path: root/src
Commit message (Author, Age)
* Merge pull request #4376 from kmk3/gcov-add-nop-functions (netblue30, 2021-06-27)
|\
| |   gcov: use no-op functions if not enabled
| |
| * gcov: use no-op functions if not enabled (Kelvin M. Klann, 2021-06-27)
| |
| |   Instead of wrapping every gcov function call in an ifdef.
| |
| |   Note: The usage of `((void)0)` is based on section 7.2 of the C99
| |   standard (N1256)[1] [2]:
| |
| |   > 7.2 Diagnostics <assert.h>
| |   >
| |   > 1 The header <assert.h> defines the assert macro and refers to another
| |   > macro,
| |   >
| |   >     NDEBUG
| |   >
| |   > which is not defined by <assert.h>. If NDEBUG is defined as a macro
| |   > name at the point in the source file where <assert.h> is included, the
| |   > assert macro is defined simply as
| |   >
| |   >     #define assert(ignore) ((void)0)
| |
| |   See also assert.h(0p) from POSIX.1-2017[3].
| |
| |   Note: This is a continuation of commit b408b20c7 ("gcov: fix build
| |   failure with gcc 11.1.0") / PR #4373.
| |
| |   [1] http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1256.pdf
| |   [2] https://port70.net/~nsz/c/c99/n1256.html#7.2
| |   [3] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/assert.h.html
| |
| * gcov: fix indentation (Kelvin M. Klann, 2021-06-27)
| |
* | Merge pull request #4375 from smitsohu/kcmp (netblue30, 2021-06-27)
|\ \
| | |   remove kcmp from seccomp default drop list
| | |
| * | remove kcmp from seccomp default drop list (#3219) (smitsohu, 2021-06-26)
| | |
* | | Merge pull request #4373 from kmk3/gcov-fix-build-gcc11 (netblue30, 2021-06-27)
|\ \ \
| | |/
| |/|   gcov: fix build failure with gcc 11.1.0
| | |
| * | gcov: fix build failure with gcc 11.1.0 (Kelvin M. Klann, 2021-06-25)
| | |
| | |   The build currently fails if gcov support is enabled:
| | |
| | |       $ pacman -Q gcc
| | |       gcc 11.1.0-1
| | |       $ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
| | |       $ make >/dev/null
| | |       [...]
| | |       netstats.c: In function ‘netstats’:
| | |       netstats.c:250:25: warning: implicit declaration of function ‘__gcov_flush’; did you mean ‘__gcov_dump’? [-Wimplicit-function-declaration]
| | |         250 |                         __gcov_flush();
| | |             |                         ^~~~~~~~~~~~
| | |             |                         __gcov_dump
| | |       [...]
| | |       /usr/bin/ld: netstats.o: in function `netstats':
| | |       /tmp/firejail-git/src/firejail-git/src/firemon/netstats.c:250: undefined reference to `__gcov_flush'
| | |       [...]
| | |       collect2: error: ld returned 1 exit status
| | |       make[1]: *** [Makefile:10: firemon] Error 1
| | |       make: *** [Makefile:42: src/firemon/firemon] Error 2
| | |       [...]
| | |
| | |   This happens because __gcov_flush was removed on gcc 11.1.0[1] [2] [3].
| | |   See the following gcc commits:
| | |
| | |   * d39f7dc8d5 ("Do locking for __gcov_dump and __gcov_reset as well.")
| | |   * c0532db47d ("Use __gcov_dump and __gcov_reset in execv and fork context.")
| | |   * 811b7636cb ("Remove __gcov_flush.")
| | |
| | |   Its implementation did the following[4]:
| | |
| | |       __gcov_lock ();
| | |       __gcov_dump_int ();
| | |       __gcov_reset_int ();
| | |       __gcov_unlock ();
| | |
| | |   As hinted in the commit messages above, the function is no longer needed
| | |   because locking is now done inside each of __gcov_dump and __gcov_reset.
| | |   So add an implementation of __gcov_flush (on a new gcov_wrapper.h file)
| | |   for gcc >= 11.1.0, which just calls __gcov_dump and then __gcov_reset.
| | |
| | |   Commands used to search and replace:
| | |
| | |       $ git grep -Flz '#include <gcov.h>' -- '*.c' | xargs -0 -I '{}' sh -c \
| | |         "printf '%s\n' \"\`sed 's|<gcov\\.h>|\"../include/gcov_wrapper.h\"|' '{}'\`\" >'{}'"
| | |
| | |   Note: This is the continuation of commit 31557e9c7 ("gcov: add missing
| | |   gcov.h includes") / PR #4360.
