Commit graph

10825 commits

Author SHA1 Message Date
Kelvin M. Klann
e31d872a51 profiles: add keep-hostname to profile.template
Put it together with the other `keep-` commands.

And move it to the allow section in libreoffice.profile.

Related commits:

* cc8b019b5 ("--keep-hostname part 1 (#7048)", 2026-02-03)
* fbc94070e ("adding keep-hostname to libreoffice.profile", 2026-02-11).

Relates to #7048.
2026-02-11 16:10:47 -03:00
netblue30
fbc94070ef adding keep-hostname to libreoffice.profile 2026-02-11 10:31:58 -05:00
netblue30
c13331305c adding apparmor profiles for --nettrace option 2026-02-11 09:17:22 -05:00
netblue30
8248f1eb5d
Merge pull request #7055 from pierretom/patch17
add a new option `--debug-syscall-groups` - part 2
2026-02-08 07:33:53 -05:00
netblue30
026332a819 merges 2026-02-08 07:17:26 -05:00
netblue30
ef7f8ee83c --keep-hostname part 3 (#7048) 2026-02-08 07:15:25 -05:00
pierretom
ab3d2f907e add a new option --debug-syscall-groups - part 2
- src/firejail/usage.c
- src/zsh_completion/_firejail.in
  - Add entries for `--debug-syscall-groups`
- src/lib/syscall.c
  - Complete string literals
- src/man/firejail.1.in
  - Add an entry for `--debug-syscall-groups`
  - Add `@memfd` and `@sandbox` syscall groups for the `--seccomp` option

This is the last part.
2026-02-07 17:04:05 +01:00
netblue30
46134f6972 added link-local addresses to 'nolocal' firewall configs (#7054) 2026-02-06 20:40:02 -05:00
netblue30
6f8cc61d00 merges 2026-02-06 20:39:24 -05:00
netblue30
6e774c3127
Merge pull request #7049 from pierretom/patch16
feature: add a new option `--debug-syscall-groups` - part 1
2026-02-06 20:28:50 -05:00
netblue30
ca934a2ccd disable by default some of the systemd tools, more cleanup, and more testing 2026-02-04 07:34:07 -05:00
netblue30
6f164f415e --keep-hostname part 2 (#7048) 2026-02-03 13:43:30 -05:00
Kelvin M. Klann
47d8079259 RELNOTES: add vesktop profile item
Relates to #7043.
2026-02-03 15:16:31 -03:00
Kelvin M. Klann
65878d6066 RELNOTES: format/improve profile items
Keep the existing commit references and add missing PR references.

This amends commit 5dc63f1a0 ("RELNOTES update", 2026-01-22).

Relates to #6996 #6999 #7023 #7029 #7030.
2026-02-03 15:16:27 -03:00
Kelvin M. Klann
67744b1928 RELNOTES: fix deno profile items
Fix wrong PR number (#7043 -> #7032) and merge duplicated items.

This amends commit 5dc63f1a0 ("RELNOTES update", 2026-01-22).

Relates to #7032.
2026-02-03 15:14:34 -03:00
netblue30
cc8b019b5d --keep-hostname part 1 (#7048) 2026-02-03 11:41:34 -05:00
netblue30
f7c80ab0ee testing; adding pierretom to the committers list 2026-02-02 08:26:23 -05:00
netblue30
7a76998c86 Merge branch 'master' of ssh://github.com/netblue30/firejail 2026-02-02 07:40:20 -05:00
netblue30
d3f182543d Hide/Mask firejail process (pid 1) inside sandbox #7046 2026-02-02 07:39:36 -05:00
Kelvin M. Klann
0ebf16c4fe syscall.c: fix typo of "clock" in comments
Related commits:

* 825fb24ff ("place some syscalls with access to a clock, used for time
  reading, theoretical resolution and sleep functions into
  `@default-keep`", 2026-01-28) /
  PR #7044
* f281d76f2 ("move other syscalls considered deprecated into
  `@obsolete`", 2026-01-28) /
  PR #7045

Command used to search and replace:

    $ perl -i -pe 's/clokc_/clock_/g' src/lib/syscall.c
2026-02-01 16:44:12 -03:00
dependabot[bot]
e7844285f8 build(deps): bump actions/checkout from 6.0.1 to 6.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8e8c483db8...de0fac2e45)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-01 19:26:27 +00:00
dependabot[bot]
6cd5b9e62c build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.0 to 2.14.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](20cf305ff2...e3f713f2d8)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-01 19:26:09 +00:00
dependabot[bot]
44fb777308 build(deps): bump github/codeql-action from 4.31.9 to 4.32.0
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.9 to 4.32.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](5d4e8d1aca...b20883b0cd)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-01 19:25:57 +00:00
pierretom
88a75a650d add a new option --debug-syscall-groups - part 1
This option allows listing all seccomp groups and their syscalls defined for the architecture in use.

