firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	disable qml disk cache globally	smitsohu	2018-01-08
\|
*	disable-common.inc: read-only access to ~/.ssh/authorized_keys	Alexander GQ Gerasiov	2017-12-22
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	disable-common.inc blacklists whole .ssh, but some profiles (e.g. idea.sh) unblacklists it to allow git over ssh with public key auth. But this creates security hole, since firejailed app could modify ~/.ssh/authorized_keys and allow arbitrary code execution on the host with sshd installed (e.g. ssh localhost and run any program) or even open backdoor for remote attacker. This commits disallows write access to ~/.ssh/authorized_keys even if .ssh was unblacklisted. Signed-off-by: Alexander GQ Gerasiov <gq@cs.msu.su>
*	disable-common.inc: Blacklist .homesick	Alexander GQ Gerasiov	2017-12-17
\| \| \| \| \|	homesick is dotfiles manager. It keeps dotfiles (e.g. .bashrc) in repository under ~/.homesick and puts symlinks into home directory.
*	remove mutt blacklist redundancies	smitsohu	2017-12-09
\|
*	improve fetchmail profile - #1661	smitsohu	2017-12-09
\|
*	more profile improvements	smitsohu	2017-11-23
\|
*	some profile improvements	smitsohu	2017-11-19
\|
*	streamline disable-common.inc	smitsohu	2017-11-11
\|
*	matching noblacklist in profile files with blacklist in disable-programs.inc	netblue30	2017-11-02
\|
*	harden kde	smitsohu	2017-10-31
\| \| \| \| \|	and whitelist kioslaverc because we don't know if kdeinit will run outside or inside the sandbox.
*	fix and harden various profiles	smitsohu	2017-10-29
\|
*	block kdeinit sockets	smitsohu	2017-10-13
\| \| \| \|	attempts to handle #1599
*	removed lxterminal support, blacklisting the terminal in disable-common.inc	netblue30	2017-10-04
\|
*	fix nginx and apache2, possible fix for #1534	netblue30	2017-09-25
\|
*	remove some redundancies	smitsohu	2017-09-20
\| \| \| \| \| \| \|	* ~/.bash_history is already included in ~/._history, same file ~/.password-store is already included in disable-passwdmgr.inc (and not whitelisted in browsers) * ~/.local/share/applications is in whitelist-common.inc since recently
*	blacklist clipboard manager in disable-common.inc	netblue30	2017-09-18
\|
*	fix Arch Linux /etc/resolv.conf symlink to /var/run/systemd/resolve/resolv.conf	netblue30	2017-09-14
\|
*	permit scripts, local mail	smitsohu	2017-09-10
\|
*	noexec is hardcoded now	smitsohu	2017-09-05
\|
*	Harden /var	Tad	2017-08-22
\|
*	Add Jason A. Donenfeld's pass to common blacklist	James Elford	2017-08-20
\| \| \| \| \|	pass is a password manager that keeps files under ~/.password-store by default. See http://www.passwordstore.org/ for more info
*	Fix bad noexec sorting	Fred Barclay	2017-08-09
\|
*	Sorting	Fred-Barclay	2017-08-08
\|
*	Change KDE4 services folder to read-only	smitsohu	2017-08-06
\| \| \|	Configurations in this folder are not secret, but need to be protected from manipulation. Let's make it available to all KDE apps for