There are a lot of common options in the `d-feet` and `d-spy` profiles.
Create a new common include file and refactor the existing profiles as
redirects.
Relates to #2492 #6328.
There are various reports in #5127 that the current profile is broken on
wayland (and at least one report that it is broken on xorg as well).
Relates to #6268.
The coredump-related code fails to build on Linux kernel version 3.8 as
apparently it only exists on Linux since version 3.10:
docker run --platform linux/386 --rm -it satmandu/crewbuild:386
[...]
./configure && make
[...]
gcc -ggdb -O2 -DVERSION='"0.9.73"' [...] -march=i686 -c ../../src/firemon/procevent.c -o ../../src/firemon/procevent.o
../../src/firemon/procevent.c: In function ‘procevent_monitor’:
../../src/firemon/procevent.c:399:38: error: ‘PROC_EVENT_COREDUMP’ undeclared (first use in this function); did you mean ‘PROC_EVENT_COMM’?
399 | case PROC_EVENT_COREDUMP:
| ^~~~~~~~~~~~~~~~~~~
| PROC_EVENT_COMM
../../src/firemon/procevent.c:399:38: note: each undeclared identifier is reported only once for each function it appears in
../../src/firemon/procevent.c:400:66: error: ‘union <anonymous>’ has no member named ‘coredump’
400 | pid = proc_ev->event_data.coredump.process_tgid;
| ^
make[1]: *** [../../src/prog.mk:25: ../../src/firemon/procevent.o] Error 1
make[1]: Leaving directory '/home/chronos/user/firejail/src/firemon'
make: *** [Makefile:72: src/firemon/firemon] Error 2
Environment: gcc 14.1.0, glibc 2.23 and linuxheaders 3.8 on ChromeOS
M58.
Misc: @Zopolis4 also reports that "All i686 chromebooks have a kernel
version of 3.8".
This amends commit e11949a71 ("add support for comm, coredump, and prctl
procevents in firemon", 2024-04-30).
Fixes #6414.
Reported-by: @Zopolis4
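The build failure above comes from a `case PROC_EVENT_COREDUMP:` label and a `event_data.coredump` access that older `<linux/cn_proc.h>` headers do not declare. As an added illustration (not firejail's own procevent.c), the snippet below guards both together so the same source compiles against 3.8 and 3.10+ headers; the struct and enum names are those of `<linux/cn_proc.h>`, while the helper names and the constructed exec event are made up for this example.

```c
/* Added example, not firejail's own procevent.c: consume proc connector
 * events while still compiling against kernel headers older than 3.10,
 * which lack PROC_EVENT_COREDUMP and the matching `coredump` union member.
 * The struct and enum names are those of <linux/cn_proc.h>; the helper
 * names are made up for this example. */
#include <stdio.h>
#include <string.h>
#include <linux/cn_proc.h>

/* 1 when the headers this binary was built against know about coredump
 * events, 0 otherwise (the running kernel may still be newer). */
int coredump_supported(void)
{
#ifdef PROC_EVENT_COREDUMP
	return 1;
#else
	return 0;
#endif
}

/* Thread-group id of the process an event refers to, or -1 for event
 * types this build does not handle. Guarding the case label AND the
 * union access together is what keeps the switch compiling on 3.8
 * headers: the enumerator and the member appeared in the same release. */
int event_tgid(const struct proc_event *ev)
{
	switch (ev->what) {
	case PROC_EVENT_FORK:
		return (int)ev->event_data.fork.child_tgid;
	case PROC_EVENT_EXEC:
		return (int)ev->event_data.exec.process_tgid;
	case PROC_EVENT_EXIT:
		return (int)ev->event_data.exit.process_tgid;
#ifdef PROC_EVENT_COREDUMP
	case PROC_EVENT_COREDUMP:
		return (int)ev->event_data.coredump.process_tgid;
#endif
	default:
		return -1;
	}
}

/* Build a constructed exec event for TGID and run it through event_tgid();
 * this stands in for a message read from the netlink socket. */
int exec_event_tgid_demo(int tgid)
{
	struct proc_event ev;
	memset(&ev, 0, sizeof(ev));
	ev.what = PROC_EVENT_EXEC;
	ev.event_data.exec.process_pid = tgid;
	ev.event_data.exec.process_tgid = tgid;
	return event_tgid(&ev);
}

/* An event type this build never handles must be rejected, not misread. */
int unknown_event_demo(void)
{
	struct proc_event ev;
	memset(&ev, 0, sizeof(ev));
	ev.what = PROC_EVENT_NONE;
	return event_tgid(&ev);
}

int main(void)
{
	printf("coredump events at build time: %s\n",
	       coredump_supported() ? "yes" : "no (pre-3.10 headers)");
	printf("exec event tgid: %d\n", exec_event_tgid_demo(4242));
	return 0;
}
```

Note that the `#ifdef` only decides what the binary was compiled with; on a newer kernel an unguarded build would still receive coredump events, and this version silently returns -1 for them, so a caller that cares should log the unhandled `what` value.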
Changes:
* Use the exact same source date string for all `date` invocations
* Use `-d` instead of `--date=`
* Fall back to `-r` and then to no argument
Some `date` implementations only support BSD `-r` instead of GNU `-d` /
`--date=` and others may not support any of them since neither option is
in POSIX.
For example, if zoneinfo is installed by chromebrew on ChromeOS, it
provides a date program that only supports `-r` and overrides the system
one (which supports `-d`) [1]:
./mkman.sh 0.9.72 src/man/firejail.man firejail.1
date: invalid option -- '-'
date: usage: date [-u] [-c] [-r seconds] [+format]
make: *** [Makefile:42: firejail.1] Error 1
Environment: zoneinfo 2024a on ChromeOS M125.
Note: The changes are based on what is suggested by
reproducible-builds.org [2].
Relates to #193.
Fixes #6403.
[1] https://github.com/netblue30/firejail/issues/6403#issue-2402292506
[2] https://reproducible-builds.org/docs/source-date-epoch/
Reported-by: @Zopolis4
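The fallback chain described in this commit, written out as an added shell example (this is not firejail's mkman.sh; the function names are made up here). It follows the reproducible-builds.org recipe: GNU `-d @EPOCH` first, BSD `-r EPOCH` second, and only then the current time, always in UTC so the build host's TZ does not leak into the output.

```sh
#!/bin/sh
# Added example, not firejail's mkman.sh: format a build timestamp from
# SOURCE_DATE_EPOCH while tolerating `date` programs that only accept the
# BSD `-r` form, or neither form. Function names are made up here.

# fmt_epoch EPOCH FORMAT
# Try GNU `-d @EPOCH`, then BSD `-r EPOCH`, then give up on EPOCH and use
# the current time (the build still completes, but is no longer
# reproducible). -u keeps the result independent of the host's TZ.
fmt_epoch() {
    date -u -d "@$1" "+$2" 2>/dev/null ||
        date -u -r "$1" "+$2" 2>/dev/null ||
        date -u "+$2"
}

# date_flavor
# Report which option this host's `date` understands, so a build script
# can warn before it falls through to the non-reproducible case.
date_flavor() {
    if date -u -d @0 +%Y >/dev/null 2>&1; then
        echo gnu
    elif date -u -r 0 +%Y >/dev/null 2>&1; then
        echo bsd
    else
        echo none
    fi
}

# build_date FORMAT
# What a man-page generator would call: honour SOURCE_DATE_EPOCH when set
# (the reproducible-builds.org convention), otherwise sample the clock
# once so every `date` invocation in the same run sees the same value.
build_date() {
    epoch=${SOURCE_DATE_EPOCH:-$(date +%s)}
    fmt_epoch "$epoch" "$1"
}

if [ "$(date_flavor)" = none ]; then
    echo "warning: date supports neither -d nor -r; build will not be reproducible" >&2
fi
build_date "%Y-%m-%d"
```

On a GNU system the `-r` branch is never reached because `-d` succeeds; on a BSD-style `date` (like the chromebrew zoneinfo one quoted above) `-d` fails, `2>/dev/null` hides its usage message, and `-r` takes over.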
Remove the newer #6390 item as it is already on the list, remove the
older #6307 item (modif) and sort the new #6307 item (bugfix).
This amends commit 9ebecd00d ("readme/relnotes update", 2024-07-13).
This command is deprecated and may be confused for a hardening option.
This amends commit 5a612029b ("rename noautopulse to keep-config-pulse",
2021-05-13) / PR #4278.
This is a follow-up to #6390.
An ssh private key may be stored in a Trusted Platform Module (TPM)
device and `private-dev` in ssh.profile currently breaks this use-case,
as it does not keep tpm devices (see #6379).
So add a new `notpm` command and keep tpm devices in /dev by default
with `private-dev` unless `notpm` is used.
The `@sound` group currently only contains paths related to alsa and
pulseaudio.
This amends commit 02d37680c ("private-etc rework: file groups moved to
src/include/etc_groups.h, new groups added", 2023-01-25).
Relates to #5610 #6400.
Fractal 7 (and possibly earlier) stores messages and key material in
${XDG_DATA_DIR}/fractal which defaults to ~/.local/share/fractal.
Lack of access causes it to be unable to load messages offline and
de- or encrypt messages even when online without sharing keys again.
It is apparently used by the (widely used) "Fancy" plugin, which
"Renders HTML e-mail using the WebKit library".
https://www.claws-mail.org/plugins.php
Relates to #6377.
Note: etc/profile-a-l/email-common.profile contains `private-cache`.
It has been reported in #6372 that after upgrading the nvidia
proprietary driver from version 550.78 to 550.90.07, programs using
hardware acceleration fail unless paths in `/sys/module/nvidia*` are
accessible. Example:
$ firejail --noprofile prime-run /bin/glxdemo
[...]
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 150 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0
Serial number of failed request: 22
Current serial number in output stream: 23
[...]
Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
`/sys/module/amdgpu` for OpenCL (though it is unclear how to detect that
driver). See commit 95c8e284d ("Allow accessing /sys/module directory",
2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by Blender",
2018-05-08) from PR #1932.
So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
driver is detected and `no3d` is not used.
Note: The driver check is copied from src/firejail/util.c (see #841).
To keep the current behavior (that is, block all modules), add
`blacklist /sys/module` to globals.local.
Fixes #6372.
Reported-by: @GreatBigWhiteWorld
Reported-by: @orzogc
Reported-by: @krop
Reported-by: @michelesr
Suggested-by: @glitsj16
Tested-by: @flyxyz123
Apparently hashcat needs access to this device for hardware acceleration
on AMD gpus and `private-dev` currently breaks that (see #6364).
It seems to be used by the "amdgpu" and "amdkfd" Linux kernel drivers
and as with /dev/dri/renderD128, this file is owned by the "render"
group.
Relevant udev rules from /usr/lib/udev/rules.d/50-udev-default.rules:
SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="0666"
SUBSYSTEM=="kfd", GROUP="render", MODE="0666"
SUBSYSTEM=="accel", GROUP="render", MODE="0666"
Environment: udev 255.6-1 on Artix Linux.
Reported-by: @schrotthaufen
We still see lots of issue reports where the user runs `firejail foo`
and ends up running foo's sandbox twice (due to firecfg's symlink
precedence). Try to improve the situation by explicitly using absolute
paths in the 'steps to reproduce' section.
Changes:
* Remove / after `$(DESTDIR)`
* Remove useless -c
* Use 0755 instead of 755
* Use -d after -m
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
The command below already installs it.
Added on commit 926790411 ("add basic Firejail support to AppArmor base
abstraction (#3226)", 2021-10-21) / PR #4628.
And remove the extraneous semicolon at the end of the command string.
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
Tools:
* gzip
* install
* rm
* strip
* tar
For the programs not checked in configure.ac:
From the manual of GNU Autoconf (version 2.71):
> If you use `AC_PROG_INSTALL`, you must include `install-sh` in your
> distribution
So set `install` just in the Makefile. Use `$(RM)` to ensure that `-f`
is always used and to make it easier to spot when `-r` is used.
See commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
Just in case the value is not defined in config.mk and `make` is first
executed from another directory (such as in src/man) instead of the root
directory.
This amends commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
Changes:
* Improve Firefox D-Bus comment
* Add missing/standardize related comments
* Include allow-bin-sh.inc in relevant profiles
* Use Firefox URL open section in relevant profiles