| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
| |
fix #1792.
Brackets no longer opens without netlink in the protocol list, or with
chroot blacklisted by the seccomp filter (which this commit changes from
'seccomp' to 'seccomp.keep').
|
| |
|
| |
|
|
|
|
| |
fixes registration of d-bus services, closes #1391
|
| |
|
|
|
|
| |
63d455fbe6cfde2f97137f51b779d44f22cb4675
|
| |
|
|
|
|
|
|
| |
start-tor-browser.profile should stay seperate from torbrowser-launcher
for the case when downloaded manually. The other tor-browser-* are okay
to extend torbrowser-launcher because their paths are known.
|
| |
|
| |
|
| |
|
|\
| |
| | |
.Xauthority moved from blacklist to read-only
|
| | |
|
| | |
|
|/ |
|
| |
|
|\
| |
| | |
Add a profile for bitcoin-qt
|
| |\ |
|
| | |
| | |
| | |
| | |
| | |
| | | |
This reverts commit 254d2a9d9b6e752c0e3188fa90e4c5856eae5979.
Testnet blockchain is in ~/.bitcoin/testnet3/ no need for anything else.
|
| |/
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 254d2a9d9b6e752c0e3188fa90e4c5856eae5979.
Testnet blockchain is in ~/.bitcoin/testnet3/ no need for anything else.
And config is in ./.config/Bitcoin/Bitcoin-Qt-testnet.conf
|
| | |
|
| | |
|
| | |
|
| | |
|
|\|
| |
| | |
Add a profile for Vivaldi Snapshot
|
|/ |
|
| |
|
|
|
| |
After more testing we can disable logging gain.
|
|
|
|
|
| |
Firejail does blacklisting sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530
There is no need to duplicate this in apparmor using whitelisting approach which is much harder to do and needs never ending maintenance.
|
|
|
|
|
|
|
| |
Currently userspace firejail do blacklist approach to /run/user/ directory. By default it blacklist /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles like blacklisting /run/user/**/bus , etc. The blacklist can be extended or degraded by profile which allows for fine grained hardening.
In apparmor we do whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allow access. This duplicates functionality and amount of work to do. Moreover we end up with same list of allowed files as every one of them is used by some app and appamror profile is global. It's even worse as firejail blacklist can be disabled with "writable-run-user" command which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor.
The solution for all above is to leave handling of /run/user to userspace firejail which is better tool to do this. In apparmor we should only handle things which firejail can't do.
|
| |
|
|
|
|
| |
for tranamission-gtk and transmission-qt
|
| |
|
| |
|
| |
|
|
|
| |
Playonlinux may uses perl internally: https://github.com/PlayOnLinux/POL-POM-4/search?utf8=%E2%9C%93&q=perl&type=
|
| |
|
| |
|
| |
|
|\
| |
| | |
fixes for the keepassxc 2.2.5 version
|
| | |
|
|\ \
| | |
| | | |
chromium canary (inox-family)
|
| | | |
|
|\ \ \
| | | |
| | | | |
Apparmor: fix various denials
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fixes following erros:
wine:
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/2017" pid=11533 comm="wine" requested_mask="d"
cups:
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
chromium:
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/oom_score_adj" pid=7858 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/11/mem" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_score_adj" pid=7910 comm="chrome-sandbox" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_adj" pid=7910 comm="chrome-sandbox" requested_mask="w"
|
|\ \ \ \
| | | | |
| | | | | |
add localtime to private-etc to make qtox show correct time
|
| | | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
While it is believed that blacklisting these files is a safe default,
it has the effect that untrusted certificates have to be acknowledged every
time they are encountered (with whitelisting it is possible to accept
them for the duration of an application session).
Where this causes usability issues, it will be necessary to noblacklist
these paths.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
while it is essential to deny manipulation of these files,
the information contained therein should be only of secondary value
by changing blacklist to read-only, notification functionality is
restored
|