-rw-r--r--.travis.yml12
-rw-r--r--Makefile.in6
-rw-r--r--README.md4
-rw-r--r--RELNOTES1
-rw-r--r--etc/inc/disable-common.inc1
-rw-r--r--etc/inc/disable-programs.inc3
-rw-r--r--etc/inc/whitelist-common.inc2
-rw-r--r--etc/inc/whitelist-usr-share-common.inc1
-rw-r--r--etc/profile-a-l/filezilla.profile1
-rw-r--r--etc/profile-a-l/gnome-todo.profile4
-rw-r--r--etc/profile-a-l/linphone.profile11
-rw-r--r--etc/profile-m-z/minetest.profile3
-rw-r--r--etc/profile-m-z/spectacle.profile64
-rw-r--r--etc/profile-m-z/xournalpp.profile1
-rw-r--r--src/firecfg/firecfg.config1
15 files changed, 92 insertions, 23 deletions
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index f1590aaa2..000000000
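--- a/.travis.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-language: c
-dist: trusty
-sudo: true
-
-script:
- - sudo apt-get -y install expect csh xzdec lintian fakeroot
- - ( ./configure --enable-fatal-warnings --prefix=/usr && make && sudo make install && make test-travis )
- - ( sudo make install-strip DESTDIR=$(readlink -f appdir) )
-# # If successful, build release tarball
-# - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
-# - curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2
-# - # Could use https://github.com/probonopd/uploadtool to upload to GitHub Releases instead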
diff --git a/Makefile.in b/Makefile.in
index 56e9bfc70..c070688e4 100644
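--- a/Makefile.in
+++ b/Makefile.in
@@ -240,10 +240,8 @@ test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-uti
 test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
  echo "TEST COMPLETE"
 
-test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments
- echo "TEST COMPLETE"
-
-test-github: test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments
+#test-github: test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments
+test-github: test-fs
  echo "TEST COMPLETE"
 
 ##########################################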
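Review bot: The active `test-github` target on new line 244 depends only on `test-fs`, so the GitHub CI run no longer exercises fcopy, fnetfilter, utils, sysutils, environment or arguments, and with `test-travis` removed nothing in this hunk runs `test-profiles` or `test-filters` in CI either. For a sandbox whose guarantees depend on those suites continuing to pass, that is a large loss of regression coverage, and the commented-out line gives no reason for it. If the reduction is temporary, record that next to line 243, e.g. `# TODO: restore the full prerequisite list once the remaining suites pass on GitHub runners`, otherwise restore the full list.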
diff --git a/README.md b/README.md
index 7ddd5e636..253c3ec10 100644
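--- a/README.md
+++ b/README.md
@@ -1,5 +1,4 @@
 # Firejail
-[![Test Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail)
 [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/)
 [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
 
@@ -66,8 +65,6 @@ FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
 
 Wiki: https://github.com/netblue30/firejail/wiki
 
-Travis-CI status: https://travis-ci.org/netblue30/firejail
-
 GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
 
 
@@ -197,3 +194,4 @@ Stats:
 
 ### New profiles:
 
+spectacle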
diff --git a/RELNOTES b/RELNOTES
index c5a481fea..18ea99c1f 100644
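--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.65) baseline; urgency=low
  * allow --tmpfs inside $HOME for unprivileged users
  * --disable-usertmpfs compile time option
+ * new profiles: spectacle
  -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500
 
 firejail (0.9.64) baseline; urgency=low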
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index b2be4270e..51bfb3fa9 100644
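--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -480,6 +480,7 @@ blacklist ${RUNUSER}/app
 blacklist ${RUNUSER}/doc
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
 blacklist /usr/share/flatpak
 noblacklist /var/lib/flatpak/exports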
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 42d690c94..1fba79f43 100644
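--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -291,6 +291,7 @@ blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
+blacklist ${HOME}/.config/linphone
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
@@ -372,6 +373,7 @@ blacklist ${HOME}/.config/smuxi
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
+blacklist ${HOME}/.config/spectaclerc
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
@@ -653,6 +655,7 @@ blacklist ${HOME}/.local/share/kube
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/linphone
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love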
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 1b4e98d0e..fda02be06 100644
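--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -60,11 +60,13 @@ whitelist ${HOME}/.themes
 whitelist ${HOME}/.cache/kioexec/krun
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.config/QtProject.conf
 whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qtcurve
 whitelist ${HOME}/.kde/share/config/kdeglobals
 whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc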
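Review bot: The two new entries on lines 63 and 69 apply to every profile that includes whitelist-common.inc, so `${HOME}/.config/QtProject.conf` and `${HOME}/.config/qtcurve` become visible in all of those sandboxes, and writable unless a `read-only` rule outside this hunk covers them. QtProject.conf is where Qt keeps file-dialog state such as recently visited paths, so each sandboxed Qt application can now read and alter it. That is probably an acceptable trade for working dialogs and themes, but it deserves a comment, and a `read-only ${HOME}/.config/qtcurve` rule is worth considering if applications only read the theme. As a style point, `QtProject.conf` sorts before `Trolltech.conf` in the ordering the surrounding lines follow, so it belongs one line higher.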
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index ceeb14dcc..de4ae2101 100644
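--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -16,6 +16,7 @@ whitelist /usr/share/enchant-2
 whitelist /usr/share/file
 whitelist /usr/share/fontconfig
 whitelist /usr/share/fonts
+whitelist /usr/share/fonts-config
 whitelist /usr/share/gir-1.0
 whitelist /usr/share/gjs-1.0
 whitelist /usr/share/glib-2.0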
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index 6c7ab8f0d..43e877fd0 100644
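--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
+noblacklist ${HOME}/.ssh
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc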
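Review bot: `noblacklist ${HOME}/.ssh` on line 11 opens the whole directory to FileZilla (private keys, `config`, `known_hosts`, `authorized_keys`), and nothing in this hunk restricts it to reading. The line has no comment, while the Python allowance just below explains itself. If the intent is key-based SFTP authentication, say so, e.g. `# Allow ssh keys (needed for SFTP key-based authentication)`. Consider pairing it with `read-only ${HOME}/.ssh` if FileZilla does not need to write there, so a compromised client cannot alter `authorized_keys` or `config`. The rest of the profile lies outside the hunk, so a later rule may already narrow this.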
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 2fab3dcc7..5bef96ae7 100644
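--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -53,8 +53,8 @@ dbus-user filter
 dbus-user.own org.gnome.Todo
 dbus-user.talk ca.desrt.dconf
 #dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
-#dbus-user.talk org.gnome.evolution.dataserver.Calendar8
-#dbus-user.talk org.gnome.evolution.dataserver.Sources5
+dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+dbus-user.talk org.gnome.evolution.dataserver.Sources5
 #dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
 #dbus-user.talk org.gnome.OnlineAccounts
 dbus-system none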
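Review bot: Lines 56–57 enable `dbus-user.talk` for `org.gnome.evolution.dataserver.Calendar8` and `Sources5` without saying why, while the neighbouring AddressBook9, Subprocess.Backend and OnlineAccounts rules stay commented out. Sources5 appears to be the evolution-data-server source registry, which describes all configured accounts rather than calendars alone, so this grant is wider than the calendar name suggests. A comment above the two lines, such as `# Allow access to Evolution calendars and task lists`, would record the intent. The numeric suffixes look version-specific, so the rules will need revisiting when the service names change. The `dbus-user filter` block begins above the hunk.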
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index dc156b298..c509122e2 100644
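--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -6,8 +6,10 @@ include linphone.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/linphone
 noblacklist ${HOME}/.linphone-history.db
 noblacklist ${HOME}/.linphonerc
+noblacklist ${HOME}/.local/share/linphone
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,10 +18,15 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-mkfile ${HOME}/.linphone-history.db
-mkfile ${HOME}/.linphonerc
+# linphone 4.0 (released 2017-06-26) moved config and database files to respect
+# freedesktop standards. For backward compatibility we continue to whitelist
+# ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile.
+mkdir ${HOME}/.config/linphone
+mkdir ${HOME}/.local/share/linphone
+whitelist ${HOME}/.config/linphone
 whitelist ${HOME}/.linphone-history.db
 whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/.local/share/linphone
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 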
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 1da430ce6..9f46ba17b 100644
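--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -12,6 +12,9 @@ include globals.local
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc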
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
new file mode 100644
index 000000000..ad39f1071
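--- /dev/null
+++ b/etc/profile-m-z/spectacle.profile
@@ -0,0 +1,64 @@
+# Firejail profile for spectacle
+# Description: Spectacle is a simple application for capturing desktop screenshots.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectacle.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment the following lines to use sharing services.
+#netfilter
+#ignore net none
+#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#protocol unix,inet,inet6
+
+noblacklist ${HOME}/.config/spectaclerc
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/spectaclerc
+whitelist ${HOME}/.config/spectaclerc
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin spectacle
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.conf
+private-tmp
+
+dbus-user filter
+dbus-user.own org.kde.spectacle
+dbus-user.talk org.freedesktop.FileManager1
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kglobalaccel
+dbus-system none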
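Review bot: The commented-out rules on lines 62–63 (`org.kde.JobViewServer`, `org.kde.kglobalaccel`) have no explanation, unlike the sharing block on lines 9–13, so a user cannot tell what each one adds to the `dbus-user filter` policy before enabling it. A comment above them, for example `# Uncomment to allow job progress notifications and global shortcuts.`, would document the trade-off; that wording is a guess from the service names and should be confirmed. The sharing comment on line 9 could also state that enabling it gives network access to a process that has `${PICTURES}` whitelisted, which is the exposure `net none` on line 37 otherwise prevents.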
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 4fd6fad9d..a52858870 100644
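--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -18,6 +18,7 @@ include whitelist-runuser-common.inc
 
 #mkdir ${HOME}/.xournalpp
 #whitelist ${HOME}/.xournalpp
+#whitelist ${HOME}/.texlive2019
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
 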
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 906d86484..e41ed32b3 100644
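--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -668,6 +668,7 @@ soffice
 sol
 sound-juicer
 soundconverter
+spectacle
 spectral
 spotify
 sqlitebrowser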