| Commit message | Author | Age |
fixes e.g. --shell=none --seccomp.drop=write --seccomp-error-action=kill
1) close #3612
2) remove an implicit limitation on rlimit-fsize option
(could not set limit to smaller than 6 bytes without affecting
the ability to join a sandbox)
3) rename 'join-or-start' file to just 'join'
4) when waiting for a sandbox that is not fully configured yet,
increase polling frequency from 10 per second to 100 per second
closes #3356
closes #3584
issue #3568
... and don't fail hard without need if there is a FUSE mount
don't report success if read failed
This commit removes it from profiles which have it.
/usr/share/perl* is still inaccessible for profiles with wusc and
disable-interpreters.inc w/o allow-perl.inc.
* add ~/.uim.d directory to whitelist-common.inc
uim is a multilingual input method framework (similar to ibus, which has its own entry in this file).
* add /var/lib/uim to whitelist-var-common.inc
When a user installs a uim module (for example, an input method like anthy or mozc), it gets registered in a file in this directory.
hardening: run plugins with dumpable flag cleared
1) copy xauth binary into the sandbox and set mode to 0711, so it runs
with cleared dumpable flag for unprivileged users
2) run xauth in an sbox sandbox
3) generate Xauthority file in runtime directory instead of /tmp;
this way xauth is able to connect to the X11 socket even if the
abstract socket doesn't exist, for example because a new network
namespace was instantiated
the kernel clears the dumpable flag if a user has no read permission on an
executable and it is owned by another user; I omitted faudit, fbuilder and
ftee for now as they are not used to configure the sandbox itself, and as
this commit is going to complicate debugging efforts to some extent
cat option
/etc/apparmor.d/local/firejail.default - merge from 0.9.62.4
Allow video for Signal profile
Signal is adding support for video calls on desktop, see
https://signal.org/blog/desktop-calling-beta/
* Use whitelisting for video players
See https://github.com/netblue30/firejail/pull/3469
* Update media player whitelists
See reviews at https://github.com/netblue30/firejail/pull/3472
Block $DOCUMENTS
Make $DESKTOP read-only
* Review fixes: include read-only Desktop in whitelist
harden bandwidth command
add extra checks to defend against command injection (respective strings are controlled by Firejail, so this should be redundant and only for the paranoid), run shell in a minimal sandbox
'modules' can also be seen as a sub-directory, e.g.
./powerpc64le-linux-gnu/gio/modules/libgiolibproxy.so
On 32bit architectures like armhf, the output was "unlimited" instead
of the expected value.
On Ubuntu autopkgtest runs on armhf, /dev/zero creation fails.
The systemd service file ./systemd/system/sysinit.target.wants/systemd-modules-load.service
can exist which will lead to a match for "modules", though we are
only looking for the modules directory.