| Commit message (Collapse) | Author | Age |
|---|
| |
|
| |
Co-authored-by: Albert Kim <alkim@alkim.org>
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
Add Landlock support to Firejail
|
| | | |
|
| | | |
|
| | |
| |
| | |
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| | |
| |
| |
| | |
dependency on tinyLL
|
| | | |
|
| |\ \
| | |
| | | |
lbry-viewer.profile create
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Make it more explicit that they do and add an example for each command.
Relates to #5338.
|
| | | |
| | |
| | |
| | | |
Format it and improve the grammar and explanation.
|
| | | |
| | |
| | | |
Co-authored-by: pirate486743186 <>
|
| | | |
| | |
| | |
| | |
| | | |
This amends commit 7f3b6c19a ("Add support for custom AppArmor profiles
(--apparmor=)", 2022-07-25) / PR #5274.
|
| | |/
|/|
| |
| |
| |
| |
| | |
Some man pages are missing it.
This amends commit aacd2e7d8 ("docs: set vim filetype on man pages for
syntax highlighting", 2022-08-04) / PR #5296.
|
| |\ \
| | |
| | | |
docs: set vim filetype on man pages for syntax highlighting
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since the man pages in src/man use a ".txt" file extension (rather than
".1" or ".5"), their filetype is detected by (neo)vim as "text".
So at the bottom of every man page, add a vim modeline in a comment and
set the filetype to "groff", to enable syntax highlighting.
Note: All of the generated ".man", ".1" and ".5" files are currently
being detected as "nroff".
Note2: Set the filetype to "groff" rather than "nroff" because at least
.UR and .UE are groff extensions. These macros look the same with
either filetype, but there may be more extensions being used and the
nroff.vim syntax file (which is included by groff.vim) does things
differently based on which filetype is used.
Based on the following example from (neo)vim's filetype.txt:
or add this modeline to the file:
/* vim: set filetype=idl : */
See `:help groff.vim` and `:help filetype.txt` in (neo)vim.
See also groff_man(7) for the man page macros (including extensions).
Environment: neovim 0.7.2-3 on Artix Linux.
Misc: I noticed this on #5290.
|
| |\ \
| | |
| | | |
docs: mention risk of SUID binaries and also firejail-users(5)
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
On the introduction of firejail(1), mention the main risk of SUID
binaries and that by default, only trusted users should be allowed to
run firejail (and how to accomplish that).
Note: The added comment line is completely discarded (so there is no
extraneous blank line); see groff_man(7) for details.
Suggested by @emerajid on #5288.
Relates to #4601.
|
| |\ \
| | |
| | | |
Add support for custom AppArmor profiles (--apparmor=)
|
| | |/ |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add gdu to 'new profiles' section
* Create gdu.profile
* add gdu to firecfg
* harden gdu sandbox
* fix protocol
* simulate empty protocol in gdu
* more user-friendly gdu sandboxing
|
| |\
| |
| | |
introduce new option restrict-namespaces
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
improve force-nonewprivs security guarantees
|
| | | | |
|
| | | | |
|
| |/ / |
|
| |/ |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
now covers syscalls up to including process_madvise (440)
group assignment was blindly copied from systemd:
https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305
the only exception is close_range, which was added to both @basic-io and @file-system
this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
|
| |
|
|
|
|
| |
produced using commands documented in src/lib/syscall.c:
awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_64.h
awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_32.h
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
copy using file descriptors, similar
to implementation of get option
|
| |
|
|
|
|
| |
Instead of simply erroring out, just warn the user that a filesystem was
unable to be remounted due to EIO. This is helpful for FUSE filesystems
which might be buggy or having issues.
|
| |\
| |
| | |
build: reduce autoconf input files from 32 to 2
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With the previous commit ("makefiles: stop failing when config.mk does
not exist", 2022-06-23), make will not immediately fail when trying to
build a target without having the proper compile-time flags (which are
defined on common.mk).
For example, when running the command below:
make distclean && make
It will throw an error only after (mis-)compiling multiple objects.
So add a dependency on config.mk on every target that uses output
variables (such as @NAME@ / $(NAME)) on its recipe. And add a
dependency on config.sh on targets that call shell scripts that use
output variables (such as @NAME@ / $NAME). Also, add a recipe for
config.mk / config.sh telling to run ./configure, to make it a bit more
obvious just in case.
With this commit, make will abort earlier, by detecting that the
config.mk / config.sh dependency does not exist. This happens before
trying to execute the recipe.
This also makes the dependencies more accurate, since if config.mk
(which defines some CFLAGS) is changed, the CFLAGS may also have
changed, so a target that uses CFLAGS should probably be considered out
of date in this case anyway.
Relates to #5140.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows running `make clean` and `make distclean` (and possibly
others) without having to run ./configure beforehand.
Note that some packaging-related targets still depend on the existence
of generated files. For example:
* dist: config.mk
* deb: config.sh
Commands used to search and replace:
$ git grep -Elz 'include *([^ ]*/)?config.mk' | xargs -0 -I '{}' \
sh -c "printf '%s\n' \
\"\$(sed -E 's|^include *(([^ ]*/)?config.mk)|-include \1|' '{}')\" >'{}'"
Relates to #5140.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Configure summary: autoconf essentially only parses configure.ac and
generates the configure script (that is, the "./configure" shell
script). The latter is what actually checks what is available on the
system and internally sets the value of the output variables. It then,
for every filename foo in AC_CONFIG_FILES (and for every output variable
name BAR in AC_SUBST), reads foo.in, replaces every occurrence of
`@BAR@` with the value of the shell variable `$BAR` and generates the
file foo from the result. After this, configure is finished and `make`
could be executed to start the build.
Now that (as of #5140) all output variables are only defined on
config.mk.in and on config.sh.in, there is no need to generate any
makefile nor any other mkfile or shell script at configure time. So
rename every "Makefile.in" to "Makefile", mkdeb.sh.in to mkdeb.sh,
src/common.mk.in to src/common.mk and leave just config.mk and config.sh
as the files to be generated at configure time.
This allows editing and committing all makefiles directly, without
potentially having to run ./configure in between.
Commands used to rename the makefiles:
$ git ls-files -z -- '*Makefile.in' | xargs -0 -I '{}' sh -c \
"git mv '{}' \"\$(dirname '{}')/Makefile\""
Additionally, from my (rudimentary) testing, this commit reduces the
time it takes to run ./configure by about 20~25% compared to commit
72ece92ea ("Transmission fixes: drop private-lib (#5213)", 2022-06-22).
Environment: dash 0.5.11.5-1, gcc 12.1.0-2, Artix Linux, ext4 on an HDD.
Commands used for benchmarking each commit:
$ : >time_configure && ./configure && make distclean &&
for i in $(seq 1 10); do
{ time -p ./configure; } 2>>time_configure; done
$ grep real time_configure |
awk '{ total += $2 } END { print total/NR }'
|
| | | |
|
| | | |
|
| |/ |
|
| | |
|
| | |
|
alkim0
netblue30
Азалия Смарагдова
Азалия Смарагдова
pirate486743186
Kelvin M. Klann
pirate486743186
glitsj16
smitsohu
Reiner Herrmann
Albert Kim