| Commit message (Collapse) | Author | Age |
|
Even when `nogroups` is not used, avoid keeping the audio and video
groups when `nosound` and `novideo` are used, respectively.
Based on @rusty-snake's suggestion:
https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299
Relates to #4603.
|
Check if new_groups already is full before trying to add to it.
|
Move the logic from clean_supplementary_groups into the following new
functions:
* find_group
* copy_group_ifcont
These will be reused later.
Misc: The latter function's signature is based on getgrouplist(2), which
is used on clean_supplementary_groups.
|
add basic Firejail support to AppArmor base abstraction (#3226)
|
Add profiles for imv, retroarch, and torbrowser
|
imv, retroarch, and torbrowser are also added to
firecfg.config
|
blobwars: add path to game assets compatible with Arch
|
Drop noinput for games with joystick/gamepad support
|
Fixes #4608
|
Fix tremulous profile for Arch users
|
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
Fix jumpnbump for Arch users
|
Fixes #4611.
|
Fix warsow profile for Arch users
|
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
Warsow uses a shell wrapper hence requires some modifications. Netlink
was added to protocols as the game was segfaulting after changing
resolution and saving the setting.
|
Create disable-proc.inc
|
Removes the inconsistency that some blacklisted
paths could be remounted (files specified explicitly)
and some could not. Now all blacklisted paths can
be mounted nosuid, nodev, noexec if users
specify this.
Also fixes the bug that mount id can indeed be 0.
Other than that no functional or algorithmic changes,
only readability improvements.
|
Fix misc in get_group_id
|
To make things clearer, since there is already a `struct group` in the
same function.
|
gr_gid is of type gid_t (not uid_t). From grp.h(0p) of POSIX.1-2017:
> DESCRIPTION
>
> The <grp.h> header shall declare the group structure, which shall
> include the following members:
>
> char *gr_name The name of the group.
> gid_t gr_gid Numerical group ID.
> char **gr_mem Pointer to a null-terminated array of character
> pointers to member names.
>
> The <grp.h> header shall define the gid_t and size_t types as
> described in <sys/types.h>.
Note: The callers already store the result in gid_t variables.
First caused by commit dc3564b18 ("fixes", 2016-03-09).
|
This amends commit 40ed53c20 ("nvidia fix", 2016-10-08) and commit
74149d248 ("fixes", 2016-03-20).
|
libtrace.c: use realpath instead of readlink to avoid PATH_MAX
|
PATH_MAX is not guaranteed to be defined and it may be defined to -1.
Avoid depending on it by getting the result directly from realpath. See
commit 579f856c5 ("firejail.h: add missing linux/limits.h include") /
PR #4583 for details.
Note: This replaces the static char array currently used with a dynamic
one returned from realpath.
Misc: This is a continuation of #4583.
|
found in Debian Bullseye.
/run/shm is a symbolic link to /dev/shm,
and whitelisting it will just recreate
the symbolic link.
|
Adds minimal cgroupv2 support, and fixes
an effective user id assertion in --join
(instead of asserting effective user id
of the user, drop privileges completely
in a child process).
|
Use ?ALLOW_TRAY: (#4510) in profiles