path: root/src
Commit message (Author, Age)
...
* | firecfg.config: actually fix sorting (Kelvin M. Klann, 2023-06-28)
| |
| |     And remove the comment, as firecfg does not appear to support
| |     end-of-line comments and normal comments break the linter:
| |
| |         $ ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
| |         sort: -:13: disorder: #Debian 11 seems to be installing the same fbreader executable twice under two different names
| |
| |     This amends commit 869333a5f ("firecfg.config: fix sorting",
| |     2023-06-28).
| |
* | main.c: fix typo in --icmptrace error message (Kelvin M. Klann, 2023-06-28)
| |
* | firecfg.config: fix sorting (Kelvin M. Klann, 2023-06-28)
| |
| |     It's currently breaking the profile-checks job in CI[1].
| |
| |     This amends commit d88c8d439 ("fbreader/FBReader profile fixes; more
| |     on static ip map", 2023-06-27).
| |
| |     [1] https://github.com/netblue30/firejail/actions/runs/5394764503/jobs/9796380881
| |
* | Merge branch 'master' of ssh://github.com/netblue30/firejail (netblue30, 2023-06-27)
|\|
| * Merge pull request #5866 from kmk3/build-organize-make-vars (Kelvin M. Klann, 2023-06-27)
| |\
| | |
| | |     build: organize and standardize make vars and targets
| | |
| | * build: move remaining build flags into config.mk.in (Kelvin M. Klann, 2023-06-25)
| | |
| | |     Put all definitions in the same file.
| | |
| | * build: move common CFLAGS/LDFLAGS first (Kelvin M. Klann, 2023-06-25)
| | |
| | * build: remove redundant LDFLAGS in so.mk (Kelvin M. Klann, 2023-06-25)
| | |
| | |     Changes:
| | |
| | |     * Remove -fPIE, as it is mutually exclusive with -fPIC
| | |     * Remove -pie, as it is intended for executables (with -fPIE / -fpie)
| | |     * Remove duplicated `-z relro`
| | |
| | |     Note: The files built by the affected recipe are identical with and
| | |     without these changes when using gcc 13.1.1-1 on Artix Linux.
| | |
| | * build: standardize clean/distclean targets in src (Kelvin M. Klann, 2023-06-25)
| | |
| | |     Changes:
| | |
| | |     * clean: remove the same types of files in src/prog.mk and src/so.mk
| | |     * distclean: remove unused recipes and DISTCLEANFILES variable
| | |
| | * build: rename TOCLEAN and TODISTCLEAN variables (Kelvin M. Klann, 2023-06-24)
| | |
| | |     To CLEANFILES and DISTCLEANFILES, respectively.
| | |
| | |     This matches what GNU automake uses.
| | |
| | |     Commands used to search and replace:
| | |
| | |         $ git grep -IFlz -e TOCLEAN -e TODISTCLEAN | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
| | |           -e 's/TOCLEAN/CLEANFILES/g' \
| | |           -e 's/TODISTCLEAN/DISTCLEANFILES/g' '{}')\" >'{}'"
| | |
| | |     Added on commit cbdee6555 ("makefiles: add TOCLEAN and TODISTCLEAN
| | |     variables", 2022-07-15) / PR #5478.
| | |
| | * build: rename MOD vars to EXTRA vars (Kelvin M. Klann, 2023-06-24)
| | |
| | |     To make them less confusing, as they are extra dependencies, not
| | |     files that are specific to the module.
| | |
| | |     Commands used to search and replace:
| | |
| | |         $ git grep -IFlz -e 'MOD_HDRS' -e 'MOD_OBJS' -- src | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
| | |           -e 's/MOD_HDRS/EXTRA_HDRS/g' \
| | |           -e 's/MOD_OBJS/EXTRA_OBJS/g' '{}')\" >'{}'"
| | |
| | |     Added on commit f5b1ccaad ("makefiles: move extra deps into new MOD
| | |     vars", 2022-05-07) / PR #5478.
| | |
| | * build: remove MOD_SRCS variable (Kelvin M. Klann, 2023-06-24)
| | |
| | |     It is unused and is unlikely to be used.
| | |
| | |     Added on commit f5b1ccaad ("makefiles: move extra deps into new MOD
| | |     vars", 2022-05-07) / PR #5478.
