| Commit message | Author | Age |
mount without stash locations, only using the file descriptors
|
private-lib: move to mount-only
|
Grammar
|
private-lib: mask /usr/local/lib[,64] directories, too
|
private-lib hardening
|
ensure that libraries are loaded
from a default ld.so search path
it is reasonable for firejail to
expect that unprivileged users have
no write permission on these paths;
lax permissions there mean that the
system is probably screwed anyway
|
sandbox setup: postpone library preloading
|
for now avoids mixing of traces from sandbox helpers
into application traces
|
sandbox setup: postpone fslogger
|
postpone writing of log file in order to
catch filesystem modifications from x11
functions
|
Zsh completion improvements
|
I don't understand the current brace expansions, so let's use an easier
one:
--foo <> one-time; no argument
*--foo <> multi-time; no argument
--foo=- <> one-time; with argument (direct after the =)
*--foo=- <> multi-time; with argument (direct after the =)
|
Add new condition ?HAS_PRIVATE:
|
Idea from @vinc17fr
https://github.com/netblue30/firejail/issues/4026#issuecomment-789178572
|
Create nextcloud-desktop.profile
|
Back in the day, the same default seccomp filter was always loaded
for chroot/appimage/overlayfs sandboxes. Nowadays users can configure
their own filters, so allow postexecseccomp again.
|
remove whitespaces in order to create
a uniform message layout. Compare with:
** Note: you can use --noprofile to disable default.profile **
when firejail loads the default profile.
|
fixes reversed /etc and /usr/etc timetraces
|
Better for portability and consistency. Currently strerror() is used
everywhere else, so use it here as well. printf's %m is a glibc
extension that is supported also by some other libc implementations.
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
Move error message after debug logging and add cause message.
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
Makefile improvements
|
Avoid a stat() call for each affected target and also potentially speed
up parallel builds.
From the GNU make manual[1]:
> Phony targets are also useful in conjunction with recursive
> invocations of make (see Recursive Use of make). In this situation
> the makefile will often contain a variable which lists a number of
> sub-directories to be built.
[...]
> The implicit rule search (see Implicit Rules) is skipped for .PHONY
> targets. This is why declaring a target as .PHONY is good for
> performance, even if you are not worried about the actual file
> existing.
Commands used to search, replace and clean up:
$ find -type f -name '*Makefile.in' -exec sed -i.bak \
    -e 's/^all:/.PHONY: all\nall:/' \
    -e 's/^clean:/.PHONY: clean\nclean:/' \
    -e 's/^distclean:/.PHONY: distclean\ndistclean:/' '{}' +
$ find -type f -name '*Makefile.in.bak' -exec rm '{}' +
[1]: https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html
|
With a fun little script:
$ git ls-files -z -- '*Makefile*' |
    xargs -0 -I '{}' sh -c \
    "test -s '{}' && printf '%s\n' \"\`git stripspace <'{}'\`\" >'{}'"
|
man firejail-profiles has it already. [skip ci]
|
bash:
- remove --audit
zsh:
- add --mkdir + --mkfile
- remove -audit
and fix typo in 9b56dc8e
|
The current message misses the info that nnp and nogroups are applied
too. The new one mentions nnp too, but is very long. If anyone has a better
wording, say it.
|
This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
|
- RELNOTES: protocol now accumulates
- fix #3978 -- Android Studio: cannot create the directory
Unresolved:
> google-earth.profile has a 'noblacklist ${HOME}/.config/Google' too,
> so we should consider to add additional blacklists for ~/.config/Google/*.
- marker.profile: allow ${DOCUMENTS}
- profile.template: add bluetooth protocol
- profile.template: add DBus portal note
- firejail-profile.txt: revert 17fe4b9e -- fix private=directory in man firejail-profile
see https://github.com/netblue30/firejail/pull/3970#discussion_r574411745
|