Commit message (Author, Age)
* cleanup, fixes, more profstats (netblue30, 2020-04-06)
|
* Update bitwarden.profile (rusty-snake, 2020-04-06)
|
|     fix #3321
|
* Fix `man` break - remove less from firecfg by default (Fred Barclay, 2020-04-05)
|
|     If `less` is sandboxed, then we get a similar message to below when calling `man <anything>`
|
|     Error clone: main.c:2743 main: Operation not permitted
|     man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$-R MAN_PN=grep(1) less
|
|     See also
|     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899143
|     https://github.com/netblue30/firejail/issues/1856
|
|     Noticed on Debian 10, firejail 0.9.63
|
* Merge pull request #3319 from topimiettinen/sanity-check-for-args-envs (netblue30, 2020-04-05)
|\
| |     Simple sanity checks for arguments and environment
| |
| * Simple sanity checks for arguments and environment (Topi Miettinen, 2020-04-05)
| |
| |     Restrict number of program arguments and their length as well as
| |     number of environment variables and their length.
| |
* | travis make install test (netblue30, 2020-04-05)
| |
* | fix make install (netblue30, 2020-04-05)
| |
* | compile cleanup (netblue30, 2020-04-05)
| |
* | fixing my previous commit (netblue30, 2020-04-05)
| |
* | Merge pull request #3317 from rusty-snake/speedup-build (rusty-snake, 2020-04-05)
|\ \
| |/
|/|     Speedup the buildsystem
| |
| * Speedup the buildsystem (rusty-snake, 2020-04-04)
| |
| |     - replacing 'include /etc/firejail/foobar.inc' with
| |       'include $(sysconfdir)/firejail/foobar.inc' is useless since 0.9.58
| |     - onetime calling install with globbing is faster than a loop calling
| |       install nearly 1000 times
| |
* | profile fixes (netblue30, 2020-04-04)
| |
* | fix alphabetical ordering of caps.keep in slack.profile (glitsj16, 2020-04-04)
| |
* | noblacklist ncat in ssh profile (Tad, 2020-04-04)
| |
| |     nc is a symlink to ncat on some distros
| |
* | steam profile fixes (Tad, 2020-04-04)
| |
| |     see https://github.com/netblue30/firejail/pull/3292#issuecomment-603467884
| |
* | Add netlink to mumble profile (SkewedZeppelin, 2020-04-04)
| |
| |     Syslog is spammed with the following message otherwise:
| |     Could not create AF_NETLINK socket
| |
* | gnome games: more + fixes (rusty-snake, 2020-04-04)
| |
| |     - fix description
| |     - add gnome-klotski, five-or-more, swell-foop
| |
| |     [skip ci]
| |
* | more games (rusty-snake, 2020-04-04)
| |
| |     - blobwars
| |     - gravity-beams-and-evaporating-stars
| |     - hyperrogue
| |     - jumpnbump-menu (alias)
| |     - jumpnbump
| |     - magicor
| |     - mindless
| |     - mirrormagic
| |     - mrrescue
| |     - scorched3d-wrapper (alias)
| |     - scorchwentbonkers
| |     - seahorse-adventures
| |     - wordwarvi
| |     - xbill
| |
* | Fixes for slack 4.4 (Fred Barclay, 2020-04-04)
|/
|     I'd like to tighten this up more esp. for seccomp
|
|     - caps.keep sys_chroot needed or fails with
|       Cannot chroot into /proc/ directory: Operation not permitted
|     1. caps.drop all replaced with caps.keep
|     - caps.keep sys_admin needed or fails with
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|     2. nonewprivs dropped to avoid failure:
|       The setuid sandbox is not running as root. Common causes:
|         * An unprivileged process using ptrace on it, like a debugger.
|         * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|     3. noroot dropped to avoid failure:
|       [22:0404/121643.400578:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/slack/chrome-sandbox is owned by root and has mode 4755.
|     4. Removed protocol filter to avoid:
|       The setuid sandbox is not running as root. Common causes:
|         * An unprivileged process using ptrace on it, like a debugger.
|         * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|     5. Unable to get a working seccomp filter
|       See https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
|       seccomp !chroot seems to have worked for earlier versions of slack
|     6. private-tmp means no tray icon
|
|     Observed on Debian 10, Slack 4.4.0
|
* Harden signal-desktop.profile and add rules for Firefox (curiosityseeker, 2020-04-04)
|
* Harden thunderbird.profile (curiosityseeker, 2020-04-04)
|
|     Access to ${HOME}/.cache/mozilla actually not necessary to let Firefox open links
|
* misc fixes & hardening (rusty-snake, 2020-04-03)
|
* allow using wruc on any program (rusty-snake, 2020-04-03)
|
|     @glitsj16 thanks for the pointer that we now have whitelist globbing
|
* seccomp/join fix (netblue30, 2020-04-03)
|
* Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2020-04-02)
|\
| * Merge pull request #3292 from davidebeatrici/steam-home-directory-privacy (netblue30, 2020-04-02)
| |\
| | |     steam.profile: correctly blacklist unneeded directories in user's home
| | |
| | * steam.profile: correctly blacklist unneeded directories in user's home (Davide Beatrici, 2020-03-24)
| | |
| | |     "noblacklist" directives prevent following ones from blacklisting the specified directory/file.
| | |
| | |     The profile currently has a "noblacklist" directive for each directory used by Steam and/or its games, which is fine.
| | |
| | |     However, there are no directives blacklisting the user's home, thus all directories and files inside it are accessible by Steam.
| | |
| | |     This commit fixes the issue by adding "whitelist" directives, which automatically blacklist the parent directory (in this case the user's home).
| | |
| | |     "mkdir" and "mkfile" directives are added so that the directories/files are created if they don't exist.
