aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAge
...
| * | private-lib: mask /usr/local/lib[,64] directories, tooLibravatar smitsohu2021-03-04
| | |
* | | Merge pull request #4042 from smitsohu/privatelib6Libravatar netblue302021-03-05
|\| | | | | | | | private-lib hardening
| * | private-lib hardeningLibravatar smitsohu2021-03-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ensure that libraries are loaded from a default ld.so search path it is reasonable for firejail to expect that unprivileged users have no write permission on these paths; lax permissions there mean that the system is probably screwed anyway
* | | Merge pull request #4041 from smitsohu/traceLibravatar netblue302021-03-05
|\ \ \ | | | | | | | | sandbox setup: postpone library preloading
| * | | sandbox setup: postpone library preloadingLibravatar smitsohu2021-03-03
| |/ / | | | | | | | | | | | | for now avoids mixing of traces from sandbox helpers into application traces
* | | Merge pull request #4040 from smitsohu/loggerLibravatar netblue302021-03-05
|\ \ \ | | | | | | | | sandbox setup: postpone fslogger
| * | | sandbox setup: postpone fsloggerLibravatar smitsohu2021-03-03
| |/ / | | | | | | | | | | | | | | | postpone writing of log file in order to catch filesystem modifications from x11 functions
* | | Merge pull request #4038 from rusty-snake/zsh-comp-improvementsLibravatar netblue302021-03-05
|\ \ \ | | | | | | | | Zsh completion improvements
| * | | zsh-comp: better value completionLibravatar rusty-snake2021-03-03
| | | |
| * | | zsh-comp: make some options mutually exclusiveLibravatar rusty-snake2021-03-03
| | | |
| * | | zsh-comp: order and sortLibravatar rusty-snake2021-03-01
| | | |
| * | | zsh-comp: Use easiery syntaxLibravatar rusty-snake2021-03-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I don't understand the current brace expansions, so let's use a easier one: --foo <> one-time; no argument *--foo <> multi-time; no argument --foo=- <> one-time; with argument (direct after the =) *--foo=- <> multi-time; with argument (direct after the =)
* | | | Merge pull request #4036 from rusty-snake/has_privateLibravatar netblue302021-03-05
|\ \ \ \ | | | | | | | | | | Add new condition ?HAS_PRIVATE:
| * | | | Add new condition ?HAS_PRIVATE:Libravatar rusty-snake2021-03-03
| | | | | | | | | | | | | | | | | | | | | | | | | Idea from @vinc17fr https://github.com/netblue30/firejail/issues/4026#issuecomment-789178572
* | | | | Merge pull request #3997 from nidamanx/patch-2Libravatar netblue302021-03-05
|\ \ \ \ \ | |_|_|_|/ |/| | | | Create nextcloud-desktop.profile
| * | | | Add nextcloudLibravatar Nicola Davide Mannarelli2021-02-22
| | | | |
| * | | | Add nextcloud-desktopLibravatar Nicola Davide Mannarelli2021-02-20
| | | | |
* | | | | bring back postexecseccomp for chroot/appimage/overlay sandboxesLibravatar smitsohu2021-03-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | back in the days always the same default seccomp filter was loaded for chroot/appimage/overlayfs sandboxes. Nowadays users can configure their own filters, so allow postexecseccomp again.
* | | | | cosmeticsLibravatar smitsohu2021-03-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | remove whitespaces in order to create a uniform message layout. Compare with: ** Note: you can use --noprofile to disable default.profile ** when firejail loads the default profile.
* | | | | private-etc: minor timetrace fixLibravatar smitsohu2021-03-03
| |/ / / |/| | | | | | | | | | | fixes reversed /etc and /usr/etc timetraces
* | | | Use strerror(errno) instead of %mLibravatar Tomi Leppänen2021-03-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Better for portability and consistency. Currently strerror() is used everywhere else, so use it here as well. printf's %m is a glibc extension that is supported also by some other libc implementations. Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
* | | | Improve error reporting while mountingLibravatar Tomi Leppänen2021-03-03
| | | | | | | | | | | | | | | | | | | | | | | | Move error message after debug logging and add cause message. Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
* | | | Fix typosLibravatar glitsj162021-03-02
| | | |
* | | | Merge pull request #4024 from kmk3/improve-makefilesLibravatar Reiner Herrmann2021-03-01
|\ \ \ \ | |_|/ / |/| | | Makefile improvements
| * | | makefiles: make all, clean and distclean PHONYLibravatar Kelvin M. Klann2021-03-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Avoid a stat() call for each affected target and also potentially speed up parallel builds. From the GNU make manual[1]: > Phony targets are also useful in conjunction with recursive > invocations of make (see Recursive Use of make). In this situation > the makefile will often contain a variable which lists a number of > sub-directories to be built. [...] > The implicit rule search (see Implicit Rules) is skipped for .PHONY > targets. This is why declaring a target as .PHONY is good for > performance, even if you are not worried about the actual file > existing. Commands used to search, replace and cleanup: $ find -type f -name '*Makefile.in' -exec sed -i.bak \ -e 's/^all:/.PHONY: all\nall:/' \ -e 's/^clean:/.PHONY: clean\nclean:/' \ -e 's/^distclean:/.PHONY: distclean\ndistclean:/' '{}' + $ find -type f -name '*Makefile.in.bak' -exec rm '{}' + [1]: https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html
| * | | makefiles: fix misc blank line consistencyLibravatar Kelvin M. Klann2021-03-01
| | | |
| * | | makefiles: fix whitespaceLibravatar Kelvin M. Klann2021-03-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With a fun little script: $ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \ "test -s '{}' && printf '%s\n' \"\`git stripspace <'{}'\`\" >'{}'"
* | | | manpage: Add log as value of seccomp-error-actionLibravatar rusty-snake2021-03-01
| | | | | | | | | | | | | | | | man firejail-profiles has it already. [skip ci]
* | | | Update shell completionsLibravatar rusty-snake2021-03-01
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | bash: - remove --audit zsh: - add --mkdir + --mkfile - remove -audit and fix typo in 9b56dc8e
* | | some cleanupLibravatar netblue302021-03-01
| | |
* | | retiring --audit (replaced by jailtest)Libravatar netblue302021-03-01
| | |
* | | Clarify enforce_filters messageLibravatar rusty-snake2021-03-01
| | | | | | | | | | | | | | | | | | The current message misses the info that nnp and nogroups is applied too. The new mentions nnp too, but is very long. If anyone has a better wording, say it.
