Commit message (Author, Age)
* Improve --version command example (glitsj16, 2020-01-20)
|   Fixes #3135.
* harden celluloid.profile (rusty-snake, 2020-01-19)
|
* create rtv.profile (rusty-snake, 2020-01-19)
|
* Merge pull request #3168 from glitsj16/fix-asprinf (Reiner Herrmann, 2020-01-19)
|\
| |   Fix typos in fs_bin.c
| * Update copyright to 2020 in fs_bin.c (glitsj16, 2020-01-19)
| |
| * fix typo in fs_bin.c (glitsj16, 2020-01-19)
|/
* fixes for 'blacklist ${RUNUSER}/wayland-*' (#3166) (glitsj16, 2020-01-18)
|   * unbreak audio-recorder
|     Support both X11 and Wayland by default. Users can add 'blacklist ${RUNUSER}/wayland-*' or 'x11 none' in their audio-recorder.local.
|   * unbreak ddgtk
|     Support both X11 and Wayland by default. Users can add 'blacklist ${RUNUSER}/wayland-*' or 'x11 none' in their ddgtk.local.
|   * unbreak and harden gconf-editor
|     Support both X11 and Wayland by default. Also whitelist /usr/share/gconf-editor for wusc.
|   * unbreak seahorse
|     Support both X11 and Wayland by default.
|   * add blacklist ${RUNUSER}/wayland-* to dnscrypt-proxy
* Update SECURITY.md (Reiner Herrmann, 2020-01-18)
|
* Update SECURITY.md (rusty-snake, 2020-01-18)
|   @reinerh is this still right?
|   > :white_check_mark: Debian 11 (testing/unstable), 10 **backports**; Ubuntu 19.10
* add tvbrowser.profile (rusty-snake, 2020-01-18)
|   Thanks @Micha-Btz for all the testing.
* make devilspie2 redirect to devilspie (#3163) (rusty-snake, 2020-01-18)
|
* die python2 die !! #3164 (meld) (rusty-snake, 2020-01-18)
|   https://github.com/netblue30/firejail/issues/3164#issuecomment-575892401
* harden baobab and transmission-common (rusty-snake, 2020-01-18)
|
* refactor claws-mail and sylpheed as whitelist profiles (#3162) (glitsj16, 2020-01-18)
|   * refactor claws-mail as whitelist profile
|   * refactor sylpheed as whitelist profile
|   * Create email-common.profile
|   * safeguard ${DOCUMENTS}
|   * Add disable-xdg to email-common.profile
|     Thanks @rusty-snake for the review.
* Merge pull request #3161 from rusty-snake/bl-wayland (rusty-snake, 2020-01-18)
|\
| |   blacklist ${RUNUSER}/wayland-* in every profile with blacklist /tmp/.X11-unix or x11 none
| * add RUNUSER and Disable Wayland to the template (rusty-snake, 2020-01-18)
| |
| * add 'blacklist ${RUNUSER}/wayland-*' to all profiles with 'x11 none' (rusty-snake, 2020-01-18)
| |
| * add 'blacklist ${RUNUSER}/wayland-*' to all profiles with 'blacklist /tmp/.X11-unix' (rusty-snake, 2020-01-18)
|/
* 'blacklist /tmp/.X11-unix' is implied by x11 none (rusty-snake, 2020-01-18)
|
* fix x11 none in devilspie2 (glitsj16, 2020-01-17)
|
* Fix x11 none in devilspie (glitsj16, 2020-01-17)
|
* hardenings for various profiles (#3160) (glitsj16, 2020-01-17)
|   * harden devilspie
|   * harden devilspie2
|   * harden curl
|   * harden wget
|   * harden curl
|   * harden dig
|   * harden claws-mail
|   * harden dnscrypt-proxy
|   * harden dnscrypt-proxy
|   * harden dnscrypt-proxy
|   * harden exfalso
|   * refactor easystroke as whitelist profile
|   * refactor enchant as whitelist profile
|   * safeguard ${DOCUMENTS}
|     Thanks @rusty-snake for the suggestion.
|   * drop x11-none
|     Thanks @rusty-snake for catching this.
|   * drop x11 none
|     Thanks @rusty-snake for saving the bacon...
|   * drop x11 none
|     Thanks @rusty-snake for catching this.
|   * drop x11 none
|     Thanks @rusty-snake for preventing breakage!
|   * drop ipc-namespace
|     Better safe than sorry...
* join: wait with effective uid of the user (smitsohu, 2020-01-17)
|   issue #3130
* fix join timeout if sleep interval is not a multiple (smitsohu, 2020-01-17)
|
* Fix gfeeds (rusty-snake, 2020-01-17)
|
* Harden feedreader (rusty-snake, 2020-01-17)
|
* More fixes for ffmpeg support in Arch Linux (Vincent43, 2020-01-17)
|   This is a continuation of fixes needed after the recent ffmpeg change in Arch Linux.
|   See https://github.com/netblue30/firejail/issues/3147
* profiles: whitelist transmission-daemon config directory (Reiner Herrmann, 2020-01-17)
|   Reported at: https://bugs.debian.org/948993
* Fix missing lib libmfx.so.1 (standardnotes-desktop) (#3151) (Florian Begusch, 2020-01-16)
|
* fix wire-desktop [1] (rusty-snake, 2020-01-16)
|   [1]: https://github.com/netblue30/firejail/issues/2946#issuecomment-574861226
* fix ffmpeg private-etc (rusty-snake, 2020-01-15)
|   closes #3147
* Update RELNOTES, README.md|Add firefox-x11.profile (rusty-snake, 2020-01-13)
|
* Fix sorting private-etc in i2prouter.profile (glitsj16, 2020-01-13)
|   @rusty-snake For now I've fixed the sorting to let it pass CI. Do you think sort.py should put java-{8,9}-openjdk before java-10-openjdk?
* update i2prouter profile, and remove from firecfg (#3123) (corecontingency, 2020-01-13)
|
* aria2c fixes (#3143) (glitsj16, 2020-01-13)
|   * Support XDG_CONFIG_HOME for aria2c
|   * Fix aria2c.profile
* fix #3141 (rusty-snake, 2020-01-12)
|
* move whitelist /usr/share/webext from firefox-common.profile to firefox.profile. (rusty-snake, 2020-01-12)
|   See https://github.com/netblue30/firejail/commit/c8f78d7b536ec2dce4cc74de2653ae6c8c99b553#commitcomment-36763119
* profiles: whitelist /usr/share/webext in firefox-common (Reiner Herrmann, 2020-01-12)
|   directory is used for system-wide installed webext-addons.
|   Reported at: https://bugs.debian.org/948558
* gitlab-ci: build with stretch image (Reiner Herrmann, 2020-01-11)
|
* freecad: allow access to python (smitsohu, 2020-01-10)
|
* readme update (netblue30, 2020-01-09)
|
* Merge pull request #3131 from smitsohu/webengine (netblue30, 2020-01-09)
|\
| |   allow chroot syscall where apps depend on QtWebengine
| * allow chroot syscall where apps depend on QtWebengine (smitsohu, 2020-01-08)
| |   derived from QtWebengine reverse dependencies
* | Merge pull request #3134 from nblock/dev/cmus (Fred Barclay, 2020-01-08)
|\ \
| | |   cmus: allow access to resolv.conf
| * | cmus: allow access to resolv.conf (Florian Preinstorfer, 2020-01-08)
|/ /
* | misc profile fixups and hardening (rusty-snake, 2020-01-08)
| |
* | Merge pull request #3102 from kris7t/dhcp-client (netblue30, 2020-01-07)
|\ \
| | |   DHCP client support
| * | Wait for link-local address for DHCPv6 (Kristóf Marussy, 2020-01-01)
| | |   dhclient -6 fails if the interface to be configured has no link-local address. This is especially problematic when only DHCPv6 is used (e.g., --ip=none --ip6=dhcp), because the wait for a DHCPv4 lease is usually ample time for the LL address to become available on the IPv6 link. The LL address must not be tentative.
| | |
| | |   Therefore, this patch implements waiting for a non-tentative link-local address in fnet for DHCPv6 configured interfaces. The command fnet waitll <if> waits for an LL address on the interface <if>.
| | |
| | |   Currently, the maximum waiting time is 30 seconds, and the kernel is polled through rtnetlink every 500 milliseconds. These values seem sufficient for virtual bridged networks, e.g., libvirt NAT networks.
| * | Run dhclient inside the sandbox (Kristóf Marussy, 2019-12-30)
| | |   * In order to ensure that network interfaces are already configured when the sandbox launches, we run dhclient in forking mode (no -d switch), which makes the dhclient command exit when it successfully acquired a lease. The dhclient daemon process keeps running in the background.
| | |   * We read the pid file for dhclient to find out the pid of the daemon process. Because dhclient only writes the pid file in the child process potentially after the forking parent process exits, there is some handling for possible race conditions.
| | |   * All lease files and pid files are under /run/firejail/dhclient/
| | |   * The v4 and v6 dhclient each have a separate lease, as recommended.
| | |   * The v4 client is set to generate a DUID, which is also used by the v6 client so that the server can associate the two leases if needed.
| | |   * /etc/resolv.conf is created in the sandbox just like with the --dns option, by mirroring /etc. When DHCP is used, /etc/resolv.conf is normally empty so that dhclient can overwrite it with the nameservers from the DHCP server.
| | |
| | |   Current limitations:
| | |   * The dhclient processes in the background are not terminated properly (by SIGTERM or dhclient -x), nor is the DHCP lease released (by dhclient -r). The reason for this is that firejail drops all capabilities and privileges before the application in the sandbox is launched, which makes it impossible to launch dhclient to release the lease or kill the dhclient processes still running with the effective user id of root. Instead the dhclient daemons die with the sandbox. According to the dhclient man page, releasing the lease is not required by the DHCP specification, so this is not a problem; however, some ISPs may require releasing leases.
| | |     A possible workaround would be to fork another process upon sandbox initialization that invokes dhclient -r when the sandbox is ready to exit. This would require communication with the main firejail process through a pipe, while keeping any required privileges. As this would add some complexity but the benefits have limited applicability (compatibility with esoteric DHCP server configurations), I chose not to implement this.
| | |   * When only an IPv6 address is requested, the interface may possibly not have a link-local address when we run dhclient. This causes dhclient -6 to fail, since DHCPv6 uses link-local addressing instead of layer 2 addressing, see e.g., https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783387
| | |     In a future commit, waiting for a link-local address will be added.
| * | Add capability filter for network services, additive filter (Kristóf Marussy, 2019-12-30)
| | |   The new capability filter SBOX_CAPS_NET_SERVICE allows forked processes to bind to low ports (privileged network services).
| | |
| | |   Because dhcp clients require both low ports and network administration privileges, this patch also allows (bitwise) combination of capability filters (except SBOX_CAPS_NONE, which completely drops any capabilities) to grant both SBOX_CAPS_NETWORK and SBOX_CAPS_NET_SERVICE to a dhcp client. This way, fnet and fnetfilter calls still do not get CAP_NET_BIND_SERVICE.