example because a new network
namespace was instantiated
|
|\ \
| | |
| | | |
seccomp: logging
|
| |/
| |
| |
| |
| |
| |
| | |
Allow `log` as an alternative seccomp error action instead of killing
or returning an errno code.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|/ |
|
| |
|