* CI: enable Dependabot for updating SHAs (Topi Miettinen, 2021-12-26)
  Update GitHub actions with Dependabot: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
* CI: pin GitHub actions to SHAs (Topi Miettinen, 2021-12-26)
  Pinning actions to SHAs instead of versions improves the supply chain security: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
* Fix a typo (Tad, 2021-12-21)
  Signed-off-by: Tad <tad@spotco.us>
* firecfg fix (#4235) (netblue30, 2021-12-21)
* fix bug: firejail rejects empty arguments (#4395) (netblue30, 2021-12-21)
* update (netblue30, 2021-12-19)
* updates (netblue30, 2021-12-19)
* Merge pull request #4759 from fenuks/tor-browser-update-fix (netblue30, 2021-12-19)
  Allow /opt/tor-browser for Tor Browser profile
* Allow /opt/tor-browser for Tor Browser profile (fenuks, 2021-12-09)
* fix --private-cwd problem (netblue30, 2021-12-19)
* Merge branch 'master' of ssh://github.com/netblue30/firejail (netblue30, 2021-12-19)
* add credit for #4783 (glitsj16, 2021-12-19)
* Merge pull request #4783 from YorkZ/pr (glitsj16, 2021-12-19)
  Allow telegram to open hyperlinks
* Allow telegram to open hyperlinks (York Zhao, 2021-12-18)
* fix make test-filter (netblue30, 2021-12-19)
* testing (netblue30, 2021-12-18)
* Merge pull request #4782 from jose1711/nextcloud_usrshare (netblue30, 2021-12-18)
  Whitelist /usr/share/nextcloud to allow access to translation files.
* Whitelist /usr/share/nextcloud to allow access to translation files. (Jose Riha, 2021-12-17)
* Merge pull request #4779 from seonwoolee/fix-teams (netblue30, 2021-12-18)
  Fix teams ignoring input sources e.g. microphones
* Move noinput outside of disabled until someone reported positive feedback block (Seonwoo, 2021-12-14)
* Fix teams ignoring input sources e.g. microphones (Seonwoo, 2021-12-14)
* Merge pull request #4781 from YorkZ/pr (netblue30, 2021-12-18)
  Whitelist ${HOME}/.local/opt/tor-browser to make tor-browser work
* Whitelist ${HOME}/.local/opt/tor-browser to make tor-browser work (York Zhao, 2021-12-17)
  tor-browser 11.0.2-1 doesn't work without whitelisting this directory. The following was the message I got before whitelisting this directory.

    Reading profile /etc/firejail/tor-browser.profile
    Reading profile /etc/firejail/torbrowser-launcher.profile
    Reading profile /etc/firejail/allow-python2.inc
    Reading profile /etc/firejail/allow-python3.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-exec.inc
    Reading profile /etc/firejail/disable-interpreters.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-xdg.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Reading profile /etc/firejail/whitelist-var-common.inc
    Reading profile /etc/firejail/whitelist-runuser-common.inc
    Reading profile /etc/firejail/whitelist-usr-share-common.inc
    Warning: Warning: NVIDIA card detected, nogroups command disabled
    Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
    Parent pid 12653, child pid 12654
    104 programs installed in 153.32 ms
    Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
    Warning: skipping asound.conf for private /etc
    Warning: skipping crypto-policies for private /etc
    Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode
    Warning: skipping pki for private /etc
    Private /etc installed in 64.84 ms
    Private /usr/etc installed in 0.00 ms
    Warning: cleaning all supplementary groups
    Warning: cleaning all supplementary groups
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
    Warning: cleaning all supplementary groups
    Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
    Warning: cleaning all supplementary groups
    Child process initialized in 325.75 ms
    /usr/bin/tor-browser: [Error] The tor-browser archive could not be extracted to your home directory. Check the permissions of ~/.local/opt/tor-browser/app. The error log can be found in ~/.local/opt/tor-browser/LOG.
    /usr/bin/tor-browser: line 218: ~/.local/opt/tor-browser/app/Browser/start-tor-browser: No such file or directory
* Merge pull request #4771 from kmk3/revert-allow-deny-leftovers (netblue30, 2021-12-18)
  Revert allow/deny leftovers
* Remove profcleaner.c and profcleaner.sh (Kelvin M. Klann, 2021-12-10)
  As of this commit, these are not of much use. Though later if a generic profile search/replace tool with built-in rules is to be added, the tools in question could be used as a starting point.
  src/tools/profcleaner.c was added on commit fe0f975f4 ("move whitelist/blacklist to allow/deny", 2021-07-05).
  src/tools/profcleaner.sh was added on commit ed02ab57b ("Create profcleaner.sh", 2021-07-07) / PR #4389.
  Relates to #4410.
* Revert "allow/noallow/deny/nodeny aliases for whitelist/nowhitelist/blacklist/noblacklist" (Kelvin M. Klann, 2021-12-10)
  This reverts commit 45f2ba544e9934b49e03b17c0a638dddc3a44734.
  Note: This is not a clean revert.
  Note2: This also reverts the changes to src/firejail/profile.c from commit fe0f975f4 ("move whitelist/blacklist to allow/deny", 2021-07-05).
  Relates to #4410.
* Revert "allow/deny in zsh completion" (Kelvin M. Klann, 2021-12-10)
  This reverts commit 1021fb9e5d32a48698c0c8c913d44a048b12db7f.
  Relates to #4388 and #4410.
* disable curl and wget in browsers based on firefox and chromium (netblue30, 2021-12-18)
* RELNOTES: s/deprecated/removed/ (Kelvin M. Klann, 2021-12-13)
  As far as I know, to "deprecate" something usually means the following:
  * It should not be used anymore
  * It still works (even if it may not work 100%)
  * It may be removed in a future release
  But the features mentioned on RELNOTES were actually removed; see commit c08414fdb ("deprecated --disable-whitelist at compile time", 2021-07-03) and commit c32924b82 ("deprecated whitelist=yes/no in /etc/firejail/firejail.config", 2021-07-04).
  So to avoid confusion, just say that they were removed.
* Merge pull request #4776 from glitsj16/highlight (glitsj16, 2021-12-13)
  allow lua in highlight.profile
* allow lua (glitsj16, 2021-12-13)
* RELNOTES: add more missing pr/issue references (Kelvin M. Klann, 2021-12-11)
  Relates to #4157 #4288 #4461 #4462.
* RELNOTES: add missing pull request references (Kelvin M. Klann, 2021-12-11)
  Relates to #4510 #4533 #4599 #4635.
* RELNOTES: add noprinters command (Kelvin M. Klann, 2021-12-11)
  As mentioned by @rusty-snake: https://github.com/netblue30/firejail/discussions/4770#discussioncomment-1784210
  Relates to #4607.
* profstats fix (#4733) (netblue30, 2021-12-10)
* Merge pull request #4748 from kmk3/readme-clarify-ubuntu (netblue30, 2021-12-08)
  README.md: Mention security situation on Ubuntu and recommend PPA
* README.md: Mention security situation on Ubuntu and recommend PPA (Kelvin M. Klann, 2021-12-07)
  Add the information posted by @reinerh on #4666 (related to CVE-2021-26910 and Ubuntu's security policy) and also the instructions from #4663 for installing from the PPA.
  See also https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767
* updates (netblue30, 2021-12-08)
* Merge pull request #4752 from kmk3/elinks-fix-liblua-access (netblue30, 2021-12-08)
  elinks.profile: Fix missing access to liblua
* elinks.profile: Fix missing access to liblua (Kelvin M. Klann, 2021-12-08)
  By including allow-lua.inc.
  Error log:

    $ firejail elinks
    elinks: error while loading shared libraries: liblua.so.5.4: cannot open shared object file: Permission denied

  Environment: firejail-git (a82c8e021) and elinks 0.14.3-2 on Artix Linux.
  Fixes #4707.
  Reported-by: @jose1711
* Merge pull request #4747 from WhyNotHugo/skype-config (netblue30, 2021-12-08)
  Skype profile tweaks
* skype: Harden D-Bus profile (Hugo Osvaldo Barrera, 2021-12-07)
  Tested these settings and they work fine, including a test call.
  I can't explain why, but if the `org.kde.StatusNotifierWatcher` entry is removed, Skype will immediately log out the previous session when started.
* skype: Create and whitelist config dir (Hugo Osvaldo Barrera, 2021-12-06)
  Without this, Skype's session isn't retained.
* Merge pull request #4743 from vnepogodin/master (netblue30, 2021-12-08)
  Add CachyBrowser profile
* keep in sync with librewolf.profile from master branch (Vladislav Nepogodin, 2021-12-06)
* Add new cachy-browser profile (Vladislav Nepogodin, 2021-12-06)
* Merge pull request #4732 from kmk3/fix-groups-misc3 (netblue30, 2021-12-08)
  Fix keeping certain groups with nogroups
* Fix keeping certain groups with nogroups (Kelvin M. Klann, 2021-12-07)
  This amends commit b828a9047 ("Keep audio and video groups regardless of nogroups", 2021-11-28) from PR #4725.
  The commit above did not change the behavior (the groups are still not kept). With this commit, it appears to work properly:

    $ groups | grep audio >/dev/null && echo kept
    kept
    # with check_can_drop_all_groups == 0
    $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept
    kept
    # with check_can_drop_all_groups == 1
    $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept
    $

  Add a new check_can_drop_all_groups function to check whether the supplementary groups can be safely dropped without potentially causing issues with audio, 3D hardware acceleration or input (and maybe more). It returns false if nvidia (and no `no3d`) is used or if (e)logind is not running, as in either case the supplementary groups might be needed.
  Note: With this, the behavior from before #4725 is restored on (e)logind systems (when not using nvidia), as it makes the supplementary groups always be dropped on such systems.
  Note2: Even with the static variable, these checks still happen at least twice. It seems that it happens once per translation unit (and I think that it may happen more times if there are multiple processes involved).
  This also amends (/kind of reverts) commit 6ddedeba0 ("Make nogroups work on nvidia again", 2021-11-29) from PR #4725, as it restores the nvidia check from it into the new check_can_drop_all_groups function.
* Fix duplicated fwarning warnings (Kelvin M. Klann, 2021-12-01)
  This amends commit 11418a46c ("dns fixes", 2019-10-31).
  fwarning already prints "Warning: " at the beginning.
  Kind of relates to commit 6ddedeba0 ("Make nogroups work on nvidia again", 2021-11-29) / PR #4725, which removed code affected by this.
  Command used to find the duplicates:

    git grep -i -F 'fwarning("Warning:' -- src

* util.c: Rename nogroups to force_nogroups on drop_privs (Kelvin M. Klann, 2021-12-01)
  To not be confused with arg_nogroups, as in the vast majority of cases drop_privs is called with either 0 or 1 rather than arg_nogroups.
  The rename makes it clearer that what the parameter does is to drop all groups without exception, unlike arg_nogroups, which may have certain groups be kept.