Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

luarocks #1

Closed
wants to merge 1,570 commits into from
Closed

luarocks #1

wants to merge 1,570 commits into from

Conversation

matu3ba
Copy link
Owner

@matu3ba matu3ba commented Oct 7, 2021

netblue30 and others added 30 commits June 17, 2021 14:44
Fixes the following "implicit declaration" warning (13 occurrences in
total) when building with gcov support:

    $ pacman -Q gcc10
    gcc10 1:10.2.0-3
    $ CC=gcc-10 && export CC
    $ ./configure --prefix=/usr --enable-apparmor --enable-gcov >/dev/null
    $ make >/dev/null
    appimage.c: In function ‘appimage_set’:
    appimage.c:140:2: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
      140 |  __gcov_flush();
          |  ^~~~~~~~~~~~
    interface.c: In function ‘print_sandbox’:
    interface.c:149:3: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
      149 |   __gcov_flush();
          |   ^~~~~~~~~~~~
    netstats.c: In function ‘netstats’:
    netstats.c:246:4: warning: implicit declaration of function ‘__gcov_flush’ [-Wimplicit-function-declaration]
      246 |    __gcov_flush();
          |    ^~~~~~~~~~~~
    [...]

Note: The commands above were executed from makepkg, while building
firejail-git from the AUR.

Note2: gcc-10 was used because the build fails with the current gcc
version (11.1.0) on Artix Linux.  The failure happens because
__gcov_flush was removed on gcc 11.1.0[1]; this will be addressed later.

Note3: The following command helped find the affected files:

    $ git grep -Fl __gcov -- src

[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=811b7636cb8c10f1a550a76242b5666c7ae36da2
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* downgrade error to warning,
smiliar to read-write option;
this simplifies use of tmpfs
option in general purpose
profiles, for example we
don't need to worry about links
people put in their homedir

* update manpage
* firecfg.config alpine

* Create alpinef.profile

* Create alpine.profile

* disable-programs.inc alpine

* workaround in comment

* Update etc/profile-a-l/alpine.profile

Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>

* deactivating whitelists in ${HOME}

* comment

Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Address netblue30#3872 with changes in pipewire for Firefox and Chromium
netblue30 and others added 29 commits September 24, 2021 13:42
users, and fldd in particular, might have no read permission
on the firejail executable, make that ok by running fldd
as root
don't try to read /usr/bin/firejail if private-bin removed it
from the sandbox filesystem
 - Allow org.freedesktop.secrets, fixes netblue30#4584
 - Improve comments about notifications and systray
 * cheese
   - fix: dbus-user.own org.gnome.Cheese
   - fix: whitelist /usr/share/gstreamer-1.0
   - fix: include allow-python3.inc
   - hardening: include disable-shell.inc
   - hardening: include whitelist-run-common.inc and whitelist /run/udev/data
   - hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
   - hardening: noinput
   - hardening: nosound
   - hardening: seccomp.block-secondary
   - hardening: private-dev
 * geekbench (closes netblue30#4576)
   - fix: noblacklist /sbin and noblacklist /usr/sbin
   - fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
   - fix: comment/remove private-bin, private-lib, private-opt
 * inkscape
   - add quiet for cli usage
 * musixmatch (netblue30#4518)
   - allow chroot
 * pandoc
   - fix: include allow-bin-sh.inc
   - fix: drop private-bin
   - hardening: include whitelist-runuser-common.inc
   - hardening: seccomp.block-secondary
In order UPnP to work netlink protocol must be enabled.
Enables recursive remounting on very old kernels, which has some relevance
for SailfishOS community ports.
Read mount id also on legacy kernels
DO NOT MERGE! Please review.

MERGE BLOCKER: firecfg does not create the necessary symlink in
/usr/local/bin
/usr/bin/luarocks however is a proper working binary.

Another annoyance from this: Neovim has a package manager called packer,
which pollutes $HOME with manifest-5-[1-4].zip and a pile of .rockspec
and .src.rock files.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
noblacklist in allow-lua.inc must corresponds to blacklist section for
lua in disable-interpreters.inc
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* disable /run/user/userid
* use well tested whitelist-usr-share-common.inc
* use disable-X11.inc
* dont break various application sandboxes with
  noblacklist /usr/include/lua*
  Instead insert it manually for luarocks.
* remove redundant `blacklist /usr/share/lua` from
  disable-interpreters.inc
@matu3ba matu3ba closed this Oct 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment