| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
| |
* Allow user access to /proc/config.gz
* Fix Brave's native sandbox
* Move /proc/config.gz to disable-common.inc
* Move /proc/config.gz to disable-common.inc
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add novideo to a lot of profiles
(there are still more profiles where novideo can be added)
- remove commente mdwe from some gnome applications
- add descriptions to some profiles
- blacklist ${HOME}/.cargo/credentials
- move ${HOME}/.git-credentials and ${HOME}/.git-credential-cache to
'top secret' in disable-common.inc
- some ordering in disable-programs.inc
- merge tor browser blacklists to ${HOME}/.tor-browser*
- qupzilla.profile redirect to falkon.profile
- blacklist gnome-builder paths
- fix transmission profiles inlude
- much more
|
|
|
|
|
|
|
|
|
|
|
|
| |
- install contrib/syscalls.sh
- add GitLab-CI status to README.md
- read-only ${HOME}/.cargo/env
- move blacklist ${HOME}/.cargo/registry, ${HOME}/.cargo/config to
disable-programs
- typo in man firejail firejail-profiles firecfg
- better descriptions in man firejail-profiles
- fixes in man firejail
- template descriptions in firejail-profiles
|
| |
|
| |
|
|
|
|
|
|
| |
* ~/.viminfo
* ~/.lesshst
* ~/.python_history
|
| |
|
|
|
|
| |
The files holds credentials to WebDAV servers in plaintext
hence it's probably a good idea to limit access to them.
|
| |
|
|
|
|
|
|
| |
* Add .pythonrc.py to disable-common.inc
* Move .pythonrc.py to more appropriate section
|
| |
|
|\
| |
| |
| | |
lockdis_ipc_fixes
|
| | |
|
| |
| |
| |
| |
| | |
Since nss 3.42, '$HOME/.local/share/pki' is supported dir for storing certs
https://hg.mozilla.org/projects/nss/rev/da45424cb9a0b4d8e45e5040e2e3b574d994e254
|
|/ |
|
| |
|
| |
|
| |
|
|
|
|
| |
c083a7b737050c532977b46fac6400f1dbc24ff6
|
|
|
|
|
|
|
|
|
|
| |
setting the KDE_FORK_SLAVES environment variable removes all inconsistencies
that arise from slaves running outside the sandbox or in a different sandbox;
it also makes it slightly more difficult to abuse KIO in general and helps to
mitigate security problems due to thumbnailing, which now always happens inside
the same sandbox. The trade-off is more concurrently running slave processes.
closes #2285
|
| |
|
|
|
|
|
|
|
| |
read-write and read-only are applied in sequence, don't
override read-only restrictions in ~/.local/share
issue #2200
|
| |
|
|
|
|
| |
search for the file.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
- Change some links in README to HTTPS
- Fixup some typos in firejail-profile manpage
- Cleanup dash from private-etc
- Fixup gradio
- Synchronize server profile with default profile
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Configuration for cloud providers is sensitive information; it should be
in the default block list. I didn't see profiles for gcloud or awscli,
so haven't added any exclusions.
boto and kubectl are not provider-specific, but also store credentials for
whichever platforms they happen to be being used with.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
While it is believed that blacklisting these files is a safe default,
it has the effect that untrusted certificates have to be acknowledged every
time they are encountered (with whitelisting it is possible to accept
them for the duration of an application session).
Where this causes usability issues, it will be necessary to noblacklist
these paths.
|
|
|
|
|
|
|
|
| |
while it is essential to deny manipulation of these files,
the information contained therein should be only of secondary value
by changing blacklist to read-only, notification functionality is
restored
|
| |
|
| |
|