Commit message [Author, Age]
...
* | fbuilder: don't suggest to whitelist strace output file [smitsohu, 2021-01-15]
| |
* | fbuilder: undo variable shadowing [smitsohu, 2021-01-15]
| |
* | private-lib: install dhclient libraries [smitsohu, 2021-01-15]
| |
* | Merge pull request #3867 from smitsohu/non-dumpable [smitsohu, 2021-01-15]
|\ \
| | |     return to non-dumpable plugins
| | |
| * | fix broken tests and regression on 45304621a6c600d8e30e98bfbef05149caaf56c5 [smitsohu, 2021-01-06]
| | |
| * | non-dumpable plugins [smitsohu, 2021-01-04]
| | |     (hopefully) fixes the issues that led to reverting commits
| | |     6abb65d328af61d67361890743190bd4c57f8e3c and
| | |     98e42dc6da4e4b1e47ed2aa020012d4dedc1e80e
| | |
* | | bug_report.md: improve wording (upstream/duplicates) [Kelvin M. Klann, 2021-01-14]
| | |     Clarify that:
| | |
| | |     * "upstream profile" means the profile version on the master branch
| | |     * "duplicates" refer to duplicate issues
| | |
| | |     As suggested by @scruloose on
| | |     https://github.com/netblue30/firejail/issues/3884#issue-784605766
| | |     https://github.com/netblue30/firejail/issues/3884#issuecomment-759528185
| | |
* | | fix mdr.profile [glitsj16, 2021-01-13]
| | |     Thanks @rusty-snake for [spotting](https://github.com/netblue30/firejail/commit/662ebd214b0a7874072381f5aaf3fbd322f0e460) this!
| | |
* | | add qnapi to new profiles [glitsj16, 2021-01-13]
| | |
* | | new profile: qnapi (#3890) [glitsj16, 2021-01-13]
| | |     * add new profile: qnapi
| | |     * add new profile: qnapi
| | |     * Create qnapi.profile
| | |     * add qnapi configs
| | |     * Update README.md
| | |     * Update README.md
| | |
* | | add new profile: shotwell (#3889) [glitsj16, 2021-01-13]
| | |     * new profile: shotwell
| | |     * Create shotwell.profile
| | |     * new profile: shotwell
| | |     * add shotwell blacklists
| | |
* | | new profile: mdr (#3888) [glitsj16, 2021-01-13]
| | |     * add new profile: mdr
| | |     * Create mdr.profile
| | |
* | | new profile: agetpkg (#3887) [glitsj16, 2021-01-13]
| | |     * Create agetpkg.profile
| | |     * new profile: agetpkg
| | |
* | | add new profiles: lsar & unar (ar redirects) (#3886) [glitsj16, 2021-01-13]
| | |     * Create lsar.profile
| | |     * Create unar.profile
| | |     * new profiles lsar & unar
| | |
* | | refactor nodejs applications (npm & yarn) (#3876) [glitsj16, 2021-01-11]
| | |     * add yarn & reorder
| | |     * add node-gyp & yarn files
| | |     * Create nodejs-common.profile
| | |     * Create yarn.profile
| | |     * refactor npm.profile
| | |     * add new profile: yarn
| | |     * read-only's for npm/yarn
| | |       Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
| | |     * ignore read-only's for npm
| | |       As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
| | |     * ignore read-only for yarn
| | |       As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
| | |     * remove quiet from nodejs-common.profile
| | |       quiet should go into the caller profiles instead
| | |     * add quiet to npm.profile
| | |       Thanks @rusty-snake for the review.
