aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* wusc whitelists /usr/share/perl{,5} nowLibravatar rusty-snake2020-08-25
| | | | | | | This commit removes it from profile which have it. /usr/share/perl* is still inaccessible for profiles with wusc and disable-interpreters.inc w/o allow-perl.inc.
* add whitelist items for uim (#3587)Libravatar Anton Shestakov2020-08-24
| | | | | | | | | * add ~/.uim.d directory to whitelist-common.inc uim is a multilingual input method framework (similar to ibus, which has its own entry in this file). * add /var/lib/uim to whitelist-var-common.inc When user installs an uim module (for example, an input method like anthy or mozc), it gets registered in a file in this directory.
* fix --join for sandboxes with xdg-dbuss-proxyLibravatar netblue302020-08-22
|
* firemon fix for xdg-bus-proxyLibravatar netblue302020-08-22
|
* minor cleanup: move pid functions from main.c to util.cLibravatar netblue302020-08-22
|
* Merge branch 'master' of https://github.com/netblue30/firejailLibravatar netblue302020-08-22
|\
| * Merge pull request #3572 from smitsohu/dumpableLibravatar netblue302020-08-22
| |\ | | | | | | hardening: run plugins with dumpable flag cleared
| | * cleanupLibravatar smitsohu2020-08-17
| | |
| | * add dumpable warningsLibravatar smitsohu2020-08-17
| | |
| | * various x11 xorg enhancementsLibravatar smitsohu2020-08-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1) copy xauth binary into the sandbox and set mode to 0711, so it runs with cleared dumpable flag for unprivileged users 2) run xauth in an sbox sandbox 3) generate Xauthority file in runtime directory instead of /tmp; this way xauth is able to connect to the X11 socket even if the abstract socket doesn't exist, for example because a new network namespace was instantiated
| | * hardening: run plugins with dumpable flag clearedLibravatar smitsohu2020-08-17
| | | | | | | | | | | | | | | | | | | | | the kernel clears the dumpable flag if a user has no read permission on an executable and it is owned by another user; I omitted faudit, fbuilder and ftee for now as they are not used to configure the sandbox itself, and as this commit is going to complicate debugging efforts to some extent
| * | Merge pull request #3594 from smitsohu/lsLibravatar netblue302020-08-22
| |\ \ | | | | | | | | cat option
| | * | harden cat optionLibravatar smitsohu2020-08-20
| | | |
| | * | Merge branch 'master' into lsLibravatar smitsohu2020-08-19
| | |\ \
| | * | | cat optionLibravatar smitsohu2020-08-19
| | | | |
| | * | | drop system(3) calls from sandbox.cLibravatar smitsohu2020-08-19
| | | | |
| | * | | refactor ls.c and prepare for new --cat optionLibravatar smitsohu2020-08-19
| | | |/ | | |/|
* | / | cleaning up POSTMORTEM codeLibravatar netblue302020-08-22
|/ / /
* | / renamed /etc/apparmor.d/local/firejail-local to ↵Libravatar netblue302020-08-22
| |/ |/| | | | | /etc/apparmor.d/local/firejail.default - merge form 0.9.62.4
* | Merge pull request #3592 from onovy/signal-audio-videoLibravatar Fred Barclay2020-08-18
|\ \ | | | | | | Allow video for Signal profile
| * | Allow video for Signal profile.Libravatar Ondřej Nový2020-08-17
| | | | | | | | | | | | | | | Signal is adding support for video calls on desktop, see https://signal.org/blog/desktop-calling-beta/
* | | tests: fix formatting in rlimit testsLibravatar Reiner Herrmann2020-08-18
|/ /
* | Fix missing mkfile in 5d741795c3bb2060730e282a8f512b999418e098Libravatar Fred Barclay2020-08-16
| |
* | Use whitelisting for video players (#3472)Libravatar Fred Barclay2020-08-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Use whitelisting for video players See https://github.com/netblue30/firejail/pull/3469 * Update media player whitelists See reviews at https://github.com/netblue30/firejail/pull/3472 Block $DOCUMENTS Make $DESKTOP read-only * Review fixes: include read-only Desktop in whitelist
* | Merge pull request #3559 from smitsohu/smitsohu-bandwidthLibravatar smitsohu2020-08-14
|\ \ | | | | | | harden bandwidth command
| * | harden bandwidth commandLibravatar smitsohu2020-07-14
| | | | | | | | | add extra checks to defend against command injection (respective strings are controlled by Firejail, so this should be redundant and only for the paranoid), run shell in a minimal sandbox
* | | tests: fix check for modules directoryLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | | | | 'modules' can also be seen as a sub-directory, e.g. ./powerpc64le-linux-gnu/gio/modules/libgiolibproxy.so
* | | tests: fix rlimit test for 32bit archsLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | | | | On 32bit architectures like armhf, the output was "unlimited" instead of the expected value.
