| Commit message (Collapse) | Author | Age |
| |
* hardening some profiles
- harden and fix flameshot
- wruc: frogatto, ghostwriter
- harden gnome-latex
- add whitelist opt-in note to keepassxc
- add comment to minetest
- harden openarena, tremulous, xonotic
- add profile for xonotic-sdl-wrapper
* followup
| |
* Update disable-common.inc
* Update disable-common.inc
[skip ci]
| |
* Whitelist some config files used by Okular.
These files are used to store the toolbar configurations.
* Whitelist files required for okular in firefox-common-addons.inc
Without this, okular does not follow the user configuration for toolbars
and keyboard shortcuts when launched inside the firefox sandbox (e.g.,
while opening a downloaded PDF).
* Alphabetical sort
* Remove noblacklist for files which are not actually blacklisted.
I have blacklisted them in a separate pull request.
| |
Co-authored-by: noir <noir@neire.dev>
| |
hplip is required for scanning using HP printer/scanners.
| |
configuration. (#3490)
| |
(#3490)
Without this, konversation doesn't remember the settings for
notifications.
| |
Blender autosaves to /tmp.
| |
This should clarify how to configure for reading local mail after https://github.com/netblue30/firejail/commit/dfaf7a7660689c055ba45a935e42b1b548669c57.
| |
* clarify writing to /var/mail and /var/spool/mail in apparmor
Thunderbird seems to be our only mail client profile that enables the `apparmor` option. Users need this when they follow instructions on how to allow reading local mail.
* fix mail clients rule in firejail-default
| |
2345cc4 broke environment variable passing for seccomp error action
for fseccomp.
Closes #3488.
| |
* fix comment in email-common
* add writable-var to evolution.profile
* add writable-var to mutt.profile
* remove newline above writable-var in evolution.profile
| |
Totem saves screenshots of video to ${PICTURES}. Also adding tracelog to slightly harden things a bit.
| |
Backporting fixes for Atom 1.48 to firejail 0.9.52, 0.9.58, and 0.9.60
Summary:
- remove nonewprivs, noroot, protocol, and seccomp
- update caps filter to keep sys_admin and sys_chroot
Without these changes Atom 1.48 breaks and refuses to start (due to
Electron sandboxing)
| |
Atom 1.48 requires a looser sandbox and no longer works with
noroot, nonewprivs, protocol, and seccomp
caps filter needed adjusting to keep sys_admin and sys_chroot
| |
* enable apparmor support by default in update_deb.sh
* Add fix for Debian bug 916920
This should bring the script in sync with packages installed from PPA.
| |
https://github.com/hannob/mmapfail
| |
* Add strawberry profile
* Fix comment
* Add to disable-programs.inc & firecfg.config
* Add /home/amin/.local/share/strawberry to profile and disable-programs
* Various hardening for strawberry profile
Signed-off-by: Amin Vakil <info@aminvakil.com>
* Change nodbus to dbus-system none in strawberry profile
* Add dbus-user none to strawberry profile
* Add whitelist-var-common, sort private-etc
* Sort, Add wruc, Add netlink to protocol in strawberry profile
* Remove dbus-user none to allow using gnome functions for various usage in strawberry profile
| |
Applications using Qt5 need this to be whitelisted if the user is using a qt5ct colour scheme (such as "darker") or custom QSS.
| | |
Fixes #3454
| |
solves #3454
| |
See https://github.com/netblue30/firejail/issues/3219#issuecomment-638823377
| |
* prioritize installing via OS
* Update README.md
Bring in changes discussed in #3442.
| |
* Man pages: link to .profile resolution, urls
* Man pages: firejail-profile add link to wiki profile creation
* Man pages: line break, slash in path
* Man pages remove space before dots
| |
Add verbiage to the man pages clarifying that the files/directories in
the lists given to options such as --private-bin must be relative to
the directory that is being limited (e.g., --private-opt requires a
list of files/directories that are relative to /opt).
Signed-off-by: Jeff Squyres <jeff@squyres.com>
| |
* firecfg: Only use fix_desktop_files when --fix is specified
* firecfg: Only use fix_desktop_files automatically when run through sudo
| |
* disable-shell.inc
* add disable-shell.inc to all profiles with a …
… private-bin line without bash/sh except profiles with redirect
profiles.
* add it to some more profiles
* exclude aria2c.profile
| |
revert long-line split and fix bash-completion