path: root/src
Commit message [Author, Age]
* Merge pull request #5578 from layderv/master [netblue30, 2023-01-30]
|\
| |   modif: Prevent sandbox name from containing only digits
| * Prevent sandbox name from containing only digits [layderv, 2023-01-24]
| |
| |   Names should not contain only numbers, as they are used in other commands as PIDs.
* | private-etc: moved group names to @group syntax; GUI group renamed as @x11 group; added nvidia and X11 directories to @x11 group. [netblue30, 2023-01-30]
| |
* | private-etc: cross-distro test for curl, gimp, inkscape, firefox, warzone2100 [netblue30, 2023-01-28]
| |
* | private-etc: fixes [netblue30, 2023-01-25]
| |
* | private-etc: fix man page [netblue30, 2023-01-25]
| |
* | private-etc rework: new man page [netblue30, 2023-01-25]
| |
* | private-etc rework: file groups moved to src/include/etc_groups.h, new groups added [netblue30, 2023-01-25]
| |
* | private-etc rework: /etc file groups [netblue30, 2023-01-22]
| |
* | compile fix [netblue30, 2023-01-20]
| |
* | private-etc rework: remove hiding blacklisted files in private-etc directory feature [netblue30, 2023-01-20]
| |
* | Merge pull request #5600 from kmk3/fix-stop-ddash-sh [netblue30, 2023-01-19]
|\ \
| | |   modif: Stop forwarding own double-dash to the shell
| * | Stop forwarding own double-dash to the shell [Kelvin M. Klann, 2023-01-17]
| | |
| | |   Currently, if double-dash ("--") is passed to firejail, it is forwarded to
| | |   the user shell:
| | |
| | |       $ firejail --debug --noprofile -- echo test 2>&1 | grep -e execvp -e test
| | |       Building quoted command line: 'echo' 'test'
| | |       Building quoted command line: 'echo' 'test'
| | |       Running 'echo' 'test' command through /bin/bash
| | |       execvp argument 0: /bin/bash
| | |       execvp argument 1: -c
| | |       execvp argument 2: --
| | |       execvp argument 3: 'echo' 'test'
| | |       test
| | |
| | |   This causes issues when the user shell does not accept "--" / is not
| | |   POSIX-compatible:
| | |
| | |       $ /bin/bash -c -- 'echo test'
| | |       test
| | |       $ /bin/fish -c -- 'echo test'
| | |       fish: Unknown command: --
| | |       fish: -- ^
| | |
| | |   Fixes #5599.
| | |   Relates to #3434.
| | |
| | |   Reported-by: @iltep64
| | |   Reported-by: @ferreum
* | | cleanup [netblue30, 2023-01-19]
| | |
* | | merges [netblue30, 2023-01-18]
|/ /
* | Reword CFG_ETC_HIDE_BLACKLISTED explanation [Kelvin M. Klann, 2023-01-16]
| |
| |   To make it clearer.
| |
| |   Added on commit ded50200e ("opt-in: skip blacklisted files in private-etc -
| |   #5010, #5230", 2023-01-15) / PR #5591.
* | Rename etc-no-blacklisted to etc-hide-blacklisted [Kelvin M. Klann, 2023-01-16]
| |
| |   To avoid boolean confusion (`no-foo no` / `no-foo yes`) in firejail.config:
| |
| |       etc-no-blacklisted no
| |       etc-no-blacklisted yes
| |
| |   Commands used to search and replace:
| |
| |       git grep -Ilz -i 'etc.no.blacklisted' -- etc src | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
| |         -e 's/etc-no-blacklisted/etc-hide-blacklisted/' \
| |         -e 's/ETC_NO_BLACKLISTED/ETC_HIDE_BLACKLISTED/' \
| |         '{}')\" >'{}'"
| |
| |   Added on commit ded50200e ("opt-in: skip blacklisted files in private-etc -
| |   #5010, #5230", 2023-01-15) / PR #5591.
