| Commit message | Author | Age |
| |
And fix the argument order in the examples to reflect that.
Background: The order in which these options appeared in the
documentation was inconsistent. src/man/firejail.txt used --appimage
before --profile and src/man/firejail-profile.txt used --profile before
--appimage. Then commit 44fefcac0 ("Make appimage examples consistent
with --appimage option short description", 2022-10-05) / PR #5402 was
made, which standardized on --profile before --appimage in both places.
But as mentioned by @rusty-snake[1], --appimage has to be specified before
--profile in order for any `?HAS_APPIMAGE` conditionals inside of the
profile to evaluate to true.
So change the documentation to use and recommend the latter form.
Also, add --quiet to one example to make it clear that --appimage does
not have to be the first option (nor the last option before --profile).
[1] https://github.com/netblue30/firejail/pull/5402#issuecomment-1274889618
| |
This reverts commit 54cb3e741e972c754e595d56de0bca0792299f83, reversing
changes made to 97b1e02d5f4dca4261dc9928f8a5ebf8966682d7.
There were many issues and requests for changes raised in the pull
request (both code-wise and design-wise) and most of them are still
unresolved[1].
[1] https://github.com/netblue30/firejail/pull/5315
| | |
docs: set vim filetype on man pages for syntax highlighting
| | |
Since the man pages in src/man use a ".txt" file extension (rather than
".1" or ".5"), their filetype is detected by (neo)vim as "text".
So at the bottom of every man page, add a vim modeline in a comment and
set the filetype to "groff", to enable syntax highlighting.
Note: All of the generated ".man", ".1" and ".5" files are currently
being detected as "nroff".
Note2: Set the filetype to "groff" rather than "nroff" because at least
.UR and .UE are groff extensions. These macros look the same with
either filetype, but there may be more extensions being used and the
nroff.vim syntax file (which is included by groff.vim) does things
differently based on which filetype is used.
Based on the following example from (neo)vim's filetype.txt:
    or add this modeline to the file:
        /* vim: set filetype=idl : */
See `:help groff.vim` and `:help filetype.txt` in (neo)vim.
See also groff_man(7) for the man page macros (including extensions).
Environment: neovim 0.7.2-3 on Artix Linux.
Misc: I noticed this on #5290.
| |
As hinted by @rusty-snake[1].
[1] https://github.com/netblue30/firejail/discussions/5064#discussioncomment-2417395
| | |
docs: mention inconsistent homedir bug involving --private=dir
| | |
And the workaround suggested by @smitsohu[1] and @rusty-snake[2].
Relates to #903 #5048.
[1] https://github.com/netblue30/firejail/issues/903#issuecomment-946673346
[2] https://github.com/netblue30/firejail/discussions/5048#discussioncomment-2360034
| | |
It's currently only present on firejail.txt.
This amends commit 340699fbd ("misc things", 2020-02-22).
| |
As mentioned by @rusty-snake[1].
This amends commit 39654d016 ("adding netlink to --protocol list
(#4605)", 2022-01-21).
See also commit 75073e0e4 ("man: mention that private-bin and
private-etc are cumulative", 2022-01-22) and issue #4078.
[1] https://github.com/netblue30/firejail/pull/5042/files#r825477891
| |
This amends commit ac6c8c038 ("fix #4078", 2022-01-21).
Fixes #4078.
| |
See CONTRIBUTING.md.
The changes are based on what was done on commit 5a612029b ("rename
noautopulse to keep-config-pulse", 2021-05-13) / PR #4278.
This amends commit bd15e763e ("--noprinter option", 2021-10-20) and
commit d9403dcdc ("small fix", 2021-10-20).
Relates to #4607.
| | |
Add new condition ALLOW_TRAY
| |
This reverts commit a11707ea273e5665047f8a7d9387ba07f08d72f6.
The man pages currently direct users to use the aliases instead of the
commands, which some users of firejail-git may end up doing. Example:
https://github.com/netblue30/firejail/discussions/4496
So revert the man page changes as well to avoid confusion.
Note: This is not a full revert. The commit in question also contains
some string formatting fixes on src/firejail/usage.c (related to dbus
and netmask), which are left intact.
Relates to #4410.
| |
machine-id is not affected by --disable-network and matches in "User
Environment" as well.
| |
* downgrade error to warning,
similar to read-write option;
this simplifies use of tmpfs
option in general purpose
profiles, for example we
don't need to worry about links
people put in their homedir
* update manpage
| |
Changes:
* add the keep-config-pulse option
* make noautopulse an alias for keep-config-pulse
* deprecate the noautopulse option
* misc: fix indentation of --keep-dev-shm on src/firejail/usage.c
Even though noautopulse is not intended for hardening, it looks like it
is, because it starts with "no", just like no3d, noroot, etc. In fact,
it is the only "no" option that differs in such a way.
And it has been accidentally misused as such before; see PR #4269 and
commit e4beaeaa8 ("drop noautopulse from agetpkg").
