aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* Switch kmail to whitelistingLibravatar kortewegdevries2020-08-29
|
* GPG default, fixes...Libravatar kortewegdevries2020-08-28
|
* Switch Evolution to whitelistingLibravatar kortewegdevries2020-08-28
|
* expose pulseaudio in chroot if FIREJAIL_CHROOT_PULSE is setLibravatar smitsohu2020-08-27
| | | | issue #3568
* chroot: little tweaksLibravatar smitsohu2020-08-27
|
* mask writable pulseaudio runtime dirLibravatar smitsohu2020-08-27
| | | | ... and don't fail hard without need if there is a FUSE mount
* improve copy_fileLibravatar smitsohu2020-08-27
| | | | don't report success if read failed
* whitelist-var-common.inc: fix certificate verificationLibravatar smitsohu2020-08-26
|
* cat fixesLibravatar smitsohu2020-08-25
|
* wusc whitelists /usr/share/perl{,5} nowLibravatar rusty-snake2020-08-25
| | | | | | | This commit removes it from profile which have it. /usr/share/perl* is still inaccessible for profiles with wusc and disable-interpreters.inc w/o allow-perl.inc.
* add whitelist items for uim (#3587)Libravatar Anton Shestakov2020-08-24
| | | | | | | | | * add ~/.uim.d directory to whitelist-common.inc uim is a multilingual input method framework (similar to ibus, which has its own entry in this file). * add /var/lib/uim to whitelist-var-common.inc When user installs an uim module (for example, an input method like anthy or mozc), it gets registered in a file in this directory.
* fix --join for sandboxes with xdg-dbuss-proxyLibravatar netblue302020-08-22
|
* firemon fix for xdg-bus-proxyLibravatar netblue302020-08-22
|
* minor cleanup: move pid functions from main.c to util.cLibravatar netblue302020-08-22
|
* Merge branch 'master' of https://github.com/netblue30/firejailLibravatar netblue302020-08-22
|\
| * Merge pull request #3572 from smitsohu/dumpableLibravatar netblue302020-08-22
| |\ | | | | | | hardening: run plugins with dumpable flag cleared
| | * cleanupLibravatar smitsohu2020-08-17
| | |
| | * add dumpable warningsLibravatar smitsohu2020-08-17
| | |
| | * various x11 xorg enhancementsLibravatar smitsohu2020-08-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1) copy xauth binary into the sandbox and set mode to 0711, so it runs with cleared dumpable flag for unprivileged users 2) run xauth in an sbox sandbox 3) generate Xauthority file in runtime directory instead of /tmp; this way xauth is able to connect to the X11 socket even if the abstract socket doesn't exist, for example because a new network namespace was instantiated
| | * hardening: run plugins with dumpable flag clearedLibravatar smitsohu2020-08-17
| | | | | | | | | | | | | | | | | | | | | the kernel clears the dumpable flag if a user has no read permission on an executable and it is owned by another user; I omitted faudit, fbuilder and ftee for now as they are not used to configure the sandbox itself, and as this commit is going to complicate debugging efforts to some extent
| * | Merge pull request #3594 from smitsohu/lsLibravatar netblue302020-08-22
| |\ \ | | | | | | | | cat option
| | * | harden cat optionLibravatar smitsohu2020-08-20
| | | |
| | * | Merge branch 'master' into lsLibravatar smitsohu2020-08-19
| | |\ \
| | * | | cat optionLibravatar smitsohu2020-08-19
| | | | |
| | * | | drop system(3) calls from sandbox.cLibravatar smitsohu2020-08-19
| | | | |
| | * | | refactor ls.c and prepare for new --cat optionLibravatar smitsohu2020-08-19
| | | |/ | | |/|
* | / | cleaning up POSTMORTEM codeLibravatar netblue302020-08-22
|/ / /
* | / renamed /etc/apparmor.d/local/firejail-local to ↵Libravatar netblue302020-08-22
| |/ |/| | | | | /etc/apparmor.d/local/firejail.default - merge form 0.9.62.4
* | Merge pull request #3592 from onovy/signal-audio-videoLibravatar Fred Barclay2020-08-18
|\ \ | | | | | | Allow video for Signal profile
| * | Allow video for Signal profile.Libravatar Ondřej Nový2020-08-17