| | |
| | |     Thanks to @SkewedZeppelin for suggesting to keep "noblacklist" and use "mkdir" and "mkfile".
| | |
| * | Merge pull request #3294 from curiosityseeker/master (netblue30, 2020-04-02)
| |\ \
| | | |     thunderbird.profile: harden and enable the rules necessary to make Firefox open links
| | | |
| | * | thunderbird.profile: harden and enable the rules necessary to make Firefox open links (curiosityseeker, 2020-03-23)
| | | |
| | | |     See issue #3291
| | | |
| * | | Merge pull request #3310 from Liorst4/ac-preserve-cflags (netblue30, 2020-04-02)
| |\ \ \
| | | | |     Preserve CFLAGS given to configure in common.mk.in
| | | | |
| | * | | Preserve CFLAGS given to configure in common.mk.in (Lior Stern, 2020-03-31)
| | | | |
* | | | | fixed firecfg man page, update README (netblue30, 2020-04-02)
|/ / / /
* | | | Add 'ignore nodbus', remove 'private-tmp' (Fred Barclay, 2020-04-01)
| | | |
| | | |     Without 'ignore nodbus', Teams will not close properly. It looks like, by design, Teams ignores the close signal from window managers (i.e. clicking the X in the top corner) - this occurs even without firejail.
| | | |
| | | |     Instead, there are two ways to close: by right-clicking the tray icon and selecting "Close" or by running `teams --quit`.
| | | |
| | | |     'nodbus' hides/prevents the tray icon, and also ignores `teams --quit` if firecfg has been run (so that `teams` and `teams --quit` will both be sandboxed). The only way to stop Teams is then to manually either kill the process (via `kill -9`) or run something like `/usr/bin/teams --quit` so that the unsandboxed app is run.
| | | |
| | | |     'private-tmp' blocks the tray icon so, again, there's no good way to kill Teams.
| | | |
| | | |     Observed on Debian 10 and Teams 1.3.00.5153
| | | |
* | | | whitelist globbing man page (netblue30, 2020-04-01)
| | | |
* | | | globbing support for whitelists (netblue30, 2020-04-01)
| | | |
* | | | profstats (netblue30, 2020-04-01)
| | | |
* | | | Whitelist runuser common (#3286) (rusty-snake, 2020-03-31)
| | | |
| | | |     * introduce whitelist-runuser-common.inc
| | | |     * If an application does not need a whitelist it can/should be nowhitelisted.
| | | |       Example:
| | | |           nowhitelist ${RUNUSER}/pulse
| | | |           include whitelist-runuser-common.inc
| | | |     * ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should)
| | | |     * strange wayland setups with a second wayland-compositor need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
| | | |     * some display managers store their Xauthority file in ${RUNUSER}.
| | | |       test results with fedora 31:
| | | |       - ssdm: ~/.Xauthority is used
| | | |       - lightdm: /run/lightdm/USER/Xauthority
| | | |       - gdm: /run/user/UID/gdm/Xauthority
| | | |     * IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOME's window manager) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start.
| | | |     * wru update 1
| | | |       - add wru to more profiles.
| | | |       - blacklist ${RUNUSER} works for the most cli programs too.
| | | |     * add wruc to more profiles
| | | |     * fixes
| | | |     * fixes
| | | |     * wruc: hide pulse pid
| | | |     * update
| | | |     * remove wruc from all the x11 profiles
| | | |     * fixes
| | | |     * fix ordering
| | | |     * read-only
| | | |     * revert read-only
| | | |     * update
| | | |     *
| | | |
* | | | Mention --seccomp.32 etc in usage (Topi Miettinen, 2020-03-31)
| | | |
* | | | merges (smitsohu, 2020-03-31)
| | | |
* | | | extra x11 hardening (smitsohu, 2020-03-31)
|/ / /
* | | abiword and more gnome-games (rusty-snake, 2020-03-29)
| | |
| | |     - four-in-a-row
| | |     - gnome-mahjongg
| | |     - gnome-robots
| | |     - gnome-sudoku
| | |     - gnome-taquin
| | |     - gnome-tetravex
| | |
| | |     harden gnome-chess
| | |
* | | Merge pull request #3296 from 0x7969/master (rusty-snake, 2020-03-29)
|\ \ \
| | | |     Create ferdi.profile
| | | |
| * | | Added paths for ferdi (0x7969, 2020-03-29)
| | | |
| * | | Added ferdi to firecfg.config (0x7969, 2020-03-29)
| | | |
| * | | Create ferdi.profile (0x7969, 2020-03-25)
| | |/
| |/|
| | |     Exact copy of franz.profile, simply renamed franz to ferdi.
| | |
* | | blacklist libvirt and flatpak [skip ci] (rusty-snake, 2020-03-29)
| | |
* | | more game profiles (rusty-snake, 2020-03-29)
| | |
| | |     - frogatto
| | |     - gnome_games-common.profile
| | |     - gnome-2048 (make redirect)
| | |     - gnome-mines
| | |     - gnome-nibbles
| | |     - lightsoff
| | |     - ts3client_runscript.sh (fix #3279)
| | |     - warmux (don't get confused with the warmux/wormux thing)
| | |
* | | support GTK2 apps in wusc (glitsj16, 2020-03-28)
| | |
* | | seccomp: allow defining separate filters for 32-bit arch (Topi Miettinen, 2020-03-28)
| | |
| | |     System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine.
| | |
| | |     Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed.
| | |
| | |     Lists of supported system calls are also updated.
| | |
| | |     Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries.
| | |
| | |     Closes #3267.
| | |
| | |     Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
| | |
* | | Added compatibility with BetterDiscord (#3300) (Atrate, 2020-03-27)
| | |
| | |     Signed-off-by: Atrate <Atrate@protonmail.com>