aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
...
* fix #3343Libravatar glitsj162020-04-10
|
* add description to rambox.profileLibravatar glitsj162020-04-10
|
* Merge pull request #3337 from topimiettinen/build-fixingLibravatar netblue302020-04-09
|\ | | | | Build improvements
| * Build improvementsLibravatar Topi Miettinen2020-04-09
| | | | | | | | | | Sometimes concurrent build could fail if the filter apps were not made before attempting to make the filters.
* | Add /usr/share/games to whitelistLibravatar Fred Barclay2020-04-09
| | | | | | | | | | | | | | | | | | | | Otherwise, fails with error CreateDirectories: failed to mkdir /usr/share/games (mode 448) file_system.cpp(158): Function call failed: return value was -110300 (Insufficient access rights to open file) Function call failed: return value was -110300 (Insufficient access rights to open file) Location: file_system.cpp:158 (CreateDirectories) Observed on Debian 10, 0ad 0.0.23
* | Merge pull request #3339 from matu3ba/docsfixLibravatar Fred Barclay2020-04-09
|\ \ | | | | | | early decision in bug report if using git version
| * | early decision if git masterLibravatar Jan2020-04-09
| | |
* | | Merge pull request #3340 from avilum/patch-1Libravatar rusty-snake2020-04-09
|\ \ \ | |_|/ |/| | Improvements for syscalls.sh contib file
| * | Improvements for syscalls.sh contib fileLibravatar Avi Lumelsky2020-04-09
|/ / | | | | Fixed the identation for copy/past problems and added a console character that returns the console to it's original colour after the SYSCALLS_OUTPUT_FILE param is printed.
* | Merge pull request #3334 from matu3ba/docsLibravatar rusty-snake2020-04-09
|\| | | | | Request behavior change description in bug reports
| * request change of behavior description on disabling firejail for specific ↵Libravatar Jan2020-04-09
|/ | | | program
* fix example in firejail-profile.txtLibravatar glitsj162020-04-08
|
* fix alphabetical ordering in fdns.profile (2)Libravatar glitsj162020-04-08
|
* fix alphabetical ordering in fdns.profileLibravatar glitsj162020-04-08
|
* add example for overriding individiual DBus filter to firejail-profile.txtLibravatar glitsj162020-04-08
| | | See discussion in https://github.com/netblue30/firejail/pull/3326.
* fix typos in dbus-{system,user}.talk [usage.c]Libravatar glitsj162020-04-07
|
* Merge branch 'master' of https://github.com/netblue30/firejailLibravatar netblue302020-04-07
|\
| * fix typo in firejail-profile.txtLibravatar glitsj162020-04-07
| |
* | fdns profileLibravatar netblue302020-04-07
|/
* Update support/EOL informationLibravatar Fred Barclay2020-04-07
|
* Merge pull request #3327 from netblue30/bugreports_templateLibravatar Fred Barclay2020-04-07
|\ | | | | Add bug report template
| * Add bug report templateLibravatar Fred Barclay2020-04-07
| | | | | | (Mostly) auto-generated with GitHub, will need tweaking over time
* | Ignore `caps.drop all` import from transmission-common.profileLibravatar Fred Barclay2020-04-07
|/ | | | caps are already handled by caps.keep ... in this profile
* Replace `nodbus` with dbus-* filtersLibravatar Fred Barclay2020-04-07
| | | | | | | | | | | | | See - 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters - https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183 Except for ocenaudio, access/restrictions on dbus options should be unchanged Ocenaudio profile: dbus filters were sandboxed (initially `nodbus` was enabled) since comments indicated blocking dbus meant preferences were broken
* dbus-proxy (gnome_games)Libravatar rusty-snake2020-04-07
|
* Alphabetically order firejail.config (#3324)Libravatar glitsj162020-04-07
|
* Merge pull request #3265 from kris7t/dbus-proxyLibravatar Kristóf Marussy2020-04-07
|\ | | | | Fine-grained DBus sandboxing
| * Deprecate --nodbus optionLibravatar Kristóf Marussy2020-04-07
| |
| * Turn DBus profile errors into warningsLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | This patch also allows setting the DBus policies to filter even if xdg-dbus-proxy is not installed. In that case, unrestricted access to the bus is allowed, but a warning is emitted.
