Commit message  [Author, Age]
* Try to fix #2310 -- Can't create run directory without suid-root  [rusty-snake, 2021-05-14]

* Fix bijiben  [rusty-snake, 2021-05-08]

    bijiben crashes without access to /usr/share/tracker3 in Fedora 34 with:

    ** (bijiben:14): WARNING **: 21:48:08.394: Unable to connect to Tracker: 'file:///usr/share/tracker3/ontologies/nepomuk' is not a ontology location
    ** (bijiben:14): WARNING **: 21:48:08.394: Cannot initialize BijiManager: 'file:///usr/share/tracker3/ontologies/nepomuk' is not a ontology location

* Node.js stack refactoring (#4255)  [glitsj16, 2021-05-08]

    * Create node.profile
    * Create node-gyp.profile
    * refactor npm as redirect
    * Create npx.profile
    * Create nvm.profile
    * Create semver.profile
    * refactor yarn as redirect
    * collect node.js stack configuration in common profile
    * add ~/.nvm to node section
    * account for node-gyp python dependency
    * read-only ~/.nvm for node.js stack
    * blacklist ~/.nvm for node.js stack
    * move env var comment cfr. profile.template
    * Delete node-gyp.profile
      node-gyp is a shell script with a node shebang. We've got that covered via node.profile.
    * Delete npx.profile
      npx is a shell script with a node shebang. We've got that covered via node.profile.
    * Delete semver.profile
      semver is a shell script that calls node. We've got that covered via node.profile.
    * add node and nvm to new profiles section

* revert comment changes from #4257 (#4258)  [glitsj16, 2021-05-07]

    * revert comment changes from #4257
    * revert comment changes from #4257
    * revert comment changes from #4257
    * revert comment changes from #4257

* read-write fixes (#4257)  [glitsj16, 2021-05-07]

    * [comment] use 'read-write' instead of 'ignore read-only'
    * [comment] use 'read-write' instead of 'ignore read-only'
    * [comment] use 'read-write' instead of 'ignore read-only'
    * [comment] use 'read-write' instead of 'ignore read-only'

* Merge pull request #4251 from pirate486743186/patch-2  [glitsj16, 2021-05-07]

    whitelist /var/lib/aspell in whitelist-var-common.inc

* whitelist /var/lib/aspell  [pirate486743186, 2021-05-06]

* pluma broken with memory-deny-write-execute  [pirate486743186, 2021-05-07]

* more --build  [netblue30, 2021-05-06]

* some wireshark hardening (#4245)  [glitsj16, 2021-05-05]

    * restrict D-Bus access in wireshark
    * add private-cache to wireshark

* Merge pull request #4242 from aminvakil/wireshark_seccomp_disable  [Reiner Herrmann, 2021-05-05]

    Disable seccomp in wireshark profile

* Disable seccomp in wireshark profile  [Amin Vakil, 2021-05-05]

* Styling fixes (mrrescue.profile, pingus.profile, profile.template)  [rusty-snake, 2021-05-05]

* steam.profile: Allow input devices  [rusty-snake, 2021-05-05]

* Add noinput to all profiles with private-dev  [rusty-snake, 2021-05-05]

* merge  [netblue30, 2021-05-04]

* Merge pull request #4240 from netblue30/chromium-webext  [Reiner Herrmann, 2021-05-04]

    profiles: whitelist mozilla (webext) extensions in chromium profile

* profiles: whitelist mozilla (webext) extensions in chromium profile  [Reiner Herrmann, 2021-05-04]

* Update RELNOTES  [rusty-snake, 2021-05-04]

* --build fixes  [netblue30, 2021-05-04]

* Merge pull request #4209 from davidebeatrici/private-dev-input-support-and-noinput-option  [netblue30, 2021-05-04]

    Map /dev/input with "--private-dev", add "--no-input" option to disable it

* Map /dev/input with "--private-dev", add "--no-input" option to disable it  [Davide Beatrici, 2021-04-23]
    By default only joystick devices ("/dev/input/js*") can be accessed. At least, that's the case on Debian: the other entries have more restrictive permissions. The original owner and group are "root" and "input", respectively. However, until we have granular input control options, allowing access to joysticks only is better than nothing.
* Merge pull request #4230 from Kishore96in/neochat_profile  [netblue30, 2021-05-04]

    New profile for neochat

* Correct name for local file.  [Kishore Gopalakrishnan, 2021-05-04]

* Update etc/inc/whitelist-1793-workaround.inc  [Kishore96in, 2021-05-04]

    Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>

* Add back the kwallet dbus stuff.  [Kishore Gopalakrishnan, 2021-05-04]

    The dev did say it may be required on some platforms. He didn't sound completely sure.

