| Commit message (Collapse) | Author | Age |
|\
| |
| | |
gcov: use no-op functions if not enabled
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Instead of wrapping every gcov function call in an ifdef.
Note: The usage of `((void)0)` is based on section 7.2 of the C99
standard (N1256)[1] [2]:
> 7.2 Diagnostics <assert.h>
>
> 1 The header <assert.h> defines the assert macro and refers to another
> macro,
>
> NDEBUG
>
> which is not defined by <assert.h>. If NDEBUG is defined as a macro
> name at the point in the source file where <assert.h> is included, the
> assert macro is defined simply as
>
> #define assert(ignore) ((void)0)
See also assert.h(0p) from POSIX.1-2017[3].
Note: This is a continuation of commit b408b20c7 ("gcov: fix build
failure with gcc 11.1.0") / PR #4373.
[1] http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1256.pdf
[2] https://port70.net/~nsz/c/c99/n1256.html#7.2
[3] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/assert.h.html
|
| | |
|
|\ \
| | |
| | | |
remove kcmp from seccomp default drop list
|
| | | |
|
|\ \ \
| | |/
| |/| |
gcov: fix build failure with gcc 11.1.0
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The build currently fails if gcov support is enabled:
$ pacman -Q gcc
gcc 11.1.0-1
$ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
$ make >/dev/null
[...]
netstats.c: In function ‘netstats’:
netstats.c:250:25: warning: implicit declaration of function ‘__gcov_flush’; did you mean ‘__gcov_dump’? [-Wimplicit-function-declaration]
250 | __gcov_flush();
| ^~~~~~~~~~~~
| __gcov_dump
[...]
/usr/bin/ld: netstats.o: in function `netstats':
/tmp/firejail-git/src/firejail-git/src/firemon/netstats.c:250: undefined reference to `__gcov_flush'
[...]
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: firemon] Error 1
make: *** [Makefile:42: src/firemon/firemon] Error 2
[...]
This happens because __gcov_flush was removed on gcc 11.1.0[1] [2] [3].
See the following gcc commits:
* d39f7dc8d5 ("Do locking for __gcov_dump and __gcov_reset as well.")
* c0532db47d ("Use __gcov_dump and __gcov_reset in execv and fork context.")
* 811b7636cb ("Remove __gcov_flush.")
Its implementation did the following[4]:
__gcov_lock ();
__gcov_dump_int ();
__gcov_reset_int ();
__gcov_unlock ();
As hinted in the commit messages above, the function is no longer needed
because locking is now done inside each of __gcov_dump and __gcov_reset.
So add an implementation of __gcov_flush (on a new gcov_wrapper.h file)
for gcc >= 11.1.0, which just calls __gcov_dump and then __gcov_reset.
Commands used to search and replace:
$ git grep -Flz '#include <gcov.h>' -- '*.c' |
xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\`sed 's|<gcov\\.h>|\"../include/gcov_wrapper.h\"|' '{}'\`\" >'{}'"
Note: This is the continuation of commit 31557e9c7 ("gcov: add missing
gcov.h includes") / PR #4360.
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d39f7dc8d558ca31a661b02d08ff090ce65e6652
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=c0532db47d092430f8e8f497b2dc53343527bb13
[3] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
[4] https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libgcc/libgcov-interface.c;h=855e8612018d1c9caf90396a3271337aaefdb9b3#l86
|
| | | |
|
|\ \ \
| | |/
| |/| |
augment seccomp lists in firejail.config
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* move everything related to modification
of the default seccomp filter from --seccomp
to --seccomp= entry
* update errno descriptions
|
| | | |
|
|\ \ \
| | | |
| | | | |
fs_home.c: run more code with euid of the user
|
| | | | |
|
| | | | |
|
|/ / /
| | |
| | |
| | | |
Added on commit e770ab6d8 ("appimage: automatically detect profile").
