github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

deny" #5149

New issue

Closed

opened 2026-05-05 10:33:11 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:33:11 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/4410
Author: @kmk3
Created: 7/18/2021
Status: ✅ Merged
Merged: 7/25/2021
Merged by: @netblue30

Base: master ← Head: revert-allow-deny-etc

📝 Commits (2)

f43382f Revert "move whitelist/blacklist to allow/deny"
209cdb5 Merge branch 'master' into revert-allow-deny-etc

📊 Changes

798 files changed (+5094 additions, -5093 deletions)

View changed files

📝 etc/inc/allow-bin-sh.inc (+3 -3)
📝 etc/inc/allow-common-devel.inc (+18 -18)
📝 etc/inc/allow-gjs.inc (+8 -8)
📝 etc/inc/allow-java.inc (+5 -5)
📝 etc/inc/allow-lua.inc (+8 -8)
📝 etc/inc/allow-nodejs.inc (+2 -2)
📝 etc/inc/allow-opengl-game.inc (+2 -2)
📝 etc/inc/allow-perl.inc (+8 -8)
📝 etc/inc/allow-php.inc (+3 -3)
📝 etc/inc/allow-python2.inc (+5 -5)
📝 etc/inc/allow-python3.inc (+6 -6)
📝 etc/inc/allow-ruby.inc (+2 -2)
📝 etc/inc/allow-ssh.inc (+4 -4)
📝 etc/inc/disable-common.inc (+355 -355)
📝 etc/inc/disable-devel.inc (+40 -40)
📝 etc/inc/disable-interpreters.inc (+42 -42)
📝 etc/inc/disable-passwdmgr.inc (+15 -15)
📝 etc/inc/disable-programs.inc (+1100 -1100)
📝 etc/inc/disable-shell.inc (+11 -11)
📝 etc/inc/disable-xdg.inc (+4 -4)

...and 80 more files

📄 Description

This reverts commit fe0f975f44.

Note: This only reverts the changes from etc.

The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases.
That is, they fail to address the different usability problems discussed
on #3447 and in fact only make things more confusing (as has
already been mentioned on this and later comments). The main
reason is that the aliases do not meaningfully map to the original
commands. For example, the commands from each pair below seem like they
would do the exact same thing:

allow and nodeny
deny and noallow

Additionally, if these aliases are not the final commands, but only a
test/work-in-progress, then keeping the wide-scale search/replace
changes made on commit fe0f975f4 would only serve to cause confusion, as
users of firejail-git, contributors and downstream projects might start
changing the commands used on their profiles, only to later have to
change them again, potentially to completely different commands.

The sooner this is undone the better, as (besides the above reasons) the
more profile changes there are between the original commit and the
revert, the harder it is to e.g.: git diff versions of files across
the following revision ranges: before the commit, after the commit but
before the revert and after the revert. Note: This is still the case
even if a commit is ignored by git blame.

So let us revert fe0f975f4 and only reapply similar large-scale changes
once we have discussed and settled on better commands.

How the revert was applied: Despite using the auto-generated message
from git revert, to ensure correctness and to avoid conflicts the
changes were reverted in different steps: Firstly, revert the files
which can be safely reverted directly ("filestorevert"):

# Find out which files have been changed on fe0f975f44, but have not
# been changed afterwards and list them on "filestorevert"
git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles
git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore
comm -2 -3 allfiles filestoignore >filestorevert

# Note: There are 3 extra files on filestoignore because they were
# added after commit fe0f975f44
wc -l allfiles filestoignore filestorevert | head -n 3
#   797 allfiles
#     8 filestoignore
#   792 filestorevert

# Automatically revert files in "filestorevert"
# See https://stackoverflow.com/a/23401018/10095231
tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- |
git apply --reverse

printf 'Total files reverted:\n'
git diff --name-only | wc -l
# 792

Secondly, do some search/replace on the rest:

tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \
  -e 's/allow  /whitelist /' -e 's/noallow  /nowhitelist /' \
  -e 's/deny  /blacklist /' -e 's/nodeny  /noblacklist /' \
  -e 's/deny-nolog  /blacklist-nolog /'

find etc -name '*.bak' -print0 | xargs -0 rm

Thirdly, verify the result. The following command shows the difference
between all the changes in etc from before fe0f975f44 and this commit
(inclusive):

