aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* manpage: /bin/bash -> user's perferred shellLibravatar rusty-snake2020-12-29
| | | | | | | | | | We do not start /bin/bash in the sandbox, we use $SHELL (which is usually /bin/bash). See #3434 and #3844. This commit updates the manpage accordingly until #3434 is resolved with a final solution like using /bin/bash or /bin/sh as hardcoded default. Close #3844. The descriptions of --join* are not updated as there is currenly some work, see #2934 and #3850.
* Update keepassxc.profile dbus commentsLibravatar rusty-snake2020-12-29
| | | | | - split notifications and tray - fix tray policy
* cleanupLibravatar smitsohu2020-12-28
| | | case is handled in guess_shell()
* shell autoselection fixupLibravatar smitsohu2020-12-22
|
* rework previous commit 45c28b808df9529aca32fdd755ac14e8101af3c1Libravatar smitsohu2020-12-22
|
* noroot option: create mapping of firejail groupLibravatar smitsohu2020-12-21
| | | | | issue #3604 follow-up to a7607e423f3336f67daf2ec296414d55c6740f84
* fix forwarding of login option to restricted shellLibravatar smitsohu2020-12-21
| | | | | | | | | | | | If firejail is the login shell, the SHELL environment variable is set to the path of the firejail executable. This leads to execution of a 'firejail -l' command, but firejail inside the sandbox does not know what to do with the -l option and just starts bash without forwarding this option. Fix this by not checking $SHELL when guessing which shell should be used. run_no_sandbox(), which relies on reading the environment, runs before setting the login_shell variable, and is not affected.
* add mac multicast address check to profile_check_lineLibravatar smitsohu2020-12-21
| | | | | issue #3784 related commit 4bc92b8fd0a5c22c7d4c6f9323378501c60ff149
* minor cleanup, cosmeticsLibravatar smitsohu2020-12-21
|
* remove trailing whitespacesLibravatar rusty-snake2020-12-21
|
* brave: enable wruc and wuscLibravatar rusty-snake2020-12-21
|
* move whlist /usr/share/chromium from chomium-comm…Libravatar rusty-snake2020-12-21
| | | | | | | | …on to chromium, remove the nowhlist from min and its whlist from riot-web. TODO: remove the 'ignore whitelist /usr/share/chomium' from the most profiles with it.
* new profile: servoLibravatar rusty-snake2020-12-21
|
* Merge pull request #3839 from rusty-snake/fix-3838Libravatar smitsohu2020-12-21
|\ | | | | x11=none: don't fail on abstract socket if netns …
| * x11=none: don't fail on abstract socket if netns …Libravatar rusty-snake2020-12-19
| | | | | | | | | | | | …is used. fix #3838 -- --x11=none --netns=isolated invalidly errors on the abstract X11 socket being accessible
* | increase verbosity if masking ~/.config/pulse failsLibravatar smitsohu2020-12-21
| | | | | | | | plus very minor cosmetic improvements
* | noroot option: don't drop firejail supplementary groupLibravatar smitsohu2020-12-21
| | | | | | | | | | see suggested setup in man 5 firejail-users also related to issue #3604
* | declare seccomp_debug function staticLibravatar smitsohu2020-12-21
| |
* | simplify private option codeLibravatar smitsohu2020-12-21
| |
* | disable-common.inc: add missing dns tools (#3828)Libravatar Kelvin2020-12-20
| | | | | | | | | | | | | | | | | | | | Add the missing binaries in the DNS section, as suggested by @glitsj16: https://github.com/netblue30/firejail/pull/3810#issuecomment-742920539 Packages and their relevant binaries: * bind: dnssec-* * knot: khost * unbound: unbound-host
* | archivers: limiting file system access (#3834)Libravatar glitsj162020-12-19
|/ | | | | | | | | * limit file system access with comments in archiver-common.inc * note wording * Warn against overtightening file system access Be more explicit about things breaking when archiver profiles are too tight. Thanks for the suggestion by @rusty-snake in #3834.
