aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* tests: improve check for sound capabilities (#3929)Libravatar Reiner Herrmann2021-01-30
| | | Fixes: #3928
* Merge pull request #3885 from kmk3/fix-sshLibravatar glitsj162021-01-30
|\ | | | | ssh: Refactor, fix bugs & harden
| * disable-common.inc: add missing openssh pathsLibravatar Kelvin M. Klann2021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The paths are taken from ssh(1) and sshd(8). $ pacman -Q openssh openssh 8.4p1-2 These are only used by sshd(8), so always blacklist them: * ~/.rhosts: controls remote access to the local machine * ~/.shosts: same as above * ~/.ssh/authorized_keys: same as above * ~/.ssh/authorized_keys2: same as above * ~/.ssh/environment: potentially allows arbitrary command execution on the local machine * ~/.ssh/rc: allows arbitrary command execution on the local machine * /etc/hosts.equiv: system-wide equivalent of ~/.rhosts Note: There are files in /etc/ssh that are equivalent to some of the above ones, but they are already blocked by `blacklist /etc/ssh/*`. Note2: From sshd(8): > If the file ~/.ssh/rc exists, sh(1) runs it after reading the > environment files but before starting the user's shell or command. So even if the user shell is set to /usr/bin/firejail and disable-common.inc is loaded, this patch shouldn't interfere with sshd. This file is actually used by ssh(1), so just mark it read-only: * ~/.ssh/config: allows arbitrary command execution on the remote machine (with e.g.: RemoteCommand) and also defines the connection strength Since version 7.3p1 (released on 2016-08-01), openssh supports including other config files on ssh_config(5)[1][2]. This is the conventional path for storing them[3], so mark it read-only: * ~/.ssh/config.d: same as above P.S. See also the explanation on the commit b5542fc94 ("disable-common.inc: read-only access to ~/.ssh/authorized_keys"), which last touched/added the "Remote access" section. [1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37 [2]: https://www.openssh.com/txt/release-7.3 [3]: https://superuser.com/a/1142813
| * allow-ssh.inc: allow access to ssh-agent(1)Libravatar Kelvin M. Klann2021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Leaving it limited to only ssh, ssh-agent and seahorse by default seems unnecessarily restrictive. From ssh(1): > The most convenient way to use public key or certificate > authentication may be with an authentication agent. See ssh-agent(1) > and (optionally) the AddKeysToAgent directive in ssh_config(5) for > more information. $ pacman -Q openssh openssh 8.4p1-2 With ssh-agent(1) running in the background (and with the private key(s) loaded through ssh-add(1)), ssh(1) doesn't need direct access to the actual key pair(s), so you could probably get away with this on allow-ssh.local: ignore noblacklist ${HOME}/.ssh noblacklist ${HOME}/.ssh/config noblacklist ${HOME}/.ssh/config.d noblacklist ${HOME}/.ssh/known_hosts And then this on the profiles of ssh key pair managers, such as seahorse.local: noblacklist ${HOME}/.ssh
| * ssh: deny access to the rest of /etc/ssh/*Libravatar Kelvin M. Klann2021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that is used by ssh(1). The other paths are only used by sshd(8), so stop allowing them on ssh.profile and ssh-agent.profile. Path examples from sshd(8): * /etc/ssh/moduli * /etc/ssh/ssh_host_ecdsa_key * /etc/ssh/ssh_host_ecdsa_key.pub * /etc/ssh/ssh_known_hosts * /etc/ssh/sshd_config * /etc/ssh/sshrc $ pacman -Q openssh openssh 8.4p1-2
| * allow-ssh.inc: allow /etc/ssh/ssh_configLibravatar Kelvin M. Klann2021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is the system-wide equivalent of ~/.ssh/config. $ pacman -Q openssh openssh 8.4p1-2 Reasons for blacklisting both /etc/ssh and /etc/ssh/* on disable-common.inc: Leave /etc/ssh that way so that profiles without allow-ssh.inc remain unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that profiles with allow-ssh.inc are able to access only nonblacklisted files inside of /etc/ssh.
| * etc: add allow-ssh.incLibravatar Kelvin M. Klann2021-01-27
| | | | | | | | | | | | | | | | | | | | | | And move the scattered `noblacklist ${HOME}/.ssh` entries into it. Command used to find the relevant files: $ grep -Fnr 'noblacklist ${HOME}/.ssh' etc Also, add it to profile.template, as reminded by @rusty-snake at https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
| * git-cola.profile: add missing python template commentLibravatar Kelvin M. Klann2021-01-27
| | | | | | | | See etc/templates/profile.template.
| * ssh: move auth socket blacklist to disable-common.incLibravatar Kelvin M. Klann2021-01-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | That was added on the commit e93fbf3bd ("disable ssh-agent sockets in disable-programs.inc"). Currently, it's the only ssh-related entry on disable-programs.inc. Further, it seems that all the other socket blacklists live on disable-common.inc. Also, even though this socket does not necessarily allow arbitrary command execution on the local machine (like some paths on disable-common.inc do), it could still do so for remote systems. Put it above the "top secret" section, like the terminal sockets are above the terminal server section.
