* fix alphabetical ordering in fdns.profile (glitsj16, 2020-04-08)
|
* add example for overriding individual DBus filter to firejail-profile.txt (glitsj16, 2020-04-08)
|
|     See discussion in https://github.com/netblue30/firejail/pull/3326.
* fix typos in dbus-{system,user}.talk [usage.c] (glitsj16, 2020-04-07)
|
* Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2020-04-07)
|\
| * fix typo in firejail-profile.txt (glitsj16, 2020-04-07)
| |
* | fdns profile (netblue30, 2020-04-07)
|/
* Update support/EOL information (Fred Barclay, 2020-04-07)
|
* Merge pull request #3327 from netblue30/bugreports_template (Fred Barclay, 2020-04-07)
|\
| |     Add bug report template
| * Add bug report template (Fred Barclay, 2020-04-07)
| |
| |     (Mostly) auto-generated with GitHub, will need tweaking over time
* | Ignore `caps.drop all` import from transmission-common.profile (Fred Barclay, 2020-04-07)
|/
|     caps are already handled by caps.keep ... in this profile
* Replace `nodbus` with dbus-* filters (Fred Barclay, 2020-04-07)
|
|     See
|     - 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
|     - https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
|
|     Except for ocenaudio, access/restrictions on dbus options should be unchanged
|
|     Ocenaudio profile: dbus filters were sandboxed (initially `nodbus` was enabled) since comments indicated blocking dbus meant preferences were broken
* dbus-proxy (gnome_games) (rusty-snake, 2020-04-07)
|
* Alphabetically order firejail.config (#3324) (glitsj16, 2020-04-07)
|
* Merge pull request #3265 from kris7t/dbus-proxy (Kristóf Marussy, 2020-04-07)
|\
| |     Fine-grained DBus sandboxing
| * Deprecate --nodbus option (Kristóf Marussy, 2020-04-07)
| |
| * Turn DBus profile errors into warnings (Kristóf Marussy, 2020-04-06)
| |
| |     This patch also allows setting the DBus policies to filter even if xdg-dbus-proxy is not installed. In that case, unrestricted access to the bus is allowed, but a warning is emitted.
| * xdg-dbus-proxy socket finding and mount hardening (Kristóf Marussy, 2020-04-06)
| |
| |     To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root.
| |
| |     Instead of relying on the default locations of the DBus sockets, the environment variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set accordingly.
| |
| |     User sockets are tried in the following order when starting the proxy:
| |     * DBUS_SESSION_BUS_ADDRESS
| |     * /run/user/<pid>/bus
| |     * /run/user/<pid>/dbus/user_bus_socket
| |
| |     These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active.
| |
| |     System sockets are tried in the following order:
| |     * DBUS_SYSTEM_BUS_ADDRESS
| |     * /run/dbus/system_bus_socket
| |
| |     These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active.
| * xdg-dbus-proxy hardening (Kristóf Marussy, 2020-04-06)
| |
| * Add documentation for DBus filtering (Kristóf Marussy, 2020-04-06)
| |
| * Add dbus filter options (Kristóf Marussy, 2020-04-06)
| |
| |     The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and --dbus-system.own control which names can be accessed and owned on the user and system buses.
| * Add xdg-dbus-proxy support (Kristóf Marussy, 2020-04-06)
| |
| |     * The proxy is forked off outside the sandbox namespace to protect the fds of the original buses from the sandboxed process.
| |     * The /run/firejail/dbus directory (with the sticky bit set) holds the proxy sockets. The sockets are <parent pid>-user and <parent pid>-system for the user and system buses, respectively. Each socket is owned by the sandbox user.
| |     * The sockets are bind-mounted over their expected locations and the /run/firejail/dbus directory is subsequently hidden from the sandbox.
| |     * Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets are cleaned up.
| |     * Filter rules will be added in a future commit.
| * Add sbox_exec_v and SBOX_KEEP_FDS (Kristóf Marussy, 2020-04-06)
| |
| |     To contain processes forked for a long time, such as the xdg-dbus-proxy, sbox_exec_v can be used, which is the non-forking version of sbox_run_v.
| |
| |     Additionally, the SBOX_KEEP_FDS flag avoids closing any open fds, so fds needed by the subordinate process can be left open before calling sbox_exec_v. This flag does not make sense for sbox_run_v, and causes an assertion failure.
| * Add --dbus-user and --dbus-system options (Kristóf Marussy, 2020-04-06)
|/
|     Allow setting a separate policy for the user and system buses. For now, the filter policy is equivalent to the none (block) policy. Future commits will add more configuration options and filters.
* Allow changing error action in seccomp filters (Topi Miettinen, 2020-04-06)
|
|     Let user specify the action when seccomp filters trigger:
|     - errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
|     - 'kill': kill the process as in previous versions
|
|     The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can also be overridden in the /etc/firejail/firejail.config file.
|
|     Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call.