* Refactor electron.profile and electron based programs (#3807)Libravatar rusty-snake2020-12-17
| | | | | | | | | | | | | | | | | * Refactor electron.profile and electron based programs (1) * Refactor electron.profile and electron based programs (2) * Refactor electron.profile and electron based programs (3) * Refactor electron.profile and electron based programs (4) * Refactor electron.profile and electron based programs (5) * Refactor electron.profile and electron based programs (6) * Refactor electron.profile and electron based programs (7) * Refactor electron.profile and electron based programs (8)
* Archiver fixes - drop private-bin (#3832)Libravatar glitsj162020-12-16
| | | | | | | | | | | | | | | * drop private-bin * drop private-bin * drop private-bin * drop private-bin * drop private-bin * disable private-lib in tar.profile Removing private-bin caused a test to fail - see discussion in https://github.com/netblue30/firejail/pull/3832. Thanks to @reinerh for explaining why I broke things!
* disable-shell.inc: add oksh (#3829)Libravatar Kelvin2020-12-16
| | | | | | | | | | | "Portable OpenBSD ksh, based on the Public Domain Korn Shell (pdksh)." Project page: https://github.com/ibara/oksh $ pacman -Q oksh oksh 6.8.1-1 $ pacman -Qlq oksh | grep bin/ /usr/bin/ /usr/bin/oksh
* New profiles for alacarte,tootle,photoflare (#3816)Libravatar kortewegdevries2020-12-16
| | | | | | | * New profiles for alacarte,tootle,photoflare * Fix dbus Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
* archiver fixes (#3830)Libravatar glitsj162020-12-16
| | | | | * fix gzip * fix tar
* Refactor archivers ii (#3827)Libravatar glitsj162020-12-15
| | | | | | | | | | | | | | | | | | | | | * harden 7z.profile * harden atool.profile * harden bsdtar.profile * harden cpio.profile * harden gzip.profile * harden tar.profile * harden unrar.profile * harden unzip.profile * harden xzdec.profile * harden zstd.profile
* Refactor archivers (#3820)Libravatar glitsj162020-12-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Create archiver-common.inc * add apparmor to archiver-common.inc * refactor 7z.profile * refactor ar.profile * refactor atool.profile * refactor bsdtar.profile * refactor cpio.profile * refactor gzip.profile * refactor tar.profile * refactor unrar.profile * refactor unzip.profile * refactor xzdec.profile * refactor zstd.profile * rewording * blacklist ${RUNUSER} in archiver-common.inc Thanks to @rusty-snake for suggesting this. * drop non-sensical ${RUNUSER}/wayland-* blacklisting in archiver-common.inc See discussion in https://github.com/netblue30/firejail/pull/3820#discussion_r543523343
* Runuser fixes (#3826)Libravatar glitsj162020-12-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting * drop non-sensical ${RUNUSER}/wayland-* blacklisting
* rename softmaker-common.inc to softmaker-common.profile (#3825)Libravatar glitsj162020-12-15
| | | | | | | | | | | | | | | | | | | | | | | * Rename etc/inc/softmaker-common.inc to etc/profile-m-z/softmaker-common.profile As per suggestion by @rusty-snake in https://github.com/netblue30/firejail/pull/3819#issuecomment-745244982 * softmaker-common.profile name change * softmaker-common.profile name change * softmaker-common.profile name change * softmaker-common.profile name change * softmaker-common.profile name change * softmaker-common.profile name change * softmaker-common.profile name change * softmaker-common.profile name change * softmaker-common.profile name change
* re-enable nogroups with a comment in zoom.profile (#3824)Libravatar glitsj162020-12-15
| | | Better fix for #3711, see discussion there.
