Merge branch 'master' into profile-template-improve-rules

This commit is contained in:
netblue30 2026-06-24 06:07:44 -04:00 committed by GitHub
commit 925bba49ae
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
32 changed files with 169 additions and 389 deletions

View file

@ -44,7 +44,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >
@ -79,7 +79,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >

View file

@ -58,7 +58,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >

View file

@ -46,7 +46,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >
@ -79,7 +79,7 @@ jobs:
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >
@ -112,7 +112,7 @@ jobs:
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
disable-sudo: true
egress-policy: block
@ -131,7 +131,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
with:
languages: cpp
@ -142,4 +142,4 @@ jobs:
run: make -j "$(nproc)" -Orecurse
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa

View file

@ -33,7 +33,7 @@ jobs:
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
disable-sudo: true
egress-policy: block

View file

@ -31,7 +31,7 @@ jobs:
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
disable-sudo: true
egress-policy: block
@ -52,9 +52,9 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
with:
languages: python
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa

View file

@ -24,7 +24,7 @@ jobs:
timeout-minutes: 5
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >

View file

@ -54,7 +54,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >
@ -103,7 +103,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >
@ -144,7 +144,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >
@ -184,7 +184,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >
@ -226,7 +226,7 @@ jobs:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
with:
egress-policy: block
allowed-endpoints: >

View file

@ -17,6 +17,7 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
bindir=@bindir@
libdir=@libdir@
libexecdir=@libexecdir@
datarootdir=@datarootdir@
docdir=@docdir@
mandir=@mandir@
@ -89,9 +90,12 @@ COMMON_CFLAGS = \
-Wall -Wextra $(HAVE_FATAL_WARNINGS) \
-Wformat -Wformat-security \
-fstack-protector-all \
-DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/$(TARNAME)"' \
-DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' \
-DVARDIR='"$(localstatedir)/lib/$(TARNAME)"'
-DPREFIX='"$(prefix)"' \
-DBINDIR='"$(bindir)"' \
-DLIBDIR='"$(libdir)"' \
-DLIBEXECDIR='"$(libexecdir)"' \
-DVARDIR='"$(localstatedir)/lib/$(TARNAME)"' \
-DSYSCONFDIR='"$(sysconfdir)/$(TARNAME)"'
PROG_CFLAGS = \
$(COMMON_CFLAGS) \

View file

@ -1,32 +0,0 @@
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
protocol unix,inet,inet6,netlink
netfilter
# tracelog
noroot
whitelist ${DOWNLOADS}
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/dwhelper
whitelist ${HOME}/.zotero
whitelist ${HOME}/.lastpass
whitelist ${HOME}/.vimperatorrc
whitelist ${HOME}/.vimperator
whitelist ${HOME}/.pentadactylrc
whitelist ${HOME}/.pentadactyl
whitelist ${HOME}/.keysnail.js
whitelist ${HOME}/.config/gnome-mplayer
whitelist ${HOME}/.cache/gnome-mplayer/plugin
include /etc/firejail/whitelist-common.inc
# experimental features
#private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse

View file

@ -1,31 +0,0 @@
# Firejail profile for atom
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/atom.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus
noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.keep sys_admin,sys_chroot
# net none
netfilter
nodvd
nogroups
nosound
notv
novideo
shell none
private-dev
private-tmp
noexec ${HOME}
noexec /tmp