| | |
* | | fbreader/FBReader profile fixes; more on static ip map (netblue30, 2023-06-27)
|/ /
* | fix geoiplookup executable detection for --nettrace (netblue30, 2023-06-25)
| |
* | QUIC (HTTP/3) support in --nettrace (netblue, 2023-06-25)
|/
* build: move MAKEFLAGS to config.mk.in (Kelvin M. Klann, 2023-06-24)
|
|     To reduce the amount of boilerplate in the makefiles.
|
|     This amends commit 9789c263a ("build: disable all built-in implicit
|     make rules", 2023-06-21) / PR #5864.
|
* Merge pull request #5865 from kmk3/profiles-add-vmplayer (Kelvin M. Klann, 2023-06-23)
|\
| |
| |     profiles: vmware improvements and new redirect
| |
| * profiles: vmware: disable on firecfg (Kelvin M. Klann, 2023-06-21)
| |
| |     It appears to be broken on Linux Mint 20.3 (based on Ubuntu 20.04),
| |     due to the "VMWare Kernel Module Updater" being unable to install
| |     kernel modules[1].
| |
| |     Relates to #3526.
| |
| |     [1] https://github.com/netblue30/firejail/issues/5861#issuecomment-1598407890
| |
| |     Reported-by: @MikeNavy
| |
| * profiles: add vmplayer.profile (Kelvin M. Klann, 2023-06-21)
| |
| |     As a redirect to vmware.profile.
| |
| |     This is apparently the filename for the "VMWare Workstation Player"
| |     on Linux Mint 20.3 (based on Ubuntu 20.04)[1].
| |
| |     Relates to #3526.
| |
| |     [1] https://github.com/netblue30/firejail/issues/5861#issuecomment-1598132860
| |
| |     Reported-by: @MikeNavy
| |
* | build: disable all built-in implicit make rules (Kelvin M. Klann, 2023-06-21)
| |
| |     Use `make -r` to reduce unnecessary filesystem lookups.
| |
| |     Overall, this appears to reduce the amount of implicit rule searches
| |     by ~93.3% (~97.5% compared to a8f01a383) for the default build and by
| |     ~83.3% (~99.3% compared to a8f01a383) for the "man" target (as an
| |     example):
| |
| |         $ git show --pretty='%h %ai %s' -s
| |         a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
| |         $ ./configure >/dev/null
| |         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
| |         6798
| |         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
| |         1085
| |
| |         # (in the previous commit)
| |         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
| |         2535
| |         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
| |         42
| |
| |         # (with this commit applied)
| |         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
| |         170
| |         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
| |         7
| |
| |     Environment: GNU make 4.4.1-2 on Artix Linux.
| |
| |     Note: According to make(1p) in POSIX.1-2017, "If .SUFFIXES does not
| |     have any prerequisites, the list of known suffixes shall be
| |     cleared.", while "The result of setting MAKEFLAGS in the Makefile is
| |     unspecified."
| |
| |     Commands used to search and replace:
| |
| |         $ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
| |           "printf '%s\n' \"\$(sed -E \
| |           's/^(.SUFFIXES:)/\1\nMAKEFLAGS += -r\n/' '{}')\" >'{}'"
| |
* | build: disable most built-in implicit make rules (Kelvin M. Klann, 2023-06-21)
| |
| |     Clear `.SUFFIXES:` to reduce unnecessary filesystem lookups.
| |
| |     Overall, this appears to reduce the amount of implicit rule searches
| |     by ~62% for the default build and by ~96% for the "man" target (as an
| |     example):
| |
| |         $ git checkout master >/dev/null 2>&1
| |         $ git show --pretty='%h %ai %s' -s
| |         a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
| |         $ ./configure >/dev/null
| |         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
| |         6798
| |         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
| |         1085
| |
| |         # (with this commit applied)
| |         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
| |         2535
| |         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
| |         42
| |
| |     Environment: GNU make 4.4.1-2 on Artix Linux.
| |
| |     Commands used to search and replace:
| |
| |         $ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
| |           "printf '%s\n' \"\$(sed '1s/^/.SUFFIXES:\n/' '{}')\" >'{}'"
| |
| |     See also commit f48886f25 ("build: mark most phony targets as such",
| |     2023-02-01) / PR #5637.
| |
* | build: standardize commands on top of makefiles (Kelvin M. Klann, 2023-06-21)
|/
|
|     To make the makefiles look more similar.
