firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	misc fixes	rusty-snake	2020-03-19
\| \| \| \| \| \| \| \| \|	remove netfilter from profiles with net none allow Viber to use dig, dig is in its private-bin, so I assume that it need it. blacklist resolvectl which can also be used for dns lookups
*	fix nslookup.profile header	glitsj16	2020-03-19
\|
*	fix host.profile header	glitsj16	2020-03-19
\|
*	nslookup, host profiles	netblue30	2020-03-18
\|
*	profile fixes	netblue30	2020-03-18
\|
*	fix mplayer profile	netblue30	2020-03-17
\|
*	remount fix - #3280	smitsohu	2020-03-16
\|
*	profile fixes	netblue30	2020-03-16
\|
*	some profile hardening	netblue30	2020-03-15
\|
*	fix freeoffice	netblue30	2020-03-15
\|
*	Merge pull request #3278 from rusty-snake/has-nosound-condition	smitsohu	2020-03-15
\|\ \| \| \| \|	new condition: HAS_NOSOUND
\| *	new condition: HAS_NOSOUND	rusty-snake	2020-03-15
\| \|
* \|	steam fixes; #841, #3267	rusty-snake	2020-03-15
\| \|
* \|	add gnome-screenshot.profile	rusty-snake	2020-03-15
\|/ \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	patch for xdg-dbus-proxy ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -45,3 +45,8 @@ private-bin gnome-screenshot private-dev private-etc dconf,fonts,gtk-3.0,localtime,machine-id private-tmp + +dbus-user filter +dbus-user.own org.gnome.Screenshot +dbus-user.talk org.gnome.Shell.Screenshot +dbus-system block ``` patch for whitelist-runuser-common.inc ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -17,11 +17,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist ${RUNUSER}/bus -whitelist ${RUNUSER}/pulse -whitelist ${RUNUSER}/gdm/Xauthority -whitelist ${RUNUSER}/wayland-0 include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor ```
*	Update file.profile	rusty-snake	2020-03-15
\| \| \| \| \| \| \| \|	* fix private-lib, closes #3233 * make private-etc and private-lib opt-in see https://github.com/netblue30/firejail/issues/3233#issuecomment-589871765 disable-devel.inc: remove duplicated line
*	allow ro access to .local/share/flatpak/exports	rusty-snake	2020-03-15
\| \| \| \| \| \| \| \| \| \| \| \|	$PATH and $XDG_DATA_DIRS can contain subdirs of flatpak/exports, some applications crash if they cann't access these files. Layout on my system: ~/.local/share/flatpak/exports \|-bin \|-share \|-applications \|-icons
*	improve the previous fix: don't remount FUSE without permission	smitsohu	2020-03-14
\| \| \| \|	previous commit 3d35c039074cc11fbacf8de5bc8cb1a0952ceae4 issue #3277
*	tentative: don't remount FUSE without permission	smitsohu	2020-03-14
\| \| \|	issue #3277
*	Merge pull request #3268 from smitsohu/remount	startx2017	2020-03-13
\|\ \| \| \| \|	remount hardening: move to file descriptor based mounts
\| *	fail if opening the resolved path fails	smitsohu	2020-03-06
\| \|
\| *	remount hardening: move to file descriptor based mounts	smitsohu	2020-03-06
\| \|
* \|	Fix "Extraction not performed" on Debian 10	Fred Barclay	2020-03-13
\| \| \| \| \| \| \| \| \| \| \| \|	file-roller fails to extract archives without access to bash Noticed on LMDE 4 (Debian 10 base) with Cinnamon desktop
* \|	discord 0.10 \| fix #3247 (#3259)	rusty-snake	2020-03-13
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	* discord 0.10 \| fix #3247 * revert private-bin move & use disable-exec * fix slack, see https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
* \|	Merge pull request #3273 from psanford/fix-zoom-sso	rusty-snake	2020-03-10
\|\ \ \| \| \| \| \| \|	zoom.profile: fix zoom SSO workflow
\| * \|	zoom.profile: fix zoom SSO workflow	Peter Sanford	2020-03-10
\|/ / \| \| \| \| \| \| \| \| \| \| \| \|	The zoom SSO workflow launches an embedded sandboxed browser (QtWebEngineProcess) which requires chroot and netlink to work. Fixes #3272
* \|	profiles: firefox-esr has default configs somewhere else	Reiner Herrmann	2020-03-08
\| \|
* \|	profiles: whitelist firefox/thunderbird default directories (#3271)	Reiner Herrmann	2020-03-08
\| \| \| \| \| \|	See also: https://bugs.debian.org/948656
* \|	integrate AppArmor with join options (#3242)	smitsohu	2020-03-02
\| \| \| \| \| \| \| \| \| \|	add AppArmor confinement to processes started with --join and, more importantly, --join-or-start
* \|	Merge pull request #3255 from curiosityseeker/master	rusty-snake	2020-02-29
\|\ \ \| \| \| \| \| \|	conky needs lua
\| * \|	Update conky.profile	curiosityseeker	2020-02-29
\| \| \| \| \| \| \| \| \|	Place `include allow-lua.inc` above the other includes
\| * \|	Update conky.profile	curiosityseeker	2020-02-29
\| \| \| \| \| \| \| \| \|	Replace `noblacklist /usr/lib/liblua*` by including `allow-lua.inc`
\| * \|	conky needs lua	curiosityseeker	2020-02-28
\|/ / \| \| \| \|	See issue #3250
* \|	Merge pull request #3251 from eighthave/master	rusty-snake	2020-02-27
\|\ \ \| \| \| \| \| \|	add xournal.profile
\| * \|	add xournal.profile	Hans-Christoph Steiner	2020-02-27
\|/ /
* \|	revive 'net none' in openshot.profile	glitsj16	2020-02-27
\| \| \| \| \| \|	Fixes #3221.
