| Commit message (Collapse) | Author | Age |
|\
| |
| | |
Add examples how to allow browser access to Gnome extensions connector
|
| |
| |
| |
| | |
Fixes #4177.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add firedragon profile
* Point private-etc to firefox-common.local
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add to firecfg.config
* Add firedragon to disable-programs.inc
* Correct dir
* Remove private-etc
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
as pointed out by @glitsj16 in 51e67fd4.
> FYI, a quick check shows atool,bsdtar,xzdec,unzstd are still missing
> from private-bin. Not sure if we actually need to bring those in too.
They add virtually no new permissions fr has already a long private-bin
with dozens of archivers. Before we break anything I add them.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
README.md/RELNOTES:
- Add new profiles
etr.profile:
- adding passwd to private-etc makes it work for me
file-roller.profile
- add netfilter
- add zstd to private-bin
- add cp,mv,rm to private-bin which seems to be necessary in some
cases.
#4113 is likely fixed with this but wait for OP.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add Sway profile
* Fix issue
Not working then including firefox-common-addons.profile
* Allow sway's fallback config
* So I agree with @glitsj16 and @BL4CKH47H4CK3R
so..
`No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
* well..
Revert `include whitelist-usr-share-common.inc`
Sync with Firefox profile
* 😄 What just hapened
* 🔄 Sync with upstream
* Merge tested from PR
* 🔄 Sync with upstream
* Merge tested from PR
* Revert changes
* Add Sway profile
* Fix issue
Not working then including firefox-common-addons.profile
* Allow sway's fallback config
* So I agree with @glitsj16 and @BL4CKH47H4CK3R
so..
`No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
* 🔄 Rebase
* 😄 What just hapened
* Merge tested from PR
* 🔄 Sync with upstream
* Merge tested from PR
* Revert changes
* Update
* Update librewolf.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* opt-in for brave's native tor support
* fix brave's native tor support
* warn about potential tor breakage when using apparmor
* update comment for opting in to tor
* move brave's tor apparmor fix in brave.profile
|
| |
| |
| | |
Follow-up for https://github.com/netblue30/firejail/commit/692311bcc6fe0744d7831459ad7ec0bc5811b9a9. Thanks to @rusty-snake for tracking this down in #4202.
|
| |
| |
| | |
Fixes #4202 until we have tooling to generate system-specific lists at install time, as suggested by @loveshack.
|
| |
| |
| |
| | |
[skip ci]
|
|\ \
| | |
| | | |
profstats - fix printf for include globals
|
|/ /
| |
| | |
profstats - correct variable for include global
|
| | |
|
| |
| |
| | |
requested in #1139 by @vatonbero
|
| |
| |
| |
| |
| | |
* New profile: Quodlibet
* New profile: Quodlibet
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
discord-canary.profile:
fix #4175
flameshot.profile:
- private-tmp break flameshot (wayland only?)
- Screengrabbing (under wayland) is done via dbus, the following names
must be allowed:
- GNOME: org.gnome.Shell
- KDE: org.kde.KWin
- Sway: org.freedesktop.portal.Desktop
- Allow notifications and tray too, because org.gnome.Shell (for
example) is already totaly unsafe.
mumble.profile:
fix #4181
|
|\ \
| |/
|/| |
Fix typo (adivsory -> advisory)
|
|/ |
|
| |
|
|\
| |
| | |
Minor Fixes
|
|/ |
|
| |
|
|\
| |
| | |
steam: some more games added
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Games added:
* Don't Starve
* Dungeons of Dredmor
* Epic
* Loop Hero
* Pillars of Eternity I
* Rogue Legacy I
* Slay the Spire modding
* Steam World Dig I & II
|
| | |
|
|\ \
| | |
| | | |
WebStorm: allow Dolphin to access its config file
|
| |/ |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
* refactor local override comments
|
|\
| |
| | |
allow notifications + comment fixes
|
| | |
|
|/ |
|
|\
| |
| | |
New profile: Librewolf Nightly
|
|/ |
|
|\
| |
| | |
dropbox: allow python3, fix for issue #4150
|
|/
|
|
|
|
| |
/usr/bin/dropbox needs access to python3, at least for dropbox
command-line interface version 2020.03.04 as packaged by the RPM Fusion
project. Fixes issue #4150
|
|\
| |
| | |
Improve comments in apparmor files
|
| | |
|
| | |
|
|\ \
| |/
|/| |
Add localtime to signal-desktop's profile.
|
|/
|
|
| |
Without it, all chat timestamps are in UTC.
|
| |
|
|
|
|
| |
- Avoid confusing on "What changed calling the program by path"
- Checklist: Questions should be asked in discussions
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently pathological endings like in
/foo/bar/./. are mapped to RUN_LIB_DIR,
with the effect that the mount is skipped
because this directory always exists at
this point in time.
Even though it's harmless, it is wrong
behaviour, so handle trailing slashes and
dots before doing the mounts. Also avoids
running into an assertion if there is a trailing
slash.
Plus few small cosmetic changes to make
things more explicit.
|
|
|
|
| |
[skip ci]
|
|\
| |
| | |
Follow up for #4126
|
| | |
|
|/ |
|
|\
| |
| | |
Rename chromium-common-hardened and feh-network …
|