| Commit message | Author | Age |

After more testing we can disable logging again.

Firejail does blacklist sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530
There is no need to duplicate this in apparmor using a whitelisting approach, which is much harder to do and needs never-ending maintenance.

Currently userspace firejail does a blacklist approach to the /run/user/ directory. By default it blacklists /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles, like blacklisting /run/user/**/bus, etc. The blacklist can be extended or degraded by a profile, which allows for fine-grained hardening.
In apparmor we do a whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allows access to. This duplicates functionality and the amount of work to do. Moreover, we end up with the same list of allowed files, as every one of them is used by some app and the apparmor profile is global. It's even worse, as the firejail blacklist can be disabled with the "writable-run-user" command, which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor.
The solution for all of the above is to leave handling of /run/user to userspace firejail, which is the better tool to do this. In apparmor we should only handle things which firejail can't do.

for transmission-gtk and transmission-qt

Playonlinux may use perl internally: https://github.com/PlayOnLinux/POL-POM-4/search?utf8=%E2%9C%93&q=perl&type=

fixes for the keepassxc 2.2.5 version

chromium canary (inox-family)

Apparmor: fix various denials

Fixes the following errors:
wine:
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/2017" pid=11533 comm="wine" requested_mask="d"
cups:
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
chromium:
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/oom_score_adj" pid=7858 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/11/mem" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_score_adj" pid=7910 comm="chrome-sandbox" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_adj" pid=7910 comm="chrome-sandbox" requested_mask="w"
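
A small parser for denial lines like the ones above, added here as an example (it is not code from the firejail project). It assumes the standard key="value" audit format of the lines quoted above, groups repeated per-PID /proc denials together and counts them, so that the single missing rule behind a burst of denials stands out; the sample input is a constructed subset of the lines quoted in this commit message.

```python
"""Parse AppArmor DENIED audit lines and group them into rule hints.

Added example, not firejail project code. Assumes the standard
key="value" audit format of the lines quoted above.
"""
import re
from collections import defaultdict

# Quoted key="value" pairs; unquoted ones (pid=, fsuid=) are not needed here.
_KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: a subset of the denials from the commit message above.
SAMPLE_LOG = """
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default"
"""

def parse_denial(line):
    """Return the quoted fields of one DENIED line as a dict, else None."""
    fields = dict(_KV.findall(line))
    return fields if fields.get("apparmor") == "DENIED" else None

def generalize_path(path):
    """Collapse per-PID /proc entries so repeated denials group together."""
    return re.sub(r"^/proc/\d+/", "/proc/[0-9]*/", path)

def summarize(log_text):
    """Group denials by (profile, operation, target); count them and union masks.

    File denials carry name=; ptrace/signal denials carry peer= instead.
    Truncated lines without denied_mask fall back to requested_mask.
    """
    groups = defaultdict(lambda: {"count": 0, "masks": set()})
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        target = generalize_path(d["name"]) if "name" in d else d.get("peer", "?")
        entry = groups[(d["profile"], d["operation"], target)]
        entry["count"] += 1
        entry["masks"].add(d.get("denied_mask", d.get("requested_mask", "?")))
    return dict(groups)

if __name__ == "__main__":
    for (profile, op, target), e in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{profile}: {op} {target} mask={"".join(sorted(e["masks"]))} x{e["count"]}')
```

Feed it the output of `journalctl -k` or `dmesg` filtered for `apparmor="DENIED"` and each grouped line maps to one missing rule in the profile.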

add localtime to private-etc to make qtox show correct time

While it is believed that blacklisting these files is a safe default,
it has the effect that untrusted certificates have to be acknowledged every
time they are encountered (with whitelisting it is possible to accept
them for the duration of an application session).
Where this causes usability issues, it will be necessary to noblacklist
these paths.

While it is essential to deny manipulation of these files,
the information contained therein should be only of secondary value.
By changing the blacklist to read-only, notification functionality is
restored.

Unify all Chromium and Firefox based browser profiles

firefox-common

Add seccomp filters for remmina, from an strace session connecting via RDP

quick test of ~50 profiles on Fedora 27
audacity - "An error occurred while loading or saving configuration information"
soundconverter - fix crash on start by removing explicit dbus blacklist added in 55938d07a58d29ceb893e4554a4ddf3c41810fc9
many issues were found that were unfixed
evolution - cannot access ~/.evolution on first run, doesn't seem to ever be used/accessed again
gedit - many plugins (spell check) are broken by private-lib
gnome-contacts - "warning: wayland-egl: could not open /dev/dri/card0" due to no3d, don't know why it thinks it needs that

This fixes "LibreOffice will attempt to recover the state of the files you were working on before it crashed." messages when you go to open a second document.
We should see if there are any other profiles where we can use join-or-start to fix similar issues.

Update remmina.profile
|
|/ / / /
| | | |
| | | | |
my profiles happened to be in ~/.remmina

Allow Spotify to run Zenity

and whitelist some kio settings, because we don't know if slave processes will run inside or outside the sandbox.
Also prevents weird bugs that depend on the sequence in which applications were started.