Commit message (Collapse) | Author | Age | |
---|---|---|---|
* | update plasma vault blacklist in disable-common.inc | smitsohu | 2019-03-02 |
| | |||
* | Merge branch 'master' of https://github.com/Lockdis/firejail into ↵ | Fred-Barclay | 2019-02-16 |
|\ | | | | | | | lockdis_ipc_fixes | ||
| * | add nyx, fix g earth pro | Lockdis | 2019-01-24 |
| | | |||
* | | Add '$HOME/.local/share/pki' to blacklist | Vincent43 | 2019-02-03 |
| | | | | | | | | | | Since nss 3.42, '$HOME/.local/share/pki' is supported dir for storing certs https://hg.mozilla.org/projects/nss/rev/da45424cb9a0b4d8e45e5040e2e3b574d994e254 | ||
* | | additional blacklisting | rusty-snake | 2019-01-27 |
|/ | |||
* | Merges | Tad | 2018-12-22 |
| | |||
* | updates for ~/.cargo | rusty-snake | 2018-12-21 |
| | |||
* | Update disable-common.inc, disable-programs.inc | rusty-snake | 2018-12-20 |
| | |||
* | profile enhancements: blacklist kdesu daemon socket, rework ↵ | smitsohu | 2018-12-11 |
| | | | | c083a7b737050c532977b46fac6400f1dbc24ff6 | ||
* | improve sandboxing of KDE apps: set KDE_FORK_SLAVES, blacklist slave-sockets | smitsohu | 2018-12-07 |
| | | | | | | | | | | setting the KDE_FORK_SLAVES environment variable removes all inconsistencies that arise from slaves running outside the sandbox or in a different sandbox; it also makes it slightly more difficult to abuse KIO in general and helps to mitigate security problems due to thumbnailing, which now always happens inside the same sandbox. The trade-off is more concurrently running slave processes. closes #2285 | ||
* | Update disable-common.inc | glitsj16 | 2018-11-08 |
| | |||
* | profile fixes for recursive read-write mounts | smitsohu | 2018-11-04 |
| | | | | | | | read-write and read-only are applied in sequence, don't override read-only restrictions in ~/.local/share issue #2200 | ||
* | cleanup | smitsohu | 2018-10-25 |
| | |||
* | Remove "/etc/firejail/" from all include paths, now that profile_read will ↵ | Glenn Washburn | 2018-10-17 |
| | | | | search for the file. | ||
* | consolidate cloud blacklisting, alphabetize, other nitpicks | smitsohu | 2018-10-12 |
| | |||
* | Write-protection for thumbnailer dir see #2143 (#2144) | curiosity-seeker | 2018-10-07 |
| | |||
* | adding fluxbox, blackbox, awesome, i3 profiles | netblue30 | 2018-09-03 |
| | |||
* | Update disable-common.inc | 1dnrr | 2018-08-23 |
| | |||
* | Blacklist /.snapshots (see #2030) | ಚಿರಾಗ್ ನಟರಾಜ್ | 2018-07-09 |
| | |||
* | Merges + misc fixes | Tad | 2018-07-04 |
| | | | | | | | | - Change some links in README to HTTPS - Fixup some typos in firejail-profile manpage - Cleanup dash from private-etc - Fixup gradio - Synchronize server profile with default profile | ||
* | disable flatpak directories | netblue30 | 2018-06-20 |
| | |||
* | typo in disable-common.inc | glitsj16 | 2018-04-22 |
| | |||
* | Blacklist some GNOME files in disable-common.inc | Tad | 2018-04-16 |
| | |||
* | update firecfg, shield kde startup better | smitsohu | 2018-04-06 |
| | |||
* | fix a0502dc5144185b6d346e92944e3359a833d2378, various enhancements | smitsohu | 2018-04-04 |
| | |||
* | AWS and GCP store credentials in local directories as part of project setup. | James Elford | 2018-03-31 |
| | | | | | | | | | Configuration for cloud providers is sensitive information; it should be in the default block list. I didn't see profiles for gcloud or awscli, so haven't added any exclusions. boto and kubectl are not provider-specific, but also store credentials for whichever platforms they happen to be being used with. | ||
* | various profile hardening | smitsohu | 2018-03-25 |
| | |||
* | bringing back private-lib in evince, and some fixes for Arch Linux | netblue30 | 2018-03-12 |
| | |||
* | fix bash on CentOS 7 | startx2017 | 2018-03-12 |
| | |||
* | let konsole access its settings - #1789 | smitsohu | 2018-03-02 |
| | |||
* | .Xauthority moved from blacklist to read-only | joelazar | 2018-02-26 |
| | |||
* | blacklist ksslcertificatemanager | smitsohu | 2018-02-14 |
| | | | | | | | | | | While it is believed that blacklisting these files is a safe default, it has the effect that untrusted certificates have to be acknowledged every time they are encountered (with whitelisting it is possible to accept them for the duration of an application session). Where this causes usability issues, it will be necessary to noblacklist these paths. | ||
* | fix KDE notifications | smitsohu | 2018-02-13 |
| | | | | | | | | while it is essential to deny manipulation of these files, the information contained therein should be only of secondary value by changing blacklist to read-only, notification functionality is restored | ||
* | restrict kssl (missing paths) | smitsohu | 2018-02-08 |
| | |||
* | restrict kssl | smitsohu | 2018-02-08 |
| | |||
* | keep menu definitions read-only | smitsohu | 2018-02-07 |
| | |||
* | further harden KDE | smitsohu | 2018-02-06 |
| | | | | | and whitelist some kio settings, because we don't know if slave processes will run inside or outside the sandbox. also prevents weird bugs that depend on sequence in which applications were started. | ||
* | blacklist klipper | smitsohu | 2018-02-02 |
| | | | | further to 8aec7694cb4c7c0d07b333b689ab19faacb519f9 | ||
* | KDE related enhancements | smitsohu | 2018-02-01 |
| | |||
* | harden KDE | smitsohu | 2018-01-30 |
| | |||
* | remove QML_DISABLE_DISK_CACHE from disable-common.inc | smitsohu | 2018-01-18 |
| | | | hardcoded since 1e7045b55cc1e189dba6d9ed21c05c90663f3736 | ||
* | disable qml disk cache globally | smitsohu | 2018-01-08 |
| | |||
* | disable-common.inc: read-only access to ~/.ssh/authorized_keys | Alexander GQ Gerasiov | 2017-12-22 |
| | | | | | | | | | | | | | | | disable-common.inc blacklists whole .ssh, but some profiles (e.g. idea.sh) unblacklists it to allow git over ssh with public key auth. But this creates security hole, since firejailed app could modify ~/.ssh/authorized_keys and allow arbitrary code execution on the host with sshd installed (e.g. ssh localhost and run any program) or even open backdoor for remote attacker. This commits disallows write access to ~/.ssh/authorized_keys even if .ssh was unblacklisted. Signed-off-by: Alexander GQ Gerasiov <gq@cs.msu.su> | ||
* | disable-common.inc: Blacklist .homesick | Alexander GQ Gerasiov | 2017-12-17 |
| | | | | | homesick is dotfiles manager. It keeps dotfiles (e.g. .bashrc) in repository under ~/.homesick and puts symlinks into home directory. | ||
* | remove mutt blacklist redundancies | smitsohu | 2017-12-09 |
| | |||
* | improve fetchmail profile - #1661 | smitsohu | 2017-12-09 |
| | |||
* | more profile improvements | smitsohu | 2017-11-23 |
| | |||
* | some profile improvements | smitsohu | 2017-11-19 |
| | |||
* | streamline disable-common.inc | smitsohu | 2017-11-11 |
| | |||
* | matching noblacklist in profile files with blacklist in disable-programs.inc | netblue30 | 2017-11-02 |
| |