| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
| |
* fix #3859
* fix #3859
* fix #3859
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* really fix running kernel config check
archiver-common.inc includes `disable-shell.inc`, breaking
$ zcat /proc/config.gz
Cannot start application: Permission denied
* really fix running kernel config check
archiver-common.inc includes `disable-shell.inc`, breaking
$ zgrep -c "CONFIG_USER_NS=y" /proc/config.gz
Cannot start application: Permission denied
|
|\
| |
| | |
keepassxc.profile: Fix hang due to seccomp
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With the current profile, keepassxc hangs on startup, before showing the
main window:
$ uname -r -m
5.9.1-artix1-1 x86_64
$ firejail --version | head -n 1
firejail version 0.9.64
$ firejail --quiet keepassxc --version
KeePassXC 2.6.2
$ firejail --quiet keepassxc
# (nothing happens)
^C
Seccomp debugging as explained on etc/templates/syscalls.txt:
$ sudo grep -Eo 'keepassxc.* syscall=[0-9]+' /var/log/messages.log | tail -n 1
keepassxc" exe="/usr/bin/keepassxc" sig=31 arch=c000003e syscall=303
$ firejail --debug-syscalls | grep 303
303 - name_to_handle_at
So allow the name_to_handle_at syscall.
Relates to #3549.
|
|\ \
| | |
| | | |
join: add fexecve fallback for shells
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Allows users to join a sandbox and get a shell even
if there is none in the sandbox mount namespace.
There are few limitations:
1. This will fail with scripted shells (see man 3 fexecve for an explanation)
2. Shell process names are not user friendly
|
|\ \ \
| | | |
| | | | |
Implement netns in profiles, closes #3846
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Add profiles for MS Edge dev build for Linux and Librewolf
|
| |\ \ \ \
| |/ / / /
|/| | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Small fixes
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
We do not start /bin/bash in the sandbox, we use $SHELL (which is
usually /bin/bash). See #3434 and #3844. This commit updates the
manpage accordingly until #3434 is resolved with a final solution like
using /bin/bash or /bin/sh as hardcoded default. Close #3844.
The descriptions of --join* are not updated as there is currenly some
work, see #2934 and #3850.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
- split notifications and tray
- fix tray policy
|
|/ / / / /
| | | | |
| | | | | |
case is handled in guess_shell()
|
| | | | | |
|
|/ / / / |
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | | |
issue #3604
follow-up to a7607e423f3336f67daf2ec296414d55c6740f84
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If firejail is the login shell, the SHELL environment variable
is set to the path of the firejail executable. This leads to execution of a
'firejail -l' command, but firejail inside the sandbox does
not know what to do with the -l option and just starts bash without
forwarding this option.
Fix this by not checking $SHELL when guessing which shell should be used.
run_no_sandbox(), which relies on reading the environment, runs before
setting the login_shell variable, and is not affected.
|
| | | |
| | | |
| | | |
| | | |
| | | | |
issue #3784
related commit 4bc92b8fd0a5c22c7d4c6f9323378501c60ff149
|
|/ / / |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
…on to chromium, remove the nowhlist from min and
its whlist from riot-web.
TODO: remove the 'ignore whitelist /usr/share/chomium' from the most
profiles with it.
|
| | | |
|
|\ \ \
| | | |
| | | | |
x11=none: don't fail on abstract socket if netns …
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
…is used.
fix #3838 -- --x11=none --netns=isolated invalidly errors on the abstract X11 socket being accessible
|
| | | |
| | | |
| | | |
| | | | |
plus very minor cosmetic improvements
|
| | | |
| | | |
| | | |
| | | |
| | | | |
see suggested setup in man 5 firejail-users
also related to issue #3604
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add the missing binaries in the DNS section, as suggested by @glitsj16:
https://github.com/netblue30/firejail/pull/3810#issuecomment-742920539
Packages and their relevant binaries:
* bind: dnssec-*
* knot: khost
* unbound: unbound-host
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* limit file system access with comments in archiver-common.inc
* note wording
* Warn against overtightening file system access
Be more explicit about things breaking when archiver profiles are too tight. Thanks for the suggestion by @rusty-snake in #3834.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Refactor electron.profile and electron based programs (1)
* Refactor electron.profile and electron based programs (2)
* Refactor electron.profile and electron based programs (3)
* Refactor electron.profile and electron based programs (4)
* Refactor electron.profile and electron based programs (5)
* Refactor electron.profile and electron based programs (6)
* Refactor electron.profile and electron based programs (7)
* Refactor electron.profile and electron based programs (8)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* drop private-bin
* drop private-bin
* drop private-bin
* drop private-bin
* drop private-bin
* disable private-lib in tar.profile
Removing private-bin caused a test to fail - see discussion in https://github.com/netblue30/firejail/pull/3832. Thanks to @reinerh for explaining why I broke things!
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
"Portable OpenBSD ksh, based on the Public Domain Korn Shell (pdksh)."
Project page: https://github.com/ibara/oksh
$ pacman -Q oksh
oksh 6.8.1-1
$ pacman -Qlq oksh | grep bin/
/usr/bin/
/usr/bin/oksh
|
| |
| |
| |
| |
| |
| |
| | |
* New profiles for alacarte,tootle,photoflare
* Fix dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
| |
| |
| |
| |
| | |
* fix gzip
* fix tar
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* harden 7z.profile
* harden atool.profile
* harden bsdtar.profile
* harden cpio.profile
* harden gzip.profile
* harden tar.profile
* harden unrar.profile
* harden unzip.profile
* harden xzdec.profile
* harden zstd.profile
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Create archiver-common.inc
* add apparmor to archiver-common.inc
* refactor 7z.profile
* refactor ar.profile
* refactor atool.profile
* refactor bsdtar.profile
* refactor cpio.profile
* refactor gzip.profile
* refactor tar.profile
* refactor unrar.profile
* refactor unzip.profile
* refactor xzdec.profile
* refactor zstd.profile
* rewording
* blacklist ${RUNUSER} in archiver-common.inc
Thanks to @rusty-snake for suggesting this.
* drop non-sensical ${RUNUSER}/wayland-* blacklisting in archiver-common.inc
See discussion in https://github.com/netblue30/firejail/pull/3820#discussion_r543523343
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
|