* Move the 1793 workaround stuff to a separate file.  [Kishore Gopalakrishnan, 2021-05-04]

* Remove unnecessary command.  [Kishore Gopalakrishnan, 2021-05-03]

    Seems to detect currently running instance even without that.

* Remove kwallet dbus permission  [Kishore Gopalakrishnan, 2021-05-02]

    Confirmed on neochat Matrix group that it is not required.

* Add machine-id  [Kishore Gopalakrishnan, 2021-05-02]

    Does not break dbus, despite the warning in the template.

* Add command suggested by rusty-snake  [Kishore Gopalakrishnan, 2021-05-02]

* Leave the kwallet dbus stuff commented for now.  [Kishore Gopalakrishnan, 2021-05-02]

* Remove unnecessary permission.  [Kishore Gopalakrishnan, 2021-05-02]

    Signing in and so on works without this, so I'm not sure why it was enabled in the flatpak.

* Remove apparently unnecessary dbus permission.  [Kishore Gopalakrishnan, 2021-05-02]

    I had copied this from the flatpak listing, but the application works without this.

* Remove unnecessary include.  [Kishore Gopalakrishnan, 2021-05-02]

* Add cache directory to disable-programs.inc  [Kishore Gopalakrishnan, 2021-05-02]

* Remove unnecessary noblacklist.  [Kishore Gopalakrishnan, 2021-05-02]

* Remove newlines and comments.  [Kishore Gopalakrishnan, 2021-05-02]

* Add neochat to enabled programs.  [Kishore Gopalakrishnan, 2021-05-02]

* Sort options using sort.py  [Kishore Gopalakrishnan, 2021-05-02]

* Remove comments.  [Kishore Gopalakrishnan, 2021-05-02]

* Add neochat files to disable-programs.inc  [Kishore Gopalakrishnan, 2021-05-02]

* Initial profile for neochat  [Kishore Gopalakrishnan, 2021-05-02]

* Merge pull request #4215 from brisad/master  [netblue30, 2021-05-04]

    Add support for subdirs in private-etc

* Add support for subdirs in private-etc  [Michael Hoffmann, 2021-04-26]

* Merge pull request #4204 from jsquyres/pr/man-page-corrections  [rusty-snake, 2021-05-04]

    man: corrections regarding --private-FOO options

* man: corrections regarding --private-FOO options  [Jeff Squyres, 2021-04-20]

    Commit 0.9.60-1070-g40d3604f updated the man pages with respect to --private-opt, --private-etc, and --private-srv. It was made after testing firejail 0.9.52 (from Ubuntu 18.04). However, it unfortunately did not accurately reflect the behavior of the current HEAD at the time, because commit 0.9.56-rc1-14-ga9242301 had previously slightly changed the behavior of these three options (after 0.9.52), and was released in 0.9.56. The man page changes made in commit 40d3604f were therefore not entirely correct.

    This commit updates the man pages to describe the behavior as implemented in a9242301 (and is still the behavior as of the current HEAD: 0.9.64-737-g937815ba).

    Signed-off-by: Jeff Squyres <jsquyres@cisco.com>

* discord-common.profile: allow webcam  [rusty-snake, 2021-05-04]

    closes #4236

    [skip ci]

* Merge branch 'master' of https://github.com/netblue30/firejail  [netblue30, 2021-05-03]

* Merge pull request #4225 from kmk3/fix-steam-rm-roguelegacy  [Kelvin M. Klann, 2021-05-03]

    steam.profile: fix rogue legacy paths and syntax