path: root/src
Commit message [Author, Age]
* Merge pull request #5677 from kmk3/print-failed-long-arg [netblue30, 2023-02-24]
|\
| |   Print the argument when failing with "too long arguments"
| * Print the argument when failing with "too long arguments" [Kelvin M. Klann, 2023-02-21]
| |
| |   Also, s/arguments/argument/ since the message refers to one specific argument.
| |
| |   Relates to commit 0d06369a8 ("Make env/arg sanity check failure messages more useful", 2021-11-10) / PR #4676.
| |
| |   Relates to #5676.
* | more private-etc [netblue30, 2023-02-24]
| |
* | New profiles: qpdf and redirects (#5675) [glitsj16, 2023-02-23]
|/
|   * Create qpdf.profile and redirects
|
|     qpdf (CLI) provides PDF metadata cleaning. See privacy-handbuch.de[1] for details. The site offers pdf-meta-clean.sh[2], which works very well with firejailed qpdf.
|
|     [1] https://www.privacy-handbuch.de/handbuch_43a.htm
|     [2] https://www.privacy-handbuch.de/download/pdf-meta-clean.sh
|
|   * RELNOTES: add qpdf and redirects to new profiles section
|   * firecfg.config: add qpdf and redirects
|   * qpdf: use 'seccomp socket' instead of 'protocol unix'
|
|     See https://github.com/netblue30/firejail/issues/639. Thanks @rusty-snake in code review.
* selinux.c: Use same license as upstream file (LGPLv2.1+) [Kelvin M. Klann, 2023-02-16]
|
|   The upstream file is licensed under the LGPLv2.1+ and it uses an SPDX license identifier rather than an LGPL license notice[1].
|
|   And according to the GNU project, the LGPLv2.1+ is compatible with both the GPLv2 (with the result being GPLv2) and the GPLv3 (with the result being GPLv3), though the reverse (GPL -> LGPL) does not apply[2] [3]. This means that if we make changes that are only available under the GPLv2, systemd would be unable to copy them back and release the result under the LGPLv2.1 without being in violation of the GPLv2.
|
|   So replace the GPL license notice with the SPDX license identifier of the upstream file ("LGPL-2.1-or-later"), to make it easier to share changes between both projects.
|
|   See also the following systemd commits[4] [5] [6] [7]:
|
|   * 53e1b68390 ("Add SPDX license identifiers to source files under the LGPL", 2017-11-18)
|   * db9ecf0501 ("license: LGPL-2.1+ -> LGPL-2.1-or-later", 2020-11-09)
|
|   [1] https://github.com/systemd/systemd/blob/254d1313ae5a69c08c9b93032aaaf3d6083cfc07/src/shared/selinux-util.c
|   [2] https://www.gnu.org/licenses/license-list.en.html#LGPLv2.1
|   [3] https://www.gnu.org/licenses/license-compatibility.html
|   [4] https://github.com/systemd/systemd/commit/53e1b683907c2f12330f00feb9630150196f064d
|   [5] https://github.com/systemd/systemd/pull/7386
|   [6] https://github.com/systemd/systemd/commit/db9ecf050165fd1033c6f81485917e229c4be537
|   [7] https://github.com/systemd/systemd/pull/17548
* selinux.c: Split Copyright notice in two [Kelvin M. Klann, 2023-02-16]
|
|   This makes firejail's Copyright notice match the ones in basically every other file, which simplifies updating the Copyright years.
|
|   selinux.c was added on commit 1ad2d54c0 ("Add support for SELinux labeling", 2020-02-18) and it claims to be "from systemd selinux-util.c".
|
|   As for systemd's Copyright notice, the current version of that file on the systemd project does not have any[1]. The first commit in the systemd repository is from 2009[2] and the file was copied in 2020 (and does not seem to have been synced since), so set the years in its Copyright notice to 2009-2020.
|
|   Since there is no Copyright notice (and no author) in the upstream file, list "The systemd Authors" in the Copyright notice. See also systemd commit 0c69794138 ("tree-wide: remove Lennart's copyright lines", 2018-06-12)[3] [4].
