Changes:
* Strip whitespace at the beginning
* Strip whitespace at the end
* Ensure exactly one newline at the end
* Strip extraneous newlines
Also, for clarity print the git diff in the sort.py ci job, since the
specific lines changed are not printed by the sort.py script in this
case (as whitespace is fixed in the entire profile at once).
Command used to search and replace:
./contrib/sort.py etc/inc/*.inc etc/profile*/*.profile
This is a follow-up to #6556.
Update contrib/sort.py
Currently whitespace is left as is within an entry.
In a `protocol` entry, if there is whitespace between the command and
its argument or around an item, the item in question is dropped from the
output.
Changes:
* `protocol`: Strip all whitespace in the argument
* Other commands: Strip leading/trailing whitespace around each item,
including any extra whitespace between a command and its argument
Note: Whitespace characters inside paths are left as is, as some paths
(such as `Foo Bar` may contain spaces.
Before:
$ printf 'private-bin a,b\nprivate-bin a,b\nprivate-bin b,a\nprivate-bin C,A B\nprotocol unix,net\nprotocol inet,unix\n' \
>foo.profile
$ ./contrib/sort.py -n foo.profile
sort.py: checking 1 profile(s)...
foo.profile:5:-protocol unix,net
foo.profile:5:+protocol
foo.profile:6:-protocol inet,unix
foo.profile:6:+protocol unix
After:
$ printf 'private-bin a,b\nprivate-bin a,b\nprivate-bin b,a\nprivate-bin C,A B\nprotocol unix,net\nprotocol inet,unix\n' \
>foo.profile
$ ./contrib/sort.py -n foo.profile
sort.py: checking 1 profile(s)...
foo.profile:2:-private-bin a,b
foo.profile:2:+private-bin a,b
foo.profile:3:-private-bin b,a
foo.profile:3:+private-bin a,b
foo.profile:4:-private-bin C,A B
foo.profile:4:+private-bin A B,C
foo.profile:5:-protocol unix,net
foo.profile:5:+protocol unix
foo.profile:6:-protocol inet,unix
foo.profile:6:+protocol unix,inet
Currently the output is mangled if the last item on the line contains
trailing whitespace and is moved when sorting.
So remove trailing whitespace in all lines (that is, not just in lines
containing supported commands).
Leave leading whitespace as is for now since it could potentially be
used for indentation.
Before:
$ printf '# hello world \nprivate-bin a,b \nprivate-bin b,a \nprivate-bin a,b\n' \
>foo.profile
$ ./contrib/sort.py -n foo.profile | tr ' ' .
sort.py:.checking.1.profile(s)...
foo.profile:3:-private-bin.b,a..
foo.profile:3:+private-bin.a..,b
After:
$ printf '# hello world \nprivate-bin a,b \nprivate-bin b,a \n' \
>foo.profile
$ ./contrib/sort.py -n foo.profile | tr ' ' .
sort.py:.checking.1.profile(s)...
foo.profile:1:-#.hello.world..
foo.profile:1:+#.hello.world
foo.profile:2:-private-bin.a,b..
foo.profile:2:+private-bin.a,b
foo.profile:3:-private-bin.b,a..
foo.profile:3:+private-bin.a,b
Rename `line` to `original_line` to make it less likely to accidentally
read from/write to it instead of the fixed line.
Rename `fixed_line` to `line` to make the code shorter since it is now
referenced much more often (up to 3 times in the same line of code) than
the original line.
See also commit aa17ca5fc ("sort.py: rename protocols to
original_protocols", 2022-10-17) / PR #5429.
An ssh private key may be stored in a Trusted Platform Module (TPM)
device and `private-dev` in ssh.profile currently breaks this use-case,
as it does not keep tpm devices (see #6379).
So add a new `notpm` command and keep tpm devices in /dev by default
with `private-dev` unless `notpm` is used.
Overwrite in-place by default (`-i`) and add `-n` to override it.
This restores the previous default behavior (from 0.9.72), for the sake
of being consistent with all previous versions and because it's more
likely to be the desired behavior in most cases.
This amends commit aa08aa132 ("build: sort.py: add and require -i to
edit in-place (#6290)", 2024-03-25).
Similarly to `sed -i` and `perl -i`.
This allows checking if sort.py correctly sorts the relevant lines in a
profile without having to overwrite it, which makes debugging and
testing easier (for example, in #6261).
Note: If it finds items that are not sorted, it still sorts them, prints
the diff and returns an error.
Since Landlock ABI v4 it is possible to restrict actions related to the
network and potentially more areas will be added in the future.
