aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* Fix chromium browsers in firejail 0.9.68Libravatar rusty-snake2022-04-14
| | | | closes #4965
* fix --writable-etcLibravatar netblue302022-04-12
|
* Merge branch 'master' of ssh://github.com/netblue30/firejailLibravatar netblue302022-04-12
|\
| * build(deps): bump github/codeql-action from 2.1.6 to 2.1.8Libravatar dependabot[bot]2022-04-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.6 to 2.1.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/28eead240834b314f7def40f6fcba65d100d99b1...1ed1437484560351c5be56cf73a48a279d116b78) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | small fixesLibravatar netblue302022-04-10
|/
* Merge pull request #5092 from smitsohu/vlcLibravatar smitsohu2022-04-10
|\ | | | | harden vlc
| * harden vlcLibravatar smitsohu2022-04-10
| | | | | | | | | | apparmor doesn't disable D-Bus anymore, so add it back remove memory-deny-write-execute comment, as this also breaks JIT compiled QtQuick nowadays
* | libvirt dnsmasq: more fixes (#5089)Libravatar smitsohu2022-04-10
| | | | | | | | | | | | | | following up ce6f792efd0af09b95050864b71f79c46359fa49 /var/lib/libvirt is blacklisted in disable-common.inc so merely whitelisting the directory is not enough
* | harden dnsmasqLibravatar smitsohu2022-04-10
| | | | | | | | | | private option implies private-cache, so it is safe to remove
* | libvirt dnsmasq fix (#5089)Libravatar smitsohu2022-04-10
| |
* | unbound: fixes, blacklist all of ${RUNUSER}Libravatar smitsohu2022-04-10
| |
* | steam: add HotLine Miami (#5097)Libravatar Kelvin M. Klann2022-04-08
| | | | | | https://store.steampowered.com/app/219150/Hotline_Miami/
* | compile fixLibravatar netblue302022-04-08
| |
* | nettraceLibravatar netblue302022-04-08
| |
* | nettrace dns and sniLibravatar netblue302022-04-08
| |
* | Merge branch 'master' of ssh://github.com/netblue30/firejailLibravatar netblue302022-04-07
|\ \
| * | more snap blacklisting (#5093)Libravatar smitsohu2022-04-04
| | |
| * | build(deps): bump github/codeql-action from 1.1.5 to 2.1.6Libravatar dependabot[bot]2022-04-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.1.5 to 2.1.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/883476649888a9e8e219d5b2e6b789dc024f690c...28eead240834b314f7def40f6fcba65d100d99b1) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* / nettrace fixesLibravatar netblue302022-04-05
|/
* teams: drop doubled option (#5087)Libravatar glitsj162022-04-01
|
* man: typo fixes (#5084)Libravatar glitsj162022-03-31
|
* mergesLibravatar netblue302022-03-29
|
* Merge pull request #5078 from kmk3/docs-mention-caps-manLibravatar netblue302022-03-29
|\ | | | | docs: mention capabilities(7) on --caps
| * docs: mention capabilities(7) on --capsLibravatar Kelvin M. Klann2022-03-27
| | | | | | | | | | | | As hinted by @rusty-snake[1]. [1] https://github.com/netblue30/firejail/discussions/5064#discussioncomment-2417395
* | Merge pull request #5077 from kmk3/dc-add-pkcs11Libravatar netblue302022-03-29
|\ \ | | | | | | disable-common.inc: make ~/.config/pkcs11 read-only
| * | disable-common.inc: make ~/.config/pkcs11 read-onlyLibravatar Kelvin M. Klann2022-03-27
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It looks like it allows arbitrary command execution. From pkcs11.conf(5): > remote: > Instead of loading the PKCS#11 module locally, run the module > remotely. > > Specify a command to run, prefixed with | a pipe. The command > must speak the p11-kit remoting protocol on its standard in > and standard out. For example: > > remote: |ssh user@remote p11-kit remote /path/to/module.so > > Other forms of remoting will appear in later p11-kit releases. Environment: p11-kit 0.24.1-1 on Artix Linux. Currently this entry only exists on whitelist-common.inc, added on commit f74cfd07c ("add p11-kit support - #1646"). With this commit applied, all read-only entries on whitelist-commons.inc are also part of disable-common.inc. See also the discussion on #5069.