* | Merge pull request #5591 from smitsohu/private-etc-no-blacklisted [netblue30, 2023-01-15]
|\ \
| | |   opt-in: hide blacklisted files in /etc
| * | opt-in: skip blacklisted files in private-etc - #5010, #5230 [smitsohu, 2023-01-15]
| |/
* | Merge pull request #5563 from glitsj16/linuxqq [netblue30, 2023-01-15]
|\ \
| | |   New profiles: linuxqq/qq
| * | Merge branch 'netblue30:master' into linuxqq [glitsj16, 2023-01-04]
| |\|
| * | firecfg: add linuxqq/qq [glitsj16, 2023-01-03]
| | |
* | | fix restrict-namespaces for Debian 10 and older [netblue30, 2023-01-14]
| | |
* | | bringing back whitelisting /dev [netblue30, 2023-01-14]
| | |
* | | Remove --profile-path from --help (rusty-snake-patch-1) [rusty-snake, 2023-01-13]
| | |
| | |   Fixes #5585
* | | rel 0.9.72 testing: disable whitelisting /dev directory [netblue30, 2023-01-12]
| | |
* | | rel 0.9.72 testing [netblue30, 2023-01-12]
| |/
|/|
* | Merge pull request #5475 from KOLANICH-tools/aa_fix [netblue30, 2023-01-04]
|\ \
| | |   A temporary fix to the bug caused by apparmor profiles stacking.
| * | A temporary fix to the bug caused by apparmor profiles stacking. [KOLANICH, 2022-11-15]
| | |
* | | Merge pull request #5556 from Dpeta/chatterino-profile [netblue30, 2023-01-04]
|\ \ \
| |_|/
|/| |   Add profile for Chatterino
| * | Add Chatterino profile [Dpeta, 2022-12-25]
| | |
* | | restrict-namespaces stats [netblue30, 2022-12-26]
|/ /
* | chroot: make search permission check explicit [smitsohu, 2022-12-24]
| |
* | add netlock support in profile files [netblue30, 2022-12-21]
| |
* | Add profile for avidemux3_jobs_qt5 [Hartmut Knaack, 2022-12-13]
| |
| |   Add a profile for the Qt5 GUI to process Avidemux jobs. Use a redirection
| |   to the avidemux3_qt5 profile to reuse translation files.
| |   The application needs to create a network socket on localhost and fails to
| |   run with protocol unix, so that entry in the default avidemux profile needs
| |   to be extended.
* | Add profile for avidemux3_cli [Hartmut Knaack, 2022-12-12]
| |
| |   Add a profile for the command-line interface of Avidemux, which redirects
| |   to the existing avidemux profile.
* | small nettrace fixes [netblue30, 2022-12-09]
| |
* | Merge pull request #5504 from kmk3/build-cflags-improvements [Kelvin M. Klann, 2022-12-09]
|\ \
| | |   build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS
| * | makefiles: stop overriding CFLAGS/LDFLAGS [Kelvin M. Klann, 2022-12-08]
| | |
| | |   From the manual of GNU Automake (version 1.16.5)[1] [2]:
| | |
| | |   > 3.6 Variables reserved for the user
| | |   >
| | |   > Some `Makefile` variables are reserved by the GNU Coding Standards for
| | |   > the use of the "user"—the person building the package. For instance,
| | |   > `CFLAGS` is one such variable.
| | |   >
| | |   > Sometimes package developers are tempted to set user variables such
| | |   > as `CFLAGS` because it appears to make their job easier. However, the
| | |   > package itself should never set a user variable, particularly not to
| | |   > include switches that are required for proper compilation of the
| | |   > package. Since these variables are documented as being for the
| | |   > package builder, that person rightfully expects to be able to override
| | |   > any of these variables at build time.
| | |   >
| | |   > To get around this problem, Automake introduces an
| | |   > automake-specific shadow variable for each user flag variable.
| | |   > (Shadow variables are not introduced for variables like `CC`, where
| | |   > they would make no sense.) The shadow variable is named by prepending
| | |   > `AM_` to the user variable's name. For instance, the shadow variable
| | |   > for `YFLAGS` is `AM_YFLAGS`. The package maintainer—that is, the
| | |   > author(s) of the `Makefile.am` and `configure.ac` files—may adjust
| | |   > these shadow variables however necessary.
| | |   >
| | |   > Note Flag Variables Ordering::, for more discussion about these
| | |   > variables and how they interact with per-target variables.
| | |
| | |   See also the description of CFLAGS in the GNU Autoconf manual[3].
| | |
| | |   Note: We do not use automake (save for aclocal) nor generally follow the
| | |   GNU Coding Standards, but the concept still applies. Also, the closest
| | |   analogous in the project to the `AM_` prefix would currently likely be
| | |   `EXTRA_`.
| | |
| | |   [1] https://www.gnu.org/software/automake/manual/1.16.5/html_node/User-Variables.html
| | |   [2] https://www.gnu.org/software/automake/manual/1.16.5/html_node/Flag-Variables-Ordering.html
| | |   [3] https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Preset-Output-Variables.html
* | | New profile: tesseract (#5516) [glitsj16, 2022-12-09]
| | |
| | |   * Add firecfg support for tesseract
| | |   * Add tesseract to 'New profiles' section in README.md
| | |   * Create tesseract.profile
| | |   * tesseract: fix private-etc
| | |   * tesseract: fix XDG black/whitelisting
| | |   * tesseract: use 'seccomp socket' instead of 'protocol unix'
| | |     As kindly suggested by @rusty-snake.
| | |   * tesseract: add 'restrict-namespaces'
| | |     As kindly suggested by @rusty-snake.
| | |   * tesseract: use full seccomp filtering
| | |     The tesseract application works fine without 'protocol' or 'seccomp socket'.
