aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
...
* | drop newline in cower.profileLibravatar glitsj162020-11-23
| |
* | disable mdweLibravatar glitsj162020-11-23
| |
* | harden xfce4-mixer.profileLibravatar glitsj162020-11-23
| |
* | Merge pull request #3766 from kris7t/runuser-fixesLibravatar netblue302020-11-22
|\ \ | | | | | | Miscellaneous whitelist-runuser-common fixes
| * | Whitelist wayland-1 socketLibravatar Kristóf Marussy2020-11-22
| | | | | | | | | | | | | | | | | | If the GDM display manager runs with Wayland support, and it starts a desktop environment other than (?) GNOME, the desktop environment will use the `wayland-1` socket instead of the `wayland-0` socket.
| * | Fix typo in thunderbird.profileLibravatar Kristóf Marussy2020-11-22
| | | | | | | | | | | | | | | We must ignore include `whitelist-runuser-common.profile`, because it breaks Enigmail (TB 68) and GnuPG smartcard (TB 78) support.
* | | Merge pull request #3762 from smitsohu/smitsohu-private-cacheLibravatar netblue302020-11-22
|\ \ \ | | | | | | | | reimplement --private-cache using --tmpfs
| * | | reimplement --private-cache using --tmpfsLibravatar smitsohu2020-11-20
| | | |
* | | | Merge pull request #3752 from smitsohu/smitsohu-get-to-catLibravatar netblue302020-11-22
|\ \ \ \ | | | | | | | | | | reimplement --get using --cat
| * | | | reimplement --get using --catLibravatar smitsohu2020-11-18
| | | | |
* | | | | drop deprecated pathLibravatar glitsj162020-11-22
| |_|/ / |/| | | | | | | Cfr. https://github.com/netblue30/firejail/pull/3517#issuecomment-664715880: element-desktop no longer uses ${HOME}/.config/Element (Riot).
* | | | minetest: Enable rm (#3764)Libravatar Liorst42020-11-21
| | | | | | | | | | | | rm is needed to uninstall mods and delete game saves (worlds).
* | | | various profilesLibravatar rusty-snake2020-11-20
| |/ / |/| | | | | | | | | | | | | | - disable-common: read-only ${HOME}/.zfunc - fix #3761 -- w3m with w3m-img installed does not display images when on virtual console/framebuffer - yelp can be used to display manpages
* | | tmpfs testingLibravatar smitsohu2020-11-19
| | |
* | | tmpfs testingLibravatar smitsohu2020-11-19
| | |
* | | add macro, globbing support to --tmpfs optionLibravatar smitsohu2020-11-19
| | |
* | | Merge pull request #3746 from netblue30/private-lib-fcopyLibravatar Reiner Herrmann2020-11-18
|\ \ \ | | | | | | | | install libraries needed by fcopy when using private-lib
| * | | ci: test also transmission profileLibravatar Reiner Herrmann2020-11-12
| | | |
| * | | install libraries needed by fcopy when using private-libLibravatar Reiner Herrmann2020-11-12
| | | | | | | | | | | | | | | | Fixes #3741
* | | | Add profile for straw-viewer (#3742)Libravatar kortewegdevries2020-11-18
| | | | | | | | | | | | | | | | | | | | * Add profile for straw-viewer * Remove blacklist, fixes
* | | | Merge pull request #3757 from rusty-snake/overrides2upstreamLibravatar rusty-snake2020-11-17
|\ \ \ \ | | | | | | | | | | from my overrides
| * | | | from my overridesLibravatar rusty-snake2020-11-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - add seccomp.block-secondary to a lot profiles - add wruc to firefox-common and ignore it in TB and firefox-common-addons - harden dia, gnome-keyring, libreoffice, megaglest, pngquant, ghostwriter, rhythmbox, sqlitebrowser
* | | | | document protocol=bluetoothLibravatar rusty-snake2020-11-16
| |_|_|/ |/| | |
* | | | add read-only items for ksh and mkshLibravatar glitsj162020-11-14
| | | | | | | | | | | | Follow-up from discussion in https://github.com/netblue30/firejail/pull/3751.