| | | | | | | | | | | | | | | Signal is adding support for video calls on desktop, see https://signal.org/blog/desktop-calling-beta/
* | | tests: fix formatting in rlimit testsLibravatar Reiner Herrmann2020-08-18
|/ /
* | Fix missing mkfile in 5d741795c3bb2060730e282a8f512b999418e098Libravatar Fred Barclay2020-08-16
| |
* | Use whitelisting for video players (#3472)Libravatar Fred Barclay2020-08-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Use whitelisting for video players See https://github.com/netblue30/firejail/pull/3469 * Update media player whitelists See reviews at https://github.com/netblue30/firejail/pull/3472 Block $DOCUMENTS Make $DESKTOP read-only * Review fixes: include read-only Desktop in whitelist
* | Merge pull request #3559 from smitsohu/smitsohu-bandwidthLibravatar smitsohu2020-08-14
|\ \ | | | | | | harden bandwidth command
| * | harden bandwidth commandLibravatar smitsohu2020-07-14
| | | | | | | | | add extra checks to defend against command injection (respective strings are controlled by Firejail, so this should be redundant and only for the paranoid), run shell in a minimal sandbox
* | | tests: fix check for modules directoryLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | | | | 'modules' can also be seen as a sub-directory, e.g. ./powerpc64le-linux-gnu/gio/modules/libgiolibproxy.so
* | | tests: fix rlimit test for 32bit archsLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | | | | On 32bit architectures like armhf, the output was "unlimited" instead of the expected value.
* | | print errno if char device creation failsLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | on Ubuntu autopkgtest runs on armhf, /dev/zero creation fails.
* | | tests: fix false-positive match on modulesLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | | | | | | | The systemd service file ./systemd/system/sysinit.target.wants/systemd-modules-load.service can exist which will lead to a match for "modules", though we are only looking for the modules directory.
* | | Merge pull request #3583 from kortewegdevries/fixnomacsLibravatar Fred Barclay2020-08-13
|\ \ \ | | | | | | | | Fix nomacs
| * | | Fix nomacsLibravatar kortewegdevries2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ``` Aug 11 16:32:32 korte audit[29004]: SECCOMP auid=1000 uid=1000 gid=1000 ses=2 subj==firejail-default (enforce) pid=29004 comm="nomacs" exe="/usr/bin/nomacs" sig=31 arch=c000003e syscall=9 compat=0 ip=0x7fa2a1cc98c6 code=0x0 ```
* | | | shutdown option hidepid fixLibravatar smitsohu2020-08-13
| | | |
* | | | Merge pull request #3573 from dandelionred/masterLibravatar startx20172020-08-12
|\ \ \ \ | | | | | | | | | | mkdeb.sh should not use files outside $CODE_DIR
| * | | | mkdeb.sh should not use files outside $CODE_DIRLibravatar dandelionred2020-08-07
| | |_|/ | |/| |
* | | | Merge pull request #3569 from topimiettinen/seccomp-logLibravatar startx20172020-08-12
|\ \ \ \ | | | | | | | | | | seccomp: logging
| * | | | seccomp: loggingLibravatar Topi Miettinen2020-08-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow `log` as an alternative seccomp error action instead of killing or returning an errno code. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* | | | | Added youtube-viewer profile with Gtk frontends (#3542)Libravatar kortewegdevries2020-08-11
| |_|/ / |/| | | | | | | | | | | | | | | Initial,amend: wrong dir,delete gtk-*,added new files Co-authored-by: kortewegdevries <k0rtic_dv@aol.com>
* | | | chroot: expose x11 session if FIREJAIL_CHROOT_X11 is setLibravatar smitsohu2020-08-10
| | | | | | | | | | | | | | | | add check so that environment variable FIREJAIL_CHROOT_X11 can be used to mount /tmp/.X11-unix into the chroot; issue #3568
* | | | mount sandbox lib directory ro,nosuid,nodevLibravatar smitsohu2020-08-08
| | | |
* | | | fix for older compilers (gcc 4.9.2, Debian 8)Libravatar netblue302020-08-08
| | | |
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-18 01:01:33 +0000