View file

@ -1,99 +0,0 @@
# Firejail profile for firefox
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/firefox.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.config/okularpartrc
noblacklist ${HOME}/.config/okularrc
noblacklist ${HOME}/.config/qpdfview
noblacklist ${HOME}/.kde/share/apps/kget
noblacklist ${HOME}/.kde/share/apps/okular
noblacklist ${HOME}/.kde/share/config/kgetrc
noblacklist ${HOME}/.kde/share/config/okularpartrc
noblacklist ${HOME}/.kde/share/config/okularrc
noblacklist ${HOME}/.kde4/share/apps/kget
noblacklist ${HOME}/.kde4/share/apps/okular
noblacklist ${HOME}/.kde4/share/config/kgetrc
noblacklist ${HOME}/.kde4/share/config/okularpartrc
noblacklist ${HOME}/.kde4/share/config/okularrc
# noblacklist ${HOME}/.local/share/gnome-shell/extensions
noblacklist ${HOME}/.local/share/okular
noblacklist ${HOME}/.local/share/qpdfview
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/gnome-mplayer/plugin
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.config/gnome-mplayer
whitelist ${HOME}/.config/okularpartrc
whitelist ${HOME}/.config/okularrc
whitelist ${HOME}/.config/pipelight-silverlight5.1
whitelist ${HOME}/.config/pipelight-widevine
whitelist ${HOME}/.config/qpdfview
whitelist ${HOME}/.kde/share/apps/kget
whitelist ${HOME}/.kde/share/apps/okular
whitelist ${HOME}/.kde/share/config/kgetrc
whitelist ${HOME}/.kde/share/config/okularpartrc
whitelist ${HOME}/.kde/share/config/okularrc
whitelist ${HOME}/.kde4/share/apps/kget
whitelist ${HOME}/.kde4/share/apps/okular
whitelist ${HOME}/.kde4/share/config/kgetrc
whitelist ${HOME}/.kde4/share/config/okularpartrc
whitelist ${HOME}/.kde4/share/config/okularrc
whitelist ${HOME}/.keysnail.js
whitelist ${HOME}/.lastpass
whitelist ${HOME}/.local/share/gnome-shell/extensions
whitelist ${HOME}/.local/share/okular
whitelist ${HOME}/.local/share/qpdfview
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.pentadactyl
whitelist ${HOME}/.pentadactylrc
whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.vimperator
whitelist ${HOME}/.vimperatorrc
whitelist ${HOME}/.wine-pipelight
whitelist ${HOME}/.wine-pipelight64
whitelist ${HOME}/.zotero
whitelist ${HOME}/dwhelper
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc
caps.drop all
# machine-id breaks pulse audio; it should work fine in setups where sound is not required
#machine-id
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
#seccomp - replaced with seccomp.drop for Firefox 60
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
shell none
#tracelog - disabled for Firefox 60
disable-mnt
# firefox requires a shell to launch on Arch.
# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
private-dev
# private-etc below works fine on most distributions. There are some problems on CentOS.
# private-etc alternatives,iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
private-tmp
noexec ${HOME}
noexec /tmp

View file

@ -1,44 +0,0 @@
# Firejail profile for gedit
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/gedit.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus - makes settings immutable
noblacklist ${HOME}/.config/enchant
noblacklist ${HOME}/.config/gedit
noblacklist ${HOME}/.gitconfig
include /etc/firejail/disable-common.inc
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/whitelist-var-common.inc
caps.drop all
# net none - makes settings immutable
machine-id
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog
# private-bin gedit
private-dev
# private-etc alternatives,fonts
#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
private-tmp
noexec ${HOME}
noexec /tmp

View file

@ -1,36 +0,0 @@
# Firejail profile for libreoffice
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/libreoffice.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ${HOME}/.java
noblacklist /usr/local/sbin
noblacklist ${HOME}/.config/libreoffice
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/whitelist-var-common.inc
caps.drop all
machine-id
netfilter
nodvd
nogroups
#nonewprivs
noroot
notv
#protocol unix,inet,inet6
#seccomp
shell none
#tracelog
private-dev
private-tmp
noexec ${HOME}
noexec /tmp

View file

@ -1,6 +0,0 @@
# Firejail profile alias for brave
# This file is overwritten after every install/update
# Redirect
include /etc/firejail/brave.profile

View file

@ -1,24 +0,0 @@
# Firejail profile for brave
# This file is overwritten after every install/update
# Description: Web browser that blocks ads and trackers by default.
# Persistent local customizations
include brave.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/brave
noblacklist ${HOME}/.config/BraveSoftware
# brave uses gpg for built-in password manager
noblacklist ${HOME}/.gnupg
mkdir ${HOME}/.config/brave
mkdir ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/brave
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.gnupg
# noexec /tmp is included in chromium-common.profile and breaks Brave
ignore noexec /tmp
# Redirect
include /etc/firejail/chromium-common.profile

View file

@ -1,35 +0,0 @@
# Firejail profile for atom
# Description: A hackable text editor for the 21st Century
# This file is overwritten after every install/update
# Persistent local customizations
include atom.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom
noblacklist ${HOME}/.cargo/config
noblacklist ${HOME}/.cargo/registry
include disable-common.inc
include disable-passwdmgr.inc
include disable-programs.inc
caps.keep sys_admin,sys_chroot
# net none
netfilter
nodbus
nodvd
nogroups
nosound
notv
nou2f
novideo
shell none
private-cache
private-dev
private-tmp
noexec ${HOME}
noexec /tmp

