firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	adding fluxbox, blackbox, awesome, i3 profiles	netblue30	2018-09-03
\|
*	Update disable-common.inc	1dnrr	2018-08-23
\|
*	Blacklist /.snapshots (see #2030)	ಚಿರಾಗ್ ನಟರಾಜ್	2018-07-09
\|
*	Merges + misc fixes	Tad	2018-07-04
\| \| \| \| \| \| \| \|	- Change some links in README to HTTPS - Fixup some typos in firejail-profile manpage - Cleanup dash from private-etc - Fixup gradio - Synchronize server profile with default profile
*	disable flatpak directories	netblue30	2018-06-20
\|
*	typo in disable-common.inc	glitsj16	2018-04-22
\|
*	Blacklist some GNOME files in disable-common.inc	Tad	2018-04-16
\|
*	update firecfg, shield kde startup better	smitsohu	2018-04-06
\|
*	fix a0502dc5144185b6d346e92944e3359a833d2378, various enhancements	smitsohu	2018-04-04
\|
*	AWS and GCP store credentials in local directories as part of project setup.	James Elford	2018-03-31
\| \| \| \| \| \| \| \| \|	Configuration for cloud providers is sensitive information; it should be in the default block list. I didn't see profiles for gcloud or awscli, so haven't added any exclusions. boto and kubectl are not provider-specific, but also store credentials for whichever platforms they happen to be being used with.
*	various profile hardening	smitsohu	2018-03-25
\|
*	bringing back private-lib in evince, and some fixes for Arch Linux	netblue30	2018-03-12
\|
*	fix bash on CentOS 7	startx2017	2018-03-12
\|
*	let konsole access its settings - #1789	smitsohu	2018-03-02
\|
*	.Xauthority moved from blacklist to read-only	joelazar	2018-02-26
\|
*	blacklist ksslcertificatemanager	smitsohu	2018-02-14
\| \| \| \| \| \| \| \| \| \|	While it is believed that blacklisting these files is a safe default, it has the effect that untrusted certificates have to be acknowledged every time they are encountered (with whitelisting it is possible to accept them for the duration of an application session). Where this causes usability issues, it will be necessary to noblacklist these paths.
*	fix KDE notifications	smitsohu	2018-02-13
\| \| \| \| \| \| \| \|	while it is essential to deny manipulation of these files, the information contained therein should be only of secondary value by changing blacklist to read-only, notification functionality is restored
*	restrict kssl (missing paths)	smitsohu	2018-02-08
\|
*	restrict kssl	smitsohu	2018-02-08
\|
*	keep menu definitions read-only	smitsohu	2018-02-07
\|
*	further harden KDE	smitsohu	2018-02-06
\| \| \| \| \|	and whitelist some kio settings, because we don't know if slave processes will run inside or outside the sandbox. also prevents weird bugs that depend on sequence in which applications were started.
*	blacklist klipper	smitsohu	2018-02-02
\| \| \| \|	further to 8aec7694cb4c7c0d07b333b689ab19faacb519f9
*	KDE related enhancements	smitsohu	2018-02-01
\|
*	harden KDE	smitsohu	2018-01-30
\|
*	remove QML_DISABLE_DISK_CACHE from disable-common.inc	smitsohu	2018-01-18
\| \| \|	hardcoded since 1e7045b55cc1e189dba6d9ed21c05c90663f3736
*	disable qml disk cache globally	smitsohu	2018-01-08
\|
*	disable-common.inc: read-only access to ~/.ssh/authorized_keys	Alexander GQ Gerasiov	2017-12-22
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	disable-common.inc blacklists whole .ssh, but some profiles (e.g. idea.sh) unblacklists it to allow git over ssh with public key auth. But this creates security hole, since firejailed app could modify ~/.ssh/authorized_keys and allow arbitrary code execution on the host with sshd installed (e.g. ssh localhost and run any program) or even open backdoor for remote attacker. This commits disallows write access to ~/.ssh/authorized_keys even if .ssh was unblacklisted. Signed-off-by: Alexander GQ Gerasiov <gq@cs.msu.su>
*	disable-common.inc: Blacklist .homesick	Alexander GQ Gerasiov	2017-12-17
\| \| \| \| \|	homesick is dotfiles manager. It keeps dotfiles (e.g. .bashrc) in repository under ~/.homesick and puts symlinks into home directory.
*	remove mutt blacklist redundancies	smitsohu	2017-12-09
\|
*	improve fetchmail profile - #1661	smitsohu	2017-12-09
\|
*	more profile improvements	smitsohu	2017-11-23
\|
*	some profile improvements	smitsohu	2017-11-19
\|
*	streamline disable-common.inc	smitsohu	2017-11-11
\|
*	matching noblacklist in profile files with blacklist in disable-programs.inc	netblue30	2017-11-02
\|
*	harden kde	smitsohu	2017-10-31
\| \| \| \| \|	and whitelist kioslaverc because we don't know if kdeinit will run outside or inside the sandbox.
*	fix and harden various profiles	smitsohu	2017-10-29
\|
*	block kdeinit sockets	smitsohu	2017-10-13
\| \| \| \|	attempts to handle #1599
*	removed lxterminal support, blacklisting the terminal in disable-common.inc	netblue30	2017-10-04
\|
*	fix nginx and apache2, possible fix for #1534	netblue30	2017-09-25
\|
*	remove some redundancies	smitsohu	2017-09-20
\| \| \| \| \| \| \|	* ~/.bash_history is already included in ~/._history, same file ~/.password-store is already included in disable-passwdmgr.inc (and not whitelisted in browsers) * ~/.local/share/applications is in whitelist-common.inc since recently
*	blacklist clipboard manager in disable-common.inc	netblue30	2017-09-18
\|
*	fix Arch Linux /etc/resolv.conf symlink to /var/run/systemd/resolve/resolv.conf	netblue30	2017-09-14
\|
*	permit scripts, local mail	smitsohu	2017-09-10
\|
*	noexec is hardcoded now	smitsohu	2017-09-05
\|
*	Harden /var	Tad	2017-08-22
\|
*	Add Jason A. Donenfeld's pass to common blacklist	James Elford	2017-08-20
\| \| \| \| \|	pass is a password manager that keeps files under ~/.password-store by default. See http://www.passwordstore.org/ for more info
*	Fix bad noexec sorting	Fred Barclay	2017-08-09
\|
*	Sorting	Fred-Barclay	2017-08-08
\|
*	Change KDE4 services folder to read-only	smitsohu	2017-08-06
\| \| \|	Configurations in this folder are not secret, but need to be protected from manipulation. Let's make it available to all KDE apps for legitimate use. Discussion in #1428
*	Change ~/.local/share/kservices5 to read-only	Vladimir Schowalter	2017-08-03
\|