|
* Merge pull request #5856 from kmk3/standardize-name-checks (Kelvin M. Klann, 2023-06-19)
|\
| |
| |     modif: Standardize and add missing name/hostname checks
| |
| * docs: document NAME VALIDATION in firejail.txt (Kelvin M. Klann, 2023-06-13)
| |
| * Add missing name/hostname checks (Kelvin M. Klann, 2023-06-13)
| |
| |     Note that the sandbox name may also be set through the
| |     "join-or-start" option.
| |
| |     Relates to #5578 #5708.
| |
| * Standardize name/hostname checks (Kelvin M. Klann, 2023-06-13)
| |
| |     Changes:
| |
| |     * Use only `invalid_name` to check the name and hostname instead of
| |       ad-hoc checks
| |     * Standardize empty/invalid error messages for name/hostname
| |
| |     Note: This makes the hostname validation less strict, though it still
| |     forbids control characters and only numbers.
| |
| |     Relates to #5578 #5708.
| |
| |     See also commit b4ffaa207 ("merges; more on cleaning up esc chars",
| |     2023-02-14).
| |
| * util.c: check first/last char and allow extra chars (Kelvin M. Klann, 2023-06-13)
| |
| |     In `invalid_name`.
| |
| * util.c: increase name max length from 64 to 253 (Kelvin M. Klann, 2023-06-13)
| |
| |     To match the hostname check in src/firejail/main.c.
| |
| * main.c: remove redundant has_cntrl_chars check (Kelvin M. Klann, 2023-06-13)
| |
| |     The `invalid_name` function does not allow control characters.
| |
| |     Added on commit d349a2ff8 ("Forbid control chars in names",
| |     2023-03-03) / PR #5708.
| |
* | cleanup (netblue, 2023-06-18)
|/
* build: enable compiler warnings by default (Kelvin M. Klann, 2023-05-31)
|
|     Enable -Wall by default and add -Wextra.
|
* build: organize warning flags in CFLAGS (Kelvin M. Klann, 2023-05-31)
|
* Print version on startup for firejail/firecfg (Kelvin M. Klann, 2023-05-14)
|
|     It is not too uncommon for the firejail version to be missing when
|     issues are reported; this commit makes it more likely that any posted
|     logs will contain the program version.
|
|     Do so just for firejail and firecfg for now because they are the most
|     common user-facing programs.
|
|     Print the version after argument parsing, in order to avoid printing
|     the program version more than once and to avoid interfering with
|     commands that generate machine-readable output (like `firejail --list`
|     and `firecfg --list`). Also, only print it after all profiles have
|     been loaded, because a profile may contain `quiet`.
|
|     Note: This does not cover the case where the program exits before the
|     end of argument/profile parsing (such as when an error occurs).
|
* Move usage text into usage_str var (Kelvin M. Klann, 2023-05-14)
|
|     For consistency and readability.
|
|     Note: This also makes exactly one extra blank line be printed at the
|     end of every usage text, which is currently only done in the following
|     files:
|
|     * src/fcopy/main.c
|     * src/fnettrace-dns/main.c
|     * src/fnettrace-icmp/main.c
|     * src/fnettrace-sni/main.c
|     * src/fnettrace/main.c
|     * src/profstats/main.c
|
* Standardize usage string var declarations (Kelvin M. Klann, 2023-05-14)
|
|     Changes:
|
|     * Name them all "usage_str"
|     * Make them const
|
|     For the latter item, see commit eb20f52ef ("Make list of paths const
|     to fix a false positive of gcc analyzer", 2022-07-27) / PR #5275.
|
* Standardize version output (Kelvin M. Klann, 2023-05-14)
|
|     Changes:
|
|     * Only print the version line in the print_version function
|     * Add a print_version function where missing (put it in usage.c if the
|       file exists)
|     * Always a blank line after the version
|
* firejail: simplify print_compiletime_support function (Kelvin M. Klann, 2023-05-14)
|
|     Build the entire string at once and print it only once.
|
* firejail: deduplicate version printing (Kelvin M. Klann, 2023-05-14)
|
|     Split print_version into two functions:
|
|     * print_version: only prints the version line
|     * print_version_full: also prints compile-time support
|
* firejail: move print_version from checkcfg.c to usage.c (Kelvin M. Klann, 2023-05-14)
|
* Remove dash before version on --help output (Kelvin M. Klann, 2023-05-14)
|
|     Currently, --version doesn't print a dash while --help does. Example:
|
|         $ firejail --version | grep 'version 0'
|         firejail version 0.9.73
|         $ firejail --help | grep 'version 0'
|         firejail - version 0.9.73
|
|     For consistency, always print the version without a dash.