|
|   [1] https://github.com/systemd/systemd/blob/254d1313ae5a69c08c9b93032aaaf3d6083cfc07/src/shared/selinux-util.c
|   [2] https://github.com/systemd/systemd/commit/6091827530d6dd43479d6709fb6e9f745c11e900
|   [3] https://github.com/systemd/systemd/commit/0c697941389b7379c4471bc0a067ede02814bc57
|   [4] https://github.com/systemd/systemd/pull/9274
* gcov_wrapper.h: Fix inconsistent Copyright years [Kelvin M. Klann, 2023-02-15]
|
|   Make it "2014-2023", which is the same as in basically every other file that has the same Copyright author.
|
|   This kind of amends commit b408b20c7 ("gcov: fix build failure with gcc 11.1.0", 2021-06-15) / PR #4376.
|
|   This is a follow-up to #5664.
* Update copyright to 2023 (#5664) [David Fetter, 2023-02-15]
|
* fix build [netblue30, 2023-02-14]
|
* merges; more on cleaning up esc chars [netblue30, 2023-02-14]
|
* Merge pull request #5613 from layderv/escape-cntrl-sequences [netblue30, 2023-02-14]
|\
| |   modif: Escape control characters of the command line
| * Style changes [layderv, 2023-02-06]
| |
| * Escape control characters [layderv, 2023-01-15]
| |
| |   Names and commands can contain control characters:
| |
| |   ```
| |   firejail --name="$(echo -e '\e[31mRed\n\b\b\bText\e[0m')" sleep 10s
| |   ```
| |
| |   results in "Text" printed in red. Prevent commands like `--tree` from controlling the terminal.
* | merges, disable sort.py in profile checks temporarily, two more private-etc profiles [netblue30, 2023-02-14]
| |
* | private-etc: more on gcrypt [netblue30, 2023-02-09]
| |
* | private-etc: moving gcrypt from tls-ca to x11 group [netblue30, 2023-02-08]
| |
* | private-etc: libreoffice, audacity, frozen-bubble, transmission, md5sum/sha512sum, more sysutils testing, fix electron-hardened.inc.profile [netblue30, 2023-02-08]
| |
* | adding machine-id to x11 group [netblue30, 2023-02-08]
| |
* | build fix [netblue30, 2023-02-06]
| |
* | installing etc-cleanup tool in /usr/lib/firejail directory [netblue30, 2023-02-06]
| |
* | Merge pull request #5634 from acatton/master [netblue30, 2023-02-06]
|\ \
| | |   feature: Add 'keep-shell-rc' command and option
| * | feature: add 'keep-shell-rc' flag and option [Antoine Catton, 2023-02-03]
| | |
| | |   This fixes #1127.
| | |
| | |   This allows a user to provide their own zshrc/bashrc inside the jail. This is very useful when using firejail to develop and prevent bad pip packages from accessing your system.
* | | private-etc: pushing vulkan into games group [netblue30, 2023-02-06]
| | |
* | | private-etc: groups modified [netblue30, 2023-02-05]
| | |
* | | private-etc: big profile changes [netblue30, 2023-02-05]
| | |
* | | private-etc: cleanup tool [netblue30, 2023-02-05]
| | |
* | | etc_groups.h: sort groups alphabetically [glitsj16, 2023-02-04]
| | |
* | | etc_groups.h: internally sort groups alphabetically [glitsj16, 2023-02-04]
|/ /
* | Merge pull request #5578 from layderv/master [netblue30, 2023-01-30]
|\ \
| | |   modif: Prevent sandbox name from containing only digits
| * | Prevent sandbox name from containing only digits [layderv, 2023-01-24]
| | |
| | |   Names should not contain only numbers, as they are used in other commands as PIDs.
