aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
...
| * | zoom.profile: fix zoom SSO workflowLibravatar Peter Sanford2020-03-10
|/ / | | | | | | | | | | | | The zoom SSO workflow launches an embedded sandboxed browser (QtWebEngineProcess) which requires chroot and netlink to work. Fixes #3272
* | profiles: firefox-esr has default configs somewhere elseLibravatar Reiner Herrmann2020-03-08
| |
* | profiles: whitelist firefox/thunderbird default directories (#3271)Libravatar Reiner Herrmann2020-03-08
| | | | | | See also: https://bugs.debian.org/948656
* | integrate AppArmor with join options (#3242)Libravatar smitsohu2020-03-02
| | | | | | | | | | add AppArmor confinement to processes started with --join and, more importantly, --join-or-start
* | Merge pull request #3255 from curiosityseeker/masterLibravatar rusty-snake2020-02-29
|\ \ | | | | | | conky needs lua
| * | Update conky.profileLibravatar curiosityseeker2020-02-29
| | | | | | | | | Place `include allow-lua.inc` above the other includes
| * | Update conky.profileLibravatar curiosityseeker2020-02-29
| | | | | | | | | Replace `noblacklist /usr/lib/liblua*` by including `allow-lua.inc`
| * | conky needs lua Libravatar curiosityseeker2020-02-28
|/ / | | | | See issue #3250
* | Merge pull request #3251 from eighthave/masterLibravatar rusty-snake2020-02-27
|\ \ | | | | | | add xournal.profile
| * | add xournal.profileLibravatar Hans-Christoph Steiner2020-02-27
|/ /
* | revive 'net none' in openshot.profileLibravatar glitsj162020-02-27
| | | | | | Fixes #3221.
* | minor sbox hardeningLibravatar smitsohu2020-02-26
| | | | | | | | blacklist process_vm_readv and process_vm_writev while we're at it also remove duplicate iopl blacklisting
* | Update allow-lua.incLibravatar glitsj162020-02-24
| | | | | | See discussion in https://github.com/netblue30/firejail/commit/56b60dfd0ec5227318f21409093eca965baf136a.
* | Fix Lua in disable-interpreters.incLibravatar glitsj162020-02-24
| | | | | | Thanks to @rusty-snake in https://github.com/netblue30/firejail/commit/56b60dfd0ec5227318f21409093eca965baf136a#r37460831.
* | additional Lua blacklisting (#3246)Libravatar glitsj162020-02-24
| | | | | | | | | | | | | | | | | | | | * more lua blacklisting in disable-interpreters.inc * add some paths to allow-lua.inc * Revert blacklisting /usr/include/lauxlib.h in disable-interpreters.inc /usr/include/lauxlib.h is handled in disable-devel.inc. Thanks to @rusty-snake for pointing that out.
* | add lua support for mpv (#3243)Libravatar glitsj162020-02-24
| | | | | | | | | | | | | | | | * allow lua in mpv.profile * fix allow-lua.inc for mpv * extra lua blacklisting for mpv
* | private-dev: bringing back stdin, stdout, stderr, fd symbolic linksLibravatar smitsohu2020-02-24
|/
* Merge pull request #3241 from kris7t/sbox-harden-execLibravatar Kristóf Marussy2020-02-23
|\ | | | | Harden sbox_run by using fexecve instead of execvp
| * Remove redundant permission check from dhcp_startLibravatar Kristóf Marussy2020-02-23
| | | | | | | | The check is already performed by sbox_run
| * Harden sbox_run by using fexecve instead of execvpLibravatar Kristóf Marussy2020-02-23
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | We require the command passed to sbox_run to be an absolute path, and avoid resolving PATH. Note that PATH-based attacks were already difficult to pull of, because sbox_run clears the environment before executing the command. This patch hopefully makes then impossible. As an additional precaution, we check that the executable is owned by either the root user or the root group, and is not world-writable. The use of O_PATH, fstat and fexecve aims to prevent a race condition when the invoked path (e.g., /usr/lib/firejail/fnet) is owned by root or is a symlink to a binary owned by root, but the containing directory (e.g., /usr/lib/firejail) is somehow owned by a user. This is quite unlikely (but may be possible by abusing some other setuid executable is a specific way), and would allow swapping the binary or symlink to a malicious one after we checked ownership. "Locking in" the file descriptor gets rid of the race condition. We have to get rid of the `/proc/[pid]/comm` check in dhcp_read_pidfile, because fexecve sets the comm value to the fd being exec'd (e.g., 3) instead of the name of the file. This is not a problem, unless by the time we pick up the pidfile of dhclient, it has already crashed, and the pid number have wrapper around. Needless to say, this is extremely unlikely (and does not cause a security issue, anyways).
* Merge pull request #3239 from kris7t/dhcp-clientLibravatar smitsohu2020-02-23
|\ | | | | Harden dhcp by checking for /sbin/dhclient
| * Harden dhcp by checking for /sbin/dhclientLibravatar Kristóf Marussy2020-02-23
| | | | | | | | | | | | | | Running /sbin/dhclient or /usr/sbin/dhclient avoids PATH-based vulnerabilities. We also check that the dhclient is owned by root. We take an approach similar to netfiler.c and assume that the required binary ar in /sbin or /usr/sbin, or (like on Arch) /sbin is a symlink to /usr/bin.