| | |
| | |   [1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d39f7dc8d558ca31a661b02d08ff090ce65e6652
| | |   [2] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=c0532db47d092430f8e8f497b2dc53343527bb13
| | |   [3] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
| | |   [4] https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libgcc/libgcov-interface.c;h=855e8612018d1c9caf90396a3271337aaefdb9b3#l86
| | |
* | | tweaks (smitsohu, 2021-06-26)
| | |
* | | Merge pull request #4340 from smitsohu/kcmp (smitsohu, 2021-06-26)
|\ \ \
| | |/
| |/|   augment seccomp lists in firejail.config
| | |
| * | seccomp man page update (smitsohu, 2021-06-26)
| | |
| | |   * move everything related to modification of the default seccomp
| | |     filter from --seccomp to --seccomp= entry
| | |   * update errno descriptions
| | |
| * | augment seccomp lists in firejail.config (smitsohu, 2021-06-20)
| | |
* | | Merge pull request #4374 from smitsohu/euid (smitsohu, 2021-06-26)
|\ \ \
| | | |   fs_home.c: run more code with euid of the user
| | | |
| * | | fs_home.c: improve EUID switching, fix selinux relabeling (smitsohu, 2021-06-26)
| | | |
| * | | copy_file_as_user function: drop not needed arguments (smitsohu, 2021-06-23)
| | | |
* | | | firejail.h: fix typo of "either" in license header (Kelvin M. Klann, 2021-06-26)
|/ / /
| | |   Added on commit e770ab6d8 ("appimage: automatically detect profile").
| | |
* | | Merge branch 'master' into kuesji/master (Reiner Herrmann, 2021-06-21)
|\ \ \
| * | | creating alpine.profile (#4350) (pirate486743186, 2021-06-21)
| | | |
| | | |   * firecfg.config alpine
| | | |   * Create alpinef.profile
| | | |   * Create alpine.profile
| | | |   * disable-programs.inc alpine
| | | |   * workaround in comment
| | | |   * Update etc/profile-a-l/alpine.profile
| | | |
| | | |   Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| | | |
| | | |   * deactivating whitelists in ${HOME}
| | | |   * comment
| | | |
| | | |   Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| | | |
| * | | tmpfs option enhancements (smitsohu, 2021-06-21)
| | | |
| | | |   * downgrade error to warning, similar to read-write option;
| | | |     this simplifies use of tmpfs option in general purpose profiles,
| | | |     for example we don't need to worry about links people put in
| | | |     their homedir
| | | |   * update manpage
| | | |
| * | | cleanup (smitsohu, 2021-06-20)
| | | |
| * | | fixing broken build (netblue30, 2021-06-19)
| | | |
| * | | jailcheck: networking support (netblue30, 2021-06-19)
| | | |
| * | | Merge pull request #4360 from kmk3/gcov-add-missing-includes (netblue30, 2021-06-18)
| |\ \ \
| | | |/
| | |/|   gcov: add missing gcov.h includes
| | | |
| | * | gcov: add missing gcov.h includes (Kelvin M. Klann, 2021-06-18)
| | | |
| | | |   Fixes the following "implicit declaration" warning (13 occurrences in
| | | |   total) when building with gcov support:
| | | |
| | | |       $ pacman -Q gcc10
| | | |       gcc10 1:10.2.0-3
| | | |       $ CC=gcc-10 && export CC
| | | |       $ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
| | | |       $ make >/dev/null
| | | |       appimage.c: In function ‘appimage_set’:
| | | |       appimage.c:140:2: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
| | | |         140 |  __gcov_flush();
| | | |             |  ^~~~~~~~~~~~
| | | |       interface.c: In function ‘print_sandbox’:
| | | |       interface.c:149:3: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
| | | |         149 |   __gcov_flush();
| | | |             |   ^~~~~~~~~~~~
| | | |       netstats.c: In function ‘netstats’:
| | | |       netstats.c:246:4: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
| | | |         246 |    __gcov_flush();
| | | |             |    ^~~~~~~~~~~~
| | | |       [...]
| | | |
| | | |   Note: The commands above were executed from makepkg, while building
| | | |   firejail-git from the AUR.
| | | |
| | | |   Note2: gcc-10 was used because the build fails with the current gcc
| | | |   version (11.1.0) on Artix Linux. The failure happens because
| | | |   __gcov_flush was removed on gcc 11.1.0[1]; this will be addressed later.