So effectively rename it to keep-config-pulse in order to avoid
confusion. This is similar to the keep-var-tmp and keep-dev-shm
options, which are used to "leave a path alone", just like noautopulse.
Note: The changes on this patch are based on the ones from commit
617ff40c9 ("add --noautopulse arg for complex pulse setups") / PR #1854.
See #4269 for the discussion.
| | |
davidebeatrici/private-dev-input-support-and-noinput-option
Map /dev/input with "--private-dev", add "--no-input" option to disable it
| | |
By default only joystick devices ("/dev/input/js*") can be accessed.
At least, that's the case on Debian: the other entries have more restrictive permissions.
The original owner and group are "root" and "input", respectively.
However, until we have granular input control options, allowing access to joysticks only is better than nothing.
$ ls -l /dev
total 0
lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 cdrom -> /dev/sr0
lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 cdrw -> /dev/sr0
drwxr-xr-x 3 nobody nogroup 100 22 apr 19.18 dri
lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 dvd -> /dev/sr0
lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 dvdrw -> /dev/sr0
lrwxrwxrwx 1 nobody nogroup 13 23 apr 07.22 fd -> /proc/self/fd
crw-rw-rw- 1 nobody nogroup 1, 7 23 apr 07.22 full
crw-rw----+ 1 nobody nogroup 244, 0 22 apr 19.18 hidraw0
crw-rw----+ 1 nobody nogroup 244, 1 22 apr 19.18 hidraw1
crw-rw----+ 1 nobody nogroup 244, 2 22 apr 19.18 hidraw2
crw-rw----+ 1 nobody nogroup 244, 3 22 apr 19.18 hidraw3
crw-rw----+ 1 nobody nogroup 244, 4 22 apr 19.18 hidraw4
crw-rw----+ 1 nobody nogroup 244, 5 22 apr 19.18 hidraw5
drwxr-xr-x 4 nobody nogroup 760 23 apr 07.22 input
srw-rw-rw- 1 nobody nogroup 0 22 apr 19.18 log
crw-rw-rw- 1 nobody nogroup 1, 3 23 apr 07.22 null
lrwxrwxrwx 1 nobody nogroup 13 23 apr 07.22 ptmx -> /dev/pts/ptmx
drwxr-xr-x 2 nobody nogroup 0 23 apr 07.22 pts
crw-rw-rw- 1 nobody nogroup 1, 8 23 apr 07.22 random
drwxrwxrwt 2 nobody nogroup 40 23 apr 07.22 shm
drwxr-xr-x 4 nobody nogroup 500 22 apr 19.18 snd
brw-rw----+ 1 nobody nogroup 11, 0 23 apr 00.24 sr0
lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stdout -> /proc/self/fd/1
crw-rw-rw- 1 nobody nogroup 5, 0 23 apr 07.22 tty
crw-rw-rw- 1 nobody nogroup 1, 9 23 apr 07.22 urandom
drwxr-xr-x 2 nobody nogroup 120 22 apr 19.18 usb
crw-rw----+ 1 nobody video 81, 0 22 apr 19.18 video0
crw-rw----+ 1 nobody video 81, 1 22 apr 19.18 video1
crw-rw----+ 1 nobody video 81, 2 22 apr 19.18 video2
crw-rw----+ 1 nobody video 81, 3 22 apr 19.18 video3
crw-rw-rw- 1 nobody nogroup 1, 5 23 apr 07.22 zero
$ ls -l /dev/input
total 0
drwxr-xr-x 2 nobody nogroup 280 23 apr 07.22 by-id
drwxr-xr-x 2 nobody nogroup 300 23 apr 07.22 by-path
crw-rw---- 1 nobody nogroup 13, 64 22 apr 19.18 event0
crw-rw---- 1 nobody nogroup 13, 65 22 apr 19.18 event1
crw-rw---- 1 nobody nogroup 13, 74 22 apr 19.18 event10
crw-rw---- 1 nobody nogroup 13, 75 22 apr 19.18 event11
crw-rw---- 1 nobody nogroup 13, 76 22 apr 19.18 event12
crw-rw---- 1 nobody nogroup 13, 77 22 apr 19.18 event13
crw-rw---- 1 nobody nogroup 13, 78 22 apr 19.18 event14
crw-rw---- 1 nobody nogroup 13, 79 22 apr 19.18 event15
crw-rw---- 1 nobody nogroup 13, 80 22 apr 19.18 event16
crw-rw---- 1 nobody nogroup 13, 81 22 apr 19.18 event17
crw-rw---- 1 nobody nogroup 13, 82 22 apr 19.18 event18
crw-rw---- 1 nobody nogroup 13, 83 22 apr 19.18 event19
crw-rw---- 1 nobody nogroup 13, 66 22 apr 19.18 event2
crw-rw---- 1 nobody nogroup 13, 84 22 apr 19.18 event20
crw-rw---- 1 nobody nogroup 13, 85 22 apr 19.18 event21
crw-rw---- 1 nobody nogroup 13, 86 22 apr 19.18 event22
crw-rw---- 1 nobody nogroup 13, 87 22 apr 19.18 event23
crw-rw---- 1 nobody nogroup 13, 88 22 apr 19.18 event24
crw-rw---- 1 nobody nogroup 13, 89 22 apr 19.18 event25
crw-rw---- 1 nobody nogroup 13, 90 22 apr 19.18 event26
crw-rw---- 1 nobody nogroup 13, 91 22 apr 19.18 event27
crw-rw----+ 1 nobody nogroup 13, 92 23 apr 07.22 event28
crw-rw---- 1 nobody nogroup 13, 67 22 apr 19.18 event3
crw-rw---- 1 nobody nogroup 13, 68 22 apr 19.18 event4
crw-rw---- 1 nobody nogroup 13, 69 22 apr 19.18 event5
