Commit message | Author | Age | |
---|---|---|---|
* | apparmor: misc fix for pcscd | Vincent43 | 2019-11-24 |
| | |||
* | apparmor: don't allow mounts and paths manipulation | Vincent43 | 2019-11-24 |
| | | | | | | | | | | | | | AppArmor security relies on path based rules and rewriting paths may allow to bypass them. Those actions are privileged so vast majority of apps shouldn't need them anyway. If some app needs those rules then it's better to consider them as unsuitable for apparmor option rather than weaken generic profile for all apps. See related issue reported by apparmor usage in snap: https://bugs.launchpad.net/snapd/+bug/1791711 | ||
* | apparmor: allow access to pcscd socket (smartcards) | Vincent43 | 2019-11-24 |
| | |||
* | Add new profile: unf (#3060) | glitsj16 | 2019-11-24 |
| | | | | | | * Create unf.profile * Add unf to firecfg.config | ||
* | Add new profile: gmpc (#3059) | glitsj16 | 2019-11-24 |
| | | | | | | | | * Create gmpc.profile * Add gmpc config to disable-programs.inc * Add gmpc to firecfg.config | ||
* | Add new profile: drawio (#3058) | glitsj16 | 2019-11-24 |
| | | | | | | | | * Create drawio.profile * Add drawio config to disable-programs.inc * Add drawio to firecfg.config | ||
* | Add new profile: ddgtk (#3057) | glitsj16 | 2019-11-24 |
| | | | | | | * Create ddgtk.profile * Add ddgtk to firecfg.config | ||
* | Add new profile: cameramonitor (#3056) | glitsj16 | 2019-11-24 |
| | | | | | | * Create cameramonitor.profile * Add cameramonitor to firecfg.config | ||
* | New profile: audio-recorder (#3055) | glitsj16 | 2019-11-24 |
| | | | | | | * Create audio-recorder.profile * Add audio-recorder to firecfg.config | ||
* | merges | Tad | 2019-11-24 |
| | |||
* | Merge pull request #3054 from adrianlshaw/profanity | SkewedZeppelin | 2019-11-24 |
|\ | | | | | Add profanity profile | ||
| * | profanity: reorder alphabetically | Adrian L. Shaw | 2019-11-24 |
| | | |||
| * | profanity: reorder alphabetically | Adrian L. Shaw | 2019-11-24 |
| | | |||
| * | profanity: allow Python plugins and reorder rules | Adrian L. Shaw | 2019-11-24 |
| | | |||
| * | Separate the whitelist section of profanity profile | Adrian L. Shaw | 2019-11-24 |
| | | |||
| * | Sort and harden profanity profile | Adrian L. Shaw | 2019-11-24 |
| | | |||
| * | Add profile for the Profanity chat client | Adrian L. Shaw | 2019-11-24 |
|/ | |||
* | Use seccomp ! syntax in electron-mail.profile | glitsj16 | 2019-11-23 |
| | |||
* | Add new electron-mail profile (#3053) | glitsj16 | 2019-11-23 |
| | | | | | | | | * Create electron-mail.profile * Add electron-mail to disable-programs.inc * Add electron-mail to firecfg.config | ||
* | Add lensfun support for gimp | glitsj16 | 2019-11-22 |
| | |||
* | Add babl/gegl support for gimp (#3051) | glitsj16 | 2019-11-22 |
| | | | | | | | | * Add babl/gegl caches for gimp * Add gir-1.0 to wusc * Add babl/gegl support to gimp.profile | ||
* | improving remount performance | smitsohu | 2019-11-19 |
| | |||
* | fix previous commit | netblue30 | 2019-11-15 |
| | |||
* | enable apparmor profile from firecfg | netblue30 | 2019-11-15 |
| | |||
* | fixing the fix | smitsohu | 2019-11-14 |
| | | | | | get previous commit acbf707889ae241bfd476f5371df4599103b6606 in line with treatment of other directories in /run/firejail/mnt | ||
* | blacklist private-home runtime directory | smitsohu | 2019-11-14 |
| | | | | | as far as possible avoid creating locations in the file system that are both writable and executable | ||
* | simplify private option ownership checks and make them more consistent | smitsohu | 2019-11-14 |
| | | | | | | allowing private and home directory to be owned by different users if the home directory is inside /home was thought to add flexibility, but the scenario is maybe a bit too exotic, and ignoring it paves the way for a simplification | ||
* | readme/relnotes updates | netblue30 | 2019-11-13 |
| | |||
* | Merge pull request #3044 from netblue30/ssh_nc | netblue30 | 2019-11-13 |
|\ | | | | | RFC: profiles: allow nc in ssh profile by default | ||
| * | profiles: allow nc in ssh profile by default | Reiner Herrmann | 2019-11-13 |
| | | |||
* | | Merge pull request #3037 from vutny/fix-3029 | netblue30 | 2019-11-13 |
|\ \ | | | | | | | Resolve #3029: drop outdated Skype profile | ||
| * | | Resolve #3029: drop outdated Skype profile | Denys Havrysh | 2019-11-12 |
| | | | |||
* | | | wine: propose allow-debuggers instead | smitsohu | 2019-11-13 |
| | | | |||
* | | | harden wine profile | smitsohu | 2019-11-13 |
| |/ |/| | |||
* | | add signal mediation to apparmor profile | smitsohu | 2019-11-13 |
| | | | | | | | | second line of defense, as there is always a pid namespace, too | ||
* | | some apparmor profile cleanup | smitsohu | 2019-11-12 |
| | | | | | | | | | | | | | | | | writing in /run/firejail/profile has always been restricted to root user, and in addition this folder is blacklisted since recently; @{profile_name} is built-in and adds a bit of flexibility; apparmor cannot be used to restrict directory search permission, so add more rules for sensitive paths | ||
* | | Merge branch 'master' of https://github.com/netblue30/firejail | smitsohu | 2019-11-12 |
|\ \ | |||
| * | | Fix dig.profile on Ubuntu | glitsj16 | 2019-11-11 |
| | | | | | | | | | Fixes #3038. | ||
* | | | blacklist .fscrypt directories | smitsohu | 2019-11-12 |
| | | | |||
* | | | private-options: add homedir ownership check | smitsohu | 2019-11-12 |
| | | | |||
* | | | private-cache warning messages - #2968 | smitsohu | 2019-11-12 |
|/ / | |||
* | | Merge branch 'master' of https://github.com/netblue30/firejail | smitsohu | 2019-11-11 |
|\| | |||
| * | rework strings.profile | rusty-snake | 2019-11-10 |
| | | | | | | | | close #2988 | ||
* | | tentatively fix k3b profile - #2989 | smitsohu | 2019-11-11 |
| | | |||
* | | add HAS_NET conditional | smitsohu | 2019-11-11 |
|/ | |||
* | add kfind profile | smitsohu | 2019-11-09 |
| | |||
* | fix nano support in git profile | smitsohu | 2019-11-09 |
| | |||
* | harden baloo | smitsohu | 2019-11-09 |
| | |||
* | Fix #3024 | rusty-snake | 2019-11-08 |
| | | | | html5, flash and widevine media support unavailable since vivaldi 2.9 | ||
* | dia profile: disable interpreters but allow python | netblue30 | 2019-11-08 |
| |