* | | Add ./configure --enable-force-nonewprivsLibravatar rusty-snake2021-03-01
| | | | | | | | | | | | This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
* | | fixesLibravatar rusty-snake2021-03-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - RELNOTS: protocol now accumulates - fix #3978 -- Android Studio: cannot create the directory Unresolved: > google-earth.profile has a 'noblacklist ${HOME}/.config/Google' too, > so we should consider to add additional blacklists for ~/.config/Google/*. - marker.profile: allow ${DOCUMENTS} - profile.template: add bluetooth protocol - profile.template: add DBus portal note - firejail-profile.txt: revert 17fe4b9e -- fix private=directory in man firejail-profile see https://github.com/netblue30/firejail/pull/3970#discussion_r574411745
* | | compile time: enable LTSLibravatar startx20172021-02-28
| | |
* | | compile time: disable --outputLibravatar startx20172021-02-28
| | |
* | | dbus.c: check_object_path: Allow /StatusNotifierWatcher (#4015)Libravatar rusty-snake2021-02-26
| | |
* | | mkdir/mkfile man pagesLibravatar netblue302021-02-26
| | |
* | | Merge pull request #4009 from Tomin1/protocol_list_improvementsLibravatar netblue302021-02-26
|\ \ \ | | | | | | | | Allow changing protocol list after initial set
| * | | Allow changing "protocol" list after initial setLibravatar Simo Piiroinen2021-02-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Firejail uses set-once logic for "protocol" list. This makes it impossible to accumulate list of allowed protocols from multiple include files. Use profile_list_augment() for maintaining list of protocols. This implicitly means protocols can be added/removed via any number of command line options / profile configuration files. Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
| * | | Add utility functions for handling comma separated listsLibravatar Simo Piiroinen2021-02-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A lot of profile options deal with manipulating strings containing comma separated list of things, using several strains of similar but not exactly the same code, duplicated for the purposes of processing command line arguments and parsing configuration files. Having utility functions available for handling such list strings can make higher level logic shorter, cleaner and function in more uniform manner. Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
* | | | Add --mkdir and --mkfile command line options for firejailLibravatar Simo Piiroinen2021-02-25
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Profile files are defined as a means to "pass several command line arguments to firejail" but apparently for example mkdir and mkfile options are available in context of profile files, but can't be specified directly from command line. Add support for -mkdir and --mkfile options so that executing: firejail --mkdir=${HOME}/directory/path\ --whitelist=${HOME}/directory/path behaves similarly as having profile file content: mkdir ${HOME}/directory/path whitelist ${HOME}/directory/path Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
* | | Merge pull request #4007 from smitsohu/privatelib5Libravatar netblue302021-02-25
|\ \ \ | | | | | | | | fix firecfg links in restrictive sandboxes
| * | | fix firecfg links in restrictive sandboxesLibravatar smitsohu2021-02-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | firejail symbolic link redirection currently depends on a shell, but in restrictive sandboxes there might be no execute permission, or private-lib might have removed necessary libraries, or seccomp might block required syscalls ... Fix this by forcing --shell=none. closes #3911
| * | | cleanupLibravatar smitsohu2021-02-25
| | |/ | |/|
* | | cleanupLibravatar smitsohu2021-02-25
| | |
* | | private-lib: minor simplificationLibravatar smitsohu2021-02-25
| | |
* | | musl fix (#3998)Libravatar smitsohu2021-02-25
| | | | | | | | | | | | | | | musl stdlib (Alpine Linux) doesn't know about canonicalize_file_name, replace with equivalent realpath calls
* | | fcopy: fixes for old compilers, cppcheck fixes (#3998)Libravatar netblue302021-02-24
| | |
* | | Merge pull request #4004 from smitsohu/privatelib4Libravatar netblue302021-02-24
|\ \ \ | | | | | | | | add PATH_FCOPY to private-lib automatically
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-11 21:30:18 +0000