|
|     Commands used to search and replace:
|
|         $ git grep -IFlz ' - version' -- src | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed 's/ - version/ version/' '{}')\" >'{}'"
|
* jailcheck: fix wrong program name in --version (Kelvin M. Klann, 2023-05-12)
|
|     Added on commit 42e2db127 ("jaitest - simple sandbox testing utility
|     program", 2021-02-20).
|
* etc-cleanup: fix wrong header path in Makefile (Kelvin M. Klann, 2023-05-11)
|
|     This is causing main.o to be built using an implicit rule (rather than
|     the rule from src/prog.mk), which does not use PROG_CFLAGS.
|
|     Example (using src/fldd as a working example for comparison):
|
|         $ make -C src/etc-cleanup clean >/dev/null && make -C src/etc-cleanup | grep -Ev '(Entering|Leaving) directory'
|         gcc -g -O2 -c -o main.o main.c
|         gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -o etc-cleanup main.o
|         $ make -C src/etc-cleanup clean >/dev/null && make -C src/etc-cleanup -r | grep -Ev '(Entering|Leaving) directory'
|         make: *** No rule to make target 'main.o', needed by 'etc-cleanup'. Stop.
|         $ make -C src/fldd clean >/dev/null && make -C src/fldd | grep -Ev '(Entering|Leaving) directory'
|         gcc -ggdb -O2 -DVERSION='"0.9.73"' -fstack-protector-all [...]
|         gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -o fldd main.o ../lib/common.o ../lib/ldd_utils.o
|         $ make -C src/fldd clean >/dev/null && make -C src/fldd -r | grep -Ev '(Entering|Leaving) directory'
|         gcc -ggdb -O2 -DVERSION='"0.9.73"' -fstack-protector-all [...]
|         gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -o fldd main.o ../lib/common.o ../lib/ldd_utils.o
|
|     Environment: GNU make 4.4.1-2 on Artix Linux.
|
|     This amends commit e889db095 ("build fix", 2023-02-06).
|
|     See also commit 02d37680c ("private-etc rework: file groups moved to
|     src/include/etc_groups.h, new groups added", 2023-01-25).
|
|     Relates to #5610.
|
* sbox: improve seccomp blacklist (smitsohu, 2023-05-09)
|
* arp.c: ensure positive timeout on select(2) (Kelvin M. Klann, 2023-05-01)
|
|     Log from build_and_test[1]:
|
|         TESTING: network scan (net_scan.exp)
|         [...]
|         firejail /bin/bash
|         Child process initialized in 1704.83 ms
|         spawn /bin/bash
|         firejail --net=br0 --ip=10.10.20.60
|         runner@fv-az576-472:~/work/firejail/firejail/test/network$ <l/test/network$ firejail --net=br0 --ip=10.10.20.60
|         Reading profile /etc/firejail/default.profile
|         Reading profile /etc/firejail/disable-common.inc
|         Reading profile /etc/firejail/disable-programs.inc
|         ** Note: you can use --noprofile to disable default.profile **
|         Error select: arp.c:202 arp_check: Invalid argument
|         runner@fv-az576-472:~/work/firejail/firejail/test/network$
|         TESTING ERROR 4
|
|     This "Invalid argument" error does not always happen, so I assume that
|     it may be due to a negative integer value in `ts` when calling select.
|
|     Misc: Found in #5805.
|
|     [1] https://github.com/netblue30/firejail/actions/runs/4806275219/jobs/8553597462
|
* New profile: url-eater (#5780) (glitsj16, 2023-04-18)
|
|     * Create url-eater.profile
|     * RELNOTES: add url-eater to 'new profiles'
|
* fix for old compilers (netblue30, 2023-04-06)
|
* Merge pull request #5710 from pirate486743186/mov-cli (netblue30, 2023-03-23)
|\
| |
| |     add mov-cli.profile
| |
| * add mov-cli (pirate486743186, 2023-03-04)
| |
* | Merge pull request #5737 from glitsj16/private-etc-bugfix (netblue30, 2023-03-23)
|\ \
| | |
| | |     fs_etc.c: conditionally create /etc/resolv.conf
| | |
| * | fs_etc.c: fix misleading indentation (glitsj16, 2023-03-15)
| | |