* | | | Merge pull request #3751 from Ypnose/masterLibravatar rusty-snake2020-11-14
|\ \ \ \ | | | | | | | | | | disable-shell.inc: add mksh shell
| * | | | disable-shell.inc: add mksh shellLibravatar Ypnose2020-11-14
|/ / / /
* / / / Dbus fixes (#3750)Libravatar glitsj162020-11-13
|/ / / | | | | | | | | | | | | * add dbus comment * disable dbus
* | | Add XAUTHORITY file of sddm from openSUSE Tumblew…Libravatar rusty-snake2020-11-13
| | | | | | | | | | | | …eed to wruc
* | | add gvfs-metadata to disable-common.incLibravatar Tad2020-11-13
| | | | | | | | | | | | - this might need to be looked into
* | | fix dbusLibravatar glitsj162020-11-12
|/ / | | | | At least on Ubuntu 16.04 LTS we need an additional own.
* | minetest.profile: whitelist /usr/share/games/minetest (#3740)Libravatar Davide Beatrici2020-11-11
| | | | | | It's the path to the game's data in the official Debian package.
* | update konsole/plasma blacklistLibravatar smitsohu2020-11-11
| |
* | adding /dev/mqueue to disable-exec.incLibravatar smitsohu2020-11-11
| |
* | add alsa/group to private-etcLibravatar glitsj162020-11-10
| | | | | | fix for #3737.
* | fix #3736Libravatar glitsj162020-11-10
| | | | | | Added ${HOME}/.alsaequal.bin to fix #3736
* | fixes, closes, enhances, improvements, and so onLibravatar rusty-snake2020-11-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - .github/ISSUE_TEMPLATE/bug_report.md: get ride off spanish, french, ... error messages - etc/inc/firefox-common-addons.inc: support ff2mpv - etc/profile-a-l/gimp.profile: note about xsane - etc/profile-m-z/min.profile: prettify - etc/profile-m-z/mpsyt.profile: fix, add lua - etc/profile-m-z/qbittorrent.profile: add note for tray-icons; this will get a better note once I investigated and audited all the D-Bus tray stuff. - etc/profile-m-z/transmission-daemon.profile: fix, add protocol packet close #3686 - mps-youtube needs lua close #3701 - Firefox native messaging regression in 0.9.62.4 -> 0.9.64rc1 close #3636 - transmission-daemon fills log with error close #3640 - Gimp - add note how to enable scanning (xsane) close #3707 - qBittorrent tray icon missing from notification panel when running it with firejail
* | disable private-etc in zoom, close #3726Libravatar rusty-snake2020-11-09
| |
* | fix min.profileLibravatar glitsj162020-11-09
| | | | | | As per https://github.com/netblue30/firejail/pull/3688#discussion_r511290714 min needs wusc. Runs fine with wruc too so let's fix min for users.
* | rework chromium (#3688)Libravatar rusty-snake2020-11-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * rework chromium + 516d0811 has removed fundamental security features. (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep) Though this is only necessary if running under a kernel which disallow unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctk (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'. This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs. + chromium-common.profile: add private-cache + chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome. - [ ] bnox, dnox, enox, inox, snox - [ ] brave - [ ] flashpeak-slimjet - [ ] google-chrome, google-chrome-beta, google-chrome-unstable - [ ] iridium - [ ] min - [ ] opera, opera-beta + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot? + create chromium-browser-privacy.profile (closes #3633) * update 1 + add missing 'ignore whitelist /usr/share/chromium' + revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such as AAC too. In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues. * update 2 * update 3 fixes #3709
* | adding test-profiles to ci testLibravatar netblue302020-11-08
| |
* | adding test-profiles to ci testLibravatar netblue302020-11-08
| |
* | full ci testLibravatar netblue302020-11-08
| |
* | mkdir ci testingLibravatar netblue302020-11-08
| |
* | mkdir ci testingLibravatar netblue302020-11-08
| |
* | testing mkdir.expLibravatar netblue302020-11-08
| |
* | Merge pull request #3719 from netblue30/testsLibravatar netblue302020-11-08
|\ \ | | | | | | ci: enable test-fs tests on github-ci
| * \ Merge branch 'master' into testsLibravatar netblue302020-11-08
| |\ \ | |/ / |/| |
* | | Update linphone profile (#3734)Libravatar Dara Adib2020-11-08
| | | | | | | | | | | | linphone 4.0 changed the location of config and database files to respect freedesktop standards.
* | | second #3728 [skip ci]Libravatar rusty-snake2020-11-06
| | |
* | | profile fixesLibravatar rusty-snake2020-11-06
| | | | | | | | | | | | | | | | | | | | | | | | - update README.md and RELNOTES - add 'blacklist ${RUNUSER}/.flatpak-cache' to disable-common.inc - fix #3728, fonts in openSUSE KDE with wc / wusc - fix gnome-todo - fix xournalpp MathTeX whitelist
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-08 19:18:15 +0000