| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |\ \ \ \
| | |/ /
| |/| | |
augment seccomp lists in firejail.config
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* move everything related to modification
of the default seccomp filter from --seccomp
to --seccomp= entry
* update errno descriptions
|
| | | | | |
|
| |\ \ \ \
| | | | |
| | | | | |
fs_home.c: run more code with euid of the user
|
| | | | | | |
|
| | | | | | |
|
| |/ / / /
| | | |
| | | |
| | | | |
Added on commit e770ab6d8 ("appimage: automatically detect profile").
|
| |\ \ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* firecfg.config alpine
* Create alpinef.profile
* Create alpine.profile
* disable-programs.inc alpine
* workaround in comment
* Update etc/profile-a-l/alpine.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* deactivating whitelists in ${HOME}
* comment
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* downgrade error to warning,
smiliar to read-write option;
this simplifies use of tmpfs
option in general purpose
profiles, for example we
don't need to worry about links
people put in their homedir
* update manpage
|
| | | |_|/
| |/| | |
|
| | | | | |
|
| | | | | |
|
| | |\ \ \
| | | |/
| | |/| |
gcov: add missing gcov.h includes
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fixes the following "implicit declaration" warning (13 occurrences in
total) when building with gcov support:
$ pacman -Q gcc10
gcc10 1:10.2.0-3
$ CC=gcc-10 && export CC
$ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
$ make >/dev/null
appimage.c: In function ‘appimage_set’:
appimage.c:140:2: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
140 | __gcov_flush();
| ^~~~~~~~~~~~
interface.c: In function ‘print_sandbox’:
interface.c:149:3: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
149 | __gcov_flush();
| ^~~~~~~~~~~~
netstats.c: In function ‘netstats’:
netstats.c:246:4: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
246 | __gcov_flush();
| ^~~~~~~~~~~~
[...]
Note: The commands above were executed from makepkg, while building
firejail-git from the AUR.
Note2: gcc-10 was used because the build fails with the current gcc
version (11.1.0) on Artix Linux. The failure happens because
__gcov_flush was removed on gcc 11.1.0[1]; this will be addressed later.
Note3: The following command helped find the affected files:
$ git grep -Fl __gcov -- src
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
|
| | |/ / |
|
| | | | |
|
| | |\ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* mcomix
* Create mcomix.profile
* tightening
* fixes
* comment
|
| | |/ /
| | |
| | |
| | | |
PR #4349
|
| | |\ \
| | | |
| | | | |
creating qcomicbook profile
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
always access files under control of the user
with effective user id of the user
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
just in case users decide to remove them
completely from the sandbox, by means of
private-etc or whitelist
|
| | | | | |
|
| | |/ / |
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Create googler-common.profile
* Create googler.profile
* Create ddgr.profile
* Update firecfg.config
* sort fix
* space
* space
* tightening
* comment
* fix comment
* fix private-etc and ${DOWNLOADS}
* fix sort
* redundant ${DOWNLOADS}
|
| | |\ \
| | | |
| | | | |
cmdline.c: optionally quote the resulting command line
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If we were launched by sshd, do not add extra quotes to the command
line. This is because if firejail is a login shell, sshd will launch
firejail thusly:
* argv[0]: /path/to/firejail
* argv[1]: -c
* argv[2]: user's command to execute
For example, if the user executed "ssh othernode echo hello world",
argv[2] will be "echo hello world". Firejail will then add *extra*
quotes to it, resulting in argv[2] becoming "'echo hello world' "
(without the "", of course). The user's shell (e.g., bash) will see
the extra single quotes and will not split the token into multiple
tokens. The shell will be unable to find an executable or intrinsic
named "echo hello world ", so it will fail.
This commit changes the above behavior if firejail is launched by
sshd. In that case, firejail will *not* add the extra single quotes
around argv[2]. Specifically: all the tokens still end up in argv[2],
but there's no *extra* quotes around argv[2], so the shell will split
argv[2] into multiple tokens (if necessary). In the above example,
argv[2] will be "echo hello world" (without the ""), which will be
split. The shell will then look for an intrinsic or executable named
"echo", which will succeed, and "hello world" will ultimately be
emitted.
Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
|
| | |\ \ \
| | |_|/
| |/| | |
add firejail.config switch for private-{bin,etc,opt,srv}
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* Create links-common.profile
* Update links.profile
* Create links2.profile
* Update links.profile
* Update links2.profile
* Update elinks.profile
* Update elinks.profile
* links2
* Update firecfg.config
* Update xlinks.profile
* .xlinks
* add dbus and whitelist-usr-share-common
* .xlinks doesn't exist
* revert
* Create xlinks2
* xlinks2
* Update xlinks2
* Update xlinks.profile
* no wayland
* no wayland
* doesn't use /tmp/.X11-unix
* doesn't use /tmp/.X11-unix
* noblacklist /tmp/.X11-unix
* noblacklist /tmp/.X11-unix
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | |/
| |/| |
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | | |
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
| | | |
| | |
| | | |
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
this commit add support to size parsing for k,m,g suffix for numbers and
applies this support to rlimit-as and rlimit-fsize arguments in both for
commandline and profile parsing.
supported suffix:
- k for kilobytes
- m for megabytes
- g for gigabytes
( these values uses 1024 bases instead of 1000 )
|
smitsohu
Kelvin M. Klann
Reiner Herrmann
pirate486743186
netblue30
Jeff Squyres
rusty-snake
kuesji koesnu