| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
| |
'modules' can also be seen as a sub-directory, e.g.
./powerpc64le-linux-gnu/gio/modules/libgiolibproxy.so
|
| |
|
|
|
| |
On 32bit architectures like armhf, the output was "unlimited" instead
of the expected value.
|
| |
|
|
| |
on Ubuntu autopkgtest runs on armhf, /dev/zero creation fails.
|
| |
|
|
|
|
| |
The systemd service file ./systemd/system/sysinit.target.wants/systemd-modules-load.service
can exist which will lead to a match for "modules", though we are
only looking for the modules directory.
|
| |\
| |
| | |
Fix nomacs
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
```
Aug 11 16:32:32 korte audit[29004]: SECCOMP auid=1000 uid=1000 gid=1000
ses=2 subj==firejail-default (enforce) pid=29004 comm="nomacs"
exe="/usr/bin/nomacs" sig=31 arch=c000003e syscall=9 compat=0
ip=0x7fa2a1cc98c6 code=0x0
```
|
| | | |
|
| |\ \
| | |
| | | |
mkdeb.sh should not use files outside $CODE_DIR
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
seccomp: logging
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Allow `log` as an alternative seccomp error action instead of killing
or returning an errno code.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
| | |_|/
|/| |
| | |
| | |
| | | |
Initial,amend: wrong dir,delete gtk-*,added new files
Co-authored-by: kortewegdevries <k0rtic_dv@aol.com>
|
| | | |
| | |
| | |
| | | |
add check so that environment variable FIREJAIL_CHROOT_X11 can be used
to mount /tmp/.X11-unix into the chroot; issue #3568
|
| | | | |
|
| | | | |
|
| | | | |
|
| | |/
|/| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When redirecting output via --output or --output-stderr, firejail was
concatenating all command line arguments into a single string
that was passed to a shell. As the arguments were no longer escaped,
the shell was able to interpret them.
Someone who has control over the command line arguments of the
sandboxed application could use this to run arbitrary other commands.
Instead of passing it through a shell for piping the output to ftee,
the pipeline is now manually created and the processes are executed
directly.
Fixes: CVE-2020-17368
Reported-by: Tim Starling <tstarling@wikimedia.org>
|
| |/
|
|
|
|
|
|
|
|
|
| |
Firejail was parsing --output and --output-stderr options even after
the end-of-options separator ("--"), which would allow someone who
has control over command line options of the sandboxed application,
to write data to a specified file.
Fixes: CVE-2020-17367
Reported-by: Tim Starling <tstarling@wikimedia.org>
|
| |
|
|
| |
closes #1139
|
| |
|
|
|
|
|
| |
* Add profile for otter-browser
Initial
* private-bin,sorting
|
| |
|
|
|
|
| |
Ensure that all standard streams are open and we don't inadvertently print to files opened for a different reason; in general we can expect glibc
to take care of this, but it doesn't cover the case where a sandbox is started by root. The added code also serves as a fallback.
Unrelated: For what it's worth, shift umask call closer to main start, so it runs before lowering privileges and before anything can really go wrong.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* Added git-cola profile
Initial
* Edit private-etc
Add alternatives,pki
* Add disable-xdg
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* Added lyx profile
Initial
* Rmoved whitelists
Make home directory more accessible
|
| |
|
|
|
|
|
|
|
| |
* Added minitube profile
Initial
* Second
Removed no3d,added novideo
|
| |
|
| |
Initial
|
| |
|
|
|
|
|
|
|
| |
* Added mtpaint profile
Initial
* Second
Remove IPC-namespace,netfilter
|
| | |
|
| |\
| |
| | |
integrate join(-or-start) with dbus options (partial fix)
|
| | |
| |
| |
| |
| | |
update D-Bus environment variables during join, so that
a joining process is able to use D-Bus, too
|
| | |
| |
| | |
Fixes for #3554.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Added minecraft-launcher-profile
Initial
* Changed minecraft-launcher profile
Added space,tracelog,nodvd
* Third
Fixed private-etc,added notes about path,java
* Sorting
|
| | | |
|
| |\ \
| | |
| | | |
Added xfce4-screenshooter profile
|
| | | |
| | |
| | |
| | | |
Initial,removed common blaclist,add netfilter,private-etc
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
fix typo in multicast CIDR
|
| |/ / / |
|
| |\ \ \
| |/ /
|/| | |
Ignore SIGTTOU during flush_stdin()
|
| | | |
| | |
| | |
| | | |
fixes #3500
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Update virtualbox.profile
* Update virtualbox.profile
* Update virtualbox.profile
* Update virtualbox.profile
* Update virtualbox.profile
* Update virtualbox.profile
|
| |\ \ \
| | | |
| | | | |
Github-desktop: Add chroot to seccomp
|
| |/ / /
| | |
| | |
| | | |
Add chroot
|
| | | | |
|
Reiner Herrmann
Fred Barclay
kortewegdevries
smitsohu
startx2017
dandelionred
Topi Miettinen
kortewegdevries
netblue30
rusty-snake
glitsj16
Neo00001
kortewegdevries
Emil Gedda
Arne Welzel