Commit message | Author | Age | |
---|---|---|---|
* | Merge branch 'master' of http://github.com/netblue30/firejail | netblue30 | 2018-03-12 |
|\ | |||
| * | Add a profile for gnome-builder | Tad | 2018-03-12 |
| | | |||
| * | Remove mdwe from viewnior - fix #1808 | Fred-Barclay | 2018-03-12 |
| | | |||
* | | bringing back private-lib in evince, and some fixes for Arch Linux | netblue30 | 2018-03-12 |
|/ | |||
* | private-lib bug: 32 bit libraries being copied instead of 64 bit versions; splitting common code for firejail and fldd in a common static library | startx2017 | 2018-03-12 |
* | fix bash on CentOS 7 | startx2017 | 2018-03-12 |
| | |||
* | fix speller support in gedit profile | startx2017 | 2018-03-12 |
| | |||
* | Add a steam profile alias for steam-native | Tad | 2018-03-10 |
| | |||
* | fix private-dev | netblue30 | 2018-03-10 |
| | |||
* | disable symlinks for root user | netblue30 | 2018-03-10 |
| | |||
* | Add more necessary info in new issue template | Vincent43 | 2018-03-07 |
| | |||
* | Disable memory-deny-write-execute in evince profile | Vincent43 | 2018-03-07 |
| | | | It started breaking application in Archlinux, see https://github.com/netblue30/firejail/issues/1803 | ||
* | fix whitelist /dev/fd,stdin,stdout,stderr - #1778 | netblue30 | 2018-03-06 |
| | |||
* | bringing in /dev/fd,stdin,stdout,stderr in --private-dev | netblue30 | 2018-03-06 |
| | |||
* | Add falkon profile - see #1794 | Fred-Barclay | 2018-03-05 |
| | |||
* | Fix #1797 - Brave doesn't open with noexec /tmp | Fred-Barclay | 2018-03-05 |
| | |||
* | fix kioexec/krun for KDE authentication | netblue30 | 2018-03-05 |
| | |||
* | Merge branch 'master' of https://github.com/netblue30/firejail | smitsohu | 2018-03-05 |
|\ | |||
| * | Add VS Code profile - see request in #1139 | Fred-Barclay | 2018-03-03 |
| | | |||
| * | Add netlink to protocol list and drop chroot from seccomp filter - should fix #1792. Brackets no longer opens without netlink in the protocol list, or with chroot blacklisted by the seccomp filter (which this commit changes from 'seccomp' to 'seccomp.keep'). | Fred-Barclay | 2018-03-02 |
* | | blacklist smartgit password file - #1796 | smitsohu | 2018-03-05 |
|/ | |||
* | let konsole access its settings - #1789 | smitsohu | 2018-03-02 |
| | |||
* | cleanup: remove empty private-bin and private-etc lines | smitsohu | 2018-03-01 |
| | |||
* | add join-or-start to dolphin, okular and kwrite | smitsohu | 2018-03-01 |
| | | | | fixes registration of d-bus services, closes #1391 | ||
* | fixed RELNOTES dates | netblue30 | 2018-03-01 |
| | |||
* | Fixup private-bin in start-tor-browser.profile after 63d455fbe6cfde2f97137f51b779d44f22cb4675 | Tad | 2018-02-27 |
* | appimage enhancements | netblue30 | 2018-02-27 |
| | |||
* | Sync start-tor-browser with torbrowser-launcher profile' | Tad | 2018-02-27 |
| | | | | | | start-tor-browser.profile should stay separate from torbrowser-launcher for the case when downloaded manually. The other tor-browser-* are okay to extend torbrowser-launcher because their paths are known. | ||
* | Add ld.so.cache to torbrowser-launcher.profile | Tad | 2018-02-26 |
| | |||
* | Add ld.so.cache to firefox-common.profile, fixes #1767 | smitsohu | 2018-02-26 |
| | |||
* | drop cap_mac_admin in apparmor profile | smitsohu | 2018-02-27 |
| | |||
* | Merge pull request #1787 from joelazar/master | Fred Barclay | 2018-02-26 |
|\ | | | | | .Xauthority moved from blacklist to read-only | ||
| * | .Xauthority moved from blacklist to read-only | joelazar | 2018-02-26 |
| | | |||
* | | Add join-or-start to kate (should fix #1784) | Fred-Barclay | 2018-02-24 |
| | | |||
* | | man page, README.md, RELNOTES | netblue30 | 2018-02-21 |
|/ | |||
* | Minor bitcoin-qt nitpicks and update README | Tad | 2018-02-20 |
| | |||
* | Merge pull request #1780 from baryluk/master | Fred Barclay | 2018-02-20 |
|\ | | | | | Add a profile for bitcoin-qt | ||
| * | Merge branch 'master' of github.com:baryluk/firejail | Witold Baryluk | 2018-02-20 |
| |\ | |||
| | * | Revert "Also whitelist .bitcoin-testnet just in case" | Witold Baryluk | 2018-02-20 |
| | | | | | | | | | | | | | | | | | | This reverts commit 254d2a9d9b6e752c0e3188fa90e4c5856eae5979. Testnet blockchain is in ~/.bitcoin/testnet3/ no need for anything else. | ||
| * | | Revert "Also whitelist .bitcoin-testnet just in case" | Witold Baryluk | 2018-02-20 |
| |/ | | | | | | | | | | | | | | | This reverts commit 254d2a9d9b6e752c0e3188fa90e4c5856eae5979. Testnet blockchain is in ~/.bitcoin/testnet3/ no need for anything else. And config is in ./.config/Bitcoin/Bitcoin-Qt-testnet.conf | ||
| * | Also whitelist .bitcoin-testnet just in case | Witold Baryluk | 2018-02-20 |
| | | |||
| * | Remove unnecessary blacklist for bitcoin-qt config. Comment about private-lib | Witold Baryluk | 2018-02-20 |
| | | |||
| * | Add a profile for Bitcoin Core QT client / wallet | Witold Baryluk | 2018-02-20 |
| | | |||
* | | Update firecfg and README | Tad | 2018-02-20 |
| | | |||
* | | Merge pull request #1779 from baryluk/master | SkewedZeppelin | 2018-02-20 |
|\| | | | | | Add a profile for Vivaldi Snapshot | ||
| * | Add a profile for Vivaldi Snapshot | Witold Baryluk | 2018-02-20 |
|/ | |||
* | Apparmor: Allow log Firejail blacklist violations | Vincent43 | 2018-02-19 |
| | |||
* | Log denied write access for easier debugging | Vincent43 | 2018-02-19 |
| | | | After more testing we can disable logging again. | ||
* | Apparmor: blacklist /proc and /sys access from firejail | Vincent43 | 2018-02-19 |
| | | | | | Firejail does blacklisting sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530 There is no need to duplicate this in apparmor using whitelisting approach which is much harder to do and needs never ending maintenance. | ||
* | Apparmor: don't duplicate userspace /run/user restrictions | Vincent43 | 2018-02-19 |
| | | | | | | | Currently userspace firejail do blacklist approach to /run/user/ directory. By default it blacklist /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles like blacklisting /run/user/**/bus , etc. The blacklist can be extended or degraded by profile which allows for fine grained hardening. In apparmor we do whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allow access. This duplicates functionality and amount of work to do. Moreover we end up with same list of allowed files as every one of them is used by some app and apparmor profile is global. It's even worse as firejail blacklist can be disabled with "writable-run-user" command which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor. The solution for all above is to leave handling of /run/user to userspace firejail which is better tool to do this. In apparmor we should only handle things which firejail can't do. |