git diff fe0f975f44~1 -- etc

From the output, it looks like all alias changes are fully reverted and
that the other changes to etc (from after fe0f975f44) remain, so the
revert seems to be done correctly.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/4410 **Author:** [@kmk3](https://github.com/kmk3) **Created:** 7/18/2021 **Status:** ✅ Merged **Merged:** 7/25/2021 **Merged by:** [@netblue30](https://github.com/netblue30) **Base:** `master` ← **Head:** `revert-allow-deny-etc` --- ### 📝 Commits (2) - [`f43382f`](https://github.com/netblue30/firejail/commit/f43382f1e9707b4fd5e63c7bfe881912aa4ee994) Revert "move whitelist/blacklist to allow/deny" - [`209cdb5`](https://github.com/netblue30/firejail/commit/209cdb529b8fcaebd1775e553d63367bb7a86ecd) Merge branch 'master' into revert-allow-deny-etc ### 📊 Changes **798 files changed** (+5094 additions, -5093 deletions) <details> <summary>View changed files</summary> 📝 `etc/inc/allow-bin-sh.inc` (+3 -3) 📝 `etc/inc/allow-common-devel.inc` (+18 -18) 📝 `etc/inc/allow-gjs.inc` (+8 -8) 📝 `etc/inc/allow-java.inc` (+5 -5) 📝 `etc/inc/allow-lua.inc` (+8 -8) 📝 `etc/inc/allow-nodejs.inc` (+2 -2) 📝 `etc/inc/allow-opengl-game.inc` (+2 -2) 📝 `etc/inc/allow-perl.inc` (+8 -8) 📝 `etc/inc/allow-php.inc` (+3 -3) 📝 `etc/inc/allow-python2.inc` (+5 -5) 📝 `etc/inc/allow-python3.inc` (+6 -6) 📝 `etc/inc/allow-ruby.inc` (+2 -2) 📝 `etc/inc/allow-ssh.inc` (+4 -4) 📝 `etc/inc/disable-common.inc` (+355 -355) 📝 `etc/inc/disable-devel.inc` (+40 -40) 📝 `etc/inc/disable-interpreters.inc` (+42 -42) 📝 `etc/inc/disable-passwdmgr.inc` (+15 -15) 📝 `etc/inc/disable-programs.inc` (+1100 -1100) 📝 `etc/inc/disable-shell.inc` (+11 -11) 📝 `etc/inc/disable-xdg.inc` (+4 -4) _...and 80 more files_ </details> ### 📄 Description This reverts commit fe0f975f447d59977d90c3226cc8c623b31b20b3. Note: This only reverts the changes from etc. The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases. That is, they fail to address the different usability problems discussed on [#3447][3447] and in fact only make things more confusing (as has already been mentioned on [this][4379] and later comments). The main reason is that the aliases do not meaningfully map to the original commands. For example, the commands from each pair below seem like they would do the exact same thing: * `allow` and `nodeny` * `deny` and `noallow` Additionally, if these aliases are not the final commands, but only a test/work-in-progress, then keeping the wide-scale search/replace changes made on commit fe0f975f4 would only serve to cause confusion, as users of firejail-git, contributors and downstream projects might start changing the commands used on their profiles, only to later have to change them again, potentially to completely different commands. The sooner this is undone the better, as (besides the above reasons) the more profile changes there are between the original commit and the revert, the harder it is to e.g.: `git diff` versions of files across the following revision ranges: before the commit, after the commit but before the revert and after the revert. Note: This is still the case even if a commit is [ignored by `git blame`][4390]. So let us revert fe0f975f4 and only reapply similar large-scale changes once we have discussed and settled on better commands. How the revert was applied: Despite using the auto-generated message from `git revert`, to ensure correctness and to avoid conflicts the changes were reverted in different steps: Firstly, revert the files which can be safely reverted directly ("filestorevert"): # Find out which files have been changed on fe0f975f44, but have not # been changed afterwards and list them on "filestorevert" git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore comm -2 -3 allfiles filestoignore >filestorevert # Note: There are 3 extra files on filestoignore because they were # added after commit fe0f975f44 wc -l allfiles filestoignore filestorevert | head -n 3 # 797 allfiles # 8 filestoignore # 792 filestorevert # Automatically revert files in "filestorevert" # See https://stackoverflow.com/a/23401018/10095231 tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- | git apply --reverse printf 'Total files reverted:\n' git diff --name-only | wc -l # 792 Secondly, do some search/replace on the rest: tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \ -e 's/allow /whitelist /' -e 's/noallow /nowhitelist /' \ -e 's/deny /blacklist /' -e 's/nodeny /noblacklist /' \ -e 's/deny-nolog /blacklist-nolog /' find etc -name '*.bak' -print0 | xargs -0 rm Thirdly, verify the result. The following command shows the difference between all the changes in etc from before fe0f975f44 and this commit (inclusive): git diff fe0f975f44~1 -- etc From the output, it looks like all alias changes are fully reverted and that the other changes to etc (from after fe0f975f44) remain, so the revert seems to be done correctly. [3447]: https://github.com/netblue30/firejail/issues/3447 [4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222 [4390]: https://github.com/netblue30/firejail/issues/4390 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:33:11 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#5149

No description provided.

Rows
Columns