aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* Add 32bit ARM syscallsLibravatar Andrew Branson2020-04-15
|
* Revert ↵Libravatar glitsj162020-04-15
| | | | | https://github.com/netblue30/firejail/commit/ca6eec7dcf388c3d0bf52f54c56f7c957b8b777b As per discussion in #3333, thanks to @rusty-snake for coming up with an alternative.
* fix make dependenciesLibravatar netblue302020-04-14
|
* add sthortwave (#1139) and remove gjs from firecf…Libravatar rusty-snake2020-04-13
| | | | …g.config (#3333).
* misc fixesLibravatar rusty-snake2020-04-13
| | | | | | - Makefile.in: loops are slow - Makefile.in: firecfg.config wasn't installed - allow-gjs.inc: gjs uses libmozjs, forgotten to commit
* suport mkdir and mkfile for /run/user/<PID> directory (#3346)Libravatar netblue302020-04-13
|
* Merge pull request #3347 from aerusso/pulls/documentation-globbingLibravatar rusty-snake2020-04-12
|\ | | | | Clarify that file globbing occurs only at start
| * Clarify that file globbing occurs only at startLibravatar Antonio Russo2020-04-11
| | | | | | | | | | | | firejail can blacklist (and now also whitelist) files based on glob pattern. This pattern is evaluated at firejail start, and not updated at run time. This patch documents this behavior.
* | Fix shell in firefox-common.profileLibravatar glitsj162020-04-12
|/ | | This fixes #3333.
* Fix (fatal-warnings) warning by adding bracesLibravatar Topi Miettinen2020-04-11
|
* misc profilesLibravatar rusty-snake2020-04-11
| | | | | | | | | | | - disable-interpreters: blacklist /usr/lib64/libmozjs-* - fdns: - fix .local name - remove server.profile comment (do we need /sbin and /usr/sbin?) - add wusc and wvc (commented because untested) - minimize caps.keep (based on fdns.service) - fix protocol position - add private-etc (based on fdns.service)
* Move autoconfigured lines up in Makefile.inLibravatar Topi Miettinen2020-04-11
| | | | | | | Move autoconfigured lines up in Makefile.in so that they are defined before they are used . Closes #3341 #3344.
* Fix build with --enable-fatal-warningsLibravatar Topi Miettinen2020-04-10
| | | | Delete two unused variables.
* Strip all binariesLibravatar Topi Miettinen2020-04-10
| | | | Closes #3341.
* fix #3343Libravatar glitsj162020-04-10
|
* add description to rambox.profileLibravatar glitsj162020-04-10
|
* Merge pull request #3337 from topimiettinen/build-fixingLibravatar netblue302020-04-09
|\ | | | | Build improvements
| * Build improvementsLibravatar Topi Miettinen2020-04-09
| | | | | | | | | | Sometimes concurrent build could fail if the filter apps were not made before attempting to make the filters.
* | Add /usr/share/games to whitelistLibravatar Fred Barclay2020-04-09
| | | | | | | | | | | | | | | | | | | | Otherwise, fails with error CreateDirectories: failed to mkdir /usr/share/games (mode 448) file_system.cpp(158): Function call failed: return value was -110300 (Insufficient access rights to open file) Function call failed: return value was -110300 (Insufficient access rights to open file) Location: file_system.cpp:158 (CreateDirectories) Observed on Debian 10, 0ad 0.0.23
* | Merge pull request #3339 from matu3ba/docsfixLibravatar Fred Barclay2020-04-09
|\ \ | | | | | | early decision in bug report if using git version
| * | early decision if git masterLibravatar Jan2020-04-09
| | |
* | | Merge pull request #3340 from avilum/patch-1Libravatar rusty-snake2020-04-09
|\ \ \ | |_|/ |/| | Improvements for syscalls.sh contib file
| * | Improvements for syscalls.sh contib fileLibravatar Avi Lumelsky2020-04-09
|/ / | | | | Fixed the identation for copy/past problems and added a console character that returns the console to it's original colour after the SYSCALLS_OUTPUT_FILE param is printed.
* | Merge pull request #3334 from matu3ba/docsLibravatar rusty-snake2020-04-09
|\| | | | | Request behavior change description in bug reports
| * request change of behavior description on disabling firejail for specific ↵Libravatar Jan2020-04-09
|/ | | | program
* fix example in firejail-profile.txtLibravatar glitsj162020-04-08
|
* fix alphabetical ordering in fdns.profile (2)Libravatar glitsj162020-04-08
|
* fix alphabetical ordering in fdns.profileLibravatar glitsj162020-04-08
|
* add example for overriding individiual DBus filter to firejail-profile.txtLibravatar glitsj162020-04-08
| | | See discussion in https://github.com/netblue30/firejail/pull/3326.