* | | private-etc: moved group names to @group syntax; GUI group renamed as @x11 group; added nvidia and X11 directories to @x11 group. [netblue30, 2023-01-30]
| | |
* | | private-etc: cross-distro test for curl, gimp, inkscape, firefox, warzone2100 [netblue30, 2023-01-28]
| | |
* | | private-etc: fixes [netblue30, 2023-01-25]
| | |
* | | private-etc: fix man page [netblue30, 2023-01-25]
| | |
* | | private-etc rework: new man page [netblue30, 2023-01-25]
| | |
* | | private-etc rework: file groups moved to src/include/etc_groups.h, new groups added [netblue30, 2023-01-25]
| | |
* | | private-etc rework: /etc file groups [netblue30, 2023-01-22]
| | |
* | | compile fix [netblue30, 2023-01-20]
| | |
* | | private-etc rework: remove hiding blacklisted files in private-etc directory feature [netblue30, 2023-01-20]
| | |
* | | Merge pull request #5600 from kmk3/fix-stop-ddash-sh [netblue30, 2023-01-19]
|\ \ \
| | | |   modif: Stop forwarding own double-dash to the shell
| * | | Stop forwarding own double-dash to the shell [Kelvin M. Klann, 2023-01-17]
| | | |
| | | |   Currently, if double-dash ("--") is passed to firejail, it is forwarded to the user shell:
| | | |
| | | |       $ firejail --debug --noprofile -- echo test 2>&1 | grep -e execvp -e test
| | | |       Building quoted command line: 'echo' 'test'
| | | |       Building quoted command line: 'echo' 'test'
| | | |       Running 'echo' 'test' command through /bin/bash
| | | |       execvp argument 0: /bin/bash
| | | |       execvp argument 1: -c
| | | |       execvp argument 2: --
| | | |       execvp argument 3: 'echo' 'test'
| | | |       test
| | | |
| | | |   This causes issues when the user shell does not accept "--" / is not POSIX-compatible:
| | | |
| | | |       $ /bin/bash -c -- 'echo test'
| | | |       test
| | | |       $ /bin/fish -c -- 'echo test'
| | | |       fish: Unknown command: --
| | | |       fish:
| | | |       --
| | | |       ^
| | | |
| | | |   Fixes #5599.
| | | |   Relates to #3434.
| | | |
| | | |   Reported-by: @iltep64
| | | |   Reported-by: @ferreum
* | | | cleanup [netblue30, 2023-01-19]
| | | |
* | | | merges [netblue30, 2023-01-18]
|/ / /
* | | Reword CFG_ETC_HIDE_BLACKLISTED explanation [Kelvin M. Klann, 2023-01-16]
| | |
| | |   To make it clearer.
| | |
| | |   Added on commit ded50200e ("opt-in: skip blacklisted files in private-etc - #5010, #5230", 2023-01-15) / PR #5591.
* | | Rename etc-no-blacklisted to etc-hide-blacklisted [Kelvin M. Klann, 2023-01-16]
| | |
| | |   To avoid boolean confusion (`no-foo no` / `no-foo yes`) in firejail.config:
| | |
| | |       etc-no-blacklisted no
| | |       etc-no-blacklisted yes
| | |
| | |   Commands used to search and replace:
| | |
| | |       git grep -Ilz -i 'etc.no.blacklisted' -- etc src |
| | |         xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
| | |           -e 's/etc-no-blacklisted/etc-hide-blacklisted/' \
| | |           -e 's/ETC_NO_BLACKLISTED/ETC_HIDE_BLACKLISTED/' \
| | |           '{}')\" >'{}'"
| | |
| | |   Added on commit ded50200e ("opt-in: skip blacklisted files in private-etc - #5010, #5230", 2023-01-15) / PR #5591.
* | | Merge pull request #5591 from smitsohu/private-etc-no-blacklisted [netblue30, 2023-01-15]
|\ \ \
| | | |   opt-in: hide blacklisted files in /etc
| * | | opt-in: skip blacklisted files in private-etc - #5010, #5230 [smitsohu, 2023-01-15]
| |/ /
* | | Merge pull request #5563 from glitsj16/linuxqq [netblue30, 2023-01-15]
|\ \ \
| |_|/
|/| |   New profiles: linuxqq/qq
| * | Merge branch 'netblue30:master' into linuxqq [glitsj16, 2023-01-04]
| |\|
| * | firecfg: add linuxqq/qq [glitsj16, 2023-01-03]
| | |