| | |     * re-ordering some options
| | |     * re-ordering
| | |
* | | fix ordering in ssh.profile (#3882) [glitsj16, 2021-01-11]
| | |
* | | Improvements to balsa,fractal,gajim,trojita (#3791) [bbhtt, 2021-01-11]
| | |     * Improvements to balsa,fractal,gajim,trojita
| | |     * sort
| | |     * Add gpg plugin support to gajim,remove notifications dbus from trojita
| | |     * Add dbus policy from flatpak per @rusty-snake
| | |     * Add python* to private-bin; remove some dbus
| | |
| | |     Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
| | |
* | | Merge pull request #3879 from aidalgol/steam-arma3-fix [SkewedZeppelin, 2021-01-11]
|\ \ \
| | | |     Whitelist Bohemia Interactive config dir for Steam
| | | |
| * | | Add blacklist line for Bohemia Interactive to disable-programs [Aidan Gauland, 2021-01-10]
| | | |
| * | | Whitelist Bohemia Interactive config dir for Steam [Aidan Gauland, 2021-01-10]
| | | |     At least Arma 3 stores its config directory under
| | | |     ~/.local/share/bohemiainteractive
| | | |
* | | | discord-common.profile: Fix audio support (#3880) [Nikos Chantziaras, 2021-01-10]
|/ / /
| | |     Discord needs PulseAudio. Without it, it's unable to play any audio.
| | |
* | | evince.profile: optionally allow bookmark/metadata access [Samtinel, 2021-01-09]
| | |     bookmarks are saved under $HOME/.local/share/gvfs-metadata
| | |     since evince is the primary pdf reader, a firejailed evince can't read or write those
| | |     this commit adds instructions to enable metadata writing and reading
| | |
* | | Add new profile for marker [rusty-snake, 2021-01-08]
| | |
* | | Harden openshot.profile [rusty-snake, 2021-01-08]
| | |     'dbus-user none' freezes openshot when clicking on open project,
| | |     'dbus-user filter' works.
| | |
* | | refactor mattermost-desktop as electron redirect (#3806) [rusty-snake, 2021-01-08]
| | |
* | | update manpages and RELNOTES [rusty-snake, 2021-01-08]
| | |
* | | Update README [glitsj16, 2021-01-08]
| | |
* | | Update README.md [glitsj16, 2021-01-08]
| | |
* | | Add profile for npm (#3866) [Aidan Gauland, 2021-01-08]
| | |     * Add profile for npm
| | |     * Apply suggestions from code review
| | |     * Remove redundant blacklisting of Wayland.
| | |     * Remove unnecessary noblacklist lines for nodejs.
| | |     * Replace absolute paths to .inc files with filenames.
| | |     * Remove unneeded dbus whitelisting.
| | |       Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| | |     * Remove empty line
| | |       To keep consistent with other profiles, remove the blank line after
| | |       the header comment.
| | |       Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| | |     * Add npm files to add-common-devel
| | |       So that our addition of npm paths to disable-programs.inc does not
| | |       break IDEs, we need to unblacklist these same paths in
| | |       allow-common-devel.inc.
| | |     * Remove extra blank line
| | |     * Add common whitelist includes to npm profile
| | |     * Tighten npm profile
| | |       Include disable-exec.inc, but allowing ${HOME}.
| | |     * Remove whitelist-common.inc from npm profile
| | |       whitelist-common breaks npm, and since we don't know where the user's
| | |       npm projects will be, leave the whitelist-common include in a comment
| | |       with a note about how to enable it for their setup.
| | |     * Fix inverted commands
| | |       Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| | |     * Fixes for whitelisting
| | |     * Add login.defs to npm profile's private-etc
| | |
| | |     Co-authored-by: Aidan Gauland <aidalgol+git@fastmail.net>
| | |     Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| | |
* | | fbuilder: check Yama permissions [smitsohu, 2021-01-08]
| | |     closes #3237
| | |
* | | fbuilder: whitelist-common.inc processing [smitsohu, 2021-01-08]
| | |
* | | simplify clean_pathname function [smitsohu, 2021-01-08]
| | |
* | | electron redirect fixes (#3875) [glitsj16, 2021-01-07]
| | |     * drop doubled netfilter in atom.profile
| | |     * drop doubled disable-mnt in tutanota-desktop.profile
| | |
* | | harden liferea (#3873) [glitsj16, 2021-01-06]
| | |     * harden liferea
| | |     * dbus fixes
| | |       On closer investigation it seems wiser to tighten D-Bus filtering as
| | |       Liferea implements stuff via plugins that are disabled by default.