crw-rw---- 1 nobody nogroup 13, 70 22 apr 19.18 event6
crw-rw---- 1 nobody nogroup 13, 71 22 apr 19.18 event7
crw-rw---- 1 nobody nogroup 13, 72 22 apr 19.18 event8
crw-rw---- 1 nobody nogroup 13, 73 22 apr 19.18 event9
crw-rw-r-- 1 nobody nogroup 13, 0 22 apr 19.18 js0
crw-rw-r--+ 1 nobody nogroup 13, 1 23 apr 07.22 js1
crw-rw---- 1 nobody nogroup 13, 63 22 apr 19.18 mice
crw-rw---- 1 nobody nogroup 13, 32 22 apr 19.18 mouse0
crw-rw---- 1 nobody nogroup 13, 33 22 apr 19.18 mouse1
$ ls -l /dev/input/by-id
total 0
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-event-if01 -> ../event9
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-event-kbd -> ../event8
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-BY_Tech_Usb-if01-event-kbd -> ../event11
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-BY_Tech_Usb-if01-event-mouse -> ../event12
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-if01-mouse -> ../mouse1
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-event-if01 -> ../event5
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-event-mouse -> ../event2
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-if01-event-kbd -> ../event3
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-mouse -> ../mouse0
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-Sonix_Technology_Co.__Ltd._H264_USB_Camera_SN0001-event-if00 -> ../event27
lrwxrwxrwx 1 nobody nogroup 10 23 apr 07.22 usb-ZEROPLUS_Controller_3136303033313032354246323543-event-joystick -> ../event28
lrwxrwxrwx 1 nobody nogroup 6 23 apr 07.22 usb-ZEROPLUS_Controller_3136303033313032354246323543-joystick -> ../js1
$ ls -l /dev/input/by-path
total 0
lrwxrwxrwx 1 nobody nogroup 10 23 apr 07.22 pci-0000:05:00.1-usb-0:6.1:1.0-event-joystick -> ../event28
lrwxrwxrwx 1 nobody nogroup 6 23 apr 07.22 pci-0000:05:00.1-usb-0:6.1:1.0-joystick -> ../js1
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.0-event-mouse -> ../event2
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.0-mouse -> ../mouse0
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.1-event -> ../event5
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.1-event-kbd -> ../event3
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.0-event-kbd -> ../event8
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event -> ../event9
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event-kbd -> ../event11
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event-mouse -> ../event12
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-mouse -> ../mouse1
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:0c:00.3-usb-0:4:1.0-event -> ../event27
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 platform-pcspkr-event-spkr -> ../event13
| |
Commit 0.9.60-1070-g40d3604f updated the man pages with respect to
--private-opt, --private-etc, and --private-srv. It was made after
testing firejail 0.9.52 (from Ubuntu 18.04). However, it
unfortunately did not accurately reflect the behavior of the
current HEAD at the time, because commit 0.9.56-rc1-14-ga9242301 had
previously slightly changed the behavior of these three options (after
0.9.52), and was released in 0.9.56. The man pages changes made in
commit 40d3604f were therefore not entirely correct.
This commit updates the man pages to describe the behavior as
implemented in a9242301 (and is still the behavior as of the current
HEAD: 0.9.64-737-g937815ba).
Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
| |
Idea from @vinc17fr
https://github.com/netblue30/firejail/issues/4026#issuecomment-789178572
| |
- RELNOTES: protocol now accumulates
- fix #3978 -- Android Studio: cannot create the directory
Unresolved:
> google-earth.profile has a 'noblacklist ${HOME}/.config/Google' too,
> so we should consider to add additional blacklists for ~/.config/Google/*.
- marker.profile: allow ${DOCUMENTS}
- profile.template: add bluetooth protocol
- profile.template: add DBus portal note
- firejail-profile.txt: revert 17fe4b9e -- fix private=directory in man firejail-profile
see https://github.com/netblue30/firejail/pull/3970#discussion_r574411745