So use `landlock.fs.` as the prefix in the current filesystem-related
commands (and later `landlock.net.` for the network-related commands) to
keep them organized and to match what is used in the kernel.
Examples of filesystem and network access flags:
* `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
* `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
* `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
* `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a
remote port.
Relates to #6078.
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
To match how things are sorted elsewhere, such as with `noblacklist` /
`whitelist` lines (vertically) in profiles and in
ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
This makes the order in `private-etc` always be groups (`@group`), then
uppercase paths, then lowercase paths. Example from
etc/profile-m-z/softmaker-common.profile:
private-etc @tls-ca,SoftMaker,fstab
Note that this does not affect a significant amount of profiles; most
changes are in `private-bin` / `private-lib` lines and in `private-etc`
lines for newer profiles that do not use groups. This is partly due to
commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05)
replacing `X11` with `@x11` in `private-etc` lines and then commit
0f996ea4d ("private-etc: groups modified", 2023-02-05) removing
`Trolltech.conf` from `private-etc` lines and using case-sensitive
sorting in them.
Relates to #5610.
Escape `.` only when generating the syntax files rather than directly in
the syntax lists, so that the latter contain the command names as is.
This also makes the escaping apply to the arg1 syntax list as well.
Note: Double escaping (`\\\\.`) is used in `regex_fromlf` because its
output is used in another sed replacement (where it needs to be `\\.`).
Relates to #5627.
This adds the `shell` command. Note that it's still being parsed in
profile.c, even if it's just to return an error.
Commands used to remake them:
rm contrib/syntax/lists/*
make syntax
Relates to #5627#5894.
Currently it only sets the appropriate filetype for files in
`/etc/firejail` and `~/.config/firejail`.
With this commit, the firejail filetype should also be set when opening
`etc/inc/*.inc`, for example, as long as there is a "firejail" directory
somewhere before that (such as in `/foo/firejail/bar/etc/inc/*.inc`).
Note: At least `*/firejail/*.inc` needs to force the match (by using
`set filetype` rather than `setfiletype`), or else the default vim
checks take precedence (and the filetype for all files in
`etc/inc/*.inc` gets set to `pov`).
Fixes#4319.
Relates to #2679.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Commands used to list the file extensions used in the project:
$ git ls-files | sed -En 's/.*(\.[^.]+)$/\1/p' |
LC_ALL=C sort | uniq -c
For rules that are more specific to a given directory, put a dedicated
.editorconfig file in it.
Almost all of the shell scripts in the repository use tabs for
indentation (or have no indentation at all):
$ git grep -Il '^\t' -- '*.sh' | wc -l
19
$ git grep -Il '^ ' -- '*.sh' | wc -l
5
$ git grep -IL '^[ \t]' -- '*.sh' | wc -l
25
So do the same in the few shell scripts that currently use spaces for
indentation.
Except for the following file:
* platform/rpm/mkrpm.sh
Not sure if it's following a packaging-specific scheme, so just fix the
one indentation inconsistency in it and otherwise leave it as is for
now.
Command used to search for shell scripts using spaces for indentation:
$ git grep -In '^ ' -- '*.sh'
The official .deb package is always built with apparmor support, so use
`--enable-apparmor` in mkdeb.sh and remove the "deb-apparmor" target in
order to reduce redundancy.
Note that custom configure options may be specified by calling
./mkdeb.sh directly.
For example, to build the .deb package without apparmor support, instead
of running `make deb`, the following commands can be used:
make dist
./mkdeb.sh --disable-apparmor
Also, change the `build_apparmor` GitLab CI job into
`build_no_apparmor`, which is intended to check that building without
apparmor still works.
Note: This commit makes the resulting .deb package not have an
"-apparmor" suffix (see `EXTRA_VERSION` in mkdeb.sh), to avoid
redundancy (as having apparmor support becomes the default).
Misc: This is a follow-up to #5654.
Relates to #5154#5176#5547.
This fixes#1127.
This allow a user to provide their own zshrc/bashrc inside the jail.
This is very useful when using firejail to develop and prevent bad pip
packages to access your system.
Changes:
* Generate firejail.vim from firejail.vim.in
* Generate firejail-profile.lang from firejail-profile.lang.in
* Update the manual syntax file steps on the new command checklist on
CONTRIBUTING.md to use `make syntax` instead
Relates to #2679#5502#5577#5612.