* \|	minor sbox hardening	smitsohu	2020-02-26
\| \| \| \| \| \| \| \|	blacklist process_vm_readv and process_vm_writev while we're at it also remove duplicate iopl blacklisting
* \|	Update allow-lua.inc	glitsj16	2020-02-24
\| \| \| \| \| \|	See discussion in https://github.com/netblue30/firejail/commit/56b60dfd0ec5227318f21409093eca965baf136a.
* \|	Fix Lua in disable-interpreters.inc	glitsj16	2020-02-24
\| \| \| \| \| \|	Thanks to @rusty-snake in https://github.com/netblue30/firejail/commit/56b60dfd0ec5227318f21409093eca965baf136a#r37460831.
* \|	additional Lua blacklisting (#3246)	glitsj16	2020-02-24
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* more lua blacklisting in disable-interpreters.inc * add some paths to allow-lua.inc * Revert blacklisting /usr/include/lauxlib.h in disable-interpreters.inc /usr/include/lauxlib.h is handled in disable-devel.inc. Thanks to @rusty-snake for pointing that out.
* \|	add lua support for mpv (#3243)	glitsj16	2020-02-24
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* allow lua in mpv.profile * fix allow-lua.inc for mpv * extra lua blacklisting for mpv
* \|	private-dev: bringing back stdin, stdout, stderr, fd symbolic links	smitsohu	2020-02-24
\|/
*	Merge pull request #3241 from kris7t/sbox-harden-exec	Kristóf Marussy	2020-02-23
\|\ \| \| \| \|	Harden sbox_run by using fexecve instead of execvp
\| *	Remove redundant permission check from dhcp_start	Kristóf Marussy	2020-02-23
\| \| \| \| \| \| \| \|	The check is already performed by sbox_run
\| *	Harden sbox_run by using fexecve instead of execvp	Kristóf Marussy	2020-02-23
\|/ \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	We require the command passed to sbox_run to be an absolute path, and avoid resolving PATH. Note that PATH-based attacks were already difficult to pull of, because sbox_run clears the environment before executing the command. This patch hopefully makes then impossible. As an additional precaution, we check that the executable is owned by either the root user or the root group, and is not world-writable. The use of O_PATH, fstat and fexecve aims to prevent a race condition when the invoked path (e.g., /usr/lib/firejail/fnet) is owned by root or is a symlink to a binary owned by root, but the containing directory (e.g., /usr/lib/firejail) is somehow owned by a user. This is quite unlikely (but may be possible by abusing some other setuid executable is a specific way), and would allow swapping the binary or symlink to a malicious one after we checked ownership. "Locking in" the file descriptor gets rid of the race condition. We have to get rid of the `/proc/[pid]/comm` check in dhcp_read_pidfile, because fexecve sets the comm value to the fd being exec'd (e.g., 3) instead of the name of the file. This is not a problem, unless by the time we pick up the pidfile of dhclient, it has already crashed, and the pid number have wrapper around. Needless to say, this is extremely unlikely (and does not cause a security issue, anyways).
*	Merge pull request #3239 from kris7t/dhcp-client	smitsohu	2020-02-23
\|\ \| \| \| \|	Harden dhcp by checking for /sbin/dhclient
\| *	Harden dhcp by checking for /sbin/dhclient	Kristóf Marussy	2020-02-23
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	Running /sbin/dhclient or /usr/sbin/dhclient avoids PATH-based vulnerabilities. We also check that the dhclient is owned by root. We take an approach similar to netfiler.c and assume that the required binary ar in /sbin or /usr/sbin, or (like on Arch) /sbin is a symlink to /usr/bin.
* \|	merges & RELNOTES	rusty-snake	2020-02-23
\|/
*	misc things	rusty-snake	2020-02-22
\| \| \| \| \| \|	- spelling suggestion from @glitsj16 on fda62527 - drop python2 from openshot it never has a python2 version - #3126 note in manpage: cannot combine --private with --private=
*	Add profile for offical Linux Teams application (#3152)	Andreas Hunkeler	2020-02-22
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* Add profile for offical Linux Teams application * fix: add mkdir suggestions in Teams profile * Merge suggestions for Teams profile * Add suggestion to Teams profile * Add Teams to firecfg.config * Add paths from Teams profile to disable-programs * Remove the duplicated whitelist for downloads in Teams profile Co-Authored-By: rusty-snake <print_hello_world+GitHub@protonmail.com> * Cleanup teams profile after testing * Add comment to Teams profile Co-authored-by: rusty-snake <print_hello_world+GitHub@protonmail.com>
*	Allow exec from /usr/libexec & co. with AppArmor	Quentin Minster	2020-02-22
\|