| Commit message (Collapse) | Author | Age |
| |
|
| |
|
|\
| |
| | |
Revert "allow/deny fbuilder"
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 4438f14f2892b5c88d158ae8fad0a80a2eebfd44.
Also, partially revert related commit e4307b409 ("fix whitelist/allow in
make test-utils") to keep the tests working.
The profiles are being generated using aliases, which are not used on
the profiles in the repository. So generate them using the normal
commands for consistency. See also commit dd13595b8 ("Revert
"allow/deny help and man pages"") / PR #4502.
Relates to #4410.
Misc: I noticed this on issue #4592.
|
| |
| |
| |
| | |
Added on commit 9af2c1472 ("Better debug handling.").
|
|\ \
| | |
| | | |
Fix vscodium
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Both base names are valid:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q vscodium-bin
vscodium-bin 1.60.2-2
$ pacman -Qlq vscodium-bin | grep -v -e '/$' -e /resources/ |
grep /bin/
/usr/bin/codium
/usr/bin/vscodium
/usr/share/vscodium-bin/bin/codium
Note: The first two paths are symlinks to the third one.
Fixes #3871.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It creates the following directories on startup:
* ~/.config/VSCodium
* ~/.vscode-oss
Environment:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q vscodium-bin
vscodium-bin 1.60.2-2
Note: The following entry is already on disable-programs.inc:
noblacklist ${HOME}/.vscode-oss
It was added on commit de90834a8 ("Update disable-programs.inc",
2019-03-02).
Relates to #3871.
|
| |/
| |
| |
| | |
Added on commit 4bb7dee49 ("small changes", 2019-02-07).
|
|\ \
| | |
| | | |
trace, tracelog: don't truncate /etc/ld.so.preload in sandbox
|
| | | |
|
|\ \ \
| | | |
| | | | |
Issue template improvements2
|
| | | |
| | | |
| | | |
| | | | |
As suggested by @rusty-snake.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It is not uncommon for people to use other characters to try to mark an
item as checked (which usually screws up the html output), so be sure to
include an example with "[x]".
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This overrides all `LC_*` variables (and LANG) rather than just LANG.
From Section 8.2, Internationalization Variables of POSIX.1-2017[1]:
> LANG
> This variable shall determine the locale category for native
> language, local customs, and coded character set in the absence of
> the LC_ALL and other LC_* (LC_COLLATE, LC_CTYPE, LC_MESSAGES,
> LC_MONETARY, LC_NUMERIC, LC_TIME) environment variables. This can
> be used by applications to determine the language to use for error
> messages and instructions, collating sequences, date formats, and
> so on.
>
> LC_ALL
> This variable shall determine the values for all locale
> categories. The value of the LC_ALL environment variable has
> precedence over any of the other environment variables starting
> with LC_ (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY,
> LC_NUMERIC, LC_TIME) and the LANG environment variable.
[1] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html
|
|\ \ \ \
| | | | |
| | | | | |
Add new condition ALLOW_TRAY
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Add profiles for build-systems (/package-managers)
|
| | | | | | |
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip
All redirect to build-systems-common.profile
Other fixes:
- blacklist ${HOME}/.bundle
- blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo
- blacklist /usr/lib64/ruby
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
results from a systematic search for strncmp
calls with a suspicious (non-fitting) integer
literal as third argument
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Read mount id also on legacy kernels
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Enables recursive remounting on very old kernels, which has some relevance
for SailfishOS community ports.
|
| | |_|_|_|/
| |/| | | | |
|
|\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
Correct amule.profile for upnp
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
In order UPnP to work netlink protocol must be enabled.
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
add more EUID improvements
|
| | |_|_|_|/
| |/| | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* cheese
- fix: dbus-user.own org.gnome.Cheese
- fix: whitelist /usr/share/gstreamer-1.0
- fix: include allow-python3.inc
- hardening: include disable-shell.inc
- hardening: include whitelist-run-common.inc and whitelist /run/udev/data
- hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
- hardening: noinput
- hardening: nosound
- hardening: seccomp.block-secondary
- hardening: private-dev
* geekbench (closes #4576)
- fix: noblacklist /sbin and noblacklist /usr/sbin
- fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
- fix: comment/remove private-bin, private-lib, private-opt
* inkscape
- add quiet for cli usage
* musixmatch (#4518)
- allow chroot
* pandoc
- fix: include allow-bin-sh.inc
- fix: drop private-bin
- hardening: include whitelist-runuser-common.inc
- hardening: seccomp.block-secondary
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
- Allow org.freedesktop.secrets, fixes #4584
- Improve comments about notifications and systray
|
|\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
Trim excess whitespace
|
|/ / / / / |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
don't try to read /usr/bin/firejail if private-bin removed it
from the sandbox filesystem
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
users, and fldd in particular, might have no read permission
on the firejail executable, make that ok by running fldd
as root
|
| | | | | |
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
telegram: Enable private-bin
|
| | | | | | |
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Add ld.so.preload to all private-etc lines
|
| | |_|_|_|/
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Command:
sed -i -E "s/^private-etc /private-etc ld.so.preload,/" \
$(grep -LE "^private-etc .*ld.so.preload" etc/profile-*/*) \
&& python3 contrib/sort.py etc/profile-*/*
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Create goldendict.profile
|
| | | | | | | |
|
|\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
Add missing final newlines
|
| | | | | | | | |
|
|\ \ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | | |
Remove /etc/hosts is_link check
|
| | | | | | | | | |
|
| | | | | | | | | |
|