Changes:
* Use the commands from contrib/vim/syntax/firejail.vim to create
makefile targets to generate syntax lists in contrib/syntax/lists
* Add contrib/syntax/files/example.in as an example of how to generate
syntax files
* Generate and add the syntax lists, to make it easier to spot if they
are properly updated when a new command is added or if their recipes
also need changes
* Add "syntax" and "contrib" makefile targets
Note: The generation commands are executed mostly silently to avoid
generating too much noise when also making other targets.
Note2: In some generation commands, a `$$` escape is used to pass `$` to
the shell, to avoid being interpreted by make as the start of a macro.
Note3: `@make_input@` is used in example.in to make it clear that the
file is generated (and that it is generated by make rather than
configure), similarly to how `@configure_input@` is used in configure
input files. See also apparmor.vim:
$ head -n 2 /usr/share/vim/vimfiles/syntax/apparmor.vim
" generated from apparmor.vim.in by create-apparmor.vim.py
" do not edit this file - edit apparmor.vim.in or create-apparmor.vim.py instead
Environment: apparmor 3.1.2-1 on Artix Linux.
Relates to #2679#5502#5577#5612.
Having all of syntax files in the same directory makes it easier to
reference all of them at once on a makefile (such as with
`contrib/syntax/files/*.in`).
Also, this makes the path to the gtksourceview language-spec shorter.
Current path/new path:
* contrib/gtksourceview-5/language-specs/firejail-profile.lang
* contrib/syntax/files/firejail-profile.lang
Currently, adding a rule to the root Makefile to generate the
language-spec in the same directory as an input file would take at least
95 characters (with only a single dependency):
contrib/gtksourceview-5/language-specs/%.lang: contrib/gtksourceview-5/language-specs/%.lang.in
With this commit, the above shortened to 59 characters:
contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in
Which should make it more readable.
Relates to #2679#5502.
To avoid depending on an extra package without need.
Commands used to search and replace:
$ f=contrib/vim/syntax/firejail.vim; \
printf '%s\n' "$(sed -E \
"s|rg -o '([^']+)' -r '\\\$1'|sed -En 's/.*\\1.*/\\\\1/p'|" "$f")" >"$f"
Note: `sed -E` is not in POSIX.1-2017 (Issue 7), but it has been
accepted into the upcoming POSIX standard version[1] and is supported by
at least GNU, busybox and OpenBSD grep.
Added on commit a1cc4a556 ("Add vim syntax and ftdetect files (#2679)",
2019-05-06).
[1] https://www.austingroupbugs.net/view.php?id=528
Only a single script is passed by argument in each invocation.
Added on commit a1cc4a556 ("Add vim syntax and ftdetect files (#2679)",
2019-05-06) and on commit d2e10f2f5 ("vim: update list of syscalls",
2021-05-29) / PR #4318.
It seems to be equivalent to just delimiting the beginning and the end
of the line with `^foo$`.
Also, put the regex mode (-E) first.
Commands used to search and replace:
$ f=contrib/vim/syntax/firejail.vim; \
printf '%s\n' "$(sed -E \
"s|grep -vEx '([^']+)'|grep -Ev '^\\1\$'|" "$f")" >"$f"
Added on commit a1cc4a556 ("Add vim syntax and ftdetect files (#2679)",
2019-05-06).
POSIX tr understands '\n', so use that instead of the less portable
$'\n'.
Commands used to search and replace:
$ f=contrib/vim/syntax/firejail.vim; \
printf '%s\n' "$(sed -E \
"s/tr +\\\$'\\\\n'/tr '\\\\n'/g" "$f")" >"$f"
Added on commit a1cc4a556 ("Add vim syntax and ftdetect files (#2679)",
2019-05-06).
Tested with org.gnome.TextEditor.
The gtksourceview language-spec hasn't changed between gtksourceview 3,
4 and 5 AFAIK so it should also work on older systems if you copy/link
the file in the right places.
With this, the help section remains consistent regardless of how the
script is called and even if the filename is changed. For example, if
someone renames "sort.py" to "firejail-sort" and puts it somewhere in
`$PATH`.
Example outputs of the script name (using `print(argv[0]); return`):
$ ./contrib/sort.py
./contrib/sort.py
$ python contrib/sort.sh
contrib/sort.py
$ (cd contrib && ./sort.py)
./sort.py
Note: This depends on `os.path` and `sys.argv`, so the imports have to
appear before the docstring. In which case, the docstring has to be
explicitly assigned to `__doc__` (as it ceases to be the first statement
in the file).
Note2: When running `pydoc ./contrib/sort.py`, `argv[0]` becomes
"/usr/bin/pydoc" (using python 3.10.8-1 on Artix Linux).