* | Fix #3925 -- telegram-desktop launch browser for …Libravatar rusty-snake2021-01-29
| | | | | | | | …open URL (after update to 0.9.64.2)
* | Add gfeeds directory for saved articlesLibravatar rusty-snake2021-01-29
| |
* | Merge pull request #3897 from nidamanx/patch-1Libravatar rusty-snake2021-01-28
|\ \ | | | | | | Update telegram.profile
| * | Profile ordering/sorting as in profile.templateLibravatar Nicola Davide Mannarelli2021-01-25
| | |
| * | Enhance securityLibravatar Nicola Davide Mannarelli2021-01-25
| | |
| * | Update telegram.profileLibravatar Nicola Davide Mannarelli2021-01-17
| | | | | | | | | Optimized "include whitelist-common.inc"
| * | Update telegram.profileLibravatar Nicola Davide Mannarelli2021-01-17
| | | | | | | | | Allow Telegram ONLY in .TelegramDesktop, .local/share/TelegramDesktop and Downloads
* | | add extensive comment on sandboxing google-earth-pro (#3923)Libravatar glitsj162021-01-28
| | |
* | | streamline 'Allow xxx' comments (#3922)Libravatar glitsj162021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * add comment: allow python * add comment: allow python * reorder allow comments * fix perl allow comment * add comment: allow python * add comment: allow lua, perl & python * reorder allow comments * add comment: allow python * add comment: allow python * add comment: allow lua, perl & python * fix allow comments * add comment: allow python * add comment: allow python * fix spacing in comments * add comment: allow python * add comment: allow python * fix comment * add comment: allow perl & python * add comment: allow lua & python * add comment: allow lua, perl & python * fix allow comments * add comment: allow perl & python * streamline allow python comments
* | | readme.mdLibravatar netblue302021-01-27
|\ \ \
| * | | revert #3920 (#3921)Libravatar glitsj162021-01-27
| | | | | | | | | | | | | | | | | | | | * revert #3920 * revert #3920
| * | | remove noblacklist without blacklist (#3920)Libravatar glitsj162021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * remove noblacklist without blacklist in aosp ${HOME}/.bash_history is not blacklisted anywhere. Hence a noblacklist doesn't make sense here. * remove noblacklist without blacklist in gnome-builder ${HOME}/.bash_history is not blacklisted anywhere. Hence a noblacklist doesn't make sense here.
* | | | back to 0.9.65; rel 0.9.64.2 moved on a different branch, out in the next ↵Libravatar netblue302021-01-27
|/ / / | | | | | | | | | two days
* | | rel 0.9.64.2 testing - make test-compileLibravatar netblue302021-01-26
| | |
* | | rel 0.9.24.2 testingLibravatar netblue302021-01-26
| | |
* | | release 0.9.64.2 testingLibravatar netblue302021-01-26
| | |
* | | merge/readme updateLibravatar netblue302021-01-25
| | |
* | | Merge pull request #3853 from botherder/masterLibravatar netblue302021-01-25
|\ \ \ | | | | | | | | New profile for CoyIM
| * | | Added additional whitelistsLibravatar Nex2021-01-06
| | | |
| * | | Implementing some of the suggested changes from #3853Libravatar Nex2020-12-29
| | | |
| * | | Added some more restrictions to coyim profileLibravatar Nex2020-12-29
| | | |
| * | | Added first profile for coyimLibravatar Nex2020-12-29
| | | |
* | | | Merge pull request #3899 from rootalc/nolocal6Libravatar netblue302021-01-25
|\ \ \ \ | | | | | | | | | | Create nolocal6.net
| * | | | Create nolocal6.netLibravatar rootalc2021-01-18
| | |/ / | |/| |
* | | | Merge pull request #3918 from Neo00001/masterLibravatar netblue302021-01-25
|\ \ \ \ | | | | | | | | | | Add profile for kdiff3
| * | | | Update kdiff3.profileLibravatar Neo000012021-01-24
| | | | |
| * | | | Create kdiff3.profileLibravatar Neo000012021-01-24
| | | | |
| * | | | Update firecfg.configLibravatar Neo000012021-01-24
| | | | |
| * | | | Update disable-programs.incLibravatar Neo000012021-01-24
| | | | |
* | | | | fix #3914Libravatar netblue302021-01-24
| | | | |
* | | | | profstatsLibravatar netblue302021-01-24
|/ / / /
* | | | Update vmware.profile (#3913)Libravatar Neo000012021-01-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * Update vmware.profile `private-etc` can be uncommented. * Update vmware.profile
* | | | misc comment fixes (#3916)Libravatar glitsj162021-01-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * fix comment in blackbox.profile * fix comment in fluxbox.profile * fix comment in i3.profile * fix comment in krunner.profile * fix comment in openbox.profile
* | | | refactor google-earth{-pro} (#3915)Libravatar glitsj162021-01-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refactor google-earth{-pro} blacklisting * fix google-earth-pro.profile I've included all binaries found in the Arch Linux AUR package to private-bin. But I also added a note on ignoring private-bin because I'm not sure what google-earth is doing on other distro's. * unbreak google-earth.profile Not sure why we need grep, ls and sed in private-bin exactly but keeping them around wouldn't hurt too much I guess.
* | | | Update bibletime.profile, add new whitelist (#3908)Libravatar hhzek00142021-01-22
| | | | | | | | | | | | | | | | | | | | | | | | To solve issue#3907, doc directory of the bibletime has to be whitelisted. Otherwise, it always fails to start. Co-authored-by: hhnb <hhnb@nanenient.cc>
* | | | refactoringLibravatar smitsohu2021-01-20
| | | |
* | | | Merge pull request #3900 from smitsohu/privatelibLibravatar smitsohu2021-01-20
|\ \ \ \ | | | | | | | | | | Add $PATH expansion to private-lib
| * | | | private-lib: search executables in $PATHLibravatar smitsohu2021-01-20
| | | | |
* | | | | Merge pull request #3903 from smitsohu/privatelib3Libravatar smitsohu2021-01-20
|\ \ \ \ \ | | | | | | | | | | | | private-lib: add new timetrace
| * | | | | private-lib: add timetrace for Firejail librariesLibravatar smitsohu2021-01-18
| |/ / / /
* | | | | misc fcopy fixesLibravatar smitsohu2021-01-20
| | | | |
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-09-19 19:20:24 +0000