Usage examples:
`firejail --debug-syscall-groups`
`firejail --debug-syscall-groups=@chown,@mount,@swap`
`firejail --debug-syscall-groups=@all`

This is the first part.
2026-02-01 08:48:22 +01:00
netblue30
4af62ee2da
Merge pull request #7045 from pierretom/patch15
move other syscalls considered deprecated into `@obsolete`
2026-01-29 12:54:51 -05:00
pierretom
f281d76f24 move other syscalls considered deprecated into @obsolete
`futimesat`, `gettimeofday`, `remap_file_pages`, `settimeofday`, `tkill` and `utime`.
2026-01-28 16:09:05 +01:00
netblue30
2184909cae more make test-apps 2026-01-28 09:09:27 -05:00
netblue30
361d3d87c4
Merge pull request #7044 from pierretom/patch14
place some syscalls with access to a clock into `@default-keep`
2026-01-28 07:58:29 -05:00
pierretom
825fb24ff1 place some syscalls with access to a clock, used for time reading, theoretical resolution and sleep functions into @default-keep
Also move `stime` into `@obsolete`, see `man 2 stime`.
2026-01-28 13:11:23 +01:00
netblue30
ec2068b656
Merge pull request #7042 from pierretom/patch13
modif: add missing syscalls in groups & fix setrlimit
2026-01-27 10:33:56 -05:00
netblue30
3c44462b85
Merge pull request #7039 from pierretom/patch12
update system call groups - part 4
2026-01-27 10:33:29 -05:00
sofoxe1
b59005ccf0
profiles: vesktop: fix screen sharing (#7043) 2026-01-27 07:26:11 +00:00
Kelvin M. Klann
e6d63e7037 syscall.c: fix extra char typo in file header
This amends commit 5d78ff54a ("Removing time-reading syscalls from
@clock group. It stops several networked programs such as firefox, or
any other program that tries to access the time. For example: firejail
sleep 10", 2026-01-25).
2026-01-27 04:21:30 -03:00
netblue30
b2d5c279ff spelling 2026-01-25 11:33:00 -05:00
netblue30
5d78ff54ab Removing time-reading syscalls from @clock group.
It stops several networked programs such as firefox, or any other
program that tries to access the time. For example:
firejail sleep 10
2026-01-25 11:27:50 -05:00
Kelvin M. Klann
f571fb5c70 tests: compile: remove leftover --disable-man test
The `--disable-man` test was added twice on commit 5c7c58f6e and only
one instance was removed on commit a655b7d1b.

Related commits:

* 5c7c58f6e ("rework make test-compile", 2026-01-20)
* a655b7d1b ("removed ./configure --disable-man option", 2026-01-21).
2026-01-25 04:39:34 -03:00
Kelvin M. Klann
26c27ff0cf RELNOTES: merge hyphen docs items
The second commit is a small amendment of the first commit:

* e256efe64 ("fix non-ASCII hypehens in manpages (#5903)", 2026-01-08)
* 0ddf56a31 ("docs: man: fix double backslash before hyphen",
  2026-01-10)

Relates to #5903.
2026-01-25 04:31:51 -03:00
pierretom
724c603bd6 add missing syscalls in groups
- `@io-event`:
  - `epoll_pwait2`
  - `osf_select`
  - `ppoll_time64`
  - `pselect6_time64`

- `@process`:
  - `getgid32`

And fix `sched_setrlimit` -> `setrlimit` in `@resources`.
2026-01-24 15:25:06 +01:00
pierretom
85625e46e6 add missing syscalls in groups 2026-01-24 15:11:49 +01:00
pierretom
f5e01fcc56 update system call groups - part 4
- Remove extra empty lines
- Definition of groups:
  - Add the two new groups `@memfd` and `@sandbox`
  - Add new syscalls
- Inheritance of groups:
  - Redraw it in a clearer form of groups and subgroups
  - Add the two new groups
  - Sort `@mount` and `@obsolete` groups by alphabetical order

This is the last part.
2026-01-22 16:21:01 +01:00
netblue30
5dc63f1a08 RELNOTES update 2026-01-22 09:01:27 -05:00
netblue30
756c420f0d
Merge pull request #7034 from pierretom/patch11
update system call groups - part 3
2026-01-22 07:31:37 -05:00
netblue30
6b7d77c41e testing --tmpfs as root and regular user 2026-01-21 15:48:06 -05:00
netblue30
b214d080e0 removed ./configure --disable-usertmpfs option 2026-01-21 15:07:43 -05:00
netblue30
a655b7d1ba removed ./configure --disable-man option 2026-01-21 14:14:40 -05:00
netblue30
5c7c58f6e6 rework make test-compile 2026-01-20 12:09:35 -05:00
netblue30
cc89b8391e Merge branch 'master' of ssh://github.com/netblue30/firejail 2026-01-20 11:10:55 -05:00
netblue30
d1a58de3fd fix compile for --enable-only-syscfg-profiles ./config option 2026-01-20 11:07:08 -05:00
netblue30
83bcb6b38b fix make dist (broken earlier) 2026-01-20 07:47:09 -05:00
pierretom
994148c1b6 Fix: exit is defined for all architectures 2026-01-20 12:51:44 +01:00