aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
...
| * | | | | lutris.profile: allow more syscallsLibravatar duevo2023-11-01
| | |_|_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Need to whitelist `ptrace` and `clone3` for Ubisoft Connect to work. journalctl did list `process_vm_readv` when a game was running, but it didn't crash the game. Fixes #6035.
* | | | | Merge pull request #6066 from nutta-git/patch-1Libravatar netblue302023-11-24
|\ \ \ \ \ | | | | | | | | | | | | steam.profile: allow process_vm_readv syscall
| * | | | | steam.profile: allow process_vm_readv syscallLibravatar duevo2023-10-31
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | EA Origin (game launcher) won't launch without this. See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159
* | | | | Merge pull request #5957 from gerasiov/fcopy-fix-size-calculationLibravatar netblue302023-11-24
|\ \ \ \ \ | | | | | | | | | | | | fcopy: Use lstat when copy directory.
| * | | | | fcopy: Use lstat when copy directory.Libravatar Alexander Gerasiov2023-08-14
| | | | | | | | | | | | | | | | | | | | | | | | When copying directories use lstat when reading info about source files.
* | | | | | Fix displaying of large file sizes. (#6086)Libravatar Dmitriy Chestnykh2023-11-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The most generic way is to use `intmax_t` because we dont't know what is the "parent" type of `off_t`. This fixes https://github.com/netblue30/firejail/issues/5982 .
* | | | | | build(deps): bump step-security/harden-runner from 2.6.0 to 2.6.1Libravatar dependabot[bot]2023-11-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.0 to 2.6.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/1b05615854632b887b69ae1be8cbefe72d3ae423...eb238b55efaa70779f274895e782ed17c84f2895) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | | | | build(deps): bump github/codeql-action from 2.22.5 to 2.22.7Libravatar dependabot[bot]2023-11-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.5 to 2.22.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/74483a38d39275f33fcff5f35b679b5ca4a26a99...66b90a5db151a8042fa97405c6cf843bbe433f7b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | | | | profiles: whitelist alternative data directory for tesseractLibravatar Reiner Herrmann2023-11-18
| |_|_|/ / |/| | | | | | | | | | | | | | on Debian the data is in /usr/share/tesseract-ocr/
* | | | | New profile: tiny-rdm (#6083)Libravatar glitsj162023-11-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * disable-programs.inc: add support for tiny-rdm * Create tiny-rdm.profile * firecfg.config: add support for tiny-rdm
* | | | | clamtk: fix scanning (#6074)Libravatar glitsj162023-11-02
| | | | |
* | | | | freshclam: fix .local include (#6075)Libravatar glitsj162023-11-02
| | | | |
* | | | | build(deps): bump github/codeql-action from 2.22.4 to 2.22.5Libravatar dependabot[bot]2023-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.4 to 2.22.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/49abf0ba24d0b7953cb586944e918a0b92074c80...74483a38d39275f33fcff5f35b679b5ca4a26a99) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | | | ci: run printenv.sh on codespell.ymlLibravatar Kelvin M. Klann2023-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It's the only workflow missing it. See commit 339d395fb ("ci: print env-related settings in each job", 2023-04-22) / PR #5802.
* | | | | discord.profile: allow /usr/share/discord (#6072)Libravatar veloute2023-10-29
| |_|/ / |/| | | | | | | | | | | | | | | | | | | | | | | discord_arch_electron[1] stores its files in /usr/share/discord, rather than the usual /opt/discord. [1] https://aur.archlinux.org/packages/discord_arch_electron
* | | | sort.py: fix missing/duplicated commands in usageLibravatar Kelvin M. Klann2023-10-25
| | | |
* | | | profiles: Extend node stack support for pnpm (#6063)Libravatar glitsj162023-10-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * nodejs-common: add pnpm support * disable-programs.inc: add pnpm support * Create pnpm.profile * Create pnpx.profile
* | | | Merge pull request #6064 from kmk3/profiles-dedup-dc-dpLibravatar Kelvin M. Klann2023-10-24
|\ \ \ \ | |_|/ / |/| | | disable-programs.inc: remove duplicated entries
| * | | disable-programs.inc: remove duplicated entriesLibravatar Kelvin M. Klann2023-10-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | They are already present in disable-common.inc. Added in the following commits: * 6bf6d5ed5 ("updated program files", 2016-12-02) / PR #951 * 49280197c ("various hardening (#3394)", 2020-05-02) * 2e2c2327f ("profiles: support more msmtp configuration paths (#6060)", 2023-10-22) Misc: This was noticed on PR #6060.
| * | | profiles: centralize gnome-boxes blacklisting in dcLibravatar Kelvin M. Klann2023-10-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | They are currently spread over disable-common.inc and disable-programs.inc. Added on commit 6f7ab41e4 ("blacklist gnome-boxes user files (VM-Images)", 2019-10-13) and commit 49280197c ("various hardening (#3394)", 2020-05-02).
* | | | enabled nettraces by default in the main build - you would need to be root ↵landlock-splitLibravatar netblue302023-10-24
| | | | | | | | | | | | | | | | to run these options
* | | | build(deps): bump github/codeql-action from 2.22.3 to 2.22.4Libravatar dependabot[bot]2023-10-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.3 to 2.22.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0116bc2df50751f9724a2e35ef1f24d22f90e4e1...49abf0ba24d0b7953cb586944e918a0b92074c80) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | | build(deps): bump actions/checkout from 4.1.0 to 4.1.1Libravatar dependabot[bot]2023-10-23
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | profiles: support more msmtp configuration paths (#6060)Libravatar glitsj162023-10-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since version 1.8.6 msmtp supports per-user configuration at either ~/.msmtprc (already supported by firejail) or `$XDG_CONFIG_HOME/msmtp/config`. System-wide support can be placed at /etc/msmtprc. This adds the missing paths to the relevant .inc and .profile files. Note that `blacklist ${HOME}/.msmtprc` is present on both disable-common.inc and disable-programs.inc, so the new paths are added to both files. References: https://wiki.archlinux.org/title/Msmtp#Basic_setup https://marlam.de/msmtp/msmtp.html#Configuration-files
* | | contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6059)Libravatar mammo02023-10-22
| | | | | | | | | | | | | | | | | | | | | | | | The `mimetypes` property contains the section `text/plain`. This causes for example the Gnome Editor to recognize every simple text file as a firejail profile file. See this issue: https://gitlab.gnome.org/GNOME/gnome-text-editor/-/issues/612 Fixes #6057.