View file

@ -1,37 +0,0 @@
# Firejail profile for atom
# Description: A hackable text editor for the 21st Century
# This file is overwritten after every install/update
# Persistent local customizations
include atom.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom
noblacklist ${HOME}/.config/git
noblacklist ${HOME}/.cargo/config
noblacklist ${HOME}/.cargo/registry
noblacklist ${HOME}/.gitconfig
noblacklist ${HOME}/.git-credentials
noblacklist ${HOME}/.pythonrc.py
include disable-common.inc
include disable-exec.inc
include disable-passwdmgr.inc
include disable-programs.inc
caps.keep sys_admin,sys_chroot
# net none
netfilter
nodbus
nodvd
nogroups
nosound
notv
nou2f
novideo
shell none
private-cache
private-dev
private-tmp

View file

@ -1,10 +0,0 @@
These are patches for various Firejail versions for the security bug reported by Austin Morton
on May 21, 2019:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
The original discussion thread: https://github.com/netblue30/firejail/issues/2718
The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134

View file

@ -0,0 +1,10 @@
# Firejail profile alias for gimp
# This file is overwritten after every install/update
# Persistent local customizations
include gimp-3.2.local
# Persistent global definitions
# added by included profile
#include globals.local
# Redirect
include gimp.profile

View file

@ -45,7 +45,7 @@ include whitelist-var-common.inc
apparmor
caps.drop all
ipc-namespace
#ipc-namespace # problems on Arch
machine-id
net none
nodvd

View file

@ -54,6 +54,7 @@ whitelist ${HOME}/.cache/winetricks
whitelist ${HOME}/.config/MangoHud
whitelist ${HOME}/.config/lutris
whitelist ${HOME}/.local/share/lutris
whitelist ${HOME}/.local/share/umu
#whitelist ${HOME}/.wine
whitelist /usr/share/lutris
whitelist /usr/share/wine
@ -78,7 +79,7 @@ notv
#nou2f # may break gamepads in certain games (see #6523)
novideo
protocol unix,inet,inet6,netlink
seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace
seccomp !chroot,!clone3,!modify_ldt,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2
seccomp.32 !modify_ldt
# Add the next line to your lutris.local if you do not need controller support.
@ -90,4 +91,5 @@ dbus-user.own net.lutris.Lutris
dbus-user.talk com.feralinteractive.GameMode
dbus-system none
restrict-namespaces
#breaks proton
#restrict-namespaces

View file

@ -59,7 +59,7 @@ disable-mnt
#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
private-cache
private-dev
private-etc @x11,groff,man_db.conf,manpath.config,sysless
private-etc @x11,groff,man_db.conf,manpath.config,sysless,terminfo
#private-tmp
dbus-user none

View file

@ -18,6 +18,7 @@ noblacklist /sys/module
nowhitelist /sys/module/nvidia*
ignore read-only /sys/module/nvidia*
allow-bwrap
allow-debuggers
allusers
keep-config-pulse

View file

@ -176,9 +176,10 @@ include globals.local
##landlock.fs.execute PATH
##include landlock-common.inc
## Commands that increase access to resources.
##
## Note: Keep this in sync with ../../etc/profile-m-z/noprofile.profile.
# Commands that increase access to resources.
#
# Note: Keep this in sync with ../../etc/profile-m-z/noprofile.profile.
##allow-bwrap
##allow-debuggers
##allusers
##keep-config-pulse

View file

@ -348,6 +348,7 @@ gimp
gimp-2.10
gimp-2.8
gimp-3.0
gimp-3.2
gist
gist-paste
git-cola

12
src/firecfg/firejail-symlink.sh Executable file
View file

@ -0,0 +1,12 @@
#!/bin/sh
# This file is part of Firejail project
# Copyright (C) 2014-2026 Firejail Authors
# License MIT
FIREJAIL_SYMLINK=1
export FIREJAIL_SYMLINK
bindir="/usr/bin"
basename="$(basename "$0")"
exec firejail "$bindir/$basename" "$@"

View file

@ -484,14 +484,30 @@ void reject_cntrl_chars(const char *fname) {
}
}
// Note: Characters intentionally ignored:
//
// * `'`: Used in some dirnames (see #4614).
// * `()`: Used in some dirnames (see #3001 #3156).
// * `~`: Might be useful for expansion and seems unlikely to cause problems by
// itself.
#ifndef METACHARS
// All metachars except for ignored chars and chars in other groups.
#define METACHARS "!\"#$%&',;<>\\^`{|}"
#endif
#ifndef GLOBCHARS
#define GLOBCHARS "*?[]"
#endif
void reject_meta_chars(const char *fname, int globbing) {
assert(fname);
reject_cntrl_chars(fname);
const char *reject = "\\&!?\"<>%^{};,*[]";
if (globbing)
reject = "\\&!\"<>%^{};,"; // file globbing ('*?[]') is allowed
const char *reject = METACHARS GLOBCHARS;
if (globbing) {
// file globbing is allowed
reject = METACHARS;
}
const char *c = strpbrk(fname, reject);
if (c) {