* | Merge pull request #5071 from kmk3/add-appimage-dirLibravatar netblue302022-03-29
|\ \ | |/ |/| appimage: blacklist and make ~/Applications dir read-only
| * disable-programs.inc: blacklist ~/Applications dirLibravatar Kelvin M. Klann2022-03-24
| | | | | | | | | | | | | | | | | | | | | | | | | | It is used for storing AppImages. Note that even when blacklisting a directory, it is possible to execute an AppImage from it. For example, the following works: firejail --noprofile --blacklist='${HOME}/Applications' --appimage \ ~/Applications/foo.AppImage While the resulting process does not appear to have access to the blacklisted directory.
| * disable-common.inc: make ~/Applications dir read-onlyLibravatar Kelvin M. Klann2022-03-24
| | | | | | | | | | | | | | | | | | | | This directory is monitored by both appimaged[1] and AppImageLauncher[2]. Also, when opening an AppImage with AppImageLauncher, it may prompt the user to move the AppImage to ~/Applications. [1] https://github.com/AppImage/appimaged/blob/2323f1825ed6abe19f2d3791d81307449692be03/README.md#monitored-directories [2] https://github.com/TheAssassin/AppImageLauncher/wiki/Configuration
* | megaglest.profile: Add allow-lua.inc (#5066)Libravatar NetSysFire2022-03-25
| | | | | | | | | | * megaglest.profile: Add allow-lua.inc * Move comment to line above
* | Fix Hugin profile. (#5072)Libravatar Jose Riha2022-03-25
|/ | | Fixes #5068.
* RELNOTES: add gcov dummy functions bugfix and docsLibravatar Kelvin M. Klann2022-03-24
| | | | Relates to #5028 #5043 #5052.
* adding ping in firecfg list (#1912)Libravatar netblue302022-03-24
|
* Merge branch 'master' of ssh://github.com/netblue30/firejailLibravatar netblue302022-03-24
|\
| * Merge pull request #5061 from glitsj16/ping-fixesLibravatar netblue302022-03-24
| |\ | | | | | | ping: (extra) hardening
| | * ping: fix hardening commentLibravatar glitsj162022-03-21
| | |
| | * Create ping-hardened.inc.profileLibravatar glitsj162022-03-21
| | |
| | * ping: extra hardeningLibravatar glitsj162022-03-21
| | |
| * | Merge pull request #5058 from glitsj16/nodejs-nvmLibravatar netblue302022-03-24
| |\ \ | | | | | | | | Node.js stack refactoring
| | * | nodejs-common: fix noteLibravatar glitsj162022-03-21
| | | |
| | * | Create semver.profileLibravatar glitsj162022-03-20
| | | |
| | * | Create npx.profileLibravatar glitsj162022-03-20
| | | |
| | * | Create node-gyp.profileLibravatar glitsj162022-03-20
| | | |
| | * | nodejs-common: add comment & minor hardeningLibravatar glitsj162022-03-20
| | | |
| | * | wget: add nvm support commentLibravatar glitsj162022-03-20
| | | |
| | * | webui-aria2: add nvm supportLibravatar glitsj162022-03-20
| | | |
| | * | webstorm: fix orderingLibravatar glitsj162022-03-20
| | | |
| | * | tar: add nvm support commentLibravatar glitsj162022-03-20
| | | |
| | * | sha256sum: add nvm support commentLibravatar glitsj162022-03-20
| | | |
| | * | nvm: remove profileLibravatar glitsj162022-03-20
| | | | | | | | | | | | [nvm](https://github.com/nvm-sh/nvm) is implemented as a sourced shell function, not an executable binary. Regular sandboxing doesn't work but we can add nvm support to the applications used by it internally (curl, sha256sum, tar & wget).
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-05 12:37:06 +0000