* fix typos in dbus-{system,user}.talk [usage.c]Libravatar glitsj162020-04-07
|
* Merge branch 'master' of https://github.com/netblue30/firejailLibravatar netblue302020-04-07
|\
| * fix typo in firejail-profile.txtLibravatar glitsj162020-04-07
| |
* | fdns profileLibravatar netblue302020-04-07
|/
* Update support/EOL informationLibravatar Fred Barclay2020-04-07
|
* Merge pull request #3327 from netblue30/bugreports_templateLibravatar Fred Barclay2020-04-07
|\ | | | | Add bug report template
| * Add bug report templateLibravatar Fred Barclay2020-04-07
| | | | | | (Mostly) auto-generated with GitHub, will need tweaking over time
* | Ignore `caps.drop all` import from transmission-common.profileLibravatar Fred Barclay2020-04-07
|/ | | | caps are already handled by caps.keep ... in this profile
* Replace `nodbus` with dbus-* filtersLibravatar Fred Barclay2020-04-07
| | | | | | | | | | | | | See - 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters - https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183 Except for ocenaudio, access/restrictions on dbus options should be unchanged Ocenaudio profile: dbus filters were sandboxed (initially `nodbus` was enabled) since comments indicated blocking dbus meant preferences were broken
* dbus-proxy (gnome_games)Libravatar rusty-snake2020-04-07
|
* Alphabetically order firejail.config (#3324)Libravatar glitsj162020-04-07
|
* Merge pull request #3265 from kris7t/dbus-proxyLibravatar Kristóf Marussy2020-04-07
|\ | | | | Fine-grained DBus sandboxing
| * Deprecate --nodbus optionLibravatar Kristóf Marussy2020-04-07
| |
| * Turn DBus profile errors into warningsLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | This patch also allows setting the DBus policies to filter even if xdg-dbus-proxy is not installed. In that case, unrestricted access to the bus is allowed, but a warning is emitted.
| * xdg-dbus-proxy socket finding and mount hardeningLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root. Instead of relying on the default locations of the DBus sockets, the environment variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set accordingly. User sockets are tried in the following order when starting the proxy: * DBUS_SESSION_BUS_ADDRES * /run/user/<pid>/bus * /run/user/<pid>/dbus/user_bus_socket These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active. System sockets are tried in the following order: * DBUS_SYSTEM_BUS_ADDRESS * /run/dbus/system_bus_socket These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active.
| * xdg-dbus-proxy hardeningLibravatar Kristóf Marussy2020-04-06
| |
| * Add documentation for DBus filteringLibravatar Kristóf Marussy2020-04-06
| |
| * Add dbus filter optionsLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and --dbus-system.own control which names can be accessed and owned on the user and system buses.
| * Add xdg-dbus-proxy supportLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | * The proxy is forked off outside the sandbox namespace to protect the fds of the original buses from the sandboxed process. * The /run/firejail/dbus directory (with the sticky bit set) holds the proxy sockets. The sockets are <parent pid>-user and <parent pid>-system for the user and system buses, respectively. Each socket is owned by the sandbox user. * The sockets are bind-mounted over their expected locations and the /run/firejail/dbus directory is subsequently hidden from the sandbox. * Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets are cleaned up. * Filter rules will be added in a future commit.
| * Add sbox_exec_v and SBOX_KEEP_FDSLibravatar Kristóf Marussy2020-04-06
| | | | | | | | | | | | | | | | | | To contain processes forked for long time, such as the xdg-dbus-proxy, sbox_exec_v can be used, which is the non-forking version of sbox_run_v. Additionally, the SBOX_KEEPS_FDS flag avoid closing any open fds, so fds needed by the subordinate process can be left open before calling sbox_exec_v. This flag does not makes sense for sbox_run_v, and causes an assertion failure.
| * Add --dbus-user and --dbus-system optionsLibravatar Kristóf Marussy2020-04-06
|/ | | | | | Allow setting a separate policy for the user and system buses. For now, the filter policy is equivalent to the none (block) policy. Future commits will add more configuration options and filters.
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-08-21 14:07:30 +0000