| Commit message (Collapse) | Author | Age |
feature: add Landlock support
|
And ignore landlock-related commands if Landlock is unsupported at
runtime.
|
Apply rules in the sandbox thread before the application is started.
|
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
|
feature: expand simple macros in more commands
|
This includes macros such as `${HOME}` and `${RUNUSER}`.
Commands:
* --chroot=
* --netfilter=
* --netfilter6=
* --trace=
Closes #6032.
Reported-by: @michelesr
|
feature: firecfg: add firecfg.d & add ignore command
|
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].
It prevents firecfg from creating a symlink for the given program.
Also, document the paths used and the config file syntax.
Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.
Closes #2097.
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
|
As suggested by @WhyNotHugo[1].
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
|
Instead of using asprintf + free.
Also, use LIBDIR instead of hardcoded "/usr/lib" for fzenity.
|
Changes:
* fix inconsistent indentation/braces
* add missing free
|
Lookup xauth in PATH.
|
Don't use hardcoded `/usr/bin/xauth`,
iterate over directories inside PATH instead.
This fixes https://github.com/netblue30/firejail/issues/6006
|
fcopy: Use lstat when copy directory.
|
When copying directories use lstat when reading info about source files.
|
The most generic way is to use `intmax_t`
because we don't know what is the "parent" type of `off_t`.
This fixes https://github.com/netblue30/firejail/issues/5982 .
|
* disable-programs.inc: add support for tiny-rdm
* Create tiny-rdm.profile
* firecfg.config: add support for tiny-rdm
|
to run these options
|
* profiles: drop private-opt (existing whitelist)
* profiles: replace private-opt with whitelist
In most profiles.
Kept private-opt for enpass (~85MB), mate-dictionary (<20MB),
minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't
check: xmr-stak.
* docs: note potential issues with private-opt
|
* Create termshark.profile
* firecfg.config: add termshark support
* termshark: CLI hardening
|
New profile: tidal-hifi
|
modified src/firecfg/firecfg.config to add tidal-hifi
created etc/profile-m-z/tidal-hifi.profile
closes: #6008
Apply suggestions from code review
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
* disable-programs.inc: add lettura support
* Create lettura.profile
* firecfg.config: add lettura
|
Co-authored-by: pirate486743186 <>
|
modif: keep pipewire group unless nosound is used
|
This group is apparently used on Gentoo[1].
Currently only the "audio" supplementary group is kept.
Fixes #5992.
See also commit f32938669 ("Keep vglusers group unless no3d is used
(virtualgl)", 2022-01-07) / PR #4851.
[1] https://wiki.gentoo.org/wiki/PipeWire
Reported-by: @amano-kenji
|
Fix the list generation and run `make syntax`.
Relates to #5627.
|
Closes #5965
|
Change the old .txt paths into the new .in paths.
This amends commit 76bd5ad0f ("build: simplify code related to man
pages", 2023-07-12) / PR #5898.
|
This fixes the following errors:
$ make codespell
[...]
codespell --ignore-regex "UE|creat|doas|shotcut|ether" src test
src/firemon/procevent.c:188: duble ==> double
src/fnettrace/main.c:30: postive ==> positive
src/fnettrace/main.c:30: defiend ==> defined
src/fnettrace/main.c:482: isplay ==> display
make: *** [Makefile:371: codespell] Error 65
$ codespell --version
2.2.5
Added in the following commits:
* bef5d86a1 ("increase socket buffer size for firemon, bug #2700",
2019-09-29)
* c4962789f ("nettrace stats", 2023-08-08)
|
* firecfg.config: add support for clac
* Create clac.profile
|
Currently the CI check does not consider certain special characters
(such as `-`) when sorting due to `sort -d`.
So remove `-d`, sort firecfg using `LC_ALL=C` and enforce that order.
Also add `sort -u` to check for duplicates.
This also allows the CI check to ignore normal comments (lines starting
with `# `) anywhere in the file.
Relates to #4643.
|
Remove the space after `#` for commented code and use `#` instead of `-`
for comments at the end of the line.
Commands used to search and replace:
$ f=src/firecfg/firecfg.config; printf '%s\n' "$(sed -E \
-e '3,9999s/^# /#/' \
-e '3,9999s/^#([^ ]+) --? /#\1 # /' \
"$f")" >"$f"
|
* Create reader.profile
* firecfg.config: add reader support
* reader: integrate review suggestions
- blacklist whole ${RUNUSER}
- drop x11 none
* reader: fix 'x11 none'
|
* firecfg.config: add daisy support
* Create daisy.profile
|