| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
| |
As suggested by @birdie-github[1].
This amends commit c78c2b4ec ("docs: note that blacklist/whitelist
follow symlinks", 2022-08-28) / PR #5344.
[1] https://github.com/netblue30/firejail/pull/5344#issuecomment-1229903967
|
|
|
|
|
|
| |
Committer note: This is the same as commit 6e687c301 ("tracelog disabled
by default in /etc/firejail/firejail.config file", 2022-08-29) but
without the Landlock-related changes.
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 54cb3e741e972c754e595d56de0bca0792299f83, reversing
changes made to 97b1e02d5f4dca4261dc9928f8a5ebf8966682d7.
There were many issues and requests for changes raised in the pull
request (both code-wise and design-wise) and most of them are still
unresolved[1].
[1] https://github.com/netblue30/firejail/pull/5315
|
|
|
|
|
|
| |
This reverts commit 836ffe37ff891886f15243eacc70963368d57a3f.
Part of reverting commits with Landlock-related changes.
|
|
|
|
|
|
| |
This reverts commit 6e687c30110a52f267c1779c4eeab82bded9cb77.
Part of reverting commits with Landlock-related changes.
|
|
|
|
|
|
| |
This reverts commit 2f3c19a87dd49b220f69f27f8c14c627277355d6.
Part of reverting commits with Landlock-related changes.
|
|
|
| |
Co-authored-by: Albert Kim <alkim@alkim.org>
|
| |
|
| |
|
| |
|
|\
| |
| | |
Add Landlock support to Firejail
|
| | |
|
| | |
|
| |
| |
| | |
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| |
| |
| |
| | |
dependency on tinyLL
|
| | |
|
|\ \
| | |
| | | |
lbry-viewer.profile create
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
Make it more explicit that they do and add an example for each command.
Relates to #5338.
|
| | |
| | |
| | |
| | | |
Format it and improve the grammar and explanation.
|
| | |
| | |
| | | |
Co-authored-by: pirate486743186 <>
|
| | |
| | |
| | |
| | |
| | | |
This amends commit 7f3b6c19a ("Add support for custom AppArmor profiles
(--apparmor=)", 2022-07-25) / PR #5274.
|
| |/
|/|
| |
| |
| |
| |
| | |
Some man pages are missing it.
This amends commit aacd2e7d8 ("docs: set vim filetype on man pages for
syntax highlighting", 2022-08-04) / PR #5296.
|
|\ \
| | |
| | | |
docs: set vim filetype on man pages for syntax highlighting
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since the man pages in src/man use a ".txt" file extension (rather than
".1" or ".5"), their filetype is detected by (neo)vim as "text".
So at the bottom of every man page, add a vim modeline in a comment and
set the filetype to "groff", to enable syntax highlighting.
Note: All of the generated ".man", ".1" and ".5" files are currently
being detected as "nroff".
Note2: Set the filetype to "groff" rather than "nroff" because at least
.UR and .UE are groff extensions. These macros look the same with
either filetype, but there may be more extensions being used and the
nroff.vim syntax file (which is included by groff.vim) does things
differently based on which filetype is used.
Based on the following example from (neo)vim's filetype.txt:
or add this modeline to the file:
/* vim: set filetype=idl : */
See `:help groff.vim` and `:help filetype.txt` in (neo)vim.
See also groff_man(7) for the man page macros (including extensions).
Environment: neovim 0.7.2-3 on Artix Linux.
Misc: I noticed this on #5290.
|
|\ \
| | |
| | | |
docs: mention risk of SUID binaries and also firejail-users(5)
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
On the introduction of firejail(1), mention the main risk of SUID
binaries and that by default, only trusted users should be allowed to
run firejail (and how to accomplish that).
Note: The added comment line is completely discarded (so there is no
extraneous blank line); see groff_man(7) for details.
Suggested by @emerajid on #5288.
Relates to #4601.
|
|\ \
| | |
| | | |
Add support for custom AppArmor profiles (--apparmor=)
|
| |/ |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add gdu to 'new profiles' section
* Create gdu.profile
* add gdu to firecfg
* harden gdu sandbox
* fix protocol
* simulate empty protocol in gdu
* more user-friendly gdu sandboxing
|
|\
| |
| | |
introduce new option restrict-namespaces
|
| | |
|
| | |
|
|\ \
| | |
| | | |
improve force-nonewprivs security guarantees
|
| | | |
|
| | | |
|
|/ / |
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
| |
now covers syscalls up to including process_madvise (440)
group assignment was blindly copied from systemd:
https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305
the only exception is close_range, which was added to both @basic-io and @file-system
this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
|
|
|
|
|
|
| |
produced using commands documented in src/lib/syscall.c:
awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_64.h
awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_32.h
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
copy using file descriptors, similar
to implementation of get option
|
|
|
|
|
|
| |
Instead of simply erroring out, just warn the user that a filesystem was
unable to be remounted due to EIO. This is helpful for FUSE filesystems
which might be buggy or having issues.
|
|\
| |
| | |
build: reduce autoconf input files from 32 to 2
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With the previous commit ("makefiles: stop failing when config.mk does
not exist", 2022-06-23), make will not immediately fail when trying to
build a target without having the proper compile-time flags (which are
defined on common.mk).
For example, when running the command below:
make distclean && make
It will throw an error only after (mis-)compiling multiple objects.
So add a dependency on config.mk on every target that uses output
variables (such as @NAME@ / $(NAME)) on its recipe. And add a
dependency on config.sh on targets that call shell scripts that use
output variables (such as @NAME@ / $NAME). Also, add a recipe for
config.mk / config.sh telling to run ./configure, to make it a bit more
obvious just in case.
With this commit, make will abort earlier, by detecting that the
config.mk / config.sh dependency does not exist. This happens before
trying to execute the recipe.
This also makes the dependencies more accurate, since if config.mk
(which defines some CFLAGS) is changed, the CFLAGS may also have
changed, so a target that uses CFLAGS should probably be considered out
of date in this case anyway.
Relates to #5140.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows running `make clean` and `make distclean` (and possibly
others) without having to run ./configure beforehand.
Note that some packaging-related targets still depend on the existence
of generated files. For example:
* dist: config.mk
* deb: config.sh
Commands used to search and replace:
$ git grep -Elz 'include *([^ ]*/)?config.mk' | xargs -0 -I '{}' \
sh -c "printf '%s\n' \
\"\$(sed -E 's|^include *(([^ ]*/)?config.mk)|-include \1|' '{}')\" >'{}'"
Relates to #5140.
|