| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | |
|
| | | |
|
| | | |
|
| |\ \ |
|
| | | | |
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.1.5 to 2.1.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/883476649888a9e8e219d5b2e6b789dc024f690c...28eead240834b314f7def40f6fcba65d100d99b1)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |/ |
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
docs: mention capabilities(7) on --caps
|
| | |
| |
| |
| |
| |
| | |
As hinted by @rusty-snake[1].
[1] https://github.com/netblue30/firejail/discussions/5064#discussioncomment-2417395
|
| |\ \
| | |
| | | |
disable-common.inc: make ~/.config/pkcs11 read-only
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It looks like it allows arbitrary command execution. From
pkcs11.conf(5):
> remote:
> Instead of loading the PKCS#11 module locally, run the module
> remotely.
>
> Specify a command to run, prefixed with | a pipe. The command
> must speak the p11-kit remoting protocol on its standard in
> and standard out. For example:
>
> remote: |ssh user@remote p11-kit remote /path/to/module.so
>
> Other forms of remoting will appear in later p11-kit releases.
Environment: p11-kit 0.24.1-1 on Artix Linux.
Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").
With this commit applied, all read-only entries on whitelist-commons.inc
are also part of disable-common.inc.
See also the discussion on #5069.
|
| |\ \
| |/
|/| |
appimage: blacklist and make ~/Applications dir read-only
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It is used for storing AppImages.
Note that even when blacklisting a directory, it is possible to execute
an AppImage from it. For example, the following works:
firejail --noprofile --blacklist='${HOME}/Applications' --appimage \
~/Applications/foo.AppImage
While the resulting process does not appear to have access to the
blacklisted directory.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This directory is monitored by both appimaged[1] and
AppImageLauncher[2]. Also, when opening an AppImage with
AppImageLauncher, it may prompt the user to move the AppImage to
~/Applications.
[1] https://github.com/AppImage/appimaged/blob/2323f1825ed6abe19f2d3791d81307449692be03/README.md#monitored-directories
[2] https://github.com/TheAssassin/AppImageLauncher/wiki/Configuration
|
| | |
| |
| |
| |
| | |
* megaglest.profile: Add allow-lua.inc
* Move comment to line above
|
| |/
|
| |
Fixes #5068.
|
| |
|
|
| |
Relates to #5028 #5043 #5052.
|
| | |
|
| |\ |
|
| | |\
| | |
| | | |
ping: (extra) hardening
|
| | | | |
|
| | | | |
|
| | | | |
|
| | |\ \
| | | |
| | | | |
Node.js stack refactoring
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | | |
[nvm](https://github.com/nvm-sh/nvm) is implemented as a sourced shell function, not an executable binary. Regular sandboxing doesn't work but we can add nvm support to the applications used by it internally (curl, sha256sum, tar & wget).
|
| | | | | |
|
| | | |/ |
|
| | |\ \
| | | |
| | | | |
docs: mention inconsistent homedir bug involving --private=dir
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
And the workaround suggested by @smitsohu[1] and @rusty-snake[2].
Relates to #903 #5048.
[1] https://github.com/netblue30/firejail/issues/903#issuecomment-946673346
[2] https://github.com/netblue30/firejail/discussions/5048#discussioncomment-2360034
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It's currently only present on firejail.txt.
This amends commit 340699fbd ("misc things", 2020-02-22).
|
| | |\ \ \
| | | | |
| | | | | |
man: mention that the protocol command accumulates
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
As mentioned by @rusty-snake[1].
This amends commit 39654d016 ("adding netlink to --protocol list
(#4605)", 2022-01-21).
See also commit 75073e0e4 ("man: mention that private-bin and
private-etc are cumulative", 2022-01-22) and issue #4078.
[1] https://github.com/netblue30/firejail/pull/5042/files#r825477891
|
| |/ / / / |
|
| | |_|/
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.1.4 to 1.1.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f5d822707ee6e8fb81b04a5c0040b736da22e587...883476649888a9e8e219d5b2e6b789dc024f690c)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ocenaudio: blacklist cache dir
* ocenaudio: hardenings
* ocenaudio: fix protocol comment
|
| | | |
| | |
| | |
| | |
| | | |
* cmake: fix local override & wusc
* cmake: another wusc fix
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* pip: fix including local override
* pip: allow access to cache
The shared build-systems-common.profile (to which pip.profile redirects) blacklists ${HOME}/.cache/pip. Override that here.
* pip: add cache support in commented whitelist
|
netblue30
smitsohu
dependabot[bot]
glitsj16
Kelvin M. Klann
NetSysFire
Jose Riha