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* firecfg.config alpine
* Create alpinef.profile
* Create alpine.profile
* disable-programs.inc alpine
* workaround in comment
* Update etc/profile-a-l/alpine.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* deactivating whitelists in ${HOME}
* comment
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* downgrade error to warning,
smiliar to read-write option;
this simplifies use of tmpfs
option in general purpose
profiles, for example we
don't need to worry about links
people put in their homedir
* update manpage
|
| | | | |
|
| | | | |
|
| | | | |
|
| |\ \ \
| | | |/
| | |/| |
gcov: add missing gcov.h includes
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fixes the following "implicit declaration" warning (13 occurrences in
total) when building with gcov support:
$ pacman -Q gcc10
gcc10 1:10.2.0-3
$ CC=gcc-10 && export CC
$ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
$ make >/dev/null
appimage.c: In function ‘appimage_set’:
appimage.c:140:2: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
140 | __gcov_flush();
| ^~~~~~~~~~~~
interface.c: In function ‘print_sandbox’:
interface.c:149:3: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
149 | __gcov_flush();
| ^~~~~~~~~~~~
netstats.c: In function ‘netstats’:
netstats.c:246:4: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
246 | __gcov_flush();
| ^~~~~~~~~~~~
[...]
Note: The commands above were executed from makepkg, while building
firejail-git from the AUR.
Note2: gcc-10 was used because the build fails with the current gcc
version (11.1.0) on Artix Linux. The failure happens because
__gcov_flush was removed on gcc 11.1.0[1]; this will be addressed later.
Note3: The following command helped find the affected files:
$ git grep -Fl __gcov -- src
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
|
| |/ / |
|
| | | |
|
| |\ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* mcomix
* Create mcomix.profile
* tightening
* fixes
* comment
|
| |/ /
| | |
| | |
| | | |
PR #4349
|
| |\ \
| | | |
| | | | |
creating qcomicbook profile
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | | |
always access files under control of the user
with effective user id of the user
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
just in case users decide to remove them
completely from the sandbox, by means of
private-etc or whitelist
|
| | | | |
|
| |/ / |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Create googler-common.profile
* Create googler.profile
* Create ddgr.profile
* Update firecfg.config
* sort fix
* space
* space
* tightening
* comment
* fix comment
* fix private-etc and ${DOWNLOADS}
* fix sort
* redundant ${DOWNLOADS}
|
| |\ \
| | | |
| | | | |
cmdline.c: optionally quote the resulting command line
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If we were launched by sshd, do not add extra quotes to the command
line. This is because if firejail is a login shell, sshd will launch
firejail thusly:
* argv[0]: /path/to/firejail
* argv[1]: -c
* argv[2]: user's command to execute
For example, if the user executed "ssh othernode echo hello world",
argv[2] will be "echo hello world". Firejail will then add *extra*
quotes to it, resulting in argv[2] becoming "'echo hello world' "
(without the "", of course). The user's shell (e.g., bash) will see
the extra single quotes and will not split the token into multiple
tokens. The shell will be unable to find an executable or intrinsic
named "echo hello world ", so it will fail.
This commit changes the above behavior if firejail is launched by
sshd. In that case, firejail will *not* add the extra single quotes
around argv[2]. Specifically: all the tokens still end up in argv[2],
but there's no *extra* quotes around argv[2], so the shell will split
argv[2] into multiple tokens (if necessary). In the above example,
argv[2] will be "echo hello world" (without the ""), which will be
split. The shell will then look for an intrinsic or executable named
"echo", which will succeed, and "hello world" will ultimately be
emitted.
Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
|
| |\ \ \
| | |_|/
| |/| | |
add firejail.config switch for private-{bin,etc,opt,srv}
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* Create links-common.profile
* Update links.profile
* Create links2.profile
* Update links.profile
* Update links2.profile
* Update elinks.profile
* Update elinks.profile
* links2
* Update firecfg.config
* Update xlinks.profile
* .xlinks
* add dbus and whitelist-usr-share-common
* .xlinks doesn't exist
* revert
* Create xlinks2
* xlinks2
* Update xlinks2
* Update xlinks.profile
* no wayland
* no wayland
* doesn't use /tmp/.X11-unix
* doesn't use /tmp/.X11-unix
* noblacklist /tmp/.X11-unix
* noblacklist /tmp/.X11-unix
|
| | | | |
|
| | | | |
|