* | | sandbox.c: print the dir on failed chdir(cfg.homedir) [Kelvin M. Klann, 2022-12-09]
|/ /
| |   Just like the other nearby error messages for `chdir`.
| |
| |   Relates to #5510.
| |
| |   Suggested-by: @gitsteff
* | makefiles: organize CFLAGS [Kelvin M. Klann, 2022-11-21]
| |
| |   Line-wrap them and make the order of the flags more similar across
| |   src/prog.mk and src/so.mk. This should make it easier to see the
| |   differences in CFLAGS between both files.
* | makefiles: mention variables intended to be used by includers [Kelvin M. Klann, 2022-11-21]
| |
| |   On src/prog.mk and src/so.mk.
* | makefiles: add TOCLEAN and TODISTCLEAN variables [Kelvin M. Klann, 2022-11-21]
| |
| |   So that includers of src/prog.mk or src/so.mk can just define anything
| |   extra that needs to be cleaned without having to override the "clean"
| |   target (or having to declare a "distclean" target).
| |
| |   Example usage:
| |
| |       TOCLEAN += foo
| |       TODISTCLEAN += bar
* | makefiles: rename common.mk to prog.mk [Kelvin M. Klann, 2022-11-21]
| |
| |   For clarity, as it is included by the Makefiles that create programs and
| |   non-shared-objects, but not by the ones that create shared objects (see
| |   src/so.mk).
| |
| |   Commands used to move and search and replace:
| |
| |       $ git mv src/common.mk src/prog.mk
| |       $ git grep -IFlz 'common.mk' -- src | xargs -0 -I '{}' sh -c \
| |         "printf '%s\n' \"\$(sed 's/common.mk/prog.mk/' '{}')\" >'{}'"
* | makefiles: deduplicate lib makefiles into so.mk [Kelvin M. Klann, 2022-11-21]
| |
| |   The following makefiles are nearly identical, except for the main target
| |   name and for any extra headers that they might use:
| |
| |   * src/libpostexecseccomp/Makefile
| |   * src/libtrace/Makefile
| |   * src/libtracelog/Makefile
| |
| |   So move all of their (duplicated) code into a new src/so.mk file, and add
| |   an include of src/so.mk, which leaves only variables, and the includes of
| |   config.mk and src/so.mk in place.
| |
| |   With this commit, CFLAGS and LDFLAGS are only defined/changed in the
| |   following files:
| |
| |   * config.mk.in
| |   * src/common.mk
| |   * src/so.mk
* | makefiles: deduplicate main target name into new SO var [Kelvin M. Klann, 2022-11-21]
| |
| |   Put the main target name into a new SO variable, put SO into a new TARGET
| |   variable, make "all" depend on `$(TARGET)` and replace every other
| |   occurrence of the main target name with `$(SO)`. On the makefiles that
| |   build shared objects, to make them more similar. With this commit, all of
| |   their targets are identical.
* | makefiles: deduplicate many makefiles into common.mk [Kelvin M. Klann, 2022-11-21]
| |
| |   The makefiles that both build C programs and include src/common.mk are
| |   nearly identical, save for the main target name and for any extra headers
| |   and objects that they might use. So move all of their (duplicated) code
| |   into src/common.mk, which (other than the "lib" target on
| |   src/lib/Makefile) leaves only variables and the includes of config.mk and
| |   src/common.mk in place.
* | makefiles: deduplicate main target name into new PROG var [Kelvin M. Klann, 2022-11-21]
| |
| |   Put the main target name into a new PROG variable, put PROG into a new
| |   TARGET variable, make "all" depend on `$(TARGET)` and replace every other
| |   occurrence of the main target name with `$(PROG)`. On the makefiles that
| |   build non-shared objects, to make them more similar. With this commit, all
| |   of their targets are identical (except for the extra "lib" target on
| |   src/lib/Makefile).
* | makefiles: line-wrap MOD_HDRS and MOD_OBJS [Kelvin M. Klann, 2022-11-21]
| |
| |   For increased readability, list one item per line on lines that are
| |   currently longer than 80 characters.