| * xdg-dbus-proxy socket finding and mount hardeningLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root. Instead of relying on the default locations of the DBus sockets, the environment variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set accordingly. User sockets are tried in the following order when starting the proxy: * DBUS_SESSION_BUS_ADDRES * /run/user/<pid>/bus * /run/user/<pid>/dbus/user_bus_socket These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active. System sockets are tried in the following order: * DBUS_SYSTEM_BUS_ADDRESS * /run/dbus/system_bus_socket These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active.
| * xdg-dbus-proxy hardeningLibravatar Kristóf Marussy2020-04-06
| |
| * Add documentation for DBus filteringLibravatar Kristóf Marussy2020-04-06
| |
| * Add dbus filter optionsLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and --dbus-system.own control which names can be accessed and owned on the user and system buses.
| * Add xdg-dbus-proxy supportLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | * The proxy is forked off outside the sandbox namespace to protect the fds of the original buses from the sandboxed process. * The /run/firejail/dbus directory (with the sticky bit set) holds the proxy sockets. The sockets are <parent pid>-user and <parent pid>-system for the user and system buses, respectively. Each socket is owned by the sandbox user. * The sockets are bind-mounted over their expected locations and the /run/firejail/dbus directory is subsequently hidden from the sandbox. * Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets are cleaned up. * Filter rules will be added in a future commit.
| * Add sbox_exec_v and SBOX_KEEP_FDSLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | | | | | | | To contain processes forked for long time, such as the xdg-dbus-proxy, sbox_exec_v can be used, which is the non-forking version of sbox_run_v. Additionally, the SBOX_KEEPS_FDS flag avoid closing any open fds, so fds needed by the subordinate process can be left open before calling sbox_exec_v. This flag does not makes sense for sbox_run_v, and causes an assertion failure.
| * Add --dbus-user and --dbus-system optionsLibravatar Kristóf Marussy2020-04-06
|/ | | | | | Allow setting a separate policy for the user and system buses. For now, the filter policy is equivalent to the none (block) policy. Future commits will add more configuration options and filters.
* Allow changing error action in seccomp filtersLibravatar Topi Miettinen2020-04-06
| | | | | | | | | | | | | | Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call.
* cleanup, fixes, more profstatsLibravatar netblue302020-04-06
|
* Update bitwarden.profileLibravatar rusty-snake2020-04-06
| | | fix #3321
* Fix `man` break - remove less from firecfg by defaultLibravatar Fred Barclay2020-04-05
| | | | | | | | | | | | | | If `less` is sandboxed, then we get a similar message to below when calling `man <anything>` Error clone: main.c:2743 main: Operation not permitted man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$-R MAN_PN=grep(1) less See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899143 https://github.com/netblue30/firejail/issues/1856 Noticed on Debian 10, firejail 0.9.63
* Merge pull request #3319 from topimiettinen/sanity-check-for-args-envsLibravatar netblue302020-04-05
|\ | | | | Simple sanity checks for arguments and environment
| * Simple sanity checks for arguments and environmentLibravatar Topi Miettinen2020-04-05
| | | | | | | | | | Restrict number of program arguments and their length as well as number of environment variables and their length.
* | travis make install testLibravatar netblue302020-04-05
| |
* | fix make installLibravatar netblue302020-04-05
| |
* | compile cleanupLibravatar netblue302020-04-05
| |
* | fixing my previous commitLibravatar netblue302020-04-05
| |
* | Merge pull request #3317 from rusty-snake/speedup-buildLibravatar rusty-snake2020-04-05
|\ \ | |/ |/| Speedup the buildsystem
| * Speedup the buildsystemLibravatar rusty-snake2020-04-04
| | | | | | | | | | | | | | - replaing 'include /etc/firejail/foobar.inc' with 'include $(sysconfdir)/firejail/foobar.inc' is useless since 0.9.58 - onetime calling install with globbing is faster the a loop calling install nearly 1000 times
* | profile fixesLibravatar netblue302020-04-04
| |
* | fix alphabetical ordering of caps.keep in slack.profileLibravatar glitsj162020-04-04
| |
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-19 12:38:52 +0000