firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	more on nettrace	netblue30	2022-01-16
\|
*	Merge pull request #4856 from smitsohu/fildes	netblue30	2022-01-16
\|\ \| \| \| \|	keep-fd option (#4845)
\| *	keep-fd option (#4845)	smitsohu	2022-01-14
\| \|
* \|	Merge pull request #4851 from kmk3/groups-keep-vglusers	netblue30	2022-01-16
\|\ \ \| \| \| \| \| \|	Keep vglusers group unless no3d is used (virtualgl)
\| * \|	Keep vglusers group unless no3d is used (virtualgl)	Kelvin M. Klann	2022-01-12
\| \|/ \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	virtualgl[1] runs `chown root:vglusers` on `/dev/nvidia*` and on devices usually owned by the "render" group[2]. This makes them unavailable in the sandbox if `noroot` (which causes groups to be dropped) is used. Since firejail classifies all of the aforementioned devices as being `DEV_3D` on fs_dev.c (which means that they are controlled by `no3d`), treat the "vglusers" group the same as the "render" group (by always keeping "vglusers" unless `no3d` is used). See the discussion on #2042 (from this comment[3] onwards). [1] https://virtualgl.org [2] https://github.com/VirtualGL/virtualgl/blob/6f0b90be02d13171dfdfffb112485f4091a5904f/server/vglserver_config#L393 [3] https://github.com/netblue30/firejail/issues/2042#issuecomment-1007468715 Reported-by: @JCallicoat
* \|	raincat	netblue30	2022-01-14
\| \|
* \|	fix warzone2100 (Debian 11)	netblue30	2022-01-13
\| \|
* \|	add wget2 to firecfg.config	glitsj16	2022-01-13
\|/
*	refactor closing of file descriptors	smitsohu	2022-01-12
\|
*	fix scan-build	netblue30	2022-01-11
\|
*	fix scan-build/cppcheck warnings	netblue30	2022-01-11
\|
*	remove compile warning	netblue30	2022-01-10
\|
*	nettrace	netblue30	2022-01-09
\|
*	Merge pull request #4826 from adrianlshaw/master	netblue30	2022-01-08
\|\ \| \| \| \|	RPCS3 profile
\| *	Add rpcs3 profile	Adrian L. Shaw	2022-01-06
\| \|
* \|	Merge pull request #4827 from kmk3/noprinters-add-missing	netblue30	2022-01-08
\|\ \ \| \| \| \| \| \|	noprinters: add missing items & add to profile.template
\| * \|	noprinters: add missing items from new command checklist	Kelvin M. Klann	2022-01-05
\| \|/ \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	See CONTRIBUTING.md. The changes are based on what was done on commit 5a612029b ("rename noautopulse to keep-config-pulse", 2021-05-13) / PR #4278. This amends commit bd15e763e ("--noprinter option", 2021-10-20) and commit d9403dcdc ("small fix", 2021-10-20). Relates to #4607.
* \|	2022 copyright update	netblue30	2022-01-07
\| \|
* \|	more on nettrace	netblue30	2022-01-07
\| \|
* \|	fix wrap/nowrap help string in firemon	netblue30	2022-01-07
\|/
*	add notable	glitsj16	2022-01-05
\|
*	nettrace/netlock	netblue30	2022-01-04
\|
*	remove compile warnings	netblue30	2021-12-28
\|
*	updates	netblue30	2021-12-28
\|
*	Merge branch 'master' into whitelist-ro	netblue30	2021-12-28
\|\
\| *	nettrace	netblue30	2021-12-28
\| \|
\| *	nettrace/netlock	netblue30	2021-12-28
\| \|
\| *	Fix a typo	Tad	2021-12-21
\| \| \| \| \| \| \| \|	Signed-off-by: Tad <tad@spotco.us>
\| *	firecfg fix (#4235)	netblue30	2021-12-21
\| \|
\| *	fix bug: firejail rejects empty arguments (#4395)	netblue30	2021-12-21
\| \|
\| *	updates	netblue30	2021-12-19
\| \|
\| *	fix --private-cwd problem	netblue30	2021-12-19
\| \|
\| *	Remove profcleaner.c and profcleaner.sh	Kelvin M. Klann	2021-12-10
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	As of this commit, these are not of much use. Though later if a generic profile search/replace tool with built-in rules is to be added, the tools in question could be used as a starting point. src/tools/profcleaner.c was added on commit fe0f975f4 ("move whitelist/blacklist to allow/deny", 2021-07-05). src/tools/profcleaner.sh was added on commit ed02ab57b ("Create profcleaner.sh", 2021-07-07) / PR #4389. Relates to #4410.
\| *	Revert "allow/noallow/deny/nodeny aliases for ↵	Kelvin M. Klann	2021-12-10
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	whitelist/nowhitelist/blacklist/noblacklist" This reverts commit 45f2ba544e9934b49e03b17c0a638dddc3a44734. Note: This is not a clean revert. Note2: This also reverts the changes to src/firejail/profile.c from commit fe0f975f4 ("move whitelist/blacklist to allow/deny", 2021-07-05). Relates to #4410.
\| *	Revert "allow/deny in zsh completion"	Kelvin M. Klann	2021-12-10
\| \| \| \| \| \| \| \| \| \| \| \|	This reverts commit 1021fb9e5d32a48698c0c8c913d44a048b12db7f. Relates to #4388 and #4410.
