| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| |
|
|
| |
closes #1139
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* Create element-desktop.profile
* add element-desktop dirs to disable-programs.inc
* add element-desktop to firecfg.config
* Update RELNOTES
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* hardening some profiles
- harden and fix flameshot
- wruc: frogatto, ghostwriter
- harden gnome-latex
- add whitelist opt-in note to keepassxc
- add comment to minetest
- harden openarena, tremulous, xonotic
- add profile for xonotic-sdl-wrapper
* followup
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Create mocp.profile
* add mocp support to disable-programs.inc
* add mocp support in firecfg.config
* update RELNOTES for mocp
* fix configuration access for mocp
Thanks to @rusty-snake for spotting this.
|
| |
|
|
|
|
|
|
|
|
|
| |
Also fixed a typo for new profiles: nicontine --> nicotine
* add plv to firecfg
* add plv to disable-programs.inc
* Create plv.profile
* Update plv.profile
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
|
| |
|
|
|
|
|
| |
- fix description
- add gnome-klotski, five-or-more, swell-foop
[skip ci]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- blobwars
- gravity-beams-and-evaporating-stars
- hyperrogue
- jumpnbump-menu (alias)
- jumpnbump
- magicor
- mindless
- mirrormagic
- mrrescue
- scorched3d-wrapper (alias)
- scorchwentbonkers
- seahorse-adventures
- wordwarvi
- xbill
|
| |
|
|
| |
@glitsj16 thanks for the pointer that we now have whitelist globbing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* introduce whitelist-runuser-common.inc
* If an applications does not need a whitelist it can/should be
nowhitelisted. Example:
nowhitelist ${RUNUSER}/pulse
include whitelist-runuser-common.inc
* ${RUNUSER}/bus is inaccessible with nodbus regardless of the
whitelist. (as it should)
* strange wayland setups with an second wayland-compostior need to
whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
* some display-manager store there Xauthority file in ${RUNUSER}.
test results with fedora 31:
- ssdm: ~/.Xauthority is used
- lightdm: /run/lightdm/USER/Xauthority
- gdm: /run/user/UID/gdm/Xauthority
* IMPORTANT: ATM we can only enable this for non-graphical and GTK3
programs because mutter (GNOMEs window-manger) stores the Xauthority
file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
where XXXXXX is random. Until we have whitelist globbing we can't
whitelist this file. QT/KDE and other toolkits without full wayland
support won't be able to start.
* wru update 1
- add wru to more profiles.
- blacklist ${RUNUSER} works for the most cli programs too.
* add wruc to more profiles
* fixes
* fixes
* wruc: hide pulse pid
* update
* remove wruc from all the x11 profiles
* fixes
* fix ordering
* read-only
* revert read-only
* update
*
|
| |
|
|
|
|
|
|
|
|
|
| |
- four-in-a-row
- gnome-mahjongg
- gnome-robots
- gnome-sudoku
- gnome-taquin
- gnome-tetravex
harden gnome-chess
|
| |
|
|
|
|
|
|
|
|
|
| |
- frogatto
- gnome_games-common.profile
- gnome-2048 (make redirect)
- gnome-mines
- gnome-nibbles
- lightsoff
- ts3client_runscript.sh (fix #3279)
- warmux (don't get confused with the warmux/wormux thing)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rules for xdg-dbus-proxy:
dbus-user filter
dbus-user.own org.gnome.Pomodoro
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.Shell
dbus-system none
dbus-user filter
dbus-user.own org.gnome.Todo
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
dbus-user.talk org.gnome.evolution.dataserver.Calendar8
dbus-user.talk org.gnome.evolution.dataserver.Sources5
dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
dbus-user.talk org.gnome.OnlineAccounts
dbus-user.talk org.gnome.SettingsDaemon.Color
dbus-system filter
dbus-system.talk org.freedesktop.login1
dbus-user filter
dbus.own com.github.dahenson.agenda
dbus.talk ca.desrt.dconf
dbus-system block
|
| |\
| |
| | |
new condition: HAS_NOSOUND
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
patch for xdg-dbus-proxy
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -45,3 +45,8 @@ private-bin gnome-screenshot
private-dev
private-etc dconf,fonts,gtk-3.0,localtime,machine-id
private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system block
```
patch for whitelist-runuser-common.inc
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
include whitelist-var-common.inc
apparmor
```
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Thanks @DurtyDev for testing (netblue30/firetools#47)
|
| | |
|
| |
|
|
| |
Thanks @Micha-Btz for all the testing.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Create gist.profile
* Add gist config to disable-programs.inc
* Add gist to firecfg.config
* Update RELNOTES
* Update README.md
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
See
https://github.com/netblue30/firejail/issues/1139#issuecomment-546683127
|
| | |
|
| | |
|
| | |
|
Reiner Herrmann
rusty-snake
glitsj16
Amin Vakil
netblue30
Topi Miettinen
Tad
rusty-snake
smitsohu
Hans-Christoph Steiner
Fred Barclay