* | | print errno if char device creation failsLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | on Ubuntu autopkgtest runs on armhf, /dev/zero creation fails.
* | | tests: fix false-positive match on modulesLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | | | | | | | The systemd service file ./systemd/system/sysinit.target.wants/systemd-modules-load.service can exist which will lead to a match for "modules", though we are only looking for the modules directory.
* | | Merge pull request #3583 from kortewegdevries/fixnomacsLibravatar Fred Barclay2020-08-13
|\ \ \ | | | | | | | | Fix nomacs
| * | | Fix nomacsLibravatar kortewegdevries2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ``` Aug 11 16:32:32 korte audit[29004]: SECCOMP auid=1000 uid=1000 gid=1000 ses=2 subj==firejail-default (enforce) pid=29004 comm="nomacs" exe="/usr/bin/nomacs" sig=31 arch=c000003e syscall=9 compat=0 ip=0x7fa2a1cc98c6 code=0x0 ```
* | | | shutdown option hidepid fixLibravatar smitsohu2020-08-13
| | | |
* | | | Merge pull request #3573 from dandelionred/masterLibravatar startx20172020-08-12
|\ \ \ \ | | | | | | | | | | mkdeb.sh should not use files outside $CODE_DIR
| * | | | mkdeb.sh should not use files outside $CODE_DIRLibravatar dandelionred2020-08-07
| | |_|/ | |/| |
* | | | Merge pull request #3569 from topimiettinen/seccomp-logLibravatar startx20172020-08-12
|\ \ \ \ | | | | | | | | | | seccomp: logging
| * | | | seccomp: loggingLibravatar Topi Miettinen2020-08-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow `log` as an alternative seccomp error action instead of killing or returning an errno code. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* | | | | Added youtube-viewer profile with Gtk frontends (#3542)Libravatar kortewegdevries2020-08-11
| |_|/ / |/| | | | | | | | | | | | | | | Initial,amend: wrong dir,delete gtk-*,added new files Co-authored-by: kortewegdevries <k0rtic_dv@aol.com>
* | | | chroot: expose x11 session if FIREJAIL_CHROOT_X11 is setLibravatar smitsohu2020-08-10
| | | | | | | | | | | | | | | | add check so that environment variable FIREJAIL_CHROOT_X11 can be used to mount /tmp/.X11-unix into the chroot; issue #3568
* | | | mount sandbox lib directory ro,nosuid,nodevLibravatar smitsohu2020-08-08
| | | |
* | | | fix for older compilers (gcc 4.9.2, Debian 8)Libravatar netblue302020-08-08
| | | |
* | | | annotate some functions as non-returning (#3574)Libravatar Reiner Herrmann2020-08-08
| | | |
* | | | update release notesLibravatar Reiner Herrmann2020-08-08
| |/ / |/| |
* | | firejail: don't pass command line through shell when redirecting outputLibravatar Reiner Herrmann2020-08-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When redirecting output via --output or --output-stderr, firejail was concatenating all command line arguments into a single string that was passed to a shell. As the arguments were no longer escaped, the shell was able to interpret them. Someone who has control over the command line arguments of the sandboxed application could use this to run arbitrary other commands. Instead of passing it through a shell for piping the output to ftee, the pipeline is now manually created and the processes are executed directly. Fixes: CVE-2020-17368 Reported-by: Tim Starling <tstarling@wikimedia.org>
* | | firejail: don't interpret output arguments after end-of-options tagLibravatar Reiner Herrmann2020-08-06
|/ / | | | | | | | | | | | | | | | | | | | | Firejail was parsing --output and --output-stderr options even after the end-of-options separator ("--"), which would allow someone who has control over command line options of the sandboxed application, to write data to a specified file. Fixes: CVE-2020-17367 Reported-by: Tim Starling <tstarling@wikimedia.org>
* | Support to ingore a include foobar.incLibravatar rusty-snake2020-08-04
| | | | | | | | closes #1139
* | Add profile for otter-browser (#3564)Libravatar kortewegdevries2020-08-04
| | | | | | | | | | | | | | * Add profile for otter-browser Initial * private-bin,sorting
* | don't run with closed standard streamsLibravatar smitsohu2020-08-03
| | | | | | | | | | | | Ensure that all standard streams are open and we don't inadvertently print to files opened for a different reason; in general we can expect glibc to take care of this, but it doesn't cover the case where a sandbox is started by root. The added code also serves as a fallback. Unrelated: For what it's worth, shift umask call closer to main start, so it runs before lowering privileges and before anything can really go wrong.
* | Remove unused dummy source fileLibravatar Reiner Herrmann2020-08-01
| |
* | fix ordering in vmware.profileLibravatar glitsj162020-07-31
| |
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-03 05:08:59 +0000