| Commit message (Collapse) | Author | Age |
|
Make it "2014-2023", which is the same as in basically every other file
that has the same Copyright author.
This kind of amends commit b408b20c7 ("gcov: fix build failure with gcc
11.1.0", 2021-06-15) / PR #4376.
This is a follow-up to #5664.
|
modif: Escape control characters of the command line
|
Names and commands can contain control characters:
```
firejail --name="$(echo -e '\e[31mRed\n\b\b\bText\e[0m')" sleep 10s
```
results in "Text" printed in red.
Prevent commands like `--tree` from controlling the terminal.
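The escaping idea described above, as an added example that is not firejail's code: a hypothetical `escape_cntrl` helper rewrites C0 control bytes and DEL into visible escapes before a sandbox name is printed. The `\xNN` output format is an assumption made for illustration, and the sample name is constructed from the command shown in the commit message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not firejail's code. Copies src into dst, replacing
 * C0 control bytes and DEL with visible escapes so a terminal never
 * interprets them. Returns the output length, or -1 if dst is too small. */
static int escape_cntrl(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char buf[8];
        size_t n;
        if (*p == '\n')
            n = (size_t)snprintf(buf, sizeof buf, "\\n");
        else if (*p == '\\')            /* keep the output unambiguous */
            n = (size_t)snprintf(buf, sizeof buf, "\\\\");
        else if (*p < 0x20 || *p == 0x7f)
            n = (size_t)snprintf(buf, sizeof buf, "\\x%02x", (unsigned)*p);
        else {
            buf[0] = (char)*p;          /* printable byte: copy as is */
            n = 1;
        }
        if (o + n >= dstlen)            /* leave room for the NUL */
            return -1;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void) {
    /* Constructed sample: the name from the commit message above. */
    const char *name = "\x1b[31mRed\n\b\b\bText\x1b[0m";
    char out[128];
    if (escape_cntrl(name, out, sizeof out) < 0)
        return 1;
    puts(out);
    return 0;
}
```

The escape sequence and backspaces are printed as literal text, so the listing shows what the name actually contains instead of a recoloured "Text".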
|
profiles
|
group; added nvidia and X11 directories to @x11 group.
|
groups added
|
feature
|
produced using commands documented in src/lib/syscall.c:
```
awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_64.h
awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_32.h
```
|
gcov: fix gcov functions always declared as dummy
|
Currently, the check to enable gcov relies on a non-existent macro due
to a typo, which looks like it would cause the dummy/empty versions of
the gcov functions to always be declared (even with --enable-gcov),
instead of the real ones from gcov.h. This commit fixes the typo
(HAS_GCOV -> HAVE_GCOV). See configure.ac for the macro declaration.
This amends commit 5106b2ec4 ("gcov: use no-op functions if not
enabled", 2021-06-20) / PR #4376.
Occurrences of each macro with this commit applied:
```
$ git grep -F HAVE_GCOV | wc -l
16
$ git grep -F HAS_GCOV | wc -l
0
```
|
Instead of wrapping every gcov function call in an ifdef.
Note: The usage of `((void)0)` is based on section 7.2 of the C99
standard (N1256)[1] [2]:
> 7.2 Diagnostics <assert.h>
>
> 1 The header <assert.h> defines the assert macro and refers to another
> macro,
>
> NDEBUG
>
> which is not defined by <assert.h>. If NDEBUG is defined as a macro
> name at the point in the source file where <assert.h> is included, the
> assert macro is defined simply as
>
> #define assert(ignore) ((void)0)
See also assert.h(0p) from POSIX.1-2017[3].
Note: This is a continuation of commit b408b20c7 ("gcov: fix build
failure with gcc 11.1.0") / PR #4373.
[1] http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1256.pdf
[2] https://port70.net/~nsz/c/c99/n1256.html#7.2
[3] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/assert.h.html
|
The build currently fails if gcov support is enabled:
```
$ pacman -Q gcc
gcc 11.1.0-1
$ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
$ make >/dev/null
[...]
netstats.c: In function ‘netstats’:
netstats.c:250:25: warning: implicit declaration of function ‘__gcov_flush’; did you mean ‘__gcov_dump’? [-Wimplicit-function-declaration]
250 | __gcov_flush();
| ^~~~~~~~~~~~
| __gcov_dump
[...]
/usr/bin/ld: netstats.o: in function `netstats':
/tmp/firejail-git/src/firejail-git/src/firemon/netstats.c:250: undefined reference to `__gcov_flush'
[...]
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: firemon] Error 1
make: *** [Makefile:42: src/firemon/firemon] Error 2
[...]
```
This happens because __gcov_flush was removed on gcc 11.1.0[1] [2] [3].
See the following gcc commits:
* d39f7dc8d5 ("Do locking for __gcov_dump and __gcov_reset as well.")
* c0532db47d ("Use __gcov_dump and __gcov_reset in execv and fork context.")
* 811b7636cb ("Remove __gcov_flush.")
Its implementation did the following[4]:
```
__gcov_lock ();
__gcov_dump_int ();
__gcov_reset_int ();
__gcov_unlock ();
```
As hinted in the commit messages above, the function is no longer needed
because locking is now done inside each of __gcov_dump and __gcov_reset.
So add an implementation of __gcov_flush (on a new gcov_wrapper.h file)
for gcc >= 11.1.0, which just calls __gcov_dump and then __gcov_reset.
Commands used to search and replace:
```
$ git grep -Flz '#include <gcov.h>' -- '*.c' |
xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\`sed 's|<gcov\\.h>|\"../include/gcov_wrapper.h\"|' '{}'\`\" >'{}'"
```
Note: This is the continuation of commit 31557e9c7 ("gcov: add missing
gcov.h includes") / PR #4360.
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d39f7dc8d558ca31a661b02d08ff090ce65e6652
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=c0532db47d092430f8e8f497b2dc53343527bb13
[3] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
[4] https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libgcc/libgcov-interface.c;h=855e8612018d1c9caf90396a3271337aaefdb9b3#l86
|
mount without stash locations, only using the file descriptors
|
fsec-optimize: Optimize BPF with current seccomp error action, not
just KILL
fseccomp: use correct BPF code for errno action
firejail: honor seccomp error action for X32 and secondary filters,
rebuild filters if the error action is changed
Closes: #3933
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
(hopefully) fixes the issues that led to reverting
commits 6abb65d328af61d67361890743190bd4c57f8e3c and 98e42dc6da4e4b1e47ed2aa020012d4dedc1e80e
|
Debian8; we will bring it back in the next release
|
1) close #3612
2) remove an implicit limitation on rlimit-fsize option
(could not set limit to smaller than 6 bytes without affecting
the ability to join a sandbox)
3) rename 'join-or-start' file to just 'join'
4) when waiting for a sandbox that is not fully configured yet,
increase polling frequency from 10 per second to 100 per second
|
hardening: run plugins with dumpable flag cleared
|