Commit message | Author | Age | |
---|---|---|---|
* | remove QML_DISABLE_DISK_CACHE from disable-common.inc | smitsohu | 2018-01-18 |
| | hardcoded since 1e7045b55cc1e189dba6d9ed21c05c90663f3736 | ||
* | disable qml disk cache globally | smitsohu | 2018-01-08 |
| | |||
* | disable-common.inc: read-only access to ~/.ssh/authorized_keys | Alexander GQ Gerasiov | 2017-12-22 |
| | disable-common.inc blacklists the whole .ssh, but some profiles (e.g. idea.sh) unblacklist it to allow git over ssh with public key auth. But this creates a security hole, since a firejailed app could modify ~/.ssh/authorized_keys and allow arbitrary code execution on the host with sshd installed (e.g. ssh localhost and run any program) or even open a backdoor for a remote attacker. This commit disallows write access to ~/.ssh/authorized_keys even if .ssh was unblacklisted. Signed-off-by: Alexander GQ Gerasiov <gq@cs.msu.su> | ||
* | disable-common.inc: Blacklist .homesick | Alexander GQ Gerasiov | 2017-12-17 |
| | homesick is a dotfiles manager. It keeps dotfiles (e.g. .bashrc) in a repository under ~/.homesick and puts symlinks into the home directory. | ||
* | remove mutt blacklist redundancies | smitsohu | 2017-12-09 |
| | |||
* | improve fetchmail profile - #1661 | smitsohu | 2017-12-09 |
| | |||
* | more profile improvements | smitsohu | 2017-11-23 |
| | |||
* | some profile improvements | smitsohu | 2017-11-19 |
| | |||
* | streamline disable-common.inc | smitsohu | 2017-11-11 |
| | |||
* | matching noblacklist in profile files with blacklist in disable-programs.inc | netblue30 | 2017-11-02 |
| | |||
* | harden kde | smitsohu | 2017-10-31 |
| | and whitelist kioslaverc because we don't know if kdeinit will run outside or inside the sandbox. | ||
* | fix and harden various profiles | smitsohu | 2017-10-29 |
| | |||
* | block kdeinit sockets | smitsohu | 2017-10-13 |
| | attempts to handle #1599 | ||
* | removed lxterminal support, blacklisting the terminal in disable-common.inc | netblue30 | 2017-10-04 |
| | |||
* | fix nginx and apache2, possible fix for #1534 | netblue30 | 2017-09-25 |
| | |||
* | remove some redundancies | smitsohu | 2017-09-20 |
| | * ~/.bash_history is already included in ~/.*_history, same file * ~/.password-store is already included in disable-passwdmgr.inc (and not whitelisted in browsers) * ~/.local/share/applications is in whitelist-common.inc since recently | ||
* | blacklist clipboard manager in disable-common.inc | netblue30 | 2017-09-18 |
| | |||
* | fix Arch Linux /etc/resolv.conf symlink to /var/run/systemd/resolve/resolv.conf | netblue30 | 2017-09-14 |
| | |||
* | permit scripts, local mail | smitsohu | 2017-09-10 |
| | |||
* | noexec is hardcoded now | smitsohu | 2017-09-05 |
| | |||
* | Harden /var | Tad | 2017-08-22 |
| | |||
* | Add Jason A. Donenfeld's pass to common blacklist | James Elford | 2017-08-20 |
| | pass is a password manager that keeps files under ~/.password-store by default. See http://www.passwordstore.org/ for more info | ||
* | Fix bad noexec sorting | Fred Barclay | 2017-08-09 |
| | |||
* | Sorting | Fred-Barclay | 2017-08-08 |
| | |||
* | Change KDE4 services folder to read-only | smitsohu | 2017-08-06 |
| | Configurations in this folder are not secret, but need to be protected from manipulation. Let's make it available to all KDE apps for legitimate use. Discussion in #1428 | ||
* | Change ~/.local/share/kservices5 to read-only | Vladimir Schowalter | 2017-08-03 |
| | |||
* | Add fish-shell history and config to disable-common.inc | James Elford | 2017-05-22 |
| | |||
* | rephrase | SYN-cook | 2017-05-11 |
| | |||
* | layout | SYN-cook | 2017-05-11 |
| | |||
* | add noexec folders (tmp/.X11-unix and .config/pulse) | SYN-cook | 2017-05-11 |
| | |||
* | fix trash functionality for file managers | netblue30 | 2017-05-01 |
| | |||
* | noexec ~/.local/share | SYN-cook | 2017-04-21 |
| | #1238 | ||
* | add .pam_environment, kwin to blacklist | SYN-cook | 2017-04-04 |
| | |||
* | tidy up (#1182) | SYN-cook | 2017-03-31 |
| | * minor reorganization * tidy up * tidy up * tidy up * tidy up * tidy up * tidy up | ||
* | restrict more KDE files (#1181) | SYN-cook | 2017-03-31 |
| | * update noblacklist * blacklist local plasma overrides, plasmoids * add more KDE configuration (kdeglobals, plasmoids) * kdeglobals now in disable-common.inc | ||
* | various profile fixes and enhancements (#1177) | SYN-cook | 2017-03-29 |
| | * private-dev breaks playing CDs * reenable services * blacklist kservices5 folder * blacklist nautilus scripts * blacklist ~/.kde4 files, k3b config, nautilus/nemo * sort * update noblacklisting * update blacklisting * update blacklisting/whitelisting (okular) | ||
* | blacklist KDE config (konsole, services) | SYN-cook | 2017-03-28 |
| | |||
* | blacklist krunnerrc | SYN-cook | 2017-03-27 |
| | |||
* | blacklist more KDE files (#1163) | SYN-cook | 2017-03-27 |
| | * blacklist more KDE files * undo doubling of ~/.profile * remove ksmserverrc * remove ksmserverrc * blacklist kdeconnect * blacklist KDE device actions * blacklist kglobalaccel | ||
* | Merge pull request #1156 from SYN-cook/master | netblue30 | 2017-03-26 |
|\ | profile enhancements | ||
| * | move ~/.pki blacklist to disable-common.inc | SYN-cook | 2017-03-24 |
| | | |||
* | | Merge pull request #1152 from SYN-cook/master | netblue30 | 2017-03-22 |
|\| | blacklist X11 startup scripts | ||
| * | don't blacklist ~/.profile | SYN-cook | 2017-03-22 |
| | | sorry for the mistake... ~/.profile is not only sourced by some display managers but also by shells, so we should keep everything as before | ||
| * | more blacklisting (X11 session autostart) | SYN-cook | 2017-03-21 |
| | | reorganization, added files according to Debian documentation | ||
* | | Merge pull request #1149 from SYN-cook/master | netblue30 | 2017-03-20 |
|\| | complete autostart blacklist for KDE | ||
| * | complete autostart blacklist for KDE | SYN-cook | 2017-03-19 |
| | | |||
* | | Handles #1150 | Fred Barclay | 2017-03-19 |
|/ | Terminix is being renamed to tilix. This adds ${PATH}/tilix to the blacklisted terminals in disable-common.inc without removing terminix (since there will still be users of terminix). | ||
* | persistent config | netblue30 | 2017-02-09 |
| | |||
* | profile merges | netblue30 | 2017-01-25 |
| | |||
* | Prevent tmux connecting to an existing session | ecat3 | 2017-01-22 |
| |