* | | RELNOTES: reword profiles itemLibravatar Kelvin M. Klann2023-10-22
| | | | | | | | | | | | | | | | | | For extra clarity. Relates to #5987.
* | | RELNOTES: add profile itemsLibravatar Kelvin M. Klann2023-10-18
| | | | | | | | | | | | | | | | | | | | | | | | These profile-related changes seem significant enough to warrant entries, as #6021 adds some guidance on the use of private-opt and #5987 standardizes the format of commented code in all profiles. Relates to #5987 #6021.
* | | RELNOTES: add ci itemLibravatar Kelvin M. Klann2023-10-18
| | | | | | | | | | | | Relates to #6026.
* | | profiles: exchange private-opt with a whitelist (#6021)Libravatar glitsj162023-10-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * profiles: drop private-opt (existing whitelist) * profiles: replace private-opt with whitelist In most profiles. Kept private-opt for enpass (~85MB), mate-dictionary (<20MB), minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't check: xmr-stak. * docs: note potential issues with private-opt
* | | steam.profile: Allow Baba Is You (#6054)Libravatar Frostbyte46642023-10-16
| | |
* | | build(deps): bump github/codeql-action from 2.22.0 to 2.22.3Libravatar dependabot[bot]2023-10-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.0 to 2.22.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2cb752a87e96af96708ab57187ab6372ee1973ab...0116bc2df50751f9724a2e35ef1f24d22f90e4e1) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* | | ssmtp: allow (SUID) binary (#6052)Libravatar glitsj162023-10-15
| | |
* | | disable-common.inc: more SUID binaries (#6051)Libravatar glitsj162023-10-15
| | |
* | | Merge pull request #6049 from kmk3/dc-add-more-suidLibravatar Kelvin M. Klann2023-10-15
|\ \ \ | | | | | | | | disable-common.inc: add more suid programs
| * | | disable-common.inc: add more suid programsLibravatar Kelvin M. Klann2023-10-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Programs: $ pacman -Qo fusermount3 groupmems mount.cifs wall write /usr/bin/fusermount3 is owned by fuse3 3.16.1-1 /usr/bin/groupmems is owned by shadow 4.14.0-4 /usr/bin/mount.cifs is owned by cifs-utils 7.0-3 /usr/bin/wall is owned by util-linux 2.39.2-1 /usr/bin/write is owned by util-linux 2.39.2-1
| * | | disable-common.inc: sort suid sectionLibravatar Kelvin M. Klann2023-10-11
|/ / /
* | | pavucontrol-qt: fix broken whitelisting in ${HOME} (#6045)Libravatar glitsj162023-10-09
| | |
* | | build(deps): bump github/codeql-action from 2.21.9 to 2.22.0Libravatar dependabot[bot]2023-10-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.9 to 2.22.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ddccb873888234080b77e9bc2d4764d5ccaaccf9...2cb752a87e96af96708ab57187ab6372ee1973ab) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* | | build(deps): bump step-security/harden-runner from 2.5.1 to 2.6.0Libravatar dependabot[bot]2023-10-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/8ca2b8b2ece13480cda6dacd3511b49857a23c09...1b05615854632b887b69ae1be8cbefe72d3ae423) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* | | tshark: CLI hardening (#6040)Libravatar glitsj162023-10-07
| | |
* | | New profile: termshark (#6039)Libravatar glitsj162023-10-07
| | | | | | | | | | | | | | | | | | | | | * Create termshark.profile * firecfg.config: add termshark support * termshark: CLI hardening
* | | wireshark: fix access to dumpcap (#6038)Libravatar glitsj162023-10-07
| | |
* | | nicotine: allow sound notifications (#6037)Libravatar glitsj162023-10-07
| | |
* | | nicotine: support Fcitx and dconf via dbus-user filter (#6036)Libravatar glu87162023-10-07
| | | | | | | | | | | | | | | * Update nicotine.profile * dbus.user set to filter
* | | Merge pull request #6009 from jtrv/tidal-hifiLibravatar netblue302023-10-05
|\ \ \ | | | | | | | | New profile: tidal-hifi
| * | | New profile: tidal-hifi (#6008)Libravatar jtrv2023-09-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | modified src/firecfg/firecfg.config to add tidal-hifi created etc/profile-m-z/tidal-hifi.profile closes: #6008 Apply suggestions from code review Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* | | | Merge pull request #6026 from kmk3/ci-allow-manual-runLibravatar netblue302023-10-05
|\ \ \ \ | | | | | | | | | | ci: allow running workflows manually
| * | | | ci: allow running workflows manuallyLibravatar Kelvin M. Klann2023-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add `on.workflow_dispatch`. See: * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatch * https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
* | | | | Merge pull request #6030 from glitsj16/np-floorpLibravatar netblue302023-10-05
|\ \ \ \ \ | | | | | | | | | | | | New profile: floorp
| * | | | | disable-programs.inc: fix sortingLibravatar glitsj162023-10-02
| | | | | |
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-08 08:25:52 +0000