| Commit message | Author | Age |

feature: Add 'keep-shell-rc' command and option
This fixes #1127.
This allows a user to provide their own zshrc/bashrc inside the jail.
This is very useful when using firejail to develop and prevent bad pip
packages from accessing your system.
modif: Prevent sandbox name from containing only digits
Names should not contain only numbers,
as they are used in other commands as PIDs.
group; added nvidia and X11 directories to @x11 group.
groups added
feature
modif: Stop forwarding own double-dash to the shell
Currently, if double-dash ("--") is passed to firejail, it is forwarded
to the user shell:

    $ firejail --debug --noprofile -- echo test 2>&1 |
      grep -e execvp -e test
    Building quoted command line: 'echo' 'test'
    Building quoted command line: 'echo' 'test'
    Running 'echo' 'test' command through /bin/bash
    execvp argument 0: /bin/bash
    execvp argument 1: -c
    execvp argument 2: --
    execvp argument 3: 'echo' 'test'
    test

This causes issues when the user shell does not accept "--" / is not
POSIX-compatible:

    $ /bin/bash -c -- 'echo test'
    test
    $ /bin/fish -c -- 'echo test'
    fish: Unknown command: --
    fish:
    --
    ^

Fixes #5599.
Relates to #3434.
Reported-by: @iltep64
Reported-by: @ferreum
To make it clearer.
Added on commit ded50200e ("opt-in: skip blacklisted files in
private-etc - #5010, #5230", 2023-01-15) / PR #5591.
To avoid boolean confusion (`no-foo no` / `no-foo yes`) in
firejail.config:

    etc-no-blacklisted no
    etc-no-blacklisted yes

Commands used to search and replace:

    git grep -Ilz -i 'etc.no.blacklisted' -- etc src |
      xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
        -e 's/etc-no-blacklisted/etc-hide-blacklisted/' \
        -e 's/ETC_NO_BLACKLISTED/ETC_HIDE_BLACKLISTED/' \
        '{}')\" >'{}'"

Added on commit ded50200e ("opt-in: skip blacklisted files in
private-etc - #5010, #5230", 2023-01-15) / PR #5591.
opt-in: hide blacklisted files in /etc
New profiles: linuxqq/qq
Fixes #5585
A temporary fix to the bug caused by apparmor profiles stacking.
Add profile for Chatterino
Add a profile for the Qt5 GUI to process Avidemux jobs.
Use a redirection to the avidemux3_qt5 profile to reuse translation
files. The application needs to create a network socket on localhost and
fails to run with protocol unix, so that entry in the default avidemux
profile needs to be extended.
Add a profile for the command-line interface of Avidemux, which
redirects to the existing avidemux profile.
build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS
From the manual of GNU Automake (version 1.16.5)[1] [2]:
> 3.6 Variables reserved for the user
>
> Some `Makefile` variables are reserved by the GNU Coding Standards for
> the use of the "user"—the person building the package. For instance,
> `CFLAGS` is one such variable.
>
> Sometimes package developers are tempted to set user variables such
> as `CFLAGS` because it appears to make their job easier. However, the
> package itself should never set a user variable, particularly not to
> include switches that are required for proper compilation of the
> package. Since these variables are documented as being for the
> package builder, that person rightfully expects to be able to override
> any of these variables at build time.
>
> To get around this problem, Automake introduces an
> automake-specific shadow variable for each user flag variable.
> (Shadow variables are not introduced for variables like `CC`, where
> they would make no sense.) The shadow variable is named by prepending
> `AM_` to the user variable's name. For instance, the shadow variable
> for `YFLAGS` is `AM_YFLAGS`. The package maintainer—that is, the
> author(s) of the `Makefile.am` and `configure.ac` files—may adjust
> these shadow variables however necessary.
>
> Note Flag Variables Ordering::, for more discussion about these
> variables and how they interact with per-target variables.
See also the description of CFLAGS in the GNU Autoconf manual[3].
Note: We do not use automake (save for aclocal) nor generally follow the
GNU Coding Standards, but the concept still applies. Also, the closest
analogous in the project to the `AM_` prefix would currently likely be
`EXTRA_`.
[1] https://www.gnu.org/software/automake/manual/1.16.5/html_node/User-Variables.html
[2] https://www.gnu.org/software/automake/manual/1.16.5/html_node/Flag-Variables-Ordering.html
[3] https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Preset-Output-Variables.html
* Add firecfg support for tesseract
* Add tesseract to 'New profiles' section in README.md
* Create tesseract.profile
* tesseract: fix private-etc
* tesseract: fix XDG black/whitelisting
* tesseract: use 'seccomp socket' instead of 'protocol unix'
  As kindly suggested by @rusty-snake.
* tesseract: add 'restrict-namespaces'
  As kindly suggested by @rusty-snake.
* tesseract: use full seccomp filtering
  The tesseract application works fine without 'protocol' or 'seccomp socket'.