Commit message | Author | Age
Allow overriding the following tools at configure-time and build-time:
* codespell
* cppcheck
* gawk
* scan-build
For example, instead of hardcoding `gawk`, enable overriding it at
configure-time with:
./configure GAWK=/path/to/gawk
To override it for a single `make` invocation:
make GAWK=/path/to/gawk
Also, add default values for the programs that are not found (rather
than leaving the variables empty), to make error messages clearer when
trying to run them:
$ make CPPCHECK= cppcheck-old
[...]
force --error-exitcode=1 --enable=warning,performance .
make: force: No such file or directory
$ make CPPCHECK=cppcheck cppcheck-old
[...]
cppcheck --force --error-exitcode=1 --enable=warning,performance .
make: cppcheck: No such file or directory
Move most of the `errExit` macro into a new `_errExit` inline function
and use the former just to forward arguments to the latter.
This reduces the noise in the build output when using `-fanalyzer`, as
it causes the `errExit` macro to stop being expanded.
For example, the complete output of the following warning in
src/firejail/dbus.c is reduced from 243 lines to 141 lines (a ~41%
reduction):
$ pacman -Q gcc
gcc 13.2.1-5
$ ./configure --enable-apparmor --enable-analyzer >/dev/null &&
make clean >/dev/null && make >/dev/null
[...]
../../src/firejail/dbus.c: In function ‘dbus_proxy_start’:
../../src/firejail/dbus.c:311:36: warning: leak of file descriptor ‘dup2(output_fd, 1)’ [CWE-775] [-Wanalyzer-fd-leak]
311 | if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
[...]
‘dbus_create_user_dir’: event 5
|
|../../src/firejail/../include/common.h:42:25:
| 42 | #define errExit(msg) do { \
| | ^
| | |
| | (5) ...to here
../../src/firejail/dbus.c:239:17: note: in expansion of macro ‘errExit’
| 239 | errExit("asprintf");
| | ^~~~~~~
[...]
Relates to #6190.
Currently it is the only part of the build that prints to stderr on a
normal build, which makes it harder to keep just the warnings and errors
in the output:
$ ./configure >/dev/null && make clean >/dev/null &&
make -j "$(nproc)" >/dev/null
static ip map: input 5998, output 2490
Added on commit f3774678f ("compress static ip map for fnettrace at
compile time", 2023-07-06).
This amends commit 760f50f78 ("landlock: move commands into profile and
add landlock.enforce", 2023-11-17) / PR #6125.
Misc: This was noticed on #6203.
Relates to #6078.
gnome-keyring: harden and add gnome-keyring-daemon.profile
Recently (as of Landlock ABI 4), the `handled_access_net` field was
added to the `landlock_ruleset_attr` struct in the Linux kernel (in
linux/landlock.h). In src/firejail/landlock.c, that field is not being
set in the struct (as we currently do not use it) before passing it to
the `landlock_create_full_ruleset` syscall, so it is likely to contain
random garbage when used, resulting in the syscall returning EINVAL:
$ firejail --debug --profile=/etc/firejail/landlock-common.inc \
--landlock.enforce true
[...]
ll_is_supported: Detected Landlock ABI version 4
ll_restrict: Starting Landlock restrict
ll_create_full_ruleset: Creating Landlock ruleset (abi=4 fs=1fff)
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_read: Adding Landlock rule (abi=4 fs=c) for /
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
[...]
Not enforcing Landlock
So ensure that all structs in src/firejail/landlock.c are initialized to
0 before using them.
Note: Arch has recently (2024-01-31) updated the linux-api-headers
package from version 6.4-1 to 6.7-1[1]. The former version is not affected
(as it does not contain the extra struct field in linux/landlock.h),
while the latter is.
Fixes #6195.
Relates to #6078.
[1] https://gitlab.archlinux.org/archlinux/packaging/packages/linux-api-headers/-/commit/b4223b0c2bfba54c26acc4dc289415b81b15989f
Reported-by: @curiosityseeker
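The failure mode described above in miniature, as an added C example that is not firejail's code: a stand-in for `landlock_ruleset_attr` at ABI 4, a simplified model of the kernel's argument validation, and the two initialisation styles side by side. The struct layout, the access masks and the `leftover` value are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's struct landlock_ruleset_attr at ABI 4
 * (constructed here so the example builds without linux/landlock.h;
 * field names follow the header, the validation below is a simplified
 * model of landlock_create_ruleset(2), not the kernel's code). */
struct ruleset_attr_abi4 {
	uint64_t handled_access_fs;
	uint64_t handled_access_net;	/* new in ABI 4 */
};

#define MASK_ACCESS_FS	0x7fffULL	/* the 15 fs rights known at ABI 4 */
#define MASK_ACCESS_NET	0x3ULL		/* BIND_TCP | CONNECT_TCP */

/* Simplified model of the kernel check: any unknown bit in either
 * field is EINVAL, and a ruleset that handles nothing is ENOMSG. */
static int model_create_ruleset(const struct ruleset_attr_abi4 *attr)
{
	if (attr->handled_access_fs & ~MASK_ACCESS_FS)
		return -EINVAL;
	if (attr->handled_access_net & ~MASK_ACCESS_NET)
		return -EINVAL;
	if (!attr->handled_access_fs && !attr->handled_access_net)
		return -ENOMSG;
	return 0;
}

/* Before the fix: only the field the code knows about is assigned, so a
 * field added to the struct by newer headers keeps whatever was on the
 * stack.  `leftover` stands in for that stack garbage. */
static int create_partial_init(uint64_t fs, uint64_t leftover)
{
	struct ruleset_attr_abi4 attr;
	attr.handled_access_net = leftover;	/* simulated uninitialised field */
	attr.handled_access_fs = fs;
	return model_create_ruleset(&attr);
}

/* After the fix: zero the whole struct first, so a field the code does
 * not know about means "handle nothing" instead of random bits. */
static int create_zero_init(uint64_t fs)
{
	struct ruleset_attr_abi4 attr;
	memset(&attr, 0, sizeof(attr));
	attr.handled_access_fs = fs;
	return model_create_ruleset(&attr);
}
```

With the same fs=1fff as in the log, the partially initialised struct is rejected with EINVAL whenever the stray bits fall outside the net mask, while the zeroed one is accepted.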
Make the error message format in `ll_create_full_ruleset` match the
other ones in landlock.c.
This amends commit 01a9ddbbe ("landlock: improve logs for debugging",
2023-11-08).
Misc: This was noticed on #6195.
Relates to #6078.
This amends commit bf5a99360 ("landlock: add support for PATH macro",
2023-12-22).
Relates to #6078.
landlock: split .special into .makeipc and .makedev
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
build: improve main clean target
Move some clean commands into more relevant makefiles.
Fix the following CodeQL warning (CWE-253)[1]:
> Rule ID: cpp/incorrectly-checked-scanf
> The result of scanf is only checked against 0, but it can also return
> EOF.
> Functions in the scanf family return either EOF (a negative value) in
> case of IO failure, or the number of items successfully read from the
> input. Consequently, a simple check that the return value is nonzero
> is not enough.
>
> Recommendation
>
> Ensure that all uses of scanf check the return value against the
> expected number of arguments rather than just against zero.
Note: The affected code portions attempt to read values from /etc/passwd
and /etc/group, so invalid input seems unlikely to be the case. Either
way, the changes make the checks in question more consistent with
similar sscanf return value checks in the rest of the code.
Added on commit 4f003daec ("prevent leaking user information by
modifying /home directory, /etc/passwd and /etc/group", 2015-11-19).
[1] https://github.com/netblue30/firejail/security/code-scanning/32
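The check CodeQL flags, as an added C example that is not firejail's own parser: the `== 0` form and the fixed `!= expected` form are run over constructed passwd-style lines so the EOF and short-read cases the rule describes can be observed.

```c
#include <stdio.h>

/* Constructed passwd/group-style input (example code, not firejail's
 * parser): skip name and password, read uid and gid. */
#define FMT_UID_GID "%*[^:]:%*[^:]:%d:%d"

/* Pattern flagged by CodeQL (CWE-253): 0 is treated as the only
 * failure.  sscanf also returns EOF (-1) when the input ends before the
 * first conversion, and 1 when only the uid was read; both slip through
 * this check and leave *gid unset. */
static int parse_uid_gid_weak(const char *line, int *uid, int *gid)
{
	if (sscanf(line, FMT_UID_GID, uid, gid) == 0)
		return 0;
	return 1;
}

/* Fixed form: compare against the number of conversions requested. */
static int parse_uid_gid_strict(const char *line, int *uid, int *gid)
{
	if (sscanf(line, FMT_UID_GID, uid, gid) != 2)
		return 0;
	return 1;
}

/* Verdict helpers with pre-initialised outputs, so the difference is
 * observable without reading an uninitialised variable. */
static int weak_accepts(const char *line)
{
	int uid = -1, gid = -1;
	return parse_uid_gid_weak(line, &uid, &gid);
}

static int strict_accepts(const char *line)
{
	int uid = -1, gid = -1;
	return parse_uid_gid_strict(line, &uid, &gid);
}

int main(void)
{
	const char *full = "alice:x:1000:1000:Alice:/home/alice:/bin/sh";
	const char *truncated = "alice:x:1000:";
	const char *empty = "";
	printf("full:      weak=%d strict=%d\n", weak_accepts(full), strict_accepts(full));
	printf("truncated: weak=%d strict=%d\n", weak_accepts(truncated), strict_accepts(truncated));
	printf("empty:     weak=%d strict=%d\n", weak_accepts(empty), strict_accepts(empty));
	return 0;
}
```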
Warnings:
$ make codespell
Running codespell...
./README:757: Manuel ==> Manual
./RELNOTES:269: relpaced ==> replaced
./src/firecfg/desktop_files.c:60: diectory ==> directory
./platform/debian/control.i386:11: namepaces ==> namespaces
./platform/debian/control.amd64:11: namepaces ==> namespaces
make: *** [Makefile:383: codespell] Error 65
$ codespell --version
2.2.6
Unlike the rest of the normal startup output (which goes to stderr), the
version number is being printed to stdout, which makes it harder to
ignore all of firejail's output. Example:
$ firejail --noprofile /usr/bin/true --version 2>/dev/null
firejail version 0.9.73
true (GNU coreutils) 9.4
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Jim Meyering.
So make the normal startup version output go to stderr and keep the
other occurrences (such as in `firejail --version`) going to stdout, to
make it easier to grep things in the output.
Added on commit f019f0ec3 ("Print version on startup for
firejail/firecfg", 2023-05-11) / PR #5829.
Reported by @rusty-snake[1].
[1] https://github.com/netblue30/firejail/issues/6171#issuecomment-1912768721
Instead of manually specifying which source files depend on which
headers, use compiler flags to automatically generate depfiles (.d),
which declare the correct header (make) dependencies for each source
file (.c).
Use `-MMD` (which ignores system headers) to generate the dependencies
and `-MP` to prevent make from complaining when a header file is removed
while it is listed as a dependency in a depfile.
If depfiles exist, just include them. If not, make each object file
(.o) unconditionally depend on all header files in its source directory
and in src/include, to ensure that rebuilds are done when needed. The
latter case applies to the first build after `make clean` (which would
build everything anyway) and when the compiler does not support
generating depfiles.
Note that both gcc and clang have supported these options for a long
time.
Misc: This depends on the changes from commit 5b1bd33c7 ("build: use
full paths on compile/link targets", 2023-07-02) / PR #6158 to avoid
issues with make dependency tracking.
build: use full paths on compile/link targets
This makes the compile commands clearer when building in parallel (with
`make -j`) and ensures that `__FILE__` includes the full build-time path
(relative to the root of the repository) whenever it is referenced, such
as in failed assert() messages (currently the full path is only shown in
errExit() messages). Example:
Before:
firejail: main.c:100: main: Assertion `1 == 2' failed.
Error src/firecfg/main.c:100: main: malloc: Cannot allocate memory
After:
firejail: ../../src/firejail/main.c:100: main: Assertion `1 == 2' failed.
Error ../../src/firecfg/main.c:100: main: malloc: Cannot allocate memory
Commands used to search and replace:
$ git grep -Ilz '^MOD_DIR =' -- '*Makefile' | xargs -0 -I '{}' \
sh -c "printf '%s\n' \"\$(sed -E \
-e 's|^MOD_DIR = src/(.*)|MOD = \\1\\nMOD_DIR = \$(ROOT)/src/\$(MOD)|' \
-e 's:^(PROG|SO) = [^.]+(\.so)?$:\\1 = \$(MOD_DIR)/\$(MOD)\2:' \
'{}')\" >'{}'"
$ git grep -Ilz '^HDRS :=' -- '*.mk' | xargs -0 -I '{}' \
sh -c "printf '%s\n' \"\$(sed -E \
-e 's|wildcard (\*\..)|wildcard \$(MOD_DIR)/\\1|' '{}')\" >'{}'"
Note: config.mk.in, src/fnettrace/Makefile and src/include/common.h were
edited manually.
This is a follow-up to #5871.
Make it more similar to the assert() message format for consistency.
Example:
Before:
firejail: main.c:100: main: Assertion `1 == 2' failed.
Error src/firecfg/main.c:100 main(): malloc: Cannot allocate memory
After:
firejail: main.c:100: main: Assertion `1 == 2' failed.
Error src/firecfg/main.c:100: main: malloc: Cannot allocate memory
This amends commit b963fe41a ("Improve errExit error messages",
2023-06-16) / PR #5871.
build: use CPPFLAGS instead of INCLUDE in compile targets
With this, CFLAGS and CPPFLAGS are used when compiling and LDFLAGS when
linking, just like in the built-in GNU make rules. From `make -p`:
COMPILE.c = $(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c
LINK.c = $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(TARGET_ARCH)
LINK.o = $(CC) $(LDFLAGS) $(TARGET_ARCH)
Note: It is unclear where the `INCLUDE` variable comes from; it is not
documented in autoconf nor GNU make and automake (which itself is not
used in this repository) only mentions `INCLUDES`:
`INCLUDES`
This does the same job as `AM_CPPFLAGS` (or any per-target
`_CPPFLAGS` variable if it is used). It is an older name for
the same functionality. This variable is deprecated; we
suggest using `AM_CPPFLAGS` and per-target `_CPPFLAGS` instead.
Environment: automake 1.16.5-2 and GNU make 4.4.1 on Artix Linux.
See also commit 671c3f249 ("build: actually set LDFLAGS and LIBS in
makefiles", 2022-11-30) / PR #5504.
firecfg: use ignorelist also for .profile/.desktop files
Closes #5245.
Relates to #5876.
And make it const.
Changes:
* Export `in_ignorelist` function
* Allow only building the ignorelist without setting the symlinks
* Rename the functions to reflect the above
* Add a function that parses all config files (`parse_config_all`)
Also, make sure that `parse_config_all` only parses config files once,
even if called multiple times.
Relates to #5876.
Currently it is only used when parsing the configuration files:
* /etc/firecfg.d/*.conf
* /etc/firecfg.config
Use it when searching for profile filenames as well:
* ~/.config/firejail/*.profile
Relates to #5876.
Committer note: For each profile there is both XXX-gtk and gtk-XXX (such
as lbry-viewer-gtk and gtk-lbry-viewer).
XXX-gtk is the symlink
gtk-XXX is the actual file
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
Revert "Lookup xauth in PATH."
This reverts commit 407c05ebefe23e725f858b6170b3e52659e044a2.
If --private-lib is used (and firejail is configured with
--enable-private-lib), the following error occurs:
$ firejail --quiet --noprofile --private-lib true
firejail: fs_lib.c:56: find_in_path: Assertion `geteuid() != 0' failed.
Error: proc 10000 cannot sync with peer: unexpected EOF
Peer 10001 unexpectedly killed (Segmentation fault)
Given that it causes an uid assertion failure, the logic appears to not
be correct and the current behavior may be unsafe, so for now revert
that commit until the issue is properly addressed.
Relates to #6006 #6087.
Fixes #6113.
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
Avoid checking if Landlock is supported in ll_add_profile(), as it may
result in a warning being printed in ll_is_supported() in the next
commit.
Relates to #6078.
Relates to #6078.
This includes macros such as `${HOME}` and `${RUNUSER}`, but not
`${PATH}`, which may expand to multiple strings.
Relates to #6078.
The build on Alpine fails due to `__u32` not being defined. It seems
that musl itself does not define it, so linux/types.h would have to be
included (for example, by including linux/landlock.h).
Error from `build_src_package`[1]:
make -C src/firejail/
make[1]: Entering directory '/builds/Firejail/firejail_ci/src/firejail'
gcc [...] -DMOD_DIR='"src/firejail"' [...] -c appimage.c -o appimage.o
In file included from appimage.c:23:
firejail.h:977:17: error: unknown type name '__u32'
977 | int ll_restrict(__u32 flags);
| ^~~~~
make[1]: Leaving directory '/builds/Firejail/firejail_ci/src/firejail'
make[1]: *** [../../src/prog.mk:16: appimage.o] Error 1
make: *** [Makefile:58: src/firejail/firejail] Error 2
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
[1] https://gitlab.com/Firejail/firejail_ci/-/jobs/5729692038
Changes:
* Print everything to stderr (to ensure that the messages are shown in
order)
* Print debug messages at the beginning of most functions
* Include the function name and access flags used
Relates to #6078.
Functions with `...` as the first parameter appear to be unsupported in
older versions of gcc, as they fail to compile. Examples:
Error from gcc 9.5.0-1ubuntu1~16.04.sav1 on Ubuntu 16.04:
[...]
In file included from appimage.c:23:
firejail.h:981:27: error: ISO C requires a named argument before ‘...’
981 | static inline int ll_read(...) { return 0; }
| ^~~
Warning from gcc 13.2.1-3 on Artix Linux:
$ ./configure --disable-landlock >/dev/null && make clean >/dev/null &&
make EXTRA_CFLAGS+='-std=c99 -Wpedantic -Wno-error'
[...]
gcc -ggdb -O2 -DVERSION='"0.9.73"' -DMOD_DIR='"src/firejail"' [...]
In file included from appimage.c:23:
firejail.h:982:27: warning: ISO C requires a named argument before ‘...’ before C2X [-Wpedantic]
982 | static inline int ll_read(...) { return 0; }
| ^~~
Fixes #6115.
Relates to #6078.
Geary uses bubblewrap now.
Fixes #6103.
The relevant functions are all identical except for the access flags
used.
Relates to #6078.
When a new landlock entry is parsed from a profile, the first entry in
the `cfg.lprofile` list is being set as the next/second entry and the
new entry is being set as the first entry in the list, so all entries
are being processed from last to first.
This commit makes the behavior of ll_add_profile() match the one from
profile_add() in src/firejail/profile.c so that the entries are
processed in the same order that they are parsed.
This amends commit b94cc754a ("landlock: apply rules in sandbox before
app start", 2023-10-26) / PR #6078.
This amends commit 520508d5b ("landlock: avoid parsing landlock commands
twice", 2023-11-02) / PR #6078.
To avoid confusion, only return a new ruleset and let the caller set the
global one.
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.