Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It is written in C, has virtually no dependencies, and runs on any modern Linux system with no daemon running in the background and no complicated configuration. It's super lightweight and super secure, since all actions are implemented by the kernel. It includes security profiles for over 800 common Linux applications. Firejail is recommended for running any app that may potentially pose some kind of risk, such as torrenting through Transmission, browsing the web, or opening downloaded attachments.

Open Source

Firejail Source Code

Author

netblue30

Description

Linux namespaces and seccomp-bpf sandbox

Homepage

https://firejail.wordpress.com

License

GPL-2.0

Created

08 Aug 15

Last Updated

29 Apr 24

Latest version

landlock-split

Primary Language

C

Size

20,892 KB

Stars

5,447

Forks

549

Watchers

5,447

Recent Commits

  • Kelvin M. Klann (28 Apr 24)

    landlock: fix building without landlock.h

    landlock.h may not be available on the system (such as with older versions of Linux API headers), so only try to include it if `HAVE_LANDLOCK` is defined.

    This fixes the following error from `build_debian_package` (which uses `debian:buster`) on GitLab CI[1]:

        $ ./mkdeb.sh --enable-fatal-warnings
        [...]
        gcc [...] -c ../../src/firejail/landlock.c -o ../../src/firejail/landlock.o
        ../../src/firejail/landlock.c:22:10: fatal error: linux/landlock.h: No such file or directory
         #include <linux/landlock.h>
                  ^~~~~~~~~~~~~~~~~~
        compilation terminated.

    This amends commit a05ae97af ("landlock: amend empty functions and comments", 2024-04-08) / PR #6305.

    Relates to #6078.

    [1] https://gitlab.com/Firejail/firejail_ci/-/jobs/6743161059

  • Kelvin M. Klann (29 Apr 24)

    profiles: fix new game profiles

    Fix sorting and improve comments. See etc/templates/profile.template.

    This amends commit 4c5f55899 ("several kids programs", 2024-04-29).

  • netblue30 (29 Apr 24)

    several kids programs

  • netblue30 (29 Apr 24)

    whitelisting /var/games by default

  • netblue30 (28 Apr 24)

    Merge branch 'master' of ssh://github.com/netblue30/firejail

  • netblue30 (28 Apr 24)

    --fbuilder cleanup

  • glitsj16 (25 Apr 24)

    profiles: fluffychat: remove option already present in disable-common.inc (#6322)

  • glitsj16 (25 Apr 24)

    profiles: audacity: allow networking by default (#6321)

    Newly-released audacity 3.5 supports cloud-saving and remote backup features:

    - https://www.audacityteam.org/blog/audacity-3-5/
    - https://support.audacityteam.org/additional-resources/changelog/audacity-3.5#cloud-project-saving

  • Kelvin M. Klann (25 Apr 24)

    RELNOTES: add feature, modif and profile items

    Relates to #6302 #6305 #6307 #6308 #6309.

  • Kelvin M. Klann (25 Apr 24)

    Merge pull request #6307 from spiiroin/serialize_remounts

    modif: populate /run/firejail while holding flock

  • Simo Piiroinen (04 Apr 24)

    modif: populate /run/firejail while holding flock

    There are reports of firejail sandboxed applications occasionally taking a long time (12 seconds) to start up. When this happens, it affects all sandboxed applications until the device is rebooted.

    The reason for the slowdown seems to be a timing hazard in the way remounts under /run/firejail are handled. This gets triggered when multiple firejail processes are launched in parallel as part of user session bring up and results in some, dozens, hundreds, or even thousands of stray /run/firejail/xxx mounts. The amount of mount points then affects every mount operation that is done during sandbox filesystem construction.

    To stop this from happening, arrange it so that only one firejail process at time is inspecting and/or modifying mountpoints under /run/firejail by doing:

    1. Create /run/firejail directory (without locking)
    2. Create and obtain a lock for /run/firejail/firejail-run.lock
    3. Setup files, directories and mounts under /run/firejail
    4. Release /run/firejail/firejail-run.lock

  • Simo Piiroinen (17 Apr 24)

    modif: improve flock handling

    Changes:

    * Centralize flock handling in preproc.c
    * Add debug and error logging
    * Abort if anything fails

    Co-authored-by: Kelvin M. Klann <[email protected]>

  • Kelvin M. Klann (17 Apr 24)

    refactor: make rundir lock variables global

    To enable using them outside of src/firejail/main.c.

  • netblue30 (23 Apr 24)

    static ip map

  • tools200ms (20 Apr 24)

    profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6309)

    The path is used in the Gentoo net-misc/openssh package (9.6_p1-r3).

    Fixes #6308.

  • glitsj16 (20 Apr 24)

    New profile: axel (#6315)

    https://github.com/axel-download-accelerator/axel

  • Kelvin M. Klann (18 Apr 24)

    tests: fix broken rm in gzip.exp

    This amends commit 29da82d08 ("private-etc: kdiff3, gzip, gunzip, tar etc", 2023-02-10).

