| Commit message (Collapse) | Author | Age |
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
Try to fix #2310 -- Can't create run directory without suid-root
|
| | |
|
|\ \
| | |
| | | |
Fix Lutris profile
|
| | | |
|
| | | |
|
|\ \ \
| | | |
| | | | |
Add cargo.profile
|
| | | | |
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Whitelist2
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| |/ / /
|/| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Summary: SDDM uses $XDG_RUNTIME_DIR/<UUID> as Xauthority.
In my tests (Fedora 32 KDE spin IIRC) it used /tmp/... so it was
irrelevant for wruc. So the Xauthority file created by SDDM sems to
depend on distro, version, config, ….
Future alternatives to this long, ugly line would be a ${XAUTHORITY}
macro or a private-run-user option.
|
|\ \ \ \
| | | | |
| | | | | |
rename noautopulse to keep-config-pulse
|
| | | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Changes:
* add the keep-config-pulse option
* make noautopulse an alias for keep-config-pulse
* deprecate the noautopulse option
* misc: fix indentation of --keep-dev-shm on src/firejail/usage.c
Even though noautopulse is not intended for hardening, it looks like it
is, because it starts with "no", just like no3d, noroot, etc). In fact,
it is the only "no" option that differs in such a way.
And it has been accidentally misused as such before; see PR #4269 and
commit e4beaeaa8 ("drop noautopulse from agetpkg").
So effectively rename it to keep-config-pulse in order to avoid
confusion. This is similar to the keep-var-tmp and keep-dev-shm
options, which are used to "leave a path alone", just like noautopulse.
Note: The changes on this patch are based on the ones from commit
617ff40c9 ("add --noautopulse arg for complex pulse setups") / PR #1854.
See #4269 for the discussion.
|
| | | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Cosmetics, align RUN_UTMP_FILE open flags
with others in 825ac9cdc38c4285584e69d6f29102b149914dfe
Fix fslogger
|
| | | | | |
|
| | | | | |
|
| |_|/ /
|/| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Dumb patch that adds O_CLOEXEC to all open/fopen
calls, even where it is obviously pointless.
While at it, also add O_EXCL where it might be
considered useful, for example to clear Coverity
warnings, or on files that subsequently are used
to configure a join sandbox.
Pure defense in depth, this patch should have no
observable effects.
|
| | | |
| | | |
| | | |
| | | | |
Make ${HOME}/.rustup read-only and blacklist ${HOME}/.cargo/credentials.toml
|
| | | | |
|
|/ / / |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
See #4274
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* fix noroot comment
As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630981737).
* fix dbus-user comment
As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630982527).
* fix private-dev comment
As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630980029).
* fix private-etc comment
As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630979698).
* move writable-var comment cfr. profile.template
|
| | |
| | |
| | |
| | | |
Subdirs for private-etc has been implemented since 6ebe8925.
|
| | |
| | |
| | |
| | | |
Clarify some options that supersede others.
|
| | |
| | |
| | |
| | | |
Profiles with private-dev behind BROWSER_DISABLE_U2F were missed by 0cee0ba5.
|
|\ \ \ |
|
| | | | |
|
|/ / /
| | |
| | |
| | | |
~/.config/pulse directory unchanged
|
| | | |
|
| | |
| | |
| | |
| | | |
It now features audio/video calling.
|
| | |
| | |
| | | |
It's a workaround option, not to be used in any profile by default. Thanks to @rusty-snake for pointing that out.
|
|\ \ \
| | | |
| | | | |
contrib/vim: add missing noinput command to syn match
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Added on commit a90386d77 ("Map /dev/input with "--private-dev", add
"--no-input" option to disable it") / PR #4209. See also commit
0cee0ba5a ("Add noinput to all profiles with private-dev") / PR #4239.
Misc: I noticed that it was missing due to the lack of syntax
highlighting on etc/profile-m-z/webstorm.profile.
|
| |_|/
|/| |
| | |
| | | |
Fixes #4256
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
bijiben crashes without access to /usr/share/tracker3 in Fedora 34 with:
** (bijiben:14): WARNING **: 21:48:08.394: Unable to connect to Tracker: 'file:///usr/share/tracker3/ontologies/nepomuk' is not a ontology location
** (bijiben:14): WARNING **: 21:48:08.394: Cannot initialize BijiManager: 'file:///usr/share/tracker3/ontologies/nepomuk' is not a ontology location
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Create node.profile
* Create node-gyp.profile
* refactor npm as redirect
* Create npx.profile
* Create nvm.profile
* Create semver.profile
* refactor yarn as redirect
* collect node.js stack configuration in common profile
* add ~/.nvm to node section
* account for node-gyp python dependency
* read-only ~/.nvm for node.js stack
* blacklist ~/.nvm for node.js stack
* move env var comment cfr. profile.template
* Delete node-gyp.profile
node-gyp is a shell script with a node shebang. We've got that covered via node.profile.
* Delete npx.profile
npx is a shell script with a node shebang. We've got that covered via node.profile.
* Delete semver.profile
semver is a shell script that calls node. We've got that covered via node.profile.
* add node and nvm to new profiles section
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* revert comment changes from #4257
* revert comment changes from #4257
* revert comment changes from #4257
* revert comment changes from #4257
|