\| *	profstats fix (#4733)	netblue30	2021-12-10
\| \|
\| *	Merge pull request #4743 from vnepogodin/master	netblue30	2021-12-08
\| \|\ \| \| \| \| \| \|	Add CachyBrowser profile
\| \| *	Add new cachy-browser profile	Vladislav Nepogodin	2021-12-06
\| \| \|
\| * \|	Merge pull request #4732 from kmk3/fix-groups-misc3	netblue30	2021-12-08
\| \|\ \ \| \| \| \| \| \| \| \|	Fix keeping certain groups with nogroups
\| \| * \|	Fix keeping certain groups with nogroups	Kelvin M. Klann	2021-12-07
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This amends commit b828a9047 ("Keep audio and video groups regardless of nogroups", 2021-11-28) from PR #4725. The commit above did not change the behavior (the groups are still not kept). With this commit, it appears to work properly: $ groups \| grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 0 $ firejail --quiet --noprofile --nogroups groups \| grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 1 $ firejail --quiet --noprofile --nogroups groups \| grep audio >/dev/null && echo kept $ Add a new check_can_drop_all_groups function to check whether the supplementary groups can be safely dropped without potentially causing issues with audio, 3D hardware acceleration or input (and maybe more). It returns false if nvidia (and no `no3d`) is used or if (e)logind is not running, as in either case the supplementary groups might be needed. Note: With this, the behavior from before #4725 is restored on (e)logind systems (when not using nvidia), as it makes the supplementary groups always be dropped on such systems. Note2: Even with the static variable, these checks still happen at least twice. It seems that it happens once per translation unit (and I think that it may happen more times if there are multiple processes involved). This also amends (/kind of reverts) commit 6ddedeba0 ("Make nogroups work on nvidia again", 2021-11-29) from PR #4725, as it restores the nvidia check from it into the new check_can_drop_all_groups function.
\| \| * \|	Fix duplicated fwarning warnings	Kelvin M. Klann	2021-12-01
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This amends commit 11418a46c ("dns fixes", 2019-10-31). fwarning already prints "Warning: " at the beginning. Kind of relates to commit 6ddedeba0 ("Make nogroups work on nvidia again", 2021-11-29) / PR #4725, which removed code affected by this. Command used to find the duplicates: git grep -i -F 'fwarning("Warning:' -- src
\| \| * \|	util.c: Rename nogroups to force_nogroups on drop_privs	Kelvin M. Klann	2021-12-01
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	To not be confused with arg_nogroups, as in the vast majority of cases drop_privs is called with either 0 or 1 rather than arg_nogroups. The rename makes it clearer that what the parameter does is to drop all groups without exception, unlike arg_nogroups, which may have certain groups be kept.
\| * \| \|	profstats: Fix whitespace on license notice	Kelvin M. Klann	2021-12-06
\| \| \|/ \| \|/\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This amends commit ebe4c93f2 ("profstats cleanup", 2021-12-01) / #4730. This is the second paragraph verbatim of one of the GPL license notices recommended by GNU[1]: This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. On all but one (external) file (and on src/profstats/main.c), the notice uses the same spacing: $ git grep -I -F 'FITNESS FOR A PARTICULAR PURPOSE. See' \| wc -l 156 $ git grep -I -F 'FITNESS FOR A PARTICULAR PURPOSE. See' m4/ax_check_compile_flag.m4:# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General src/profstats/main.c: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the [1] https://www.gnu.org/licenses/gpl-howto.en.html
\| * \|	Add a profile for Flatseal	Hugo Osvaldo Barrera	2021-12-03
\| \| \|
* \| \|	Implement a `whitelist-ro` command	Hugo Osvaldo Barrera	2021-12-03
\|/ / \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This is a shortcut to: whitelist $PATH read-only $PATH Ideally, a great deal of usages of `whitelist` should be replaced with this instead.
* /	profstats cleanup	glitsj16	2021-12-01
\|/
*	Merge pull request #4725 from kmk3/fix-groups-misc2	netblue30	2021-11-30
\|\ \| \| \| \|	Keep some groups regardless of nogroups and restore nogroups on nvidia
\| *	Make nogroups work on nvidia again	Kelvin M. Klann	2021-11-29
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Remove workaround from commit 623e68216 ("temporary fix for nvidia/nogroups/noroot issue (#3644, #841)", 2020-10-02) and from commit cb460c32c ("more nvidia (#3644)", 2020-10-03). The handling of the "render" and "video" groups is separate from `nogroups` now, so disabling `nogroups` on nvidia shouldn't be necessary anymore. See the previous 2 commits for details. See also the discussion on PR #4632.
\| *	Keep render, lp, input and other groups regardless of nogroups	Kelvin M. Klann	2021-11-29
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Mappings of command -> group that this commit adds: * no3d -> render * noprinters -> lp * nodvd -> cdrom (Debian[1] and Gentoo[2]), optical (Arch[3]) * noinput -> input Mappings that were considered but that are not added: * notv -> ? (unknown group) * nou2f -> ? (devices are apparently owned by root; see #4603) Based on @rusty-snake's suggestion: https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299 See the previous commit ("Keep audio and video groups regardless of nogroups") for details. Relates to #2042 and #4632. [1] https://wiki.debian.org/SystemGroups [2] https://api.gentoo.org/uid-gid.txt [3] https://wiki.archlinux.org/title/Users_and_groups
\| *	Keep audio and video groups regardless of nogroups	Kelvin M. Klann	2021-11-29
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Currently, on systems that use seat managers that do not implement seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is used. This happens because without ACLs, access to the audio devices in /dev is controlled by the standard group permissions and the "audio" group is always dropped when `nogroups` is used. This patch makes the "audio" and "video" groups be dropped if and only if `noaudio` and `novideo` are in effect, respectively (and independently of `nogroups`). See #4603 and the linked issues/discussions for details. Note: This is a continuation of commit ea564eb74 ("Consider nosound and novideo when keeping groups") / PR #4632. Relates to #2042 and #4531.