| Commit message (Collapse) | Author | Age |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Backporting fixes for Atom 1.48 to firejail 0.9.52, 0.9.58, and 0.9.60
Summary:
- remove nonewprivs, noroot, protocol, and seccomp
- update caps filter to keep sys_admin and sys_chroot
Without these changes Atom 1.48 breaks and refuses to start (due to
Electron sandboxing)
|
|
|
|
|
|
|
| |
Atom 1.48 requires a looser sandbox and no longer works with
noroot, nonewprivs, protocol, and seccomp
caps filter needed adjusting to keep sys_admin and sys_chroot
|
|
|
|
|
|
|
| |
* enable apparmor support by default in update_deb.sh
* Add fix for Debian bug 916920
This should bring the script in sync with packages installed from PPA.
|
|
|
|
| |
https://github.com/hannob/mmapfail
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add strawberry profile
* Fix comment
* Add to disable-programs.inc & firecfg.config
* Add /home/amin/.local/share/strawberry to profile and disable-programs
* Various hardening for strawberry profile
Signed-off-by: Amin Vakil <info@aminvakil.com>
* Change nodbus to dbus-system none in strawberry profile
* Add dbus-user none to strawberry profile
* Add whitelist-var-common, sort private-etc
* Sort, Add wruc, Add netlink to protocol in strawberry profile
* Remove dbus-user none to allow using gnome functions for various usage in strawberry profile
|
|
|
| |
Applications using Qt5 need this to be whitelisted if the user is using a qt5ct colour scheme (such as "darker") or custom QSS.
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
Fixes #3454
|
|/
|
|
| |
solves #3454
|
|
|
| |
See https://github.com/netblue30/firejail/issues/3219#issuecomment-638823377
|
|
|
|
|
|
|
| |
* prioritize installing via OS
* Update README.md
Bring in changes discussed in #3442.
|
|
|
|
|
|
|
|
|
| |
* Man pages: link to .profile resolution, urls
* Man pages: firejail-profile add link to wiki profile creation
* Man pages: line break, slash in path
* Man pages remove space before dots
|
|
|
|
|
|
|
|
| |
Add verbiage to the man pages clarifying that the files/directories in
the lists given to options such as --private-bin must be relative to
the directory that is being limited (e.g., --private-opt requires a
list of files/directories that are relative to /opt).
Signed-off-by: Jeff Squyres <jeff@squyres.com>
|
|
|
|
|
| |
* firecfg: Only use fix_desktop_files when --fix is specified
* firecfg: Only use fix_desktop_files automatically when run through sudo
|
|
|
|
|
|
|
|
|
|
|
|
| |
* disable-shell.inc
* add disable-shell.inc to all profiles with a …
… private-bin line without bash/sh except profiles with redirect
profiles.
* add it to some more profiles
* exclude aria2c.profile
|
|
|
|
| |
revert long-line split and fix bash-completion
|
|
|
|
|
|
| |
- remove -c, the manpage says it is ignored
- $(DESTDIR)/$(bindir)/. -> $(DESTDIR)$(bindir) and so on
- install contrib by file glob (*.py, *.sh)
- split long lines
|
|
|
|
|
| |
w3m is a text-based web browser as well as a pager like `more' or `less'. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that).
As it outputs I suppose setting quiet in its profile is appropriate.
|
| |
|
|\
| |
| | |
DBus filtering enhancements
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
D-Bus audit is now more in line with D-Bus filtering settings:
* Checks both the DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS
environment variables.
* Also checks common paths for fallback sockets in /run.
* Will report GOOD when D-Bus filtering is enabled.
|
| |
| |
| |
| |
| |
| |
| | |
--dbus-user.log and --dbus-system.log instruct xdg-dbus-proxy to log
interactions with the session and system buses, respectively.
--dbus-log= can specify the location of the log file. If no location is
specified, log output is written to stdout.
|
| |
| |
| |
| |
| | |
This allows setting per-member and per-object path policies for
xdg-dbus-proxy.
|
| |
| |
| |
| |
| |
| |
| | |
The SEE policy of xdg-dbus-proxy allows clients to see objects and bus
names, but not interact with them. The --call and --broadcast can allow
interactions with objects that have the SEE policy set. Profile support
for these proxy options will be added in a future commit.
|
| | |
|
| |
| |
| |
| |
| | |
* harden mpg123.profile
* drop nodvd from mpg123.profile
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Create mocp.profile
* add mocp support to disable-programs.inc
* add mocp support in firecfg.config
* update RELNOTES for mocp
* fix configuration access for mocp
Thanks to @rusty-snake for spotting this.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update dino-im.profile
comment out the globals.local so it's not included twice
* Update dino-im.profile
add comment
|
| | |
|
| |
| |
| |
| |
| | |
See
87e7b313997b1d2be6553cfb22fef71b74c84ea6
|
| | |
|
| | |
|
|\ \
| | |
| | | |
Add Ubuntu's renamed version of dino
|
| | |
| | |
| | | |
Ubuntu packages dino as dino-im
|
|/ /
| |
| | |
Ubuntu named the dino instant messenger's binary ``dino-im``, so it needs to be present as profile and added to private-bin.
|
| |
| |
| | |
After https://github.com/netblue30/firejail/commit/76127399a5811a0b5ae3fffbd999bf22fba032e1 the caps workaround is no longer needed.
|
| | |
|
| |
| |
| | |
Fixes #3423.
|
| | |
|
| | |
|