Commit message [Author, Age]
* man: corrections regarding --private-FOO options [Jeff Squyres, 2021-04-20]
|   Commit 0.9.60-1070-g40d3604f updated the man pages with respect to --private-opt, --private-etc, and --private-srv. It was made after testing firejail 0.9.52 (from Ubuntu 18.04). However, it unfortunately did not accurately reflect the behavior of the current HEAD at the time, because commit 0.9.56-rc1-14-ga9242301 had previously slightly changed the behavior of these three options (after 0.9.52), and was released in 0.9.56. The man pages changes made in commit 40d3604f were therefore not entirely correct. This commit updates the man pages to describe the behavior as implemented in a9242301 (and is still the behavior as of the current HEAD: 0.9.64-737-g937815ba).
|   Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
* profile fixes [rusty-snake, 2021-04-20]
|   README.md/RELNOTES:
|   - Add new profiles
|   etr.profile:
|   - adding passwd to private-etc makes it work for me
|   file-roller.profile
|   - add netfilter
|   - add zstd to private-bin
|   - add cp,mv,rm to private-bin which seems to be necessary in some cases. #4113 is likely fixed with this but wait for OP.
* Update Librewolf profile and Add Sway profile (#4164) [Vladislav Nepogodin, 2021-04-19]
|   * Add Sway profile
|   * Fix issue Not working then including firefox-common-addons.profile
|   * Allow sway's fallback config
|   * So I agree with @glitsj16 and @BL4CKH47H4CK3R so.. `No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
|   * well.. Revert `include whitelist-usr-share-common.inc` Sync with Firefox profile
|   * 😄 What just happened
|   * 🔄 Sync with upstream
|   * Merge tested from PR
|   * 🔄 Sync with upstream
|   * Merge tested from PR
|   * Revert changes
|   * Add Sway profile
|   * Fix issue Not working then including firefox-common-addons.profile
|   * Allow sway's fallback config
|   * So I agree with @glitsj16 and @BL4CKH47H4CK3R so.. `No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
|   * 🔄 Rebase
|   * 😄 What just happened
|   * Merge tested from PR
|   * 🔄 Sync with upstream
|   * Merge tested from PR
|   * Revert changes
|   * Update
|   * Update librewolf.profile
|   Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|   Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* unblock tor support in brave (#4200) [glitsj16, 2021-04-18]
|   * opt-in for brave's native tor support
|   * fix brave's native tor support
|   * warn about potential tor breakage when using apparmor
|   * update comment for opting in to tor
|   * move brave's tor apparmor fix in brave.profile
* broaden support for pcre in private-lib [glitsj16, 2021-04-18]
|   Follow-up for https://github.com/netblue30/firejail/commit/692311bcc6fe0744d7831459ad7ec0bc5811b9a9. Thanks to @rusty-snake for tracking this down in #4202.
* broaden support for pcre in private-lib [glitsj16, 2021-04-17]
|   Fixes #4202 until we have tooling to generate system-specific lists at install time, as suggested by @loveshack.
* Add allow-bin-sh.inc to profile.template [rusty-snake, 2021-04-17]
|   [skip ci]
* Merge pull request #4196 from pholodniak/patch-1 [glitsj16, 2021-04-15]
|\
| |   profstats - fix printf for include globals
| * Update main.c [pholodniak, 2021-04-15]
|/
|   profstats - correct variable for include global
* add passwd to private-etc (#4193) [glitsj16, 2021-04-14]
|
* Create tmux.profile (#4188) [rusty-snake, 2021-04-14]
|   requested in #1139 by @vatonbero
* New profile: Quodlibet (#3983) [Bundy01, 2021-04-14]
|   * New profile: Quodlibet
|   * New profile: Quodlibet
* Fix export in apostrophe [rusty-snake, 2021-04-12]
|
* profile fixes [rusty-snake, 2021-04-12]
|   discord-canary.profile: fix #4175
|   flameshot.profile:
|   - private-tmp break flameshot (wayland only?)
|   - Screengrabbing (under wayland) is done via dbus, the following names must be allowed:
|     - GNOME: org.gnome.Shell
|     - KDE: org.kde.KWin
|     - Sway: org.freedesktop.portal.Desktop
|   - Allow notifications and tray too, because org.gnome.Shell (for example) is already totally unsafe.