| | | |
| | | |   Note3: The following command helped find the affected files:
| | | |
| | | |       $ git grep -Fl __gcov -- src
| | | |
| | | |   [1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
| | | |
| * | | appimage fix (netblue30, 2021-06-17)
| |/ /
| * | appimage: automatically detect profile (netblue30, 2021-06-14)
| | |
| * | Merge branch 'master' of https://github.com/netblue30/firejail (smitsohu, 2021-06-11)
| |\ \
| | * | mcomix profile creation (#4338) (pirate486743186, 2021-06-10)
| | | |
| | | |   * mcomix
| | | |   * Create mcomix.profile
| | | |   * tightening
| | | |   * fixes
| | | |   * comment
| | | |
| * | | follow-up (smitsohu, 2021-06-11)
| |/ /
| | |   PR #4349
| | |
| * | Merge pull request #4344 from pirate486743186/qcomicbook (Reiner Herrmann, 2021-06-08)
| |\ \
| | | |   creating qcomicbook profile
| | | |
| | * | qcomicbook (pirate486743186, 2021-06-06)
| | | |
| * | | add more EUID switching (smitsohu, 2021-06-08)
| | | |
| | | |   always access files under control of the user with effective user id
| | | |   of the user
| | | |
| * | | refactor mounting (smitsohu, 2021-06-08)
| | | |
| * | | misc (smitsohu, 2021-06-07)
| | | |
| * | | fix OOB (smitsohu, 2021-06-07)
| | | |
| * | | blacklist cleaned passwd, group, utmp files (smitsohu, 2021-06-06)
| | | |
| | | |   just in case users decide to remove them completely from the sandbox,
| | | |   by means of private-etc or whitelist
| | | |
| * | | selinux enhancements (smitsohu, 2021-06-06)
| | | |
| * | | fixup 9678da00301562464464099b9d7cfd76424fbb23 (smitsohu, 2021-06-06)
| |/ /
| * | cleanup (smitsohu, 2021-06-06)
| | |
| * | jailcheck: fix spelling errors (Reiner Herrmann, 2021-06-04)
| | |
| * | creating googler and ddgr profiles (#4333) (pirate486743186, 2021-06-04)
| | |
| | |   * Create googler-common.profile
| | |   * Create googler.profile
| | |   * Create ddgr.profile
| | |   * Update firecfg.config
| | |   * sort fix
| | |   * space
| | |   * space
| | |   * tightening
| | |   * comment
| | |   * fix comment
| | |   * fix private-etc and ${DOWNLOADS}
| | |   * fix sort
| | |   * redundant ${DOWNLOADS}
| | |
| * | Merge pull request #4326 from jsquyres/pr/master/dont-quote-all-cmdlines (netblue30, 2021-06-04)
| |\ \
| | | |   cmdline.c: optionally quote the resulting command line
| | | |
| | * | cmdline.c: optionally quote the resulting command line (Jeff Squyres, 2021-06-02)
| | | |
| | | |   If we were launched by sshd, do not add extra quotes to the command
| | | |   line. This is because if firejail is a login shell, sshd will launch
| | | |   firejail thusly:
| | | |
| | | |   * argv[0]: /path/to/firejail
| | | |   * argv[1]: -c
| | | |   * argv[2]: user's command to execute
| | | |
| | | |   For example, if the user executed "ssh othernode echo hello world",
| | | |   argv[2] will be "echo hello world". Firejail will then add *extra*
| | | |   quotes to it, resulting in argv[2] becoming "'echo hello world' "
| | | |   (without the "", of course). The user's shell (e.g., bash) will see
| | | |   the extra single quotes and will not split the token into multiple
| | | |   tokens. The shell will be unable to find an executable or intrinsic
| | | |   named "echo hello world ", so it will fail.
| | | |
| | | |   This commit changes the above behavior if firejail is launched by
| | | |   sshd. In that case, firejail will *not* add the extra single quotes
| | | |   around argv[2]. Specifically: all the tokens still end up in argv[2],
| | | |   but there's no *extra* quotes around argv[2], so the shell will split
| | | |   argv[2] into multiple tokens (if necessary). In the above example,
| | | |   argv[2] will be "echo hello world" (without the ""), which will be
| | | |   split. The shell will then look for an intrinsic or executable named
| | | |   "echo", which will succeed, and "hello world" will ultimately be
| | | |   emitted.
| | | |
| | | |   Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
| | | |
| * | | Merge pull request #4330 from smitsohu/fjconfig (netblue30, 2021-06-04)
| |\ \ \
| | |_|/
| |/| |   add firejail.config switch for private-{bin,etc,opt,srv}
| | | |
| | * | add firejail.config switch for private-{bin,etc,opt,srv} (smitsohu, 2021-05-22)
| | | |
| * | | simplify X11 socket whitelisting (smitsohu, 2021-06-03)
| | | |
| * | | Update manpage for whitelist2 (rusty-snake, 2021-06-03)
| | | |
| * | | version 0.9.66rc1 released (tag: 0.9.66rc1) (netblue30, 2021-06-02)
| | | |
| * | | reorganizing links browsers (#4320) (pirate486743186, 2021-05-31)
| | | |
| | | |   * Create links-common.profile
| | | |   * Update links.profile
| | | |   * Create links2.profile
| | | |   * Update links.profile
| | | |   * Update links2.profile
| | | |   * Update elinks.profile
| | | |   * Update elinks.profile
| | | |   * links2
| | | |   * Update firecfg.config
| | | |   * Update xlinks.profile
| | | |   * .xlinks
| | | |   * add dbus and whitelist-usr-share-common
| | | |   * .xlinks doesn't exist
| | | |   * revert
| | | |   * Create xlinks2
| | | |   * xlinks2
| | | |   * Update xlinks2
| | | |   * Update xlinks.profile
| | | |   * no wayland
| | | |   * no wayland
| | | |   * doesn't use /tmp/.X11-unix
| | | |   * doesn't use /tmp/.X11-unix
| | | |   * noblacklist /tmp/.X11-unix
| | | |   * noblacklist /tmp/.X11-unix
| | | |
| * | | --debug takes precedence over --quiet (#2743) (netblue30, 2021-05-30)
| | | |
| * | | fix fcoy error message (#2743) (netblue30, 2021-05-30)
| | | |