56 files changed, 395 insertions, 178 deletions
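--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >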
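--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,7 +59,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >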
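--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -45,7 +45,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -76,7 +76,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -103,7 +103,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -132,7 +132,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           disable-sudo: true
           egress-policy: block
@@ -150,7 +150,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80
+        uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
         with:
           languages: cpp
 
@@ -161,4 +161,4 @@ jobs:
         run: make -j "$(nproc)"
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80
+        uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75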
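--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           disable-sudo: true
           egress-policy: block
@@ -43,10 +43,10 @@ jobs:
         run: ./ci/printenv.sh
       - run: python3 --version
 
-      # - name: sort.py
-      # run: >
-      # ./ci/check/profiles/sort.py
-      # etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+      - name: sort.py
+        run: >
+          ./ci/check/profiles/sort.py
+          etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
       # Currently broken (see #5610)
       # - name: private-etc-always-required.sh
       # run: >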
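Review bot: The re-enabled step runs `./ci/check/profiles/sort.py`, while the sorting change in this same commit lands in `contrib/sort.py`; if those are two separate copies rather than a symlink, CI would keep running the old case-insensitive sort and flag profiles that the new script considers correctly ordered, so confirm they resolve to the same file. The folded `run: >` scalar depends on bash brace expansion for `etc/{profile-a-l,profile-m-z}/*.profile`; that holds under GitHub's default `bash -e {0}` on Linux runners, but under `sh` the literal would be passed through unexpanded and the check would silently cover fewer files, so adding `shell: bash` to the step documents the assumption (unless a `defaults.run.shell` already does so outside this hunk).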
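--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           disable-sudo: true
           egress-policy: block
@@ -50,9 +50,9 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80
+        uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
         with:
           languages: python
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80
+        uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75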
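--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -38,6 +38,8 @@ jobs:
         run: sudo apt-get update -qy
       - name: install dependencies
         run: sudo apt-get install -qy codespell
+      - name: print env
+        run: ./ci/printenv.sh
       - name: configure
         run: ./configure || (cat config.log; exit 1)
       - run: codespell --version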
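--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -53,7 +53,7 @@ jobs:
       SHELL: /bin/bash
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -100,7 +100,7 @@ jobs:
       SHELL: /bin/bash
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -138,7 +138,7 @@ jobs:
       SHELL: /bin/bash
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -176,7 +176,7 @@ jobs:
       SHELL: /bin/bash
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -216,7 +216,7 @@ jobs:
       SHELL: /bin/bash
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
         with:
           egress-policy: block
           allowed-endpoints: >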
@@ -235,6 +235,7 @@ endif | |||
235 | install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/* | 235 | install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/* |
236 | # profiles and settings | 236 | # profiles and settings |
237 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail | 237 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail |
238 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d | ||
238 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config | 239 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config |
239 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config | 240 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config |
240 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 241 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" |
@@ -125,6 +125,7 @@ Aleksey Manevich (https://github.com/manevich) | |||
125 | Alexander Gerasiov (https://github.com/gerasiov) | 125 | Alexander Gerasiov (https://github.com/gerasiov) |
126 | - read-only ~/.ssh/authorized_keys | 126 | - read-only ~/.ssh/authorized_keys |
127 | - profile updates | 127 | - profile updates |
128 | - fcopy: Use lstat when copy directory | ||
128 | Alexander Stein (https://github.com/ajstein) | 129 | Alexander Stein (https://github.com/ajstein) |
129 | - added profile for qutebrowser | 130 | - added profile for qutebrowser |
130 | alkim0 (https://github.com/alkim0) | 131 | alkim0 (https://github.com/alkim0) |
@@ -169,6 +170,8 @@ aoand (https://github.com/aoand) | |||
169 | - seccomp fix: allow numeric syscalls | 170 | - seccomp fix: allow numeric syscalls |
170 | Arne Welzel (https://github.com/awelzel) | 171 | Arne Welzel (https://github.com/awelzel) |
171 | - ignore SIGTTOU during flush_stdin() | 172 | - ignore SIGTTOU during flush_stdin() |
173 | archaon616 (https://github.com/archaon616) | ||
174 | - steam.profile: Allow Factorio | ||
172 | Atrate (https://github.com/Atrate) | 175 | Atrate (https://github.com/Atrate) |
173 | - BetterDiscord support | 176 | - BetterDiscord support |
174 | Austin Morton (https://github.com/apmorton) | 177 | Austin Morton (https://github.com/apmorton) |
@@ -284,6 +287,8 @@ Christian Stadelmann (https://github.com/genodeftest) | |||
284 | - evolution profile fix | 287 | - evolution profile fix |
285 | Clayton Williams (https://github.com/gosre) | 288 | Clayton Williams (https://github.com/gosre) |
286 | - addition of RLIMIT_AS | 289 | - addition of RLIMIT_AS |
290 | CodeWithMa (https://github.com/CodeWithMa) | ||
291 | - mpv.profile: add new XDG_STATE_HOME path | ||
287 | corecontingency (https://https://github.com/corecontingency) | 292 | corecontingency (https://https://github.com/corecontingency) |
288 | - tighten private-bin and etc for torbrowser-launcher.profile | 293 | - tighten private-bin and etc for torbrowser-launcher.profile |
289 | - added i2prouter profile | 294 | - added i2prouter profile |
@@ -350,6 +355,10 @@ David Hyrule (https://github.com/Svaag) | |||
350 | - remove nou2f in ssh profile | 355 | - remove nou2f in ssh profile |
351 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) | 356 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
352 | - added xpdf profile | 357 | - added xpdf profile |
358 | DefaultUser (https://github.com/DefaultUser) | ||
359 | - neochat: Allow netlink | ||
360 | Denis Subbotin (https://github.com/mr-tron) | ||
361 | - telegram.profile: allow ~/.local/share/telegram-desktop | ||
353 | Denys Havrysh (https://github.com/vutny) | 362 | Denys Havrysh (https://github.com/vutny) |
354 | - update SkypeForLinux profile for latest version | 363 | - update SkypeForLinux profile for latest version |
355 | - removed outdated Skype profile | 364 | - removed outdated Skype profile |
@@ -372,6 +381,7 @@ dmfreemon (https://github.com/dmfreemon) | |||
372 | - handle malloc() failures; use gnu_basename() instead of basenaem() | 381 | - handle malloc() failures; use gnu_basename() instead of basenaem() |
373 | Dmitriy Chestnykh (https://github.com/chestnykh) | 382 | Dmitriy Chestnykh (https://github.com/chestnykh) |
374 | - add ability to disable user profiles at compile time | 383 | - add ability to disable user profiles at compile time |
384 | - lookup xauth in PATH | ||
375 | Dpeta (https://github.com/Dpeta) | 385 | Dpeta (https://github.com/Dpeta) |
376 | - add Chatterino profile | 386 | - add Chatterino profile |
377 | dshmgh (https://github.com/dshmgh) | 387 | dshmgh (https://github.com/dshmgh) |
@@ -466,6 +476,9 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
466 | - added Catfish profile | 476 | - added Catfish profile |
467 | Frederik Olesen (https://github.com/Freso) | 477 | Frederik Olesen (https://github.com/Freso) |
468 | - added many vim profiles | 478 | - added many vim profiles |
479 | Frostbyte4664 (https://github.com/Frostbyte4664) | ||
480 | - steam.profile: Allow Baba Is You | ||
481 | - blender-3.6 redirect | ||
469 | g3ngr33n (https://github.com/g3ngr33n) | 482 | g3ngr33n (https://github.com/g3ngr33n) |
470 | - fix musl compilation | 483 | - fix musl compilation |
471 | G4JC (https://sourceforge.net/u/gaming4jc/profile/) | 484 | G4JC (https://sourceforge.net/u/gaming4jc/profile/) |
@@ -498,6 +511,8 @@ glitsj16 (https://github.com/glitsj16) | |||
498 | - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh | 511 | - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh |
499 | - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie | 512 | - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie |
500 | - new profiles: masterpdfeditor | 513 | - new profiles: masterpdfeditor |
514 | glu8716 (https://github.com/glu8716) | ||
515 | - nicotine: support Fcitx and dconf via dbus-user filter | ||
501 | gm10 (https://github.com/gm10) | 516 | gm10 (https://github.com/gm10) |
502 | - get_user() do not use the unreliable getlogin() | 517 | - get_user() do not use the unreliable getlogin() |
503 | GovanifY (https://github.com/GovanifY) | 518 | GovanifY (https://github.com/GovanifY) |
@@ -515,6 +530,7 @@ GSI (https://github.com/GSI) | |||
515 | - added Uzbl browser profile | 530 | - added Uzbl browser profile |
516 | haarp (https://github.com/haarp) | 531 | haarp (https://github.com/haarp) |
517 | - Allow sound for hexchat | 532 | - Allow sound for hexchat |
533 | - discord-common.profile: harden & allow notifications | ||
518 | hamzadis (https://github.com/hamzadis) | 534 | hamzadis (https://github.com/hamzadis) |
519 | - added --overlay-named=name and --overlay-path=path | 535 | - added --overlay-named=name and --overlay-path=path |
520 | Hans-Christoph Steiner (https://github.com/eighthave) | 536 | Hans-Christoph Steiner (https://github.com/eighthave) |
@@ -643,6 +659,8 @@ jrabe (https://github.com/jrabe) | |||
643 | - Polari profile | 659 | - Polari profile |
644 | - qTox profile | 660 | - qTox profile |
645 | - X11 fixes | 661 | - X11 fixes |
662 | jtrv (https://github.com/jtrv) | ||
663 | - tidal-hifi profile | ||
646 | juan (https://github.com/nyancat18) | 664 | juan (https://github.com/nyancat18) |
647 | - fixed Kdenlive, Shotcut profiles | 665 | - fixed Kdenlive, Shotcut profiles |
648 | - new profiles for Cinelerra, Cliqz, Bluefish | 666 | - new profiles for Cinelerra, Cliqz, Bluefish |
@@ -691,6 +709,8 @@ kuesji koesnu (https://github.com/kuesji) | |||
691 | - better parser for size strings | 709 | - better parser for size strings |
692 | Kunal Mehta (https://github.com/legoktm) | 710 | Kunal Mehta (https://github.com/legoktm) |
693 | - converted all links to https in manpages | 711 | - converted all links to https in manpages |
712 | kzsa (https://github.com/kzsa) | ||
713 | - wusc: add /usr/share/locale-langpack (LC_MESSAGES) | ||
694 | laniakea64 (https://github.com/laniakea64) | 714 | laniakea64 (https://github.com/laniakea64) |
695 | - added fj-mkdeb.py script to build deb packages | 715 | - added fj-mkdeb.py script to build deb packages |
696 | Lari Rauno (https://github.com/tuutti) | 716 | Lari Rauno (https://github.com/tuutti) |
@@ -706,6 +726,8 @@ layderv (https://github.com/layderv) | |||
706 | lecso7 (https://github.com/lecso7) | 726 | lecso7 (https://github.com/lecso7) |
707 | - added goldendict profile | 727 | - added goldendict profile |
708 | - allow evince to read .cbz file format | 728 | - allow evince to read .cbz file format |
729 | leukimi (https://github.com/leukimi) | ||
730 | - 0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed | ||
709 | Loïc Damien (https://github.com/dzamlo) | 731 | Loïc Damien (https://github.com/dzamlo) |
710 | - small fixes | 732 | - small fixes |
711 | Liorst4 (https://github.com/Liorst4) | 733 | Liorst4 (https://github.com/Liorst4) |
@@ -730,12 +752,15 @@ Madura A (https://github.com/manushanga) | |||
730 | mahdi1234 (https://github.com/mahdi1234) | 752 | mahdi1234 (https://github.com/mahdi1234) |
731 | - cherrytree profile | 753 | - cherrytree profile |
732 | - Seamonkey profiles | 754 | - Seamonkey profiles |
755 | mammo0 (https://github.com/mammo0) | ||
756 | - remove 'text/plain' from firejail-profile.lang.in | ||
733 | Manuel Dipolt (https://github.com/xeniter) | 757 | Manuel Dipolt (https://github.com/xeniter) |
734 | - stack alignment for the ARM Architecture | 758 | - stack alignment for the ARM Architecture |
735 | Marek Küthe (https://github.com/marek22k) | 759 | Marek Küthe (https://github.com/marek22k) |
736 | - allow loading plugins in gajim | 760 | - allow loading plugins in gajim |
737 | - allow bsfilter in email-common.profile | 761 | - allow bsfilter in email-common.profile |
738 | - email-common.profile: allow clamav plugin for claws-mail | 762 | - email-common.profile: allow clamav plugin for claws-mail |
763 | - VSCodium: Fix developing Arduino | ||
739 | Martin Carpenter (https://github.com/mcarpenter) | 764 | Martin Carpenter (https://github.com/mcarpenter) |
740 | - security audit and bug fixes | 765 | - security audit and bug fixes |
741 | - Centos 6.x support | 766 | - Centos 6.x support |
@@ -824,6 +849,9 @@ Nikos Chantziaras (https://github.com/realnc) | |||
824 | - fix audio support for Discord | 849 | - fix audio support for Discord |
825 | nolanl (https://github.com/nolanl) | 850 | nolanl (https://github.com/nolanl) |
826 | - added localtime to signal-desktop's profile | 851 | - added localtime to signal-desktop's profile |
852 | nutta-git (https://github.com/nutta-git) | ||
853 | - steam.profile: allow process_vm_readv syscall | ||
854 | - lutris.profile: allow more syscalls | ||
827 | nyancat18 (https://github.com/nyancat18) | 855 | nyancat18 (https://github.com/nyancat18) |
828 | - added ardour4, dooble, karbon, krita profiles | 856 | - added ardour4, dooble, karbon, krita profiles |
829 | nya1 (https://github.com/nya1) | 857 | nya1 (https://github.com/nya1) |
@@ -1194,6 +1222,9 @@ Vadim A. Misbakh-Soloviov (https://github.com/msva) | |||
1194 | ValdikSS (https://github.com/ValdikSS) | 1222 | ValdikSS (https://github.com/ValdikSS) |
1195 | - Psi+, Corebird, Konversation profiles | 1223 | - Psi+, Corebird, Konversation profiles |
1196 | - various profile fixes | 1224 | - various profile fixes |
1225 | Varun Sharma (https://github.com/varunsh-coder) | ||
1226 | - update allowed endpoints | ||
1227 | - build(deps): bump step-security/harden-runner from 2.5.0 to 2.5.1 | ||
1197 | Vasya Novikov (https://github.com/vn971) | 1228 | Vasya Novikov (https://github.com/vn971) |
1198 | - Wesnoth profile | 1229 | - Wesnoth profile |
1199 | - Hedegewars profile | 1230 | - Hedegewars profile |
@@ -22,12 +22,15 @@ firejail (0.9.73) baseline; urgency=low | |||
22 | * modif: improve errExit error messages (#5871) | 22 | * modif: improve errExit error messages (#5871) |
23 | * modif: drop deprecated 'shell' option references (#5894) | 23 | * modif: drop deprecated 'shell' option references (#5894) |
24 | * modif: keep pipewire group unless nosound is used (#5992 #5993) | 24 | * modif: keep pipewire group unless nosound is used (#5992 #5993) |
25 | * modif: Lookup xauth in PATH (#6006 #6087) | ||
25 | * bugfix: qutebrowser: links will not open in the existing instance (#5601 | 26 | * bugfix: qutebrowser: links will not open in the existing instance (#5601 |
26 | #5618) | 27 | #5618) |
27 | * bugfix: fix --hostname and --hosts-file commands | 28 | * bugfix: fix --hostname and --hosts-file commands |
28 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) | 29 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) |
29 | * bugfix: Wrong syscall names for s390_pci_mmio_read and s390_pci_mmio_write | 30 | * bugfix: Wrong syscall names for s390_pci_mmio_read and s390_pci_mmio_write |
30 | (#5965 #5976) | 31 | (#5965 #5976) |
32 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 | ||
33 | #6086) | ||
31 | * build: auto-generate syntax files (#5627) | 34 | * build: auto-generate syntax files (#5627) |
32 | * build: mark all phony targets as such (#5637) | 35 | * build: mark all phony targets as such (#5637) |
33 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) | 36 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) |
@@ -46,6 +49,7 @@ firejail (0.9.73) baseline; urgency=low | |||
46 | * build: firecfg.config sorting improvements (#5942) | 49 | * build: firecfg.config sorting improvements (#5942) |
47 | * build: codespell improvements (#5955) | 50 | * build: codespell improvements (#5955) |
48 | * build: add missing makefile dep & syntax improvements (#5956) | 51 | * build: add missing makefile dep & syntax improvements (#5956) |
52 | * build: sort.py: use case-sensitive sorting (#6070) | ||
49 | * ci: always update the package db before installing packages (#5742) | 53 | * ci: always update the package db before installing packages (#5742) |
50 | * ci: fix codeql unable to download its own bundle (#5783) | 54 | * ci: fix codeql unable to download its own bundle (#5783) |
51 | * ci: split configure/build/install commands on gitlab (#5784) | 55 | * ci: split configure/build/install commands on gitlab (#5784) |
@@ -57,6 +61,8 @@ firejail (0.9.73) baseline; urgency=low | |||
57 | * ci: whitelist paths, reorganize workflows & speed-up tests (#5960) | 61 | * ci: whitelist paths, reorganize workflows & speed-up tests (#5960) |
58 | * ci: fix dependabot duplicated workflow runs (#5984) | 62 | * ci: fix dependabot duplicated workflow runs (#5984) |
59 | * ci: allow running workflows manually (#6026) | 63 | * ci: allow running workflows manually (#6026) |
64 | * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057 | ||
65 | #6059) | ||
60 | * contrib/vim: match profile files more broadly (#5850) | 66 | * contrib/vim: match profile files more broadly (#5850) |
61 | * test: split individual test groups in github workflows | 67 | * test: split individual test groups in github workflows |
62 | * test: add chroot, appimage and network tests in github workflows | 68 | * test: add chroot, appimage and network tests in github workflows |
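--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -15,8 +15,8 @@ Usage: {path.basename(argv[0])} [/path/to/profile ...]
 
 The following commands are supported:
 
-private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,
-seccomp.drop, protocol
+private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp,
+seccomp.drop, seccomp.keep, protocol
 
 Note that this is only applicable to commands that support multiple arguments.
 
@@ -38,7 +38,7 @@ Exit Codes:
 
 def sort_alphabetical(original_items):
     items = original_items.split(",")
-    items.sort(key=str.casefold)
+    items.sort()
     return ",".join(items)
 
 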
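--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -192,6 +192,7 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
+blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.config/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-boxes
 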
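--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.ViberPC
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
@@ -125,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.cache/gnome-builder
 blacklist ${HOME}/.cache/gnome-control-center
 blacklist ${HOME}/.cache/gnome-recipes
@@ -223,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/tiny-rdm
 blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/ueberzugpp
@@ -347,10 +346,10 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/TinyRDM
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VSCodium
-blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Youtube
@@ -559,7 +558,6 @@ blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
-blacklist ${HOME}/.config/msmtp
 blacklist ${HOME}/.config/mullvad-browser-flags.conf
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/mutt
@@ -939,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-builder
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-klotski
@@ -1019,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/pnpm
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
@@ -1084,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
-blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mullvad/mullvadbrowser
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
@@ -1233,7 +1230,6 @@ blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
 blacklist ${RUNUSER}/psd/*firefox*
 blacklist ${RUNUSER}/qutebrowser
-blacklist /etc/msmtprc
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*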
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile index afd76282c..76db2986d 100644 --- a/etc/profile-a-l/ani-cli.profile +++ b/etc/profile-a-l/ani-cli.profile | |||
@@ -33,7 +33,7 @@ notv | |||
33 | disable-mnt | 33 | disable-mnt |
34 | private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mktemp,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc | 34 | private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mktemp,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc |
35 | #private-cache | 35 | #private-cache |
36 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 36 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
39 | # Redirect | 39 | # Redirect |
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile index 9fc73ee55..7651c5d32 100644 --- a/etc/profile-a-l/clamtk.profile +++ b/etc/profile-a-l/clamtk.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for clamtk | 1 | # Firejail profile for clamtk |
2 | # Description: Easy to use, light-weight, on-demand virus scanner for Linux systems | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include clamtk.local | 5 | include clamtk.local |
@@ -7,15 +8,22 @@ include globals.local | |||
7 | 8 | ||
8 | include disable-exec.inc | 9 | include disable-exec.inc |
9 | 10 | ||
11 | # Add the below lines to your clamtk.local if you update signatures databases per-user: | ||
12 | #ignore net none | ||
13 | #netfilter | ||
14 | #protocol inet,inet6 | ||
15 | |||
10 | caps.drop all | 16 | caps.drop all |
11 | ipc-namespace | 17 | ipc-namespace |
12 | net none | 18 | net none |
13 | no3d | 19 | no3d |
14 | nodvd | 20 | nodvd |
15 | nogroups | 21 | # nogroups breaks scanning |
22 | #nogroups | ||
16 | noinput | 23 | noinput |
17 | nonewprivs | 24 | nonewprivs |
18 | noroot | 25 | # noroot breaks scanning |
26 | #noroot | ||
19 | nosound | 27 | nosound |
20 | notv | 28 | notv |
21 | nou2f | 29 | nou2f |
@@ -25,7 +33,9 @@ seccomp | |||
25 | 33 | ||
26 | private-dev | 34 | private-dev |
27 | 35 | ||
28 | dbus-user none | 36 | dbus-user filter |
37 | dbus-user.talk ca.desrt.dconf | ||
38 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor | ||
29 | dbus-system none | 39 | dbus-system none |
30 | 40 | ||
31 | restrict-namespaces | 41 | restrict-namespaces |
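Review bot: The suggested `#protocol inet,inet6` at new line 14 omits `unix`, so a user who uncomments it as the note at line 11 instructs would lose unix sockets, which the new `dbus-user filter` / `dbus-user.talk` lines (36-38) and the GTK session bus depend on, whereas the other profiles in this change use `protocol unix,inet,inet6` (tiny-rdm, fbreader). Suggest `#protocol unix,inet,inet6`; how a second `protocol` line from clamtk.local combines with any `protocol` line already in the profile (not visible here, it would sit between `nou2f` and `seccomp`) should also be confirmed. The reason comments `# nogroups breaks scanning` and `# noroot breaks scanning` would help a later reviewer re-tighten the profile if they said what breaks, e.g. `# nogroups breaks scanning (presumably clamav group membership is needed to read the signature database; TODO confirm)`.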
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile index b67729301..acf0281d9 100644 --- a/etc/profile-a-l/discord-canary.profile +++ b/etc/profile-a-l/discord-canary.profile | |||
@@ -12,7 +12,7 @@ whitelist ${HOME}/.config/discordcanary | |||
12 | whitelist /opt/DiscordCanary | 12 | whitelist /opt/DiscordCanary |
13 | whitelist /opt/discord-canary | 13 | whitelist /opt/discord-canary |
14 | 14 | ||
15 | private-bin discord-canary,DiscordCanary | 15 | private-bin DiscordCanary,discord-canary |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include discord-common.profile | 18 | include discord-common.profile |
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile index a657c52b5..82b33174c 100644 --- a/etc/profile-a-l/discord-ptb.profile +++ b/etc/profile-a-l/discord-ptb.profile | |||
@@ -12,7 +12,7 @@ whitelist ${HOME}/.config/discordptb | |||
12 | whitelist /opt/DiscordPTB | 12 | whitelist /opt/DiscordPTB |
13 | whitelist /opt/discord | 13 | whitelist /opt/discord |
14 | 14 | ||
15 | private-bin discord-ptb,DiscordPTB | 15 | private-bin DiscordPTB,discord-ptb |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include discord-common.profile | 18 | include discord-common.profile |
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile index a4fcae5b8..9776b41d5 100644 --- a/etc/profile-a-l/discord.profile +++ b/etc/profile-a-l/discord.profile | |||
@@ -11,8 +11,9 @@ mkdir ${HOME}/.config/discord | |||
11 | whitelist ${HOME}/.config/discord | 11 | whitelist ${HOME}/.config/discord |
12 | whitelist /opt/Discord | 12 | whitelist /opt/Discord |
13 | whitelist /opt/discord | 13 | whitelist /opt/discord |
14 | whitelist /usr/share/discord | ||
14 | 15 | ||
15 | private-bin discord,Discord | 16 | private-bin Discord,discord |
16 | 17 | ||
17 | # Redirect | 18 | # Redirect |
18 | include discord-common.profile | 19 | include discord-common.profile |
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index 40e19dfc3..53ed90e9c 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile | |||
@@ -40,7 +40,7 @@ private-bin display,python* | |||
40 | private-dev | 40 | private-dev |
41 | # On Debian-based systems, display is a symlink in /etc/alternatives | 41 | # On Debian-based systems, display is a symlink in /etc/alternatives |
42 | private-etc ImageMagick-6,ImageMagick-7 | 42 | private-etc ImageMagick-6,ImageMagick-7 |
43 | private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.* | 43 | private-lib ImageMagick*,gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,libMagickWand-*.so.*,libXext.so.*,libfreetype.so.*,libltdl.so.* |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile index 93929c6ea..62e9d42ac 100644 --- a/etc/profile-a-l/enpass.profile +++ b/etc/profile-a-l/enpass.profile | |||
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink | |||
52 | seccomp | 52 | seccomp |
53 | tracelog | 53 | tracelog |
54 | 54 | ||
55 | private-bin dirname,Enpass,importer_enpass,readlink,sh | 55 | private-bin Enpass,dirname,importer_enpass,readlink,sh |
56 | ?HAS_APPIMAGE: ignore private-dev | 56 | ?HAS_APPIMAGE: ignore private-dev |
57 | private-dev | 57 | private-dev |
58 | private-opt Enpass | 58 | private-opt Enpass |
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile index 434371aee..5906085de 100644 --- a/etc/profile-a-l/fbreader.profile +++ b/etc/profile-a-l/fbreader.profile | |||
@@ -33,7 +33,7 @@ novideo | |||
33 | protocol unix,inet,inet6 | 33 | protocol unix,inet,inet6 |
34 | seccomp | 34 | seccomp |
35 | 35 | ||
36 | private-bin fbreader,FBReader | 36 | private-bin FBReader,fbreader |
37 | private-dev | 37 | private-dev |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
diff --git a/etc/profile-a-l/fluffychat.profile b/etc/profile-a-l/fluffychat.profile index abc5979da..1c5db09e9 100644 --- a/etc/profile-a-l/fluffychat.profile +++ b/etc/profile-a-l/fluffychat.profile | |||
@@ -60,7 +60,7 @@ disable-mnt | |||
60 | private-bin firefox,fluffychat,sh,which,zenity | 60 | private-bin firefox,fluffychat,sh,which,zenity |
61 | private-cache | 61 | private-cache |
62 | private-dev | 62 | private-dev |
63 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 63 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
64 | private-tmp | 64 | private-tmp |
65 | 65 | ||
66 | dbus-user filter | 66 | dbus-user filter |
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile index 133d66f0d..f59094567 100644 --- a/etc/profile-a-l/freshclam.profile +++ b/etc/profile-a-l/freshclam.profile | |||
@@ -2,7 +2,7 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | 3 | quiet |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include clamav.local | 5 | include freshclam.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile index c4085cf9c..683e1b5f7 100644 --- a/etc/profile-a-l/hugin.profile +++ b/etc/profile-a-l/hugin.profile | |||
@@ -38,7 +38,7 @@ novideo | |||
38 | protocol unix | 38 | protocol unix |
39 | seccomp | 39 | seccomp |
40 | 40 | ||
41 | private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize | 41 | private-bin PTBatcherGUI,align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile index f9dc4f60c..367f69743 100644 --- a/etc/profile-a-l/lobster.profile +++ b/etc/profile-a-l/lobster.profile | |||
@@ -44,7 +44,7 @@ notv | |||
44 | disable-mnt | 44 | disable-mnt |
45 | private-bin base64,bash,cat,command,curl,cut,date,dirname,echo,ffmpeg,ffprobe,find,fzf,grep,head,hxunent,ln,lobster,ls,mkdir,mkfifo,nano,nohup,openssl,patch,pgrep,ps,rm,rofi,sed,sh,sleep,socat,tail,tee,tput,tr,ueberzugpp,uname,uuidgen,vim,wc | 45 | private-bin base64,bash,cat,command,curl,cut,date,dirname,echo,ffmpeg,ffprobe,find,fzf,grep,head,hxunent,ln,lobster,ls,mkdir,mkfifo,nano,nohup,openssl,patch,pgrep,ps,rm,rofi,sed,sh,sleep,socat,tail,tee,tput,tr,ueberzugpp,uname,uuidgen,vim,wc |
46 | #private-cache | 46 | #private-cache |
47 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 47 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | # Redirect | 50 | # Redirect |
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index c3497c3bd..0462cb503 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${HOME}/Games | |||
11 | noblacklist ${HOME}/.cache/lutris | 11 | noblacklist ${HOME}/.cache/lutris |
12 | noblacklist ${HOME}/.cache/wine | 12 | noblacklist ${HOME}/.cache/wine |
13 | noblacklist ${HOME}/.cache/winetricks | 13 | noblacklist ${HOME}/.cache/winetricks |
14 | noblacklist ${HOME}/.config/MangoHud | ||
14 | noblacklist ${HOME}/.config/lutris | 15 | noblacklist ${HOME}/.config/lutris |
15 | noblacklist ${HOME}/.local/share/lutris | 16 | noblacklist ${HOME}/.local/share/lutris |
16 | #noblacklist ${HOME}/.wine | 17 | #noblacklist ${HOME}/.wine |
@@ -45,6 +46,7 @@ whitelist ${HOME}/Games | |||
45 | whitelist ${HOME}/.cache/lutris | 46 | whitelist ${HOME}/.cache/lutris |
46 | whitelist ${HOME}/.cache/wine | 47 | whitelist ${HOME}/.cache/wine |
47 | whitelist ${HOME}/.cache/winetricks | 48 | whitelist ${HOME}/.cache/winetricks |
49 | whitelist ${HOME}/.config/MangoHud | ||
48 | whitelist ${HOME}/.config/lutris | 50 | whitelist ${HOME}/.config/lutris |
49 | whitelist ${HOME}/.local/share/lutris | 51 | whitelist ${HOME}/.local/share/lutris |
50 | #whitelist ${HOME}/.wine | 52 | #whitelist ${HOME}/.wine |
@@ -69,7 +71,7 @@ notv | |||
69 | nou2f | 71 | nou2f |
70 | novideo | 72 | novideo |
71 | protocol unix,inet,inet6,netlink | 73 | protocol unix,inet,inet6,netlink |
72 | seccomp !modify_ldt | 74 | seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace |
73 | seccomp.32 !modify_ldt | 75 | seccomp.32 !modify_ldt |
74 | 76 | ||
75 | # Add the next line to your lutris.local if you do not need controller support. | 77 | # Add the next line to your lutris.local if you do not need controller support. |
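Review bot: The new `seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace` on line 74 exempts two syscalls that let any process inside the sandbox read or control its siblings' memory, and neither the line nor the surrounding text says which component needs them, unlike steam.profile in this same change, which cites Proton and an issue number for each exemption. Add the justification above the line, e.g. `# ptrace, process_vm_readv and clone3 are needed by <component> (see #NNNN)`. Line 75 still reads `seccomp.32 !modify_ldt`; if the exemptions exist for Wine/Proton, 32-bit prefixes will presumably need the same ones (steam.profile exempts process_vm_readv on its `seccomp.32` line too), so either mirror them there or note why they are 64-bit only.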
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index dd5639268..853b6ae52 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile | |||
@@ -72,7 +72,7 @@ seccomp | |||
72 | tracelog | 72 | tracelog |
73 | 73 | ||
74 | disable-mnt | 74 | disable-mnt |
75 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer | 75 | private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer |
76 | private-cache | 76 | private-cache |
77 | private-dev | 77 | private-dev |
78 | private-etc @tls-ca | 78 | private-etc @tls-ca |
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index eed839041..e7dba9cd5 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile | |||
@@ -47,7 +47,7 @@ seccomp | |||
47 | tracelog | 47 | tracelog |
48 | 48 | ||
49 | disable-mnt | 49 | disable-mnt |
50 | private-bin gio,QOwnNotes | 50 | private-bin QOwnNotes,gio |
51 | private-dev | 51 | private-dev |
52 | private-etc @tls-ca,host.conf | 52 | private-etc @tls-ca,host.conf |
53 | private-tmp | 53 | private-tmp |
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index fe1f9b877..ea7d8bfa7 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile | |||
@@ -31,7 +31,7 @@ protocol unix,inet,inet6 | |||
31 | seccomp !chroot | 31 | seccomp !chroot |
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
34 | private-bin awk,bash,dig,sh,Viber | 34 | private-bin Viber,awk,bash,dig,sh |
35 | private-etc @tls-ca,@x11,mailcap,proxychains.conf | 35 | private-etc @tls-ca,@x11,mailcap,proxychains.conf |
36 | private-tmp | 36 | private-tmp |
37 | 37 | ||
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile index 97b9d2898..5b8747825 100644 --- a/etc/profile-m-z/XMind.profile +++ b/etc/profile-m-z/XMind.profile | |||
@@ -31,7 +31,7 @@ protocol unix,inet,inet6 | |||
31 | seccomp | 31 | seccomp |
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
34 | private-bin cp,sh,XMind | 34 | private-bin XMind,cp,sh |
35 | private-tmp | 35 | private-tmp |
36 | private-dev | 36 | private-dev |
37 | 37 | ||
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile index 8007b887a..1efd1e8f9 100644 --- a/etc/profile-m-z/mov-cli.profile +++ b/etc/profile-m-z/mov-cli.profile | |||
@@ -26,7 +26,7 @@ notv | |||
26 | disable-mnt | 26 | disable-mnt |
27 | private-bin ffmpeg,fzf,mov-cli | 27 | private-bin ffmpeg,fzf,mov-cli |
28 | #private-cache | 28 | #private-cache |
29 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 29 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
30 | private-tmp | 30 | private-tmp |
31 | 31 | ||
32 | # Redirect | 32 | # Redirect |
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index ab1e0ab02..097ce6e83 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
@@ -127,7 +127,7 @@ tracelog | |||
127 | #disable-mnt | 127 | #disable-mnt |
128 | private-cache | 128 | private-cache |
129 | private-dev | 129 | private-dev |
130 | private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo | 130 | private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,msmtprc,nntpserver,terminfo |
131 | private-tmp | 131 | private-tmp |
132 | writable-run-user | 132 | writable-run-user |
133 | writable-var | 133 | writable-var |
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile index b979e1aee..30dd164b6 100644 --- a/etc/profile-m-z/natron.profile +++ b/etc/profile-m-z/natron.profile | |||
@@ -30,7 +30,7 @@ nou2f | |||
30 | protocol unix | 30 | protocol unix |
31 | seccomp | 31 | seccomp |
32 | 32 | ||
33 | private-bin natron,Natron,NatronRenderer | 33 | private-bin Natron,NatronRenderer,natron |
34 | 34 | ||
35 | dbus-user none | 35 | dbus-user none |
36 | dbus-system none | 36 | dbus-system none |
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index b15e98424..51e2e43bf 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
@@ -119,7 +119,7 @@ tracelog | |||
119 | #disable-mnt | 119 | #disable-mnt |
120 | private-cache | 120 | private-cache |
121 | private-dev | 121 | private-dev |
122 | private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver | 122 | private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,msmtprc,neomuttrc,neomuttrc.d,nntpserver |
123 | private-tmp | 123 | private-tmp |
124 | writable-run-user | 124 | writable-run-user |
125 | writable-var | 125 | writable-var |
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index 4c463521c..f301196c6 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile | |||
@@ -7,7 +7,7 @@ include nodejs-common.local | |||
7 | # added by caller profile | 7 | # added by caller profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts | 10 | # Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts |
11 | # using the `#!/usr/bin/env node` shebang. By sandboxing node the full | 11 | # using the `#!/usr/bin/env node` shebang. By sandboxing node the full |
12 | # node.js stack will be firejailed. The only exception is nvm, which is implemented | 12 | # node.js stack will be firejailed. The only exception is nvm, which is implemented |
13 | # as a sourced shell function, not an executable binary. Hence it is not | 13 | # as a sourced shell function, not an executable binary. Hence it is not |
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc | |||
22 | ignore read-only ${HOME}/.nvm | 22 | ignore read-only ${HOME}/.nvm |
23 | ignore read-only ${HOME}/.yarnrc | 23 | ignore read-only ${HOME}/.yarnrc |
24 | 24 | ||
25 | noblacklist ${HOME}/.local/share/pnpm | ||
25 | noblacklist ${HOME}/.node-gyp | 26 | noblacklist ${HOME}/.node-gyp |
26 | noblacklist ${HOME}/.npm | 27 | noblacklist ${HOME}/.npm |
27 | noblacklist ${HOME}/.npmrc | 28 | noblacklist ${HOME}/.npmrc |
@@ -43,6 +44,7 @@ include disable-xdg.inc | |||
43 | 44 | ||
44 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory | 45 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory |
45 | # and add the next lines to your nodejs-common.local. | 46 | # and add the next lines to your nodejs-common.local. |
47 | #mkdir ${HOME}/.local/share/pnpm | ||
46 | #mkdir ${HOME}/.node-gyp | 48 | #mkdir ${HOME}/.node-gyp |
47 | #mkdir ${HOME}/.npm | 49 | #mkdir ${HOME}/.npm |
48 | #mkdir ${HOME}/.npm-packages | 50 | #mkdir ${HOME}/.npm-packages |
@@ -52,6 +54,7 @@ include disable-xdg.inc | |||
52 | #mkdir ${HOME}/.yarn-config | 54 | #mkdir ${HOME}/.yarn-config |
53 | #mkdir ${HOME}/.yarncache | 55 | #mkdir ${HOME}/.yarncache |
54 | #mkfile ${HOME}/.yarnrc | 56 | #mkfile ${HOME}/.yarnrc |
57 | #whitelist ${HOME}/.local/share/pnpm | ||
55 | #whitelist ${HOME}/.node-gyp | 58 | #whitelist ${HOME}/.node-gyp |
56 | #whitelist ${HOME}/.npm | 59 | #whitelist ${HOME}/.npm |
57 | #whitelist ${HOME}/.npm-packages | 60 | #whitelist ${HOME}/.npm-packages |
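Review bot: The pnpm additions (lines 25, 47, 57) cover only `${HOME}/.local/share/pnpm`; pnpm also keeps a cache and an rc file under the XDG cache and config directories on Linux (presumably `${HOME}/.cache/pnpm` and `${HOME}/.config/pnpm`; TODO confirm against the pnpm version targeted), and neither gets a commented `mkdir`/`whitelist` pair in the whitelisting recipe at lines 47-60 nor an entry in the `ignore read-only` list at 22-23, so a user following the recipe gets a pnpm that cannot persist its cache or read its config. If those paths are confirmed, add `#mkdir ${HOME}/.cache/pnpm` / `#whitelist ${HOME}/.cache/pnpm` and the config equivalents next to the existing pnpm lines.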
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile new file mode 100644 index 000000000..08f88be43 --- /dev/null +++ b/etc/profile-m-z/pnpm.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for pnpm | ||
2 | # Description: Fast, disk space efficient package manager | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include pnpm.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include nodejs-common.profile | ||
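Review bot: The new pnpm and pnpx profiles are not added to `src/firecfg/firecfg.config` anywhere on this page (the only firecfg.config hunk further down adds tiny-rdm, and it starts past the alphabetical position of pnpm), so `firecfg` will not create symlinks for them and the profiles only apply when firejail is invoked explicitly. If npm/npx/yarn are listed in firecfg.config (not visible here), add `pnpm` and `pnpx` there for consistency; if node tooling is deliberately left out, a short comment in this profile stating that would make the intent visible.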
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile new file mode 100644 index 000000000..a99d1232a --- /dev/null +++ b/etc/profile-m-z/pnpx.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for pnpx | ||
2 | # Description: Part of the Node.js stack | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include pnpx.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile index c8f00584d..a74b72695 100644 --- a/etc/profile-m-z/postman.profile +++ b/etc/profile-m-z/postman.profile | |||
@@ -17,7 +17,7 @@ include whitelist-run-common.inc | |||
17 | 17 | ||
18 | protocol unix,inet,inet6,netlink | 18 | protocol unix,inet,inet6,netlink |
19 | 19 | ||
20 | private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh | 20 | private-bin Postman,electron,electron[0-9],electron[0-9][0-9],locale,node,postman,sh |
21 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl | 21 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl |
22 | # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM | 22 | # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM |
23 | # https://github.com/netblue30/firejail/discussions/5307 | 23 | # https://github.com/netblue30/firejail/discussions/5307 |
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index da16ae912..5ae6ccf04 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile | |||
@@ -39,7 +39,7 @@ novideo | |||
39 | protocol unix,netlink | 39 | protocol unix,netlink |
40 | seccomp | 40 | seccomp |
41 | 41 | ||
42 | private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL | 42 | private-bin PPSSPP,PPSSPPQt,PPSSPPSDL,ppsspp |
43 | # Add the next line to your ppsspp.local if you do not need controller support. | 43 | # Add the next line to your ppsspp.local if you do not need controller support. |
44 | #private-dev | 44 | #private-dev |
45 | private-etc @tls-ca,@x11,host.conf | 45 | private-etc @tls-ca,@x11,host.conf |
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index 7ce6748d1..3a3a9062e 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free | 42 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc @tls-ca,fstab,SoftMaker | 45 | private-etc @tls-ca,SoftMaker,fstab |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 34cb3631a..41de746dd 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -163,7 +163,7 @@ protocol unix,inet,inet6,netlink | |||
163 | # Add 'ignore seccomp' to your steam.local if you experience this. | 163 | # Add 'ignore seccomp' to your steam.local if you experience this. |
164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 | 164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 |
165 | # (see #4366). | 165 | # (see #4366). |
166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2 | 166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2 |
167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). | 167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). |
168 | seccomp.32 !process_vm_readv | 168 | seccomp.32 !process_vm_readv |
169 | # tracelog breaks integrated browser | 169 | # tracelog breaks integrated browser |
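Review bot: The comment `# process_vm_readv is used by GE-Proton7-18 (see #5185).` on line 167 now justifies the exemption added to the 64-bit line 166 as well as the existing `seccomp.32` line 168, but it sits between them, so a reader of line 166 sees only the Proton >= 5.13 note above it. Move it above line 166, or fold it into the existing explanation as `# process_vm_readv is used by GE-Proton7-18 on both 64- and 32-bit (see #5185).`, so every syscall exempted on the 64-bit line has its justification adjacent.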
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index fa992ad1a..7ed3d98d4 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -46,7 +46,7 @@ seccomp | |||
46 | seccomp.block-secondary | 46 | seccomp.block-secondary |
47 | 47 | ||
48 | disable-mnt | 48 | disable-mnt |
49 | private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open | 49 | private-bin Telegram,bash,sh,telegram,telegram-desktop,xdg-open |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc @tls-ca,@x11,os-release | 52 | private-etc @tls-ca,@x11,os-release |
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile index 5babfb8d2..c0293406d 100644 --- a/etc/profile-m-z/tesseract.profile +++ b/etc/profile-m-z/tesseract.profile | |||
@@ -26,6 +26,7 @@ include whitelist-common.inc | |||
26 | include whitelist-run-common.inc | 26 | include whitelist-run-common.inc |
27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
28 | whitelist /usr/share/tessdata | 28 | whitelist /usr/share/tessdata |
29 | whitelist /usr/share/tesseract-ocr | ||
29 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
31 | 32 | ||
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile new file mode 100644 index 000000000..4134d666c --- /dev/null +++ b/etc/profile-m-z/tiny-rdm.profile | |||
@@ -0,0 +1,61 @@ | |||
1 | # Firejail profile for tiny-rdm | ||
2 | # Description: A Modern Redis GUI Client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include tiny-rdm.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/tiny-rdm | ||
10 | noblacklist ${HOME}/.config/TinyRDM | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-proc.inc | ||
18 | include disable-shell.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.cache/tiny-rdm | ||
22 | mkdir ${HOME}/.config/TinyRDM | ||
23 | whitelist ${HOME}/.cache/tiny-rdm | ||
24 | whitelist ${HOME}/.config/TinyRDM | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-run-common.inc | ||
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | apparmor | ||
32 | caps.drop all | ||
33 | ipc-namespace | ||
34 | netfilter | ||
35 | no3d | ||
36 | nodvd | ||
37 | nogroups | ||
38 | noinput | ||
39 | nonewprivs | ||
40 | noprinters | ||
41 | noroot | ||
42 | notv | ||
43 | nou2f | ||
44 | novideo | ||
45 | nosound | ||
46 | protocol unix,inet,inet6 | ||
47 | seccomp | ||
48 | seccomp.block-secondary | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin tiny-rdm | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc @network,@tls-ca,@x11 | ||
56 | private-tmp | ||
57 | |||
58 | dbus-user none | ||
59 | dbus-system none | ||
60 | |||
61 | restrict-namespaces | ||
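Review bot: `novideo` (line 44) is placed before `nosound` (line 45), whereas the other profiles in this change list the `no*` options alphabetically (`nosound`, `notv`, `nou2f`, `novideo`, as in clamtk and fbreader), which the project's sorting checks will presumably flag; swap them to `nosound` / `notv` / `nou2f` / `novideo`. Separately, `private-bin tiny-rdm` combined with `disable-exec.inc` and `disable-shell.inc` assumes the installed entry point is a single native binary; if it is a wrapper script, or the client shells out to a helper (for instance for an SSH tunnel), those would need adding, so a comment recording what was tested (`# Tested with <package/version>`) would help the next person to hit a breakage.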
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index 9f1f1c241..bac48805c 100644 --- a/etc/profile-m-z/transgui.profile +++ b/etc/profile-m-z/transgui.profile | |||
@@ -49,7 +49,7 @@ private-bin geoiplookup,geoiplookup6,transgui | |||
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc @network,@tls-ca,@x11 | 51 | private-etc @network,@tls-ca,@x11 |
52 | private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* | 52 | private-lib libGeoIP.so*,libX11.so.*,libgdk_pixbuf-2.0.so.*,libgthread-2.0.so.*,libgtk-x11-2.0.so.* |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index a56e8a91b..84fe44d73 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -277,7 +277,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str | |||
277 | 277 | ||
278 | // don't copy it if we already have the file | 278 | // don't copy it if we already have the file |
279 | struct stat s; | 279 | struct stat s; |
280 | if (stat(outfname, &s) == 0) { | 280 | if (lstat(outfname, &s) == 0) { |
281 | if (first) | 281 | if (first) |
282 | first = 0; | 282 | first = 0; |
283 | else if (!arg_quiet) | 283 | else if (!arg_quiet) |
@@ -286,7 +286,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str | |||
286 | } | 286 | } |
287 | 287 | ||
288 | // extract mode and ownership | 288 | // extract mode and ownership |
289 | if (stat(infname, &s) != 0) | 289 | if (lstat(infname, &s) != 0) |
290 | goto out; | 290 | goto out; |
291 | 291 | ||
292 | uid_t uid = s.st_uid; | 292 | uid_t uid = s.st_uid; |
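Review bot: The `lstat(infname, &s)` at line 289 re-queries a path that the traversal already described through the `st` parameter, so the mode and ownership applied to the copy can come from a different inode than the one the caller saw; if `st` was produced by the same walk (the signature looks like an nftw-style callback, but it lies outside the hunk), `s = *st;` there removes the second lookup altogether. The change at line 280 is the safer direction: a symlink already sitting at `outfname` now counts as "we already have the file" instead of being followed to whatever it points at, and deserves a comment, `// lstat: never follow a symlink planted in the destination tree`. fs_copydir() begins and ends outside the hunks.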
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 19c3166fa..558fe51ed 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -834,6 +834,7 @@ thunderbird-beta | |||
834 | thunderbird-wayland | 834 | thunderbird-wayland |
835 | tidal-hifi | 835 | tidal-hifi |
836 | tilp | 836 | tilp |
837 | tiny-rdm | ||
837 | tor-browser | 838 | tor-browser |
838 | tor-browser-ar | 839 | tor-browser-ar |
839 | tor-browser-ca | 840 | tor-browser-ca |
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h index 8f74a1198..11e3ebc67 100644 --- a/src/firecfg/firecfg.h +++ b/src/firecfg/firecfg.h | |||
@@ -37,6 +37,16 @@ | |||
37 | #include "../include/common.h" | 37 | #include "../include/common.h" |
38 | #define MAX_BUF 4096 | 38 | #define MAX_BUF 4096 |
39 | 39 | ||
40 | // config files | ||
41 | #define FIRECFG_CFGFILE SYSCONFDIR "/firecfg.config" | ||
42 | #define FIRECFG_CONF_GLOB SYSCONFDIR "/firecfg.d/*.conf" | ||
43 | |||
44 | // programs | ||
45 | #define FIREJAIL_EXEC PREFIX "/bin/firejail" | ||
46 | #define FIREJAIL_WELCOME_SH LIBDIR "/firejail/firejail-welcome.sh" | ||
47 | #define FZENITY_EXEC LIBDIR "/firejail/fzenity" | ||
48 | #define ZENITY_EXEC "/usr/bin/zenity" | ||
49 | #define SUDO_EXEC "sudo" | ||
40 | 50 | ||
41 | // main.c | 51 | // main.c |
42 | extern int arg_debug; | 52 | extern int arg_debug; |
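Review bot: `SUDO_EXEC` is a bare `sudo` resolved through the shell's PATH, while `ZENITY_EXEC` pins `/usr/bin/zenity` and the same commit replaces the hard-coded `/usr/bin/xauth` in x11.c with a PATH lookup, so the header mixes two resolution policies for programs that end up in one `system()` string (main.c, the `asprintf` in the --guide branch) without saying why. A comment above the block, `// SUDO_EXEC is resolved via PATH on purpose; the remaining programs are addressed by absolute path`, or making them consistent, would settle it. The `sudo` literal is not new (it was inline in main.c before), but it is now the single place to look if the doas support mentioned in the man page hunk is meant to cover --guide.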
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 4ec81c5b3..604b12633 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -20,6 +20,8 @@ | |||
20 | 20 | ||
21 | #include "firecfg.h" | 21 | #include "firecfg.h" |
22 | #include "../include/firejail_user.h" | 22 | #include "../include/firejail_user.h" |
23 | #include <glob.h> | ||
24 | |||
23 | int arg_debug = 0; | 25 | int arg_debug = 0; |
24 | char *arg_bindir = "/usr/local/bin"; | 26 | char *arg_bindir = "/usr/local/bin"; |
25 | int arg_guide = 0; | 27 | int arg_guide = 0; |
@@ -76,10 +78,6 @@ static void list(void) { | |||
76 | exit(1); | 78 | exit(1); |
77 | } | 79 | } |
78 | 80 | ||
79 | char *firejail_exec; | ||
80 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
81 | errExit("asprintf"); | ||
82 | |||
83 | struct dirent *entry; | 81 | struct dirent *entry; |
84 | while ((entry = readdir(dir)) != NULL) { | 82 | while ((entry = readdir(dir)) != NULL) { |
85 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 83 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) |
@@ -92,7 +90,7 @@ static void list(void) { | |||
92 | if (is_link(fullname)) { | 90 | if (is_link(fullname)) { |
93 | char* fname = realpath(fullname, NULL); | 91 | char* fname = realpath(fullname, NULL); |
94 | if (fname) { | 92 | if (fname) { |
95 | if (strcmp(fname, firejail_exec) == 0) | 93 | if (strcmp(fname, FIREJAIL_EXEC) == 0) |
96 | printf("%s\n", fullname); | 94 | printf("%s\n", fullname); |
97 | free(fname); | 95 | free(fname); |
98 | } | 96 | } |
@@ -101,7 +99,6 @@ static void list(void) { | |||
101 | } | 99 | } |
102 | 100 | ||
103 | closedir(dir); | 101 | closedir(dir); |
104 | free(firejail_exec); | ||
105 | } | 102 | } |
106 | 103 | ||
107 | static void clean(void) { | 104 | static void clean(void) { |
@@ -114,10 +111,6 @@ static void clean(void) { | |||
114 | exit(1); | 111 | exit(1); |
115 | } | 112 | } |
116 | 113 | ||
117 | char *firejail_exec; | ||
118 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
119 | errExit("asprintf"); | ||
120 | |||
121 | struct dirent *entry; | 114 | struct dirent *entry; |
122 | while ((entry = readdir(dir)) != NULL) { | 115 | while ((entry = readdir(dir)) != NULL) { |
123 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 116 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) |
@@ -130,7 +123,7 @@ static void clean(void) { | |||
130 | if (is_link(fullname)) { | 123 | if (is_link(fullname)) { |
131 | char* fname = realpath(fullname, NULL); | 124 | char* fname = realpath(fullname, NULL); |
132 | if (fname) { | 125 | if (fname) { |
133 | if (strcmp(fname, firejail_exec) == 0) { | 126 | if (strcmp(fname, FIREJAIL_EXEC) == 0) { |
134 | char *ptr = strrchr(fullname, '/'); | 127 | char *ptr = strrchr(fullname, '/'); |
135 | assert(ptr); | 128 | assert(ptr); |
136 | ptr++; | 129 | ptr++; |
@@ -147,10 +140,43 @@ static void clean(void) { | |||
147 | } | 140 | } |
148 | 141 | ||
149 | closedir(dir); | 142 | closedir(dir); |
150 | free(firejail_exec); | ||
151 | printf("\n"); | 143 | printf("\n"); |
152 | } | 144 | } |
153 | 145 | ||
146 | #define ignorelist_maxlen 2048 | ||
147 | static const char *ignorelist[ignorelist_maxlen]; | ||
148 | static int ignorelist_len = 0; | ||
149 | |||
150 | static int append_ignorelist(const char *const str) { | ||
151 | assert(str); | ||
152 | if (ignorelist_len >= ignorelist_maxlen) { | ||
153 | fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n", | ||
154 | ignorelist_len, ignorelist_maxlen, str); | ||
155 | return 0; | ||
156 | } | ||
157 | |||
158 | printf(" ignoring '%s'\n", str); | ||
159 | const char *const dup = strdup(str); | ||
160 | if (!dup) | ||
161 | errExit("strdup"); | ||
162 | |||
163 | ignorelist[ignorelist_len] = dup; | ||
164 | ignorelist_len++; | ||
165 | |||
166 | return 1; | ||
167 | } | ||
168 | |||
169 | static int in_ignorelist(const char *const str) { | ||
170 | assert(str); | ||
171 | int i; | ||
172 | for (i = 0; i < ignorelist_len; i++) { | ||
173 | if (strcmp(str, ignorelist[i]) == 0) | ||
174 | return 1; | ||
175 | } | ||
176 | |||
177 | return 0; | ||
178 | } | ||
179 | |||
154 | static void set_file(const char *name, const char *firejail_exec) { | 180 | static void set_file(const char *name, const char *firejail_exec) { |
155 | if (which(name) == 0) | 181 | if (which(name) == 0) |
156 | return; | 182 | return; |
@@ -165,35 +191,26 @@ static void set_file(const char *name, const char *firejail_exec) { | |||
165 | if (rv) { | 191 | if (rv) { |
166 | fprintf(stderr, "Error: cannot create %s symbolic link\n", fname); | 192 | fprintf(stderr, "Error: cannot create %s symbolic link\n", fname); |
167 | perror("symlink"); | 193 | perror("symlink"); |
168 | } | 194 | } else { |
169 | else | ||
170 | printf(" %s created\n", name); | 195 | printf(" %s created\n", name); |
171 | } | 196 | } |
172 | else { | 197 | } else { |
173 | fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname); | 198 | fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname); |
174 | } | 199 | } |
175 | 200 | ||
176 | free(fname); | 201 | free(fname); |
177 | } | 202 | } |
178 | 203 | ||
179 | // parse /etc/firejail/firecfg.config file | 204 | // parse a single config file |
180 | static void set_links_firecfg(void) { | 205 | static void set_links_firecfg(const char *cfgfile) { |
181 | char *cfgfile; | 206 | printf("Configuring symlinks in %s based on %s\n", arg_bindir, cfgfile); |
182 | if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1) | ||
183 | errExit("asprintf"); | ||
184 | |||
185 | char *firejail_exec; | ||
186 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
187 | errExit("asprintf"); | ||
188 | 207 | ||
189 | // parse /etc/firejail/firecfg.config file | ||
190 | FILE *fp = fopen(cfgfile, "r"); | 208 | FILE *fp = fopen(cfgfile, "r"); |
191 | if (!fp) { | 209 | if (!fp) { |
192 | perror("fopen"); | 210 | perror("fopen"); |
193 | fprintf(stderr, "Error: cannot open %s\n", cfgfile); | 211 | fprintf(stderr, "Error: cannot open %s\n", cfgfile); |
194 | exit(1); | 212 | exit(1); |
195 | } | 213 | } |
196 | printf("Configuring symlinks in %s based on firecfg.config\n", arg_bindir); | ||
197 | 214 | ||
198 | char buf[MAX_BUF]; | 215 | char buf[MAX_BUF]; |
199 | int lineno = 0; | 216 | int lineno = 0; |
@@ -223,13 +240,43 @@ static void set_links_firecfg(void) { | |||
223 | if (*start == '\0') | 240 | if (*start == '\0') |
224 | continue; | 241 | continue; |
225 | 242 | ||
243 | // handle ignore command | ||
244 | if (*start == '!') { | ||
245 | append_ignorelist(start + 1); | ||
246 | continue; | ||
247 | } | ||
248 | |||
226 | // set link | 249 | // set link |
227 | set_file(start, firejail_exec); | 250 | if (!in_ignorelist(start)) |
251 | set_file(start, FIREJAIL_EXEC); | ||
252 | else | ||
253 | printf(" %s ignored\n", start); | ||
228 | } | 254 | } |
229 | 255 | ||
230 | fclose(fp); | 256 | fclose(fp); |
231 | free(cfgfile); | 257 | printf("\n"); |
232 | free(firejail_exec); | 258 | } |
259 | |||
260 | // parse all config files matching pattern | ||
261 | static void set_links_firecfg_glob(const char *pattern) { | ||
262 | printf("Looking for config files in %s\n", pattern); | ||
263 | |||
264 | glob_t globbuf; | ||
265 | int globerr = glob(pattern, 0, NULL, &globbuf); | ||
266 | if (globerr == GLOB_NOMATCH) { | ||
267 | fprintf(stderr, "No matches for glob pattern %s\n", pattern); | ||
268 | goto out; | ||
269 | } else if (globerr != 0) { | ||
270 | fprintf(stderr, "Warning: Failed to match glob pattern %s: %s\n", | ||
271 | pattern, strerror(errno)); | ||
272 | goto out; | ||
273 | } | ||
274 | |||
275 | size_t i; | ||
276 | for (i = 0; i < globbuf.gl_pathc; i++) | ||
277 | set_links_firecfg(globbuf.gl_pathv[i]); | ||
278 | out: | ||
279 | globfree(&globbuf); | ||
233 | } | 280 | } |
234 | 281 | ||
235 | // parse ~/.config/firejail/ directory | 282 | // parse ~/.config/firejail/ directory |
@@ -246,10 +293,6 @@ static void set_links_homedir(const char *homedir) { | |||
246 | return; | 293 | return; |
247 | } | 294 | } |
248 | 295 | ||
249 | char *firejail_exec; | ||
250 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
251 | errExit("asprintf"); | ||
252 | |||
253 | // parse ~/.config/firejail/ directory | 296 | // parse ~/.config/firejail/ directory |
254 | printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir); | 297 | printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir); |
255 | 298 | ||
@@ -260,6 +303,7 @@ static void set_links_homedir(const char *homedir) { | |||
260 | free(dirname); | 303 | free(dirname); |
261 | return; | 304 | return; |
262 | } | 305 | } |
306 | free(dirname); | ||
263 | 307 | ||
264 | struct dirent *entry; | 308 | struct dirent *entry; |
265 | while ((entry = readdir(dir))) { | 309 | while ((entry = readdir(dir))) { |
@@ -280,12 +324,10 @@ static void set_links_homedir(const char *homedir) { | |||
280 | } | 324 | } |
281 | 325 | ||
282 | *ptr = '\0'; | 326 | *ptr = '\0'; |
283 | set_file(exec, firejail_exec); | 327 | set_file(exec, FIREJAIL_EXEC); |
284 | free(exec); | 328 | free(exec); |
285 | } | 329 | } |
286 | closedir(dir); | 330 | closedir(dir); |
287 | |||
288 | free(firejail_exec); | ||
289 | } | 331 | } |
290 | 332 | ||
291 | static const char *get_sudo_user(void) { | 333 | static const char *get_sudo_user(void) { |
@@ -449,18 +491,20 @@ int main(int argc, char **argv) { | |||
449 | } | 491 | } |
450 | 492 | ||
451 | if (arg_guide) { | 493 | if (arg_guide) { |
494 | const char *zenity_exec; | ||
495 | if (arg_debug) | ||
496 | zenity_exec = FZENITY_EXEC; | ||
497 | else | ||
498 | zenity_exec = ZENITY_EXEC; | ||
499 | |||
452 | char *cmd; | 500 | char *cmd; |
453 | if (arg_debug) { | 501 | if (asprintf(&cmd, "%s %s %s %s %s", |
454 | if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/lib/firejail/fzenity %s %s", LIBDIR, SYSCONFDIR, user) == -1) | 502 | SUDO_EXEC, FIREJAIL_WELCOME_SH, zenity_exec, SYSCONFDIR, user) == -1) |
455 | errExit("asprintf"); | 503 | errExit("asprintf"); |
456 | } | 504 | |
457 | else { | ||
458 | if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/bin/zenity %s %s", LIBDIR, SYSCONFDIR, user) == -1) | ||
459 | errExit("asprintf"); | ||
460 | } | ||
461 | int status = system(cmd); | 505 | int status = system(cmd); |
462 | if (status == -1) { | 506 | if (status == -1) { |
463 | fprintf(stderr, "Error: cannot run firejail-welcome.sh\n"); | 507 | fprintf(stderr, "Error: cannot run %s\n", FIREJAIL_WELCOME_SH); |
464 | exit(1); | 508 | exit(1); |
465 | } | 509 | } |
466 | free(cmd); | 510 | free(cmd); |
@@ -474,12 +518,15 @@ else { | |||
474 | // clear all symlinks | 518 | // clear all symlinks |
475 | clean(); | 519 | clean(); |
476 | 520 | ||
477 | // set new symlinks based on /etc/firejail/firecfg.config | 521 | // set new symlinks based on .conf files |
478 | set_links_firecfg(); | 522 | set_links_firecfg_glob(FIRECFG_CONF_GLOB); |
523 | |||
524 | // set new symlinks based on firecfg.config | ||
525 | set_links_firecfg(FIRECFG_CFGFILE); | ||
479 | 526 | ||
480 | if (getuid() == 0) { | 527 | if (getuid() == 0) { |
481 | // add user to firejail access database - only for root | 528 | // add user to firejail access database - only for root |
482 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); | 529 | printf("Adding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); |
483 | // temporarily set the umask, access database must be world-readable | 530 | // temporarily set the umask, access database must be world-readable |
484 | mode_t orig_umask = umask(022); | 531 | mode_t orig_umask = umask(022); |
485 | firejail_user_add(user); | 532 | firejail_user_add(user); |
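Review bot: The `'!'` branch in set_links_firecfg() passes `start + 1` to append_ignorelist() unchecked, so a line that is just `!` registers an empty name and, if the trimming above the hunk strips only leading whitespace, `! firefox` registers ` firefox` and never matches anything; a guard before the call, `if (start[1] == '\0') { fprintf(stderr, "Warning: %s:%d: empty ignore entry\n", cfgfile, lineno); continue; }`, catches the first case and skipping blanks after the `!` the second. Because in_ignorelist() is consulted as each entry is read and set_file() acts immediately, an `!PROGRAM` only affects entries parsed after it: firecfg.d/*.conf is processed before firecfg.config in main(), which is what makes overrides work, but an `!prog` placed below `prog` in the same file is silently ineffective, so add `// an ignore entry only affects lines parsed after it` at the branch (the SYNTAX section added to firecfg.1.in in this commit does not mention the ordering either). set_links_firecfg_glob() depends on glob()'s default sorting for the "alphabetical order" the man page promises, which a comment on the `glob(pattern, 0, NULL, &globbuf)` line should say, and since no GLOB_ERR flag is passed the `strerror(errno)` in the failure message is only meaningful for GLOB_NOSPACE. set_links_firecfg() now exit(1)s for any unreadable firecfg.d file, not just the main config, which is a new way for one stray file to abort the whole run.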
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index 583888e0e..b43c36c1a 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) { | |||
166 | fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user | 166 | fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user |
167 | 167 | ||
168 | // bring in xauth libraries | 168 | // bring in xauth libraries |
169 | |||
170 | char *xauth_bin = find_in_path("xauth"); | ||
169 | if (arg_x11_xorg) | 171 | if (arg_x11_xorg) |
170 | fslib_mount_libs("/usr/bin/xauth", 1); // parse as user | 172 | fslib_mount_libs(xauth_bin, 1); // parse as user |
173 | |||
174 | free(xauth_bin); | ||
171 | 175 | ||
172 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); | 176 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); |
173 | } | 177 | } |
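Review bot: `xauth_bin` is passed to fslib_mount_libs() without a NULL check, whereas the parallel code in x11_xorg() exits when find_in_path("xauth") returns NULL; unless fslib_mount_libs() tolerates NULL (not visible here), the condition should be `if (arg_x11_xorg && xauth_bin)`, and moving the lookup inside that branch also avoids a PATH search when --x11=xorg is not in use. Since the path now comes from the caller's PATH rather than a fixed system location, the `// parse as user` comment is carrying a trust decision and could say so: `// xauth_bin is resolved from the unprivileged caller's PATH; parse its libraries as user`. fslib_install_firejail() begins outside the hunk.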
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index f2ab1c188..6dc4904fc 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) { | |||
154 | 154 | ||
155 | // file size | 155 | // file size |
156 | char *sz; | 156 | char *sz; |
157 | if (asprintf(&sz, "%d", (int) s.st_size) == -1) | 157 | if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1) |
158 | errExit("asprintf"); | 158 | errExit("asprintf"); |
159 | 159 | ||
160 | // file name | 160 | // file name |
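Review bot: `intmax_t` and `%jd` need `<stdint.h>` (or `<inttypes.h>`) in scope, and the include list is outside the hunk, so confirm it is present rather than relying on a transitive include. The cast is the right fix for sizes above INT_MAX, which the old `(int)` silently truncated.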
diff --git a/src/firejail/main.c b/src/firejail/main.c index b39693af7..5bcc3a0e5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1600,7 +1600,7 @@ int main(int argc, char **argv, char **envp) { | |||
1600 | arg_trace = 1; | 1600 | arg_trace = 1; |
1601 | else if (strncmp(argv[i], "--trace=", 8) == 0) { | 1601 | else if (strncmp(argv[i], "--trace=", 8) == 0) { |
1602 | arg_trace = 1; | 1602 | arg_trace = 1; |
1603 | arg_tracefile = argv[i] + 8; | 1603 | arg_tracefile = expand_macros(argv[i] + 8); |
1604 | if (*arg_tracefile == '\0') { | 1604 | if (*arg_tracefile == '\0') { |
1605 | fprintf(stderr, "Error: invalid trace option\n"); | 1605 | fprintf(stderr, "Error: invalid trace option\n"); |
1606 | exit(1); | 1606 | exit(1); |
@@ -1610,13 +1610,6 @@ int main(int argc, char **argv, char **envp) { | |||
1610 | fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile); | 1610 | fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile); |
1611 | exit(1); | 1611 | exit(1); |
1612 | } | 1612 | } |
1613 | // if the filename starts with ~, expand the home directory | ||
1614 | if (*arg_tracefile == '~') { | ||
1615 | char *tmp; | ||
1616 | if (asprintf(&tmp, "%s%s", cfg.homedir, arg_tracefile + 1) == -1) | ||
1617 | errExit("asprintf"); | ||
1618 | arg_tracefile = tmp; | ||
1619 | } | ||
1620 | } | 1613 | } |
1621 | else if (strcmp(argv[i], "--tracelog") == 0) { | 1614 | else if (strcmp(argv[i], "--tracelog") == 0) { |
1622 | if (checkcfg(CFG_TRACELOG)) | 1615 | if (checkcfg(CFG_TRACELOG)) |
@@ -1981,20 +1974,13 @@ int main(int argc, char **argv, char **envp) { | |||
1981 | } | 1974 | } |
1982 | 1975 | ||
1983 | // extract chroot dirname | 1976 | // extract chroot dirname |
1984 | cfg.chrootdir = argv[i] + 9; | 1977 | cfg.chrootdir = expand_macros(argv[i] + 9); |
1985 | if (*cfg.chrootdir == '\0') { | 1978 | if (*cfg.chrootdir == '\0') { |
1986 | fprintf(stderr, "Error: invalid chroot option\n"); | 1979 | fprintf(stderr, "Error: invalid chroot option\n"); |
1987 | exit(1); | 1980 | exit(1); |
1988 | } | 1981 | } |
1989 | invalid_filename(cfg.chrootdir, 0); // no globbing | 1982 | invalid_filename(cfg.chrootdir, 0); // no globbing |
1990 | 1983 | ||
1991 | // if the directory starts with ~, expand the home directory | ||
1992 | if (*cfg.chrootdir == '~') { | ||
1993 | char *tmp; | ||
1994 | if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1) | ||
1995 | errExit("asprintf"); | ||
1996 | cfg.chrootdir = tmp; | ||
1997 | } | ||
1998 | // check chroot directory | 1984 | // check chroot directory |
1999 | fs_check_chroot_dir(); | 1985 | fs_check_chroot_dir(); |
2000 | } | 1986 | } |
@@ -2776,16 +2762,7 @@ int main(int argc, char **argv, char **envp) { | |||
2776 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { | 2762 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { |
2777 | if (checkcfg(CFG_NETWORK)) { | 2763 | if (checkcfg(CFG_NETWORK)) { |
2778 | arg_netfilter = 1; | 2764 | arg_netfilter = 1; |
2779 | arg_netfilter_file = argv[i] + 12; | 2765 | arg_netfilter_file = expand_macros(argv[i] + 12); |
2780 | |||
2781 | // expand tilde | ||
2782 | if (*arg_netfilter_file == '~') { | ||
2783 | char *tmp; | ||
2784 | if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter_file + 1) == -1) | ||
2785 | errExit("asprintf"); | ||
2786 | arg_netfilter_file = tmp; | ||
2787 | } | ||
2788 | |||
2789 | check_netfilter_file(arg_netfilter_file); | 2766 | check_netfilter_file(arg_netfilter_file); |
2790 | } | 2767 | } |
2791 | else | 2768 | else |
@@ -2795,16 +2772,7 @@ int main(int argc, char **argv, char **envp) { | |||
2795 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { | 2772 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { |
2796 | if (checkcfg(CFG_NETWORK)) { | 2773 | if (checkcfg(CFG_NETWORK)) { |
2797 | arg_netfilter6 = 1; | 2774 | arg_netfilter6 = 1; |
2798 | arg_netfilter6_file = argv[i] + 13; | 2775 | arg_netfilter6_file = expand_macros(argv[i] + 13); |
2799 | |||
2800 | // expand tilde | ||
2801 | if (*arg_netfilter6_file == '~') { | ||
2802 | char *tmp; | ||
2803 | if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter6_file + 1) == -1) | ||
2804 | errExit("asprintf"); | ||
2805 | arg_netfilter6_file = tmp; | ||
2806 | } | ||
2807 | |||
2808 | check_netfilter_file(arg_netfilter6_file); | 2776 | check_netfilter_file(arg_netfilter6_file); |
2809 | } | 2777 | } |
2810 | else | 2778 | else |
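Review bot: expand_macros() now runs before the `'\0'` check and invalid_filename() for --trace= and --chroot=, so the validated string is the expanded one — an improvement over the removed code, which expanded `~` after validation — but four options now rely on the function without a word on its contract: whether it can return NULL, whether it returns the input pointer or a fresh allocation (the old code leaked the asprintf result into a global, so freeing is not at stake), and whether `${...}`-style macros beyond `~` are now accepted in a chroot path. A one-line comment at the first call site, `// expand_macros(): expands ~ and ${...} macros; the result is what invalid_filename() validates below`, adjusted to what the function actually guarantees, would settle that. The --netfilter= and --netfilter6= hunks have the same gap. main() begins and ends outside the hunks.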
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index e3554eb12..62d3c78e7 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -635,9 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
635 | #ifdef HAVE_NETWORK | 635 | #ifdef HAVE_NETWORK |
636 | if (checkcfg(CFG_NETWORK)) { | 636 | if (checkcfg(CFG_NETWORK)) { |
637 | arg_netfilter = 1; | 637 | arg_netfilter = 1; |
638 | arg_netfilter_file = strdup(ptr + 10); | 638 | arg_netfilter_file = expand_macros(ptr + 10); |
639 | if (!arg_netfilter_file) | ||
640 | errExit("strdup"); | ||
641 | check_netfilter_file(arg_netfilter_file); | 639 | check_netfilter_file(arg_netfilter_file); |
642 | } | 640 | } |
643 | else | 641 | else |
@@ -649,9 +647,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
649 | #ifdef HAVE_NETWORK | 647 | #ifdef HAVE_NETWORK |
650 | if (checkcfg(CFG_NETWORK)) { | 648 | if (checkcfg(CFG_NETWORK)) { |
651 | arg_netfilter6 = 1; | 649 | arg_netfilter6 = 1; |
652 | arg_netfilter6_file = strdup(ptr + 11); | 650 | arg_netfilter6_file = expand_macros(ptr + 11); |
653 | if (!arg_netfilter6_file) | ||
654 | errExit("strdup"); | ||
655 | check_netfilter_file(arg_netfilter6_file); | 651 | check_netfilter_file(arg_netfilter6_file); |
656 | } | 652 | } |
657 | else | 653 | else |
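Review bot: The `if (!arg_netfilter_file) errExit("strdup")` guard is dropped together with strdup(), so the code now assumes expand_macros() never returns NULL; if it can (its definition is not in this diff), check_netfilter_file() receives NULL. Either keep a guard, `if (!arg_netfilter_file) errExit("expand_macros");`, or document the non-NULL contract where expand_macros() is declared. The --netfilter6 hunk in this file has the same change. profile_check_line() begins and ends outside the hunks.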
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 2eaa9bde5..3721a2c2c 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) { | |||
1164 | } | 1164 | } |
1165 | #endif | 1165 | #endif |
1166 | 1166 | ||
1167 | |||
1168 | void x11_xorg(void) { | 1167 | void x11_xorg(void) { |
1169 | #ifdef HAVE_X11 | 1168 | #ifdef HAVE_X11 |
1170 | 1169 | ||
@@ -1175,31 +1174,38 @@ void x11_xorg(void) { | |||
1175 | exit(1); | 1174 | exit(1); |
1176 | } | 1175 | } |
1177 | 1176 | ||
1177 | char *xauth_bin = find_in_path("xauth"); | ||
1178 | |||
1178 | // check xauth utility is present in the system | 1179 | // check xauth utility is present in the system |
1179 | struct stat s; | 1180 | if (!xauth_bin) { |
1180 | if (stat("/usr/bin/xauth", &s) == -1) { | 1181 | fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n"); |
1181 | fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"); | ||
1182 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); | 1182 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); |
1183 | fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); | 1183 | fprintf(stderr, " Arch: sudo pacman -S xorg-xauth\n"); |
1184 | fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); | 1184 | fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); |
1185 | exit(1); | 1185 | exit(1); |
1186 | } | 1186 | } |
1187 | |||
1188 | struct stat s; | ||
1189 | if (stat(xauth_bin, &s) == -1) { | ||
1190 | fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno)); | ||
1191 | exit(1); | ||
1192 | } | ||
1187 | if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { | 1193 | if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { |
1188 | fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); | 1194 | fprintf(stderr, "Error: invalid %s executable\n", xauth_bin); |
1189 | exit(1); | 1195 | exit(1); |
1190 | } | 1196 | } |
1191 | if (s.st_size > 1024 * 1024) { | 1197 | if (s.st_size > 1024 * 1024) { |
1192 | fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n"); | 1198 | fprintf(stderr, "Error: %s executable is too large\n", xauth_bin); |
1193 | exit(1); | 1199 | exit(1); |
1194 | } | 1200 | } |
1195 | // copy /usr/bin/xauth in the sandbox and set mode to 0711 | 1201 | // copy xauth in the sandbox and set mode to 0711 |
1196 | // users are not able to trace the running xauth this way | 1202 | // users are not able to trace the running xauth this way |
1197 | if (arg_debug) | 1203 | if (arg_debug) |
1198 | printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE); | 1204 | printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE); |
1199 | if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) { | 1205 | |
1200 | fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n"); | 1206 | copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711); |
1201 | exit(1); | 1207 | |
1202 | } | 1208 | free(xauth_bin); |
1203 | 1209 | ||
1204 | fmessage("Generating a new .Xauthority file\n"); | 1210 | fmessage("Generating a new .Xauthority file\n"); |
1205 | mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); | 1211 | mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); |
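Review bot: The ownership check `(s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)` is unchanged but now gates a binary chosen by the caller's PATH rather than `/usr/bin/xauth`, and it rejects a file only when both owner and group are non-root, so a user-owned file with gid 0 passes; if root-owned-or-root-group is the intent, say so in a comment, otherwise `(s.st_uid != 0 || s.st_gid != 0)` is the stricter check. There is also a window between this stat() and copy_file_from_user_to_root(); if the copy really runs with user privileges, as its name suggests, the exposure is limited to the user's own files, but that reasoning belongs at the `// copy xauth in the sandbox` comment rather than being left implicit. x11_xorg() continues outside the hunk.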
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt index aeac58c6a..830df058f 100644 --- a/src/fnettrace/static-ip-map.txt +++ b/src/fnettrace/static-ip-map.txt | |||
@@ -92,7 +92,7 @@ | |||
92 | 8.8.4.0/24 Google DNS | 92 | 8.8.4.0/24 Google DNS |
93 | 8.8.8.0/24 Google DNS | 93 | 8.8.8.0/24 Google DNS |
94 | 8.20.247.20/32 Comodo DNS | 94 | 8.20.247.20/32 Comodo DNS |
95 | 8.26.56.26/32 Comodo DNS | 95 | 8.26.56.0/24 Comodo DNS |
96 | 9.9.9.0/24 Quad9 DNS | 96 | 9.9.9.0/24 Quad9 DNS |
97 | 45.90.28.0/22 NextDNS | 97 | 45.90.28.0/22 NextDNS |
98 | 45.11.45.0/24 DNS-SB | 98 | 45.11.45.0/24 DNS-SB |
@@ -103,8 +103,7 @@ | |||
103 | 76.76.10.0/24 ControlD DNS | 103 | 76.76.10.0/24 ControlD DNS |
104 | 76.76.19.0/24 Alternate DNS | 104 | 76.76.19.0/24 Alternate DNS |
105 | 76.223.122.150/32 Alternate DNS | 105 | 76.223.122.150/32 Alternate DNS |
106 | 77.88.8.8/32 Yandex DNS | 106 | 77.88.8.0/24 Yandex DNS |
107 | 77.88.8.1/32 Yandex DNS | ||
108 | 80.80.80.0/24 Freenom DNS Cloud | 107 | 80.80.80.0/24 Freenom DNS Cloud |
109 | 80.80.81.0/24 Freenom DNS Cloud | 108 | 80.80.81.0/24 Freenom DNS Cloud |
110 | 84.200.69.80/32 DSN Watch | 109 | 84.200.69.80/32 DSN Watch |
@@ -123,8 +122,7 @@ | |||
123 | 205.171.3.66/32 CentyrLink DNS | 122 | 205.171.3.66/32 CentyrLink DNS |
124 | 205.171.202.166/32 CentyrLink DNS | 123 | 205.171.202.166/32 CentyrLink DNS |
125 | 208.67.216.0/21 OpenDNS | 124 | 208.67.216.0/21 OpenDNS |
126 | 216.146.35.35/32 Dyn DNS | 125 | 216.146.32.0/20 Dyn DNS |
127 | 216.146.36.36/32 Dyn DNS | ||
128 | 126 | ||
129 | # whois | 127 | # whois |
130 | 45.88.202.0/24 Anonymize Inc WHOIS Privacy Service | 128 | 45.88.202.0/24 Anonymize Inc WHOIS Privacy Service |
@@ -288,6 +286,7 @@ | |||
288 | 192.187.114.96/29 BitChute | 286 | 192.187.114.96/29 BitChute |
289 | 192.187.118.168/29 BitChute | 287 | 192.187.118.168/29 BitChute |
290 | 192.187.121.208/29 BitChute | 288 | 192.187.121.208/29 BitChute |
289 | 192.187.122.72/29 BitChute | ||
291 | 192.187.123.112/29 BitChute | 290 | 192.187.123.112/29 BitChute |
292 | 192.187.126.0/29 BitChute | 291 | 192.187.126.0/29 BitChute |
293 | 198.204.226.120/29 BitChute | 292 | 198.204.226.120/29 BitChute |
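Review bot: The Comodo, Yandex and Dyn entries are widened from single hosts to /24 and /20 blocks; the diff does not establish that every address in 216.146.32.0/20 or 77.88.8.0/24 is a resolver, and a too-wide label makes the trace output attribute unrelated traffic in those blocks to "DNS". A short comment naming the source of each range (allocation record or published resolver list) next to the entry would make later review possible.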
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index a85fbc5da..e43a573de 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in | |||
@@ -29,9 +29,13 @@ Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported. | |||
29 | To set it up, run "sudo firecfg" after installing Firejail software. | 29 | To set it up, run "sudo firecfg" after installing Firejail software. |
30 | The same command should also be run after | 30 | The same command should also be run after |
31 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin | 31 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin |
32 | will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config". | 32 | will be created. |
33 | 33 | .PP | |
34 | For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. | 34 | To configure the list of programs used by firecfg when creating symlinks, see |
35 | \fBFILES\fR and \fBSYNTAX\fR. | ||
36 | .PP | ||
37 | For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in | ||
38 | \fBman 1 firejail\fR. | ||
35 | .SH DEFAULT ACTIONS | 39 | .SH DEFAULT ACTIONS |
36 | The following actions are implemented by default by running sudo firecfg: | 40 | The following actions are implemented by default by running sudo firecfg: |
37 | 41 | ||
@@ -135,8 +139,53 @@ $ sudo firecfg --clean | |||
135 | /usr/local/bin/vlc removed | 139 | /usr/local/bin/vlc removed |
136 | .br | 140 | .br |
137 | [...] | 141 | [...] |
142 | .SH FILES | ||
143 | .PP | ||
144 | Configuration files are searched for and parsed in the following paths: | ||
145 | .PP | ||
146 | .RS | ||
147 | 1. /etc/firejail/firecfg.d/*.conf (in alphabetical order) | ||
148 | .br | ||
149 | 2. /etc/firejail/firecfg.config | ||
150 | .RE | ||
151 | .PP | ||
152 | The programs that are supported by default are listed in | ||
153 | /etc/firejail/firecfg.config. | ||
154 | It is recommended to leave it as is and put all customizations inside | ||
155 | /etc/firejail/firecfg.d/. | ||
156 | .PP | ||
157 | Profile files are also searched in the user configuration directory: | ||
158 | .PP | ||
159 | .RS | ||
160 | 3. ~/.config/firejail/*.profile | ||
161 | .RE | ||
162 | .PP | ||
163 | For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a | ||
164 | symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file. | ||
165 | .SH SYNTAX | ||
166 | Configuration file syntax: | ||
167 | .PP | ||
168 | A line that starts with \fB#\fR is considered a comment. | ||
169 | .br | ||
170 | A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating | ||
171 | symlinks. | ||
172 | .br | ||
173 | A line that starts with anything else is considered to be the name of an | ||
174 | executable and firecfg will attempt to create a symlink for it. | ||
175 | .PP | ||
176 | For example, to prevent firecfg from creating symlinks for "firefox" and | ||
177 | "patch" while attempting to create a symlink for "myprog", the following lines | ||
178 | could be added to /etc/firejail/firecfg.d/10-my.conf: | ||
179 | .PP | ||
180 | .RS | ||
181 | !firefox | ||
182 | .br | ||
183 | !patch | ||
184 | .br | ||
138 | 185 | ||
139 | 186 | .br | |
187 | myprog | ||
188 | .RE | ||
140 | .SH LICENSE | 189 | .SH LICENSE |
141 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | 190 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
142 | .PP | 191 | .PP |