View file

@ -154,8 +154,8 @@ function extract_and_install()
table_file_basen=$(basename "$table_file")
local firejail_header="${table_file_basen%.*}".h
grep --color=never -v '^[[:space:]]*#' "$table_file" | # Ignore comment lines.
grep --color=never -E "^[^[:space:]]+[[:space:]]+($abi_1|$abi_2|$abi_3|$abi_4|$abi_5|$abi_6|$abi_7)\b" | # Keep lines with desired ABIs.
grep -v '^[[:space:]]*#' "$table_file" | # Ignore comment lines.
grep -E "^[^[:space:]]+[[:space:]]+($abi_1|$abi_2|$abi_3|$abi_4|$abi_5|$abi_6|$abi_7)\b" | # Keep lines with desired ABIs.
# Fill the array.
sed -E 's/^([0-9]+)[[:space:]]+[^[:space:]]+[[:space:]]+([^[:space:]]+).*/{ "\2", \1 },/' \
> "$DEST_DIR"/"$firejail_header"
@ -164,8 +164,8 @@ function extract_and_install()
ALL_SYSCALLS+="$firejail_header\n"
ALL_SYSCALLS+=$(
grep --color=never -v '^[[:space:]]*#' "$table_file" |
grep --color=never -E "^[^[:space:]]+[[:space:]]+($abi_1|$abi_2|$abi_3|$abi_4|$abi_5|$abi_6|$abi_7)\b" |
grep -v '^[[:space:]]*#' "$table_file" |
grep -E "^[^[:space:]]+[[:space:]]+($abi_1|$abi_2|$abi_3|$abi_4|$abi_5|$abi_6|$abi_7)\b" |
awk '{printf "%s\t%s\t%s\n", $1, $3, $4}' # Keep column 1, 3 and 4.
)
ALL_SYSCALLS+=$'\n'

View file

@ -16,5 +16,13 @@ echo "TESTING: firecfg (test/firecfg/firecfg.exp)"
sudo rm -fr /tmp/ttt
#sudo cp -f firejail-program-args.sh /usr/bin/firejail-program-args
#sudo printf 'firejail-program-args\n' >/etc/firejail/firecfg.d/firejail-program-args.conf
#sudo firecfg
#echo "TESTING: firejail-program-args (test/firecfg/firejail-program-args.exp)"
#./firejail-program-args.exp
#sudo rm -f /etc/firejail/firecfg.d/firejail-program-args.conf
#sudo rm -f /usr/bin/firejail-program-args
cd ../../
./mkgcov.sh

View file

@ -0,0 +1,57 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2026 Firejail Authors
# License GPL v2
set timeout 3
spawn $env(SHELL)
match_max 100000
send -- "firecfg --list\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"/usr/local/bin/firejail-program-args"
}
after 100
send -- "file /usr/local/bin/firejail-program-args\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
-re "firejail-program-args: symbolic link to .*/firejail-symlink" {}
"cannot open" {puts "TESTING ERROR 2";exit}
}
after 100
send -- "command -V firejail-program-args\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"/usr/local/bin/firejail-program-args" {}
"not found" {puts "TESTING ERROR 4";exit}
}
after 100
send -- "firejail --version\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"firejail version "
}
after 100
# Test that firejail does not intercept `--version` (see #7140).
send -- "./firejail-program-args.sh --version\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"firejail-program-args version " {}
"firejail version " {puts "TESTING ERROR 7";exit}
}
after 100
send -- "firejail-program-args --version\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"firejail-program-args version " {}
"firejail version " {puts "TESTING ERROR 9";exit}
}
after 100
puts "\nall done\n"

View file

@ -0,0 +1,22 @@
#!/bin/sh
# This file is part of Firejail project
# Copyright (C) 2014-2026 Firejail Authors
# License GPL v2
basename="$(basename "$0")"
if test "$#" -lt 1; then
printf '%s: error: missing option\n' "$basename" >&2
exit 1
fi
case "$1" in
--version)
printf '%s: version 1\n' "$basename"
break
;;
*)
printf '%s: error: unknown option: %s\n' "$basename" "$1" >&2
exit 1
;;
esac