* | merges & RELNOTESLibravatar rusty-snake2020-02-23
|/
* misc thingsLibravatar rusty-snake2020-02-22
| | | | | | - spelling suggestion from @glitsj16 on fda62527 - drop python2 from openshot it never has a python2 version - #3126 note in manpage: cannot combine --private with --private=
* Add profile for offical Linux Teams application (#3152)Libravatar Andreas Hunkeler2020-02-22
| | | | | | | | | | | | | | | | | | | | | | | | * Add profile for offical Linux Teams application * fix: add mkdir suggestions in Teams profile * Merge suggestions for Teams profile * Add suggestion to Teams profile * Add Teams to firecfg.config * Add paths from Teams profile to disable-programs * Remove the duplicated whitelist for downloads in Teams profile Co-Authored-By: rusty-snake <print_hello_world+GitHub@protonmail.com> * Cleanup teams profile after testing * Add comment to Teams profile Co-authored-by: rusty-snake <print_hello_world+GitHub@protonmail.com>
* Allow exec from /usr/libexec & co. with AppArmorLibravatar Quentin Minster2020-02-22
|
* Add support for SELinux labelingLibravatar Topi Miettinen2020-02-22
| | | | | | | | | | | | | | | | | | | | | | | Running `firejail --noprofile --private-bin=bash,ls ls -1Za /usr/bin` shows that the SELinux labels are not correct: ``` user_u:object_r:user_tmpfs_t:s0 . system_u:object_r:usr_t:s0 .. user_u:object_r:user_tmpfs_t:s0 bash user_u:object_r:user_tmpfs_t:s0 ls ``` After fixing this: ``` system_u:object_r:bin_t:s0 . system_u:object_r:usr_t:s0 .. system_u:object_r:shell_exec_t:s0 bash system_u:object_r:bin_t:s0 ls ``` Most copied files and created directories should now have correct labels (bind mounted objects keep their labels). This is useful to avoid having to change the SELinux rules when using Firejail.
* Whitelist more /usr/share for okular and othersLibravatar Antonio Russo2020-02-17
| | | | | | | | | Some distributions include fonts in the texmf and texlive subdirectories of /usr/share. This makes those fonts accessible, addressing buggy behavior in okular where some text fails to render. This also whitelists /usr/share/config.kcfg which contains default settings that should be available to many applications.
* add tool to dump seccomp filtersLibravatar smitsohu2020-02-17
|
* apparmor: minor enhancementsLibravatar Vincent432020-02-15
| | | Allow writing some proc paths used by browsers but restrict it to their owner.
* allow networking in openshot.profileLibravatar glitsj162020-02-13
| | | Openshot 2.5.0 needs networking. This fixes #3221.
* added by included profileLibravatar rusty-snake2020-02-10
|
* harden subdownloaderLibravatar rusty-snake2020-02-10
|
* firecfg notes in profilesLibravatar rusty-snake2020-02-10
|
* Add a lot of profilesLibravatar rusty-snake2020-02-10
|
* improve baloo hardening suggestionLibravatar smitsohu2020-02-09
|
* harden wineLibravatar smitsohu2020-02-09
|
* simplescreenrecorder.profileLibravatar rusty-snake2020-02-09
| | | | | - mdwe broken - ${HOME}/.ssr
* openSUSE fix: search login.defs in /usr/etc, tooLibravatar smitsohu2020-02-09
| | | | see issue #3145
* openSUSE fix: mount private-etc on /usr/etc as wellLibravatar smitsohu2020-02-09
| | | | see issue #3145
* include wvc to more profiles (#3209)Libravatar glitsj162020-02-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * include wvc in aria2c.profile * include wvc in clawsker.profile * include wvc in conky.profile * include wvc in dconf.profile * include wvc in dconf-editor.profile * include wvc in exiftool.profile * include wvc in font-manager.profile * include wvc in gconf.profile * include wvc in git.profile * include wvc in gjs.profile * include wvc in gpg.profile * include wvc in img2txt.profile * include wvc in mediainfo.profile * include wvc in mpd.profile * include wvc in nitroshare.profile * include wvc in ocenaudio.profile * include wvc to ping.profile * include wvc in simple-scan.profile * include wvc in simplescreenrecorder.profile * include wvc in sysprof.profile * include wvc in tshark.profile * include wvc in uget-gtk.profile * include wvc in viewnior.profile * include wvc in weechat.profile
* harden makepkg.profileLibravatar glitsj162020-02-08
|
* fix video play in liferea.profileLibravatar glitsj162020-02-08
|
* fix includes in mencoder.profileLibravatar glitsj162020-02-08
|
* harden mencoder.profileLibravatar glitsj162020-02-08
|
* harden gpg-agent.profileLibravatar glitsj162020-02-08
|
* refactor gnome-keyring.profile as whitelistLibravatar glitsj162020-02-07
|
* refactor geekbench.profile as whitelistLibravatar glitsj162020-02-07
|
* fix preview functionality in subdownloader.profileLibravatar glitsj162020-02-07
|
* Fixed formatting (autopep8 + black + manual postprocessing). (#3208)Libravatar KOLANICH2020-02-07
| | | | | | Added typing. Replaced os.path with pathlib. Made it work. Fixes in .gitignore.
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-08 22:54:18 +0000