| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* calibre: add netlink protocol (FB note: removed before merge)
calibre started without netlink protocol throws following error in console:
Exception in thread Thread-8:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/usr/lib/calibre/calibre/utils/mdns.py", line 43, in run
_all_ip_addresses = self.get_all_ips()
File "/usr/lib/calibre/calibre/utils/mdns.py", line 27, in get_all_ips
for x in netifaces.interfaces():
OSError: [Errno 95] Operation not supported
* mpv: add nogroups, tracelog, ipc-namespace, private-dev
I used testes all above options and didn't noticed any breakage.
* qbittorrent: add netlink protocol, private-etc
Netlink protocol is needed if user select to bind specific network interface in config. Otherwise it throws an error in qbittorent log:
The network interface defined is invalid: tun0
Example private-etc is added but commented out by default. It's tested but as there are many different system configurations users should enable it manually.
* vlc: disable memory-deny-write-execute
With memory-deny-write-execute vlc freezes after loading video file. According to https://github.com/VladimirSchowalter20/firejail/commit/b18f42ab0236de7eed5888f43ba36cdaf990cbca memory-deny-write-execute is similar to PAX mprotect feature and linked github project explicitly disables that feature for vlc binary, see https://github.com/copperhead/paxd-archive/commit/deb39e0b91996e2e9c7917b3543030880cd476f4
* Update vlc.profile
* wine: add nogroups
Nogroups should be safe addition for wine
* wireshark: allow users to run wireshark as non-root
Wireshark can be run unprivileged when user is part of wireshark group. Unfortunately enabling nogroups,nonewprivs and seccomp will break it with permissions errors.
Also added example private-etc option which is commented out by default for now.
* cosmetic fix
* mpv: comment out ipc-namespace for now
As requested in review https://github.com/netblue30/firejail/pull/1433#discussion_r131550515
* calibre: disable netlink protocol
It throws an error but actual breakage isn't observed for now.
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
Change KDE4 services folder to read-only
|
| | | |
|
| | |
| |
| | |
Configurations in this folder are not secret, but need to be protected from manipulation. Let's make it available to all KDE apps for legitimate use. Discussion in #1428
|
| |\ \
| | |
| | | |
fix steam startup with >=llvm-4
|
| | |/ |
|
| | | |
|
| | | |
|
| |/
|
|
| |
Example:firejail --private-lib --private-bin=bash,ls,find,pwd,grep
|
| | |
|
| |
|
|
|
|
| |
Helps in more complex cases like this: libpulse.so wants libpulsecommon-10.0.so,
which is located in
/usr/lib/x86_64-linux-gnu/pulseaudio. This path is specified with DT_RUNPATH.
|
| |\
| |
| | |
Add a profile for Gnome Twitch
|
| | | |
|
| |/ |
|
| |\
| |
| | |
Update firecfg.config and add a wireshark-* alias
|
| |/ |
|
| | |
|
| | |
|
| |\ |
|
| | |\
| | |
| | | |
Gwenview: drop kbuildsycoca5 from private-bin
|
| | |/ |
|
| | | |
|
| | | |
|
| |\| |
|
| | |\
| | |
| | | |
Add 8 new profiles
|
| | |/
| |
| |
| | |
apktool, Baobab, dex2jar, gitg, Hashcat, MusicBrainz Picard, OBS Studio, Remmina, sdat2img, Sound Converter, SQLiteBrowser, Truecraft
|
| |\| |
|
| | |\
| | |
| | | |
profile fixes
|
| | |/
| |
| |
| |
| |
| |
| |
| | |
* Update qbittorrent.profile
* Update gwenview.profile
* Update disable-programs.inc
|
| | |\
| | |
| | | |
Change ${HOME}/.local/share/kservices5 to read-only
|
| | |/ |
|
| |/ |
|
| |\
| |
| | |
Apparmor: add local configuration
|
| | | |
|
| | | |
|
| |\ \
| | |
| | |
| | |
| | | |
VladimirSchowalter20/VladimirSchowalter20-apparmor-kde-fix
Apparmor: update whitelist path for kde
|
| | |/ |
|
| | | |
|
| | | |
|
| |\ \
| |/
|/| |
Harden profiles
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
See https://github.com/netblue30/firejail/pull/1367#issuecomment-315793729
|
| | |
| |
| |
| |
| |
| |
| |
| | |
- mdwe breaks most vm-based languages so python/java/javascript and some mono programs are not compatible
- mdwe also breaks most 3d accelerated programs such as 3d games
- mdwe is similar to PaX's mprotect meaning PaX flag managers can be used as reference
-- See https://github.com/copperhead/paxd-archive/blob/master/paxd.conf
-- See https://github.com/nning/linux-pax-flags
|
| | |
| |
| |
| |
| |
| |
| |
| | |
- Added 'disable-devel.conf' to many profiles
- Added 'disable-mnt' to many profiles
- Added 'noexec' to many profiles
- Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
- Cleaned up profiles using defaults
|
| |/
|
|
|
|
| |
It seems to break
playing youtube videos on Firefox Nightly - #1414
|
Vladimir Schowalter
Topi Miettinen
netblue30
Fred Barclay
smitsohu
soredake
startx2017
Tad