* cleanup, fixes, more profstats (netblue30, 2020-04-06)
|
* Update bitwarden.profile (rusty-snake, 2020-04-06)
|
|     fix #3321
* Fix `man` break - remove less from firecfg by default (Fred Barclay, 2020-04-05)
|
|     If `less` is sandboxed, then we get a similar message to below when calling `man <anything>`
|
|     Error clone: main.c:2743 main: Operation not permitted
|     man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$-R MAN_PN=grep(1) less
|
|     See also
|     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899143
|     https://github.com/netblue30/firejail/issues/1856
|
|     Noticed on Debian 10, firejail 0.9.63
* Merge pull request #3319 from topimiettinen/sanity-check-for-args-envs (netblue30, 2020-04-05)
|\
| |     Simple sanity checks for arguments and environment
| * Simple sanity checks for arguments and environment (Topi Miettinen, 2020-04-05)
| |
| |     Restrict number of program arguments and their length as well as number of environment variables and their length.
* | travis make install test (netblue30, 2020-04-05)
| |
* | fix make install (netblue30, 2020-04-05)
| |
* | compile cleanup (netblue30, 2020-04-05)
| |
* | fixing my previous commit (netblue30, 2020-04-05)
| |
* | Merge pull request #3317 from rusty-snake/speedup-build (rusty-snake, 2020-04-05)
|\ \
| |/
|/|
| |     Speedup the buildsystem
| * Speedup the buildsystem (rusty-snake, 2020-04-04)
| |
| |     - replacing 'include /etc/firejail/foobar.inc' with 'include $(sysconfdir)/firejail/foobar.inc' is useless since 0.9.58
| |     - onetime calling install with globbing is faster than a loop calling install nearly 1000 times
* | profile fixes (netblue30, 2020-04-04)
| |
* | fix alphabetical ordering of caps.keep in slack.profile (glitsj16, 2020-04-04)
| |
* | noblacklist ncat in ssh profile (Tad, 2020-04-04)
| |
| |     nc is a symlink to ncat on some distros
* | steam profile fixes (Tad, 2020-04-04)
| |
| |     see https://github.com/netblue30/firejail/pull/3292#issuecomment-603467884
* | Add netlink to mumble profile (SkewedZeppelin, 2020-04-04)
| |
| |     Syslog is spammed with the following message otherwise:
| |     Could not create AF_NETLINK socket
* | gnome games: more + fixes (rusty-snake, 2020-04-04)
| |
| |     - fix description
| |     - add gnome-klotski, five-or-more, swell-foop
| |
| |     [skip ci]
* | more games (rusty-snake, 2020-04-04)
| |
| |     - blobwars
| |     - gravity-beams-and-evaporating-stars
| |     - hyperrogue
| |     - jumpnbump-menu (alias)
| |     - jumpnbump
| |     - magicor
| |     - mindless
| |     - mirrormagic
| |     - mrrescue
| |     - scorched3d-wrapper (alias)
| |     - scorchwentbonkers
| |     - seahorse-adventures
| |     - wordwarvi
| |     - xbill
* | Fixes for slack 4.4 (Fred Barclay, 2020-04-04)
|/
|     I'd like to tighten this up more esp. for seccomp
|
|     - caps.keep sys_chroot needed or fails with
|       Cannot chroot into /proc/ directory: Operation not permitted
|
|     1. caps.drop all replaced with caps.keep
|     - caps.keep sys_admin needed or fails with
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|
|     2. nonewprivs dropped to avoid failure:
|       The setuid sandbox is not running as root. Common causes:
|       * An unprivileged process using ptrace on it, like a debugger.
|       * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|
|     3. noroot dropped to avoid failure:
|       [22:0404/121643.400578:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/slack/chrome-sandbox is owned by root and has mode 4755.
|
|     4. Removed protocol filter to avoid:
|       The setuid sandbox is not running as root. Common causes:
|       * An unprivileged process using ptrace on it, like a debugger.
|       * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|
|     5. Unable to get a working seccomp filter
|       See https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
|       seccomp !chroot seems to have worked for earlier versions of slack
|
|     6. private-tmp means no tray icon
|
|     Observed on Debian 10, Slack 4.4.0
* Harden signal-desktop.profile and add rules for Firefox (curiosityseeker, 2020-04-04)
|
* Harden thunderbird.profile (curiosityseeker, 2020-04-04)
|
|     Access to ${HOME}/.cache/mozilla actually not necessary to let Firefox open links
* misc fixes & hardening (rusty-snake, 2020-04-03)
|
* allow using wruc on any program (rusty-snake, 2020-04-03)
|
|     @glitsj16 thanks for the pointer that we now have whitelist globbing
* seccomp/join fix (netblue30, 2020-04-03)
|
* Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2020-04-02)
|\
| * Merge pull request #3292 from davidebeatrici/steam-home-directory-privacy (netblue30, 2020-04-02)
| |\
| | |     steam.profile: correctly blacklist unneeded directories in user's home