| Commit message | Author | Age |

Update GitHub actions with Dependabot:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot

Pinning actions to SHAs instead of versions improves supply chain
security:
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
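A SHA pin only protects the workflow if every remote `uses:` line actually carries one; a tag such as `@v3` or a branch such as `@main` stays under the control of whoever owns the action repository. The script below is an added example, not code from the firejail repository or its contributors: it lists the references in a workflow that are still pinned to something other than a full commit SHA. The workflow text, action names and SHAs it scans are constructed placeholders for the example.

```sh
#!/bin/sh
# Added example, not firejail code: flag GitHub Actions `uses:` references
# that are not pinned to a full 40-hex commit SHA. A tag such as @v3 or a
# branch such as @main can be moved by whoever controls the action repo;
# a commit SHA cannot.

# Constructed sample workflow (action names and SHAs are placeholders for
# this example, not taken from any real workflow).
SAMPLE_WORKFLOW='name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: github/codeql-action/init@main
'

# Constructed sample with every remote action pinned.
PINNED_WORKFLOW='steps:
  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  - uses: ./.github/actions/local-step
'

# unpinned_uses: read workflow text on stdin, print each remote `uses:`
# target whose ref is not a 40-hex commit SHA, one per line.
# Local actions (./path) and docker:// images are out of scope here.
unpinned_uses() {
    sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        grep -v -e '^\./' -e '^docker://' |
        grep -v -E '@[0-9a-f]{40}$' || :
}

# count_unpinned: number of unpinned references in the given workflow text.
count_unpinned() {
    printf '%s' "$1" | unpinned_uses | wc -l | tr -d ' '
}

# Stand-alone usage: report what would fail a pinning check.
main() {
    bad=$(printf '%s' "$SAMPLE_WORKFLOW" | unpinned_uses)
    if [ -n "$bad" ]; then
        printf 'not pinned to a commit SHA:\n%s\n' "$bad"
    else
        echo 'all remote actions pinned'
    fi
}
main
```

Run it with `sh` against a workflow file by replacing the embedded sample with `cat .github/workflows/ci.yml | unpinned_uses`. The trailing `# v5.0.0` comment is the convention Dependabot's `github-actions` ecosystem uses to keep a SHA-pinned reference readable: it rewrites both the SHA and the comment when a new release appears, which is what makes SHA pinning and Dependabot work together rather than against each other.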

Signed-off-by: Tad <tad@spotco.us>

Allow /opt/tor-browser for Tor Browser profile

Allow telegram to open hyperlinks

Whitelist /usr/share/nextcloud to allow access to translation files.

Fix teams ignoring input sources e.g. microphones

Whitelist ${HOME}/.local/opt/tor-browser to make tor-browser work

tor-browser 11.0.2-1 doesn't work without whitelisting this directory. The
following was the message I got before whitelisting this directory.

Reading profile /etc/firejail/tor-browser.profile
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 12653, child pid 12654
104 programs installed in 153.32 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode
Warning: skipping pki for private /etc
Private /etc installed in 64.84 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 325.75 ms
/usr/bin/tor-browser: [Error] The tor-browser archive could not be extracted to your home directory.
Check the permissions of ~/.local/opt/tor-browser/app.
The error log can be found in ~/.local/opt/tor-browser/LOG.
/usr/bin/tor-browser: line 218: ~/.local/opt/tor-browser/app/Browser/start-tor-browser: No such file or directory

Revert allow/deny leftovers

As of this commit, these are not of much use. Though later if a generic
profile search/replace tool with built-in rules is to be added, the
tools in question could be used as a starting point.

src/tools/profcleaner.c was added on commit fe0f975f4 ("move
whitelist/blacklist to allow/deny", 2021-07-05).

src/tools/profcleaner.sh was added on commit ed02ab57b ("Create
profcleaner.sh", 2021-07-07) / PR #4389.

Relates to #4410.

whitelist/nowhitelist/blacklist/noblacklist"

This reverts commit 45f2ba544e9934b49e03b17c0a638dddc3a44734.

Note: This is not a clean revert.

Note2: This also reverts the changes to src/firejail/profile.c from
commit fe0f975f4 ("move whitelist/blacklist to allow/deny", 2021-07-05).

Relates to #4410.

This reverts commit 1021fb9e5d32a48698c0c8c913d44a048b12db7f.

Relates to #4388 and #4410.

As far as I know, to "deprecate" something usually means the following:

* It should not be used anymore
* It still works (even if it may not work 100%)
* It may be removed in a future release

But the features mentioned on RELNOTES were actually removed; see commit
c08414fdb ("deprecated --disable-whitelist at compile time", 2021-07-03)
and commit c32924b82 ("deprecated whitelist=yes/no in
/etc/firejail/firejail.config", 2021-07-04).

So to avoid confusion, just say that they were removed.
|
|\ \ \
| | | |
| | | | |
allow lua in highlight.profile

Relates to #4157 #4288 #4461 #4462.

Relates to #4510 #4533 #4599 #4635.

As mentioned by @rusty-snake:
https://github.com/netblue30/firejail/discussions/4770#discussioncomment-1784210

Relates to #4607.

README.md: Mention security situation on Ubuntu and recommend PPA

Add the information posted by @reinerh on #4666 (related to
CVE-2021-26910 and Ubuntu's security policy) and also the instructions
from #4663 for installing from the PPA.

See also https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767

elinks.profile: Fix missing access to liblua

By including allow-lua.inc.

Error log:

$ firejail elinks
elinks: error while loading shared libraries: liblua.so.5.4: cannot open shared object file: Permission denied

Environment: firejail-git (a82c8e021) and elinks 0.14.3-2 on Artix
Linux.

Fixes #4707.

Reported-by: @jose1711

Skype profile tweaks

Tested these settings and they work fine, including a test call. I can't
explain why, but if the `org.kde.StatusNotifierWatcher` entry is
removed, Skype will immediately log out the previous session when
started.

Without this, Skype's session isn't retained.

Add CachyBrowser profile

Fix keeping certain groups with nogroups

This amends commit b828a9047 ("Keep audio and video groups regardless of
nogroups", 2021-11-28) from PR #4725.

The commit above did not change the behavior (the groups are still not
kept). With this commit, it appears to work properly:

$ groups | grep audio >/dev/null && echo kept
kept

# with check_can_drop_all_groups == 0
$ firejail --quiet --noprofile --nogroups groups |
grep audio >/dev/null && echo kept
kept

# with check_can_drop_all_groups == 1
$ firejail --quiet --noprofile --nogroups groups |
grep audio >/dev/null && echo kept
$

Add a new check_can_drop_all_groups function to check whether the
supplementary groups can be safely dropped without potentially causing
issues with audio, 3D hardware acceleration or input (and maybe more).
It returns false if nvidia (and no `no3d`) is used or if (e)logind is
not running, as in either case the supplementary groups might be needed.

Note: With this, the behavior from before #4725 is restored on (e)logind
systems (when not using nvidia), as it makes the supplementary groups
always be dropped on such systems.

Note2: Even with the static variable, these checks still happen at least
twice. It seems that it happens once per translation unit (and I think
that it may happen more times if there are multiple processes involved).

This also amends (/kind of reverts) commit 6ddedeba0 ("Make nogroups
work on nvidia again", 2021-11-29) from PR #4725, as it restores the
nvidia check from it into the new check_can_drop_all_groups function.

This amends commit 11418a46c ("dns fixes", 2019-10-31).

fwarning already prints "Warning: " at the beginning.

Kind of relates to commit 6ddedeba0 ("Make nogroups work on nvidia
again", 2021-11-29) / PR #4725, which removed code affected by this.

Command used to find the duplicates:

git grep -i -F 'fwarning("Warning:' -- src

To not be confused with arg_nogroups, as in the vast majority of cases
drop_privs is called with either 0 or 1 rather than arg_nogroups. The
rename makes it clearer that what the parameter does is to drop all
groups without exception, unlike arg_nogroups, which may have certain
groups be kept.