    This is causing CI to fail, as "index.html" has nothing to do with gzip.exp[1]:

        ##[group]Run make test-sysutils
        make test-sysutils
        shell: /usr/bin/bash -e {0}
        env:
          SHELL: /bin/bash
        ##[endgroup]
        make -C test sysutils
        make[1]: Entering directory '/home/runner/work/firejail/firejail/test'
        cd sysutils && ./sysutils.sh 2>&1 | tee sysutils.log
        /usr/bin/gzip
        TESTING: gzip
        spawn /bin/bash
        rm index.html*
        runner@fv-az1391-790:~/work/firejail/firejail/test/sysutils$ rm index.html*
        rm: cannot remove 'index.html*': No such file or directory
        runner@fv-az1391-790:~/work/firejail/firejail/test/sysutils$ <irejail gzip -c ../../mkdeb.sh | firejail gunzip -c
        TESTING ERROR 1

    [1] https://github.com/netblue30/firejail/actions/runs/8739405468/job/23982517624:

  • netblue30 (11 Apr 24)

    Merge pull request #6302 from kmk3/docs-warn-landlock

    docs: warn about limitations of landlock

  • netblue30 (11 Apr 24)

    Merge pull request #6305 from kmk3/landlock-amend-empty

    landlock: amend empty functions and comments

  • Kelvin M. Klann (31 Mar 24)

    docs: warn about limitations of landlock

    And mark it as experimental.

    Relates to #6078.

  • pirate486743186 (11 Apr 24)

    profiles: mov-cli: remove ffmpeg & allow more paths (#6304)

    Changes:

    * Remove ffmpeg from private-bin
    * Allow download folder
    * It needs an editor to allow editing the config, so I put in nano; sh and uname are used for launching nano

    Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>

  • Kelvin M. Klann (08 Apr 24)

    landlock: amend empty functions and comments

    Changes:

    * Always declare public landlock functions, regardless of `HAVE_LANDLOCK`
    * Make the other public landlock functions (besides `ll_add_profile`) also be empty when `HAVE_LANDLOCK` is not defined
    * Clarify related comments

    This amends commit 8259f66e1 ("landlock fix for old kernel versions", 2024-04-06).

    For clarity, landlock-common.inc is included by default.profile and the issue that the aforementioned commit fixes is that if profile.c is built without the part that parses landlock commands (that is, when `HAVE_LANDLOCK` is not defined), using default.profile would cause firejail to abort due to "invalid lines".

    Note that the issue would only occur when firejail is built with an older kernel (or with --disable-landlock), not when simply running on an older kernel.

    See also commit b02a7a337 ("landlock: remove empty functions", 2023-12-07).

    Relates to #6078.

  • dependabot[bot] (08 Apr 24)

    build(deps): bump github/codeql-action from 3.24.9 to 3.24.10

    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.9 to 3.24.10.

    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/1b1aada464948af03b950897e5eb522f92603cc2...4355270be187e1b672a7a1c7c7bae5afdc1ab94a)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

  • netblue30 (07 Apr 24)

    landlock fix for old kernel versions

  • Kelvin M. Klann (05 Apr 24)

    RELNOTES: add profile items

    Relates to #6298 #6299 #6300.

  • Kelvin M. Klann (05 Apr 24)

    profiles: clarify and add opengl-game to profile.template (#6300)

    To make it consistent with the other include profiles. See etc/templates/profile.template.

    With this, all `etc/inc/allow-*` files are listed in profile.template.

    The explanation is based on a comment by @rusty-snake[1].

    Relates to #4071. This is a follow-up to #6299.

    [1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473

  • Kelvin M. Klann (03 Apr 24)

    profiles: add allow-php.inc to profile.template (#6299)

    To make it consistent with the other include profiles. See etc/templates/profile.template.

    Note: It is not currently included in any profile.

    Added on commit 89f30f1f2 ("Create allow-php.inc", 2020-01-25).

    This is a follow-up to #6298.

  • Kelvin M. Klann (30 Mar 24)

    profiles: add allow-nodejs.inc to profile.template (#6298)

    To make it consistent with the other include profiles. See etc/templates/profile.template.

    Relates to #3866 #5881.

  • Kelvin M. Klann (30 Mar 24)

    RELNOTES: move bugfix item into profiles

    Relates to #5601 #5618.

  • Kelvin M. Klann (28 Mar 24)

    RELNOTES: add bugfix and profile items

    Relates to #5717 #6049 #6051 #6052.

Firejail Website

Website

GitHub: Let’s build from here · GitHub

GitHub is where over 100 million developers shape the future of software, together. Contribute to the open source community, manage your Git repositories, review code like a pro, track bugs and features, power your CI/CD and DevOps workflows, and secure code before you commit it.

Redirects

Does not redirect

Security Checks

All 66 security checks passed

Server Details

  • IP Address 140.82.112.4
  • Hostname lb-140-82-112-4-iad.github.com
  • Location San Francisco, California, United States of America, NA
  • ISP GitHub Inc.
  • ASN AS36459

Associated Countries

  • US

Safety Score

Website marked as safe

100%

Blacklist Check

github.com was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

About the Data: Firejail

API

You can access Firejail's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/operating-systems/linux-defenses/firejail

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of the data included on this page comes from, and how it is computed, see the About the Data section of our About page.