* rename whitelist-players.inc to whitelist-player-common.inc (#3819)Libravatar glitsj162020-12-15
| | | | | | | | | | | | | | | | | * Update and rename whitelist-players.inc to whitelist-player-common.inc * renamed whitelist-player-common.inc * renamed whitelist-player-common.inc * renamed whitelist-player-common.inc * renamed whitelist-player-common.inc * renamed whitelist-player-common.inc * renamed whitelist-player-common.inc * renamed whitelist-player-common.inc
* Fix sound in games using FMOD (#3821)Libravatar fenuks2020-12-15
| | | Co-authored-by: fenuks <fenuks>
* streamline comments in inc files (#3818)Libravatar glitsj162020-12-14
| | | | | | | | | | | * streamline comments * streamline comments * streamline comments * streamline comments * streamline comments
* Merge pull request #3812 from rusty-snake/fix-3797--firejail-welcome.shLibravatar netblue302020-12-12
|\ | | | | Create firejail-welcome.s
| * Update firejail-welcome.shLibravatar rusty-snake2020-12-12
| | | | | | | | typos, spelling and other fixes. thanks @reinerh for all these
| * Create firejail-welcome.sLibravatar rusty-snake2020-12-11
| | | | | | | | fix #3797 -- Get ride of all these u2f and drm issues
* | drill profileLibravatar netblue302020-12-12
| |
* | Merge pull request #3810 from kmk3/dc-add-ldnsLibravatar netblue302020-12-12
|\ \ | | | | | | Dc add ldns
| * | disable-common.inc: blacklist ldns toolsLibravatar Kelvin M. Klann2020-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | drill(1) from ldns is the first tool suggested on the Arch Wiki for DNS lookup: https://wiki.archlinux.org/index.php/Domain_name_resolution#Lookup_utilities Home page: https://www.nlnetlabs.nl/projects/ldns/about/ $ pacman -Q ldns ldns 1.7.1-2 $ pacman -Qlq ldns | grep bin /usr/bin/ /usr/bin/drill /usr/bin/ldns-chaos /usr/bin/ldns-compare-zones /usr/bin/ldns-config /usr/bin/ldns-dane /usr/bin/ldns-dpa /usr/bin/ldns-gen-zone /usr/bin/ldns-key2ds /usr/bin/ldns-keyfetcher /usr/bin/ldns-keygen /usr/bin/ldns-mx /usr/bin/ldns-notify /usr/bin/ldns-nsec3-hash /usr/bin/ldns-read-zone /usr/bin/ldns-resolver /usr/bin/ldns-revoke /usr/bin/ldns-rrsig /usr/bin/ldns-signzone /usr/bin/ldns-test-edns /usr/bin/ldns-testns /usr/bin/ldns-update /usr/bin/ldns-verify-zone /usr/bin/ldns-version /usr/bin/ldns-walk /usr/bin/ldns-zcat /usr/bin/ldns-zsplit /usr/bin/ldnsd
| * | disable-common.inc: sort DNS / RUNUSER pathsLibravatar Kelvin M. Klann2020-12-10
| |/
* | curl HSTS cache support (#3813)Libravatar glitsj162020-12-12
| | | | | | | | | | * add curl HSTS support * add HSTS support
* | refactor playonlinux as wine redirect (#3811)Libravatar rusty-snake2020-12-12
| |
* | integrate relevant options into server.profile (#3808)Libravatar glitsj162020-12-11
|/ | | | | * integrate relevant options into server.profile * relax mdwe and dbus-system in server.profile
* fix audio/video play in yelp.profileLibravatar glitsj162020-12-10
|
* re-order private-etc in telegram.profileLibravatar glitsj162020-12-10
|
* fix private-etc in telegram.profileLibravatar glitsj162020-12-10
| | | Fixes #3805.
* minor hardenings and commentsLibravatar glitsj162020-12-10
|
* Update yelp.profile (#3803)Libravatar glitsj162020-12-09
|
* harden sysprof (#3802)Libravatar glitsj162020-12-09
|
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-04 00:49:13 +0000