Commit message | Author | Age
* seccomp: allow defining separate filters for 32-bit arch (Topi Miettinen, 2020-03-28)
| System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine.
| Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed.
| Lists of supported system calls are also updated.
| Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries.
| Closes #3267.
| Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* Added compatibility with BetterDiscord (#3300) (Atrate, 2020-03-27)
| Signed-off-by: Atrate <Atrate@protonmail.com>
* fsec-print: print address of BPF_JA jump in hex (Topi Miettinen, 2020-03-26)
| Since target addresses for other (conditional) jumps are in hex, it's very confusing to have one jump address in decimal.
* Add a profile for X2GoClient (Tad, 2020-03-23)
|
* penguin-command (netblue30, 2020-03-23)
|
* Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2020-03-23)
|\
| * fixup 255697b (rusty-snake, 2020-03-23)
| |
* | penguin-command (netblue30, 2020-03-23)
|/
* apparmor (netblue30, 2020-03-23)
|
* Merge pull request #3293 from 0x7969/master (rusty-snake, 2020-03-23)
|\
| | Update wire-desktop.profile
| * Update etc/wire-desktop.profile (0x7969, 2020-03-23)
| | Co-Authored-By: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| * Update wire-desktop.profile (0x7969, 2020-03-23)
| |
* | replace tabs with spaces (rusty-snake, 2020-03-23)
|/
* kmplayer etc (netblue30, 2020-03-22)
|
* fix profstats to print warning for nonexistent include files (netblue30, 2020-03-22)
|
* fixes (rusty-snake, 2020-03-22)
|
* new profiles: agenda, gnome-pomodoro, gnome-todo (rusty-snake, 2020-03-22)
| rules for xdg-dbus-proxy:
| dbus-user filter
| dbus-user.own org.gnome.Pomodoro
| dbus-user.talk ca.desrt.dconf
| dbus-user.talk org.gnome.Shell
| dbus-system none
|
| dbus-user filter
| dbus-user.own org.gnome.Todo
| dbus-user.talk ca.desrt.dconf
| dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
| dbus-user.talk org.gnome.evolution.dataserver.Calendar8
| dbus-user.talk org.gnome.evolution.dataserver.Sources5
| dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
| dbus-user.talk org.gnome.OnlineAccounts
| dbus-user.talk org.gnome.SettingsDaemon.Color
| dbus-system filter
| dbus-system.talk org.freedesktop.login1
|
| dbus-user filter
| dbus.own com.github.dahenson.agenda
| dbus.talk ca.desrt.dconf
| dbus-system block
* iagno profile (netblue30, 2020-03-21)
|
* Merge pull request #3275 from dmfreemon/add-name-or-private-dir-to-xpra-window-title (smitsohu, 2020-03-19)
|\
| | add name or private directory being used to the window title when xpra is being used
| * handle malloc() failures; use gnu_basename() instead of basename() (dmfreemon@users.noreply.github.com, 2020-03-15)
| |
| * add name or basename of private directory being used to the window title when xpra is being used (dmfreemon@users.noreply.github.com, 2020-03-10)
| |
* | Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2020-03-19)
|\ \
| * | extend default.profile (rusty-snake, 2020-03-19)
| | |
| * | harden baobab and gitg (rusty-snake, 2020-03-19)
| | |
* | | new profiles: ripperx, sound-juicer (netblue30, 2020-03-19)
|/ /
* | various profile fixes (netblue30, 2020-03-19)
| |
* | apparmor support for bind, nslookup, host (netblue30, 2020-03-19)
| |
* | fix readme.md (netblue30, 2020-03-19)
| |
* | fix readme.md (netblue30, 2020-03-19)
| |
* | profile stats (netblue30, 2020-03-19)
| |
* | misc fixes (rusty-snake, 2020-03-19)
| | remove netfilter from profiles with net none
| | allow Viber to use dig, dig is in its private-bin, so I assume that it needs it.
| | blacklist resolvectl which can also be used for dns lookups
* | fix nslookup.profile header (glitsj16, 2020-03-19)
| |
* | fix host.profile header (glitsj16, 2020-03-19)
| |
* | nslookup, host profiles (netblue30, 2020-03-18)
| |
* | profile fixes (netblue30, 2020-03-18)
| |
* | fix mplayer profile (netblue30, 2020-03-17)
| |
* | remount fix - #3280 (smitsohu, 2020-03-16)
| |
* | profile fixes (netblue30, 2020-03-16)
| |
* | some profile hardening (netblue30, 2020-03-15)
| |
* | fix freeoffice (netblue30, 2020-03-15)
| |
* | Merge pull request #3278 from rusty-snake/has-nosound-condition (smitsohu, 2020-03-15)
|\ \
| | | new condition: HAS_NOSOUND
| * | new condition: HAS_NOSOUND (rusty-snake, 2020-03-15)
| | |
* | | steam fixes; #841, #3267 (rusty-snake, 2020-03-15)
| | |
* | | add gnome-screenshot.profile (rusty-snake, 2020-03-15)
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | patch for xdg-dbus-proxy ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -45,3 +45,8 @@ private-bin gnome-screenshot private-dev private-etc dconf,fonts,gtk-3.0,localtime,machine-id private-tmp + +dbus-user filter +dbus-user.own org.gnome.Screenshot +dbus-user.talk org.gnome.Shell.Screenshot +dbus-system block ``` patch for whitelist-runuser-common.inc ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -17,11 +17,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist ${RUNUSER}/bus -whitelist ${RUNUSER}/pulse -whitelist ${RUNUSER}/gdm/Xauthority -whitelist ${RUNUSER}/wayland-0 include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor ```
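Review bot: the first hunk appends the D-Bus rules (`dbus-user filter`, `dbus-user.own org.gnome.Screenshot`, `dbus-user.talk org.gnome.Shell.Screenshot`, `dbus-system block`) after `private-tmp` with no comment stating why the sandbox must talk to org.gnome.Shell.Screenshot, and the commit message only labels the hunk "patch for xdg-dbus-proxy" without saying what the profile's behaviour is when the proxy is absent; a one-line comment above the talk rule and a sentence in the message would keep a later hardening pass from dropping the rule as unexplained.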
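Review bot: the second hunk removes four explicit whitelist lines (`whitelist ${RUNUSER}/bus`, `whitelist ${RUNUSER}/pulse`, `whitelist ${RUNUSER}/gdm/Xauthority`, `whitelist ${RUNUSER}/wayland-0`) in favour of `include whitelist-runuser-common.inc`, but the include file is not part of this patch, so nothing in the hunk shows it covers all four paths; if it omits gdm/Xauthority or wayland-0 the sandboxed gnome-screenshot loses its display socket, and if it omits the bus socket the `dbus-user filter` rules from the first hunk have nothing to proxy. Confirm each removed entry is present in the include before merging.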
* | Update file.profile (rusty-snake, 2020-03-15)
| | * fix private-lib, closes #3233
| | * make private-etc and private-lib opt-in
| |   see https://github.com/netblue30/firejail/issues/3233#issuecomment-589871765
| | disable-devel.inc: remove duplicated line
* | allow ro access to .local/share/flatpak/exports (rusty-snake, 2020-03-15)
| | $PATH and $XDG_DATA_DIRS can contain subdirs of flatpak/exports, some applications crash if they can't access these files.
| | Layout on my system:
| | ~/.local/share/flatpak/exports
| | |-bin
| | |-share
| |   |-applications
| |   |-icons
* | improve the previous fix: don't remount FUSE without permission (smitsohu, 2020-03-14)
| | previous commit 3d35c039074cc11fbacf8de5bc8cb1a0952ceae4
| | issue #3277
* | tentative: don't remount FUSE without permission (smitsohu, 2020-03-14)
| | issue #3277
* | Merge pull request #3268 from smitsohu/remount (startx2017, 2020-03-13)
|\ \
| | | remount hardening: move to file descriptor based mounts
| * | fail if opening the resolved path fails (smitsohu, 2020-03-06)
| | |