| Commit message (Collapse) | Author | Age |
|
Functions with `...` as the first parameter appear to be unsupported in
older versions of gcc, as they fail to compile. Examples:
Error from gcc 9.5.0-1ubuntu1~16.04.sav1 on Ubuntu 16.04:
[...]
In file included from appimage.c:23:
firejail.h:981:27: error: ISO C requires a named argument before ‘...’
981 | static inline int ll_read(...) { return 0; }
| ^~~
Warning from gcc 13.2.1-3 on Artix Linux:
$ ./configure --disable-landlock >/dev/null && make clean >/dev/null &&
make EXTRA_CFLAGS+='-std=c99 -Wpedantic -Wno-error'
[...]
gcc -ggdb -O2 -DVERSION='"0.9.73"' -DMOD_DIR='"src/firejail"' [...]
In file included from appimage.c:23:
firejail.h:982:27: warning: ISO C requires a named argument before ‘...’ before C2X [-Wpedantic]
982 | static inline int ll_read(...) { return 0; }
| ^~~
Fixes #6115.
Relates to #6078.
|
Geary uses bubblewrap now.
Fixes #6103.
|
The relevant functions are all identical except for the access flags
used.
Relates to #6078.
|
When a new landlock entry is parsed from a profile, the first entry in
the `cfg.lprofile` list is being set as the next/second entry and the
new entry is being set as the first entry in the list, so all entries
are being processed from last to first.
This commit makes the behavior of ll_add_profile() match the one from
profile_add() in src/firejail/profile.c so that the entries are
processed in the same order that they are parsed.
This amends commit b94cc754a ("landlock: apply rules in sandbox before
app start", 2023-10-26) / PR #6078.
|
This amends commit 520508d5b ("landlock: avoid parsing landlock commands
twice", 2023-11-02) / PR #6078.
|
To avoid confusion, only return a new ruleset and let the caller set the
global one.
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
For consistency with the other functions that have no parameters.
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
This amends commit d10bf154a ("landlock: detect support at runtime",
2023-11-06) / PR #6078.
|
This amends commit d10bf154a ("landlock: detect support at runtime",
2023-11-06) / PR #6078.
|
This amends commit 13b2c566d ("feature: add Landlock support",
2023-10-24) / PR #6078.
|
Originally from PR #5359.
Relates to #6078.
|
in README.md
|
feature: add Landlock support
|
And ignore landlock-related commands if Landlock is unsupported at
runtime.
|
Apply rules in the sandbox thread before the application is started.
|
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
|
feature: expand simple macros in more commands
|
This includes macros such as `${HOME}` and `${RUNUSER}`.
Commands:
* --chroot=
* --netfilter=
* --netfilter6=
* --trace=
Closes #6032.
Reported-by: @michelesr
|
feature: firecfg: add firecfg.d & add ignore command
|
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].
It prevents firecfg from creating a symlink for the given program.
Also, document the paths used and the config file syntax.
Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.
Closes #2097.
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
|
As suggested by @WhyNotHugo[1].
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
|
Instead of using asprintf + free.
Also, use LIBDIR instead of hardcoded "/usr/lib" for fzenity.
|
Changes:
* fix inconsistent indentation/braces
* add missing free
|
Lookup xauth in PATH.
|
Don't use hardcoded `/usr/bin/xauth`,
iterate over directories inside PATH instead.
This fixes https://github.com/netblue30/firejail/issues/6006
|
fcopy: Use lstat when copy directory.
|
When copying directories use lstat when reading info about source files.
|
The most generic way is to use `intmax_t`
because we don't know what is the "parent" type of `off_t`.
This fixes https://github.com/netblue30/firejail/issues/5982 .
|
* disable-programs.inc: add support for tiny-rdm
* Create tiny-rdm.profile
* firecfg.config: add support for tiny-rdm
|
to run these options
|
* profiles: drop private-opt (existing whitelist)
* profiles: replace private-opt with whitelist
In most profiles.
Kept private-opt for enpass (~85MB), mate-dictionary (<20MB),
minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't
check: xmr-stak.
* docs: note potential issues with private-opt
|
* Create termshark.profile
* firecfg.config: add termshark support
* termshark: CLI hardening
|
New profile: tidal-hifi
|
modified src/firecfg/firecfg.config to add tidal-hifi
created etc/profile-m-z/tidal-hifi.profile
closes: #6008
Apply suggestions from code review
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
* disable-programs.inc: add lettura support
* Create lettura.profile
* firecfg.config: add lettura
|
Co-authored-by: pirate486743186 <>
|
modif: keep pipewire group unless nosound is used
|
This group is apparently used on Gentoo[1].
Currently only the "audio" supplementary group is kept.
Fixes #5992.
See also commit f32938669 ("Keep vglusers group unless no3d is used
(virtualgl)", 2022-01-07) / PR #4851.
[1] https://wiki.gentoo.org/wiki/PipeWire
Reported-by: @amano-kenji
|
Fix the list generation and run `make syntax`.
Relates to #5627.
|
Closes #5965
|