| | |
* | | mount private-lib directories read-only [smitsohu, 2021-01-06]
| | |     avoids creating holes in the basic read-only filesystem
| | |
* | | join: misc improvements [smitsohu, 2021-01-06]
| | |     * don't mess with umask of root, it could be more strict than user
| | |       umask and relaxing it may catch root by surprise
| | |     * join needs execveat syscall, need to drop it post-exec
| | |     * make things more explicit
| | |
* | | fix preview in apostrophe [rusty-snake, 2021-01-05]
| | |
* | | new profile: tutanota-desktop (#3870) [glitsj16, 2021-01-05]
| | |     * new profile: tutanota-desktop
| | |     * add tutanota-desktop to firecfg
| | |     * blacklist tutanota-desktop files
| | |     * Create tutanota-desktop.profile
| | |
* | | drop doubled disable-exec in signal-desktop (#3869) [glitsj16, 2021-01-05]
|/ /
* | fix #3859 (#3863) [glitsj16, 2021-01-01]
| |     * fix #3859
| |     * fix #3859
| |     * fix #3859
| |
* | really fix running kernel config check (#3859) [glitsj16, 2020-12-31]
| |     * really fix running kernel config check
| |       archiver-common.inc includes `disable-shell.inc`, breaking
| |           $ zcat /proc/config.gz
| |           Cannot start application: Permission denied
| |     * really fix running kernel config check
| |       archiver-common.inc includes `disable-shell.inc`, breaking
| |           $ zgrep -c "CONFIG_USER_NS=y" /proc/config.gz
| |           Cannot start application: Permission denied
| |
* | Merge pull request #3760 from kmk3/fix-keepassxc [netblue30, 2020-12-30]
|\ \
| | |     keepassxc.profile: Fix hang due to seccomp
| | |
| * | keepassxc.profile: Fix hang due to seccomp [Kelvin M. Klann, 2020-11-17]
| | |     With the current profile, keepassxc hangs on startup, before showing
| | |     the main window:
| | |
| | |         $ uname -r -m
| | |         5.9.1-artix1-1 x86_64
| | |         $ firejail --version | head -n 1
| | |         firejail version 0.9.64
| | |         $ firejail --quiet keepassxc --version
| | |         KeePassXC 2.6.2
| | |         $ firejail --quiet keepassxc
| | |         # (nothing happens)
| | |         ^C
| | |
| | |     Seccomp debugging as explained on etc/templates/syscalls.txt:
| | |
| | |         $ sudo grep -Eo 'keepassxc.* syscall=[0-9]+' /var/log/messages.log | tail -n 1
| | |         keepassxc" exe="/usr/bin/keepassxc" sig=31 arch=c000003e syscall=303
| | |         $ firejail --debug-syscalls | grep 303
| | |         303 - name_to_handle_at
| | |
| | |     So allow the name_to_handle_at syscall.
| | |
| | |     Relates to #3549.
| | |
* | | Merge pull request #3850 from smitsohu/smitsohu-shell [netblue30, 2020-12-30]
|\ \ \
| | | |     join: add fexecve fallback for shells
| | | |
| * | | join: add fexecve fallback for shells [smitsohu, 2020-12-29]
| | | |     Allows users to join a sandbox and get a shell even if there is none
| | | |     in the sandbox mount namespace. There are few limitations:
| | | |
| | | |     1. This will fail with scripted shells (see man 3 fexecve for an explanation)
| | | |     2. Shell process names are not user friendly
| | | |
* | | | Merge pull request #3852 from rusty-snake/fix-3846 [netblue30, 2020-12-30]
|\ \ \ \
| | | | |     Implement netns in profiles, closes #3846
| | | | |
| * | | | Implement netns in profiles, closes #3846 [rusty-snake, 2020-12-29]
| | | | |
* | | | | Merge pull request #3848 from bbhtt/browsers [Reiner Herrmann, 2020-12-30]
|\ \ \ \ \
| | | | | |     Add profiles for MS Edge dev build for Linux and Librewolf
| | | | | |
| * \ \ \ \ Merge branch 'master' into browsers [Reiner Herrmann, 2020-12-29]
| |\ \ \ \ \
| |/ / / / /
|/| | | | |
* | | | | | Merge pull request #3847 from bbhtt/small_fixes [Reiner Herrmann, 2020-12-29]
|\ \ \ \ \ \
| | | | | | |     Small fixes