|   mumble.profile: fix #4181
* Merge pull request #4180 from jose1711/readme_typo [Reiner Herrmann, 2021-04-11]
|\
| |   Fix typo (adivsory -> advisory)
| * Fix typo (adivsory -> advisory) [Jose Riha, 2021-04-10]
|/
* Fix typo (#4176) [Jose Riha, 2021-04-10]
|
* Merge pull request #4174 from Neo00001/master [Neo00001, 2021-04-09]
|\
| |   Minor Fixes
| * Minor Fixes [Neo00001, 2021-04-09]
|/
* fix comment typo [glitsj16, 2021-04-07]
|
* Merge pull request #4170 from matthew-cline/steam [Reiner Herrmann, 2021-04-07]
|\
| |   steam: some more games added
| * steam: also added paths to disable-programs.inc [Matthew Cline, 2021-04-05]
| |
| * steam: some more games added [Matthew Cline, 2021-04-05]
| |   Games added:
| |   * Don't Starve
| |   * Dungeons of Dredmor
| |   * Epic
| |   * Loop Hero
| |   * Pillars of Eternity I
| |   * Rogue Legacy I
| |   * Slay the Spire modding
| |   * Steam World Dig I & II
* | Fix #3783 -- Google Chrome (wayland ozone) is broken [rusty-snake, 2021-04-06]
| |
* | Merge pull request #4167 from tredondo/patch-7 [rusty-snake, 2021-04-06]
|\ \
| | |   WebStorm: allow Dolphin to access its config file
| * | WebStorm: allow Dolphin to access its config file [Ted Robertson, 2021-04-05]
| |/
* / Encourage making overrides in *.local files (#4165) [glitsj16, 2021-04-06]
|/
|   * refactor local override comments
* Merge pull request #4161 from glitsj16/signal-desktop [glitsj16, 2021-04-04]
|\
| |   allow notifications + comment fixes
| * drop some stuff based on discussion with @rusty-snake [glitsj16, 2021-04-04]
| |
| * allow notifications + comment fixes [glitsj16, 2021-04-04]
|/
* Merge pull request #4159 from vnepogodin/master [rusty-snake, 2021-04-04]
|\
| |   New profile: Librewolf Nightly
| * Add Librewolf Nightly profile [Vladislav Nepogodin, 2021-04-04]
|/
* Merge pull request #4155 from matthew-cline/dropbox-python3 [Reiner Herrmann, 2021-04-02]
|\
| |   dropbox: allow python3, fix for issue #4150
| * dropbox: allow python3, fix for issue #4150 [Matthew Cline, 2021-04-01]
|/
|   /usr/bin/dropbox needs access to python3, at least for dropbox command-line interface version 2020.03.04 as packaged by the RPM Fusion project.
|   Fixes issue #4150
* Merge pull request #4148 from glitsj16/master [glitsj16, 2021-03-31]
|\
| |   Improve comments in apparmor files
| * Add examples to allow running programs from specific home dir [glitsj16, 2021-03-30]
| |
| * Recommend doing overrides in local apparmor dir [glitsj16, 2021-03-30]
| |
* | Merge pull request #4149 from nolanl/master [rusty-snake, 2021-03-31]
|\ \
| |/
|/|   Add localtime to signal-desktop's profile.
| * Add localtime to signal-desktop's profile. [Nolan Leake, 2021-03-30]
|/
|   Without it, all chat timestamps are in UTC.
* Fixes (man: allow rustup; Books -> gnome-books) [rusty-snake, 2021-03-28]
|
* Improve issue template (#4141) [rusty-snake, 2021-03-25]
|   - Avoid confusing on "What changed calling the program by path"
|   - Checklist: Questions should be asked in discussions
* private-lib: trim ending slashes and dots [smitsohu, 2021-03-25]
|   Currently pathological endings like in /foo/bar/./. are mapped to RUN_LIB_DIR, with the effect that the mount is skipped because this directory always exists at this point in time. Even though it's harmless, it is wrong behaviour, so handle trailing slashes and dots before doing the mounts. Also avoids running into an assertion if there is a trailing slash. Plus few small cosmetic changes to make things more explicit.
* fix hardening comment [rusty-snake, 2021-03-24]
|   [skip ci]
* Merge pull request #4140 from glitsj16/follow-ups [glitsj16, 2021-03-24]
|\
| |   Follow up for #4126
| * fix hardening comment [glitsj16, 2021-03-24]
| |
| * fix network access comment [glitsj16, 2021-03-24]
|/
* Merge pull request #4126 from rusty-snake/better-renames [netblue30, 2021-03-24]
|\
| |   Rename chromium-common-hardened and feh-network …
| * Rename chromium-common-hardened and feh-network … [rusty-snake, 2021-03-21]
| |   …again
| |
| |   I am still not really happy about the rename from #4028, #4029, #4030 and #4031. I've no problem with moving away .inc but I don't like the result. So here's a proposal to make this better:
| |
| |   | NAME | DESCRIPTION |
| |   | ------------------------- | ------------------------------------------------------------ |
| |   | `*-addons.profile` | (include) Allow external addons |
| |   | `*-common.profile` | (include) Common parts across multiple profiles |
| |   | `*-hardened.inc.profile` | Further hardening which can not be made default |
| |   | `*-network.inc.profile` | Allow optional network access |
| |   | `*-whitelist.inc.profile` | Enabled whitelisting (which can not be made default) ¹ |
| |   | `*.inc.profile` | Other profile specific includes |
| |   | `*.profile` | A profile for a program |
| |   | `allow-*.inc` | Multiple `noblacklist`s that should always be used together |
| |   | `disable-*.inc` | `blacklist`ing |
| |   | `whitelist-*-common.inc` | common `whitelist`s |
| |   | `*.inc` | Other generic includes |
| |   | `globals.local` | User overrides for all profiles |
| |   | `*.local` | Per profile user overrides |
| |
| |   ¹ can be used for programs like KeePassXC or editors.
* | Merge pull request #4116 from Neo00001/master [netblue30, 2021-03-24]
|\ \
| | |   Update vmware.profile & dbus-policy for amarok
| * | Update amarok.profile [Neo00001, 2021-03-21]
| | |