| Commit message (Collapse) | Author | Age |
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
remove netfilter from profiles with net none
allow Viber to use dig, dig is in its private-bin, so I assume that it
need it.
blacklist resolvectl which can also be used for dns lookups
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
$PATH and $XDG_DATA_DIRS can contain subdirs of flatpak/exports,
some applications crash if they cann't access these files.
Layout on my system:
~/.local/share/flatpak/exports
|-bin
|-share
|-applications
|-icons
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Allow user access to /proc/config.gz
* Fix Brave's native sandbox
* Move /proc/config.gz to disable-common.inc
* Move /proc/config.gz to disable-common.inc
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add novideo to a lot of profiles
(there are still more profiles where novideo can be added)
- remove commente mdwe from some gnome applications
- add descriptions to some profiles
- blacklist ${HOME}/.cargo/credentials
- move ${HOME}/.git-credentials and ${HOME}/.git-credential-cache to
'top secret' in disable-common.inc
- some ordering in disable-programs.inc
- merge tor browser blacklists to ${HOME}/.tor-browser*
- qupzilla.profile redirect to falkon.profile
- blacklist gnome-builder paths
- fix transmission profiles inlude
- much more
|
|
|
|
|
|
|
|
|
|
|
|
| |
- install contrib/syscalls.sh
- add GitLab-CI status to README.md
- read-only ${HOME}/.cargo/env
- move blacklist ${HOME}/.cargo/registry, ${HOME}/.cargo/config to
disable-programs
- typo in man firejail firejail-profiles firecfg
- better descriptions in man firejail-profiles
- fixes in man firejail
- template descriptions in firejail-profiles
|
| |
|
| |
|
|
|
|
|
|
| |
* ~/.viminfo
* ~/.lesshst
* ~/.python_history
|
| |
|
|
|
|
| |
The files holds credentials to WebDAV servers in plaintext
hence it's probably a good idea to limit access to them.
|
| |
|
|
|
|
|
|
| |
* Add .pythonrc.py to disable-common.inc
* Move .pythonrc.py to more appropriate section
|
| |
|
|\
| |
| |
| | |
lockdis_ipc_fixes
|
| | |
|
| |
| |
| |
| |
| | |
Since nss 3.42, '$HOME/.local/share/pki' is supported dir for storing certs
https://hg.mozilla.org/projects/nss/rev/da45424cb9a0b4d8e45e5040e2e3b574d994e254
|
|/ |
|
| |
|
| |
|
| |
|
|
|
|
| |
c083a7b737050c532977b46fac6400f1dbc24ff6
|
|
|
|
|
|
|
|
|
|
| |
setting the KDE_FORK_SLAVES environment variable removes all inconsistencies
that arise from slaves running outside the sandbox or in a different sandbox;
it also makes it slightly more difficult to abuse KIO in general and helps to
mitigate security problems due to thumbnailing, which now always happens inside
the same sandbox. The trade-off is more concurrently running slave processes.
closes #2285
|
| |
|
|
|
|
|
|
|
| |
read-write and read-only are applied in sequence, don't
override read-only restrictions in ~/.local/share
issue #2200
|
| |
|
|
|
|
| |
search for the file.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
- Change some links in README to HTTPS
- Fixup some typos in firejail-profile manpage
- Cleanup dash from private-etc
- Fixup gradio
- Synchronize server profile with default profile
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Configuration for cloud providers is sensitive information; it should be
in the default block list. I didn't see profiles for gcloud or awscli,
so haven't added any exclusions.
boto and kubectl are not provider-specific, but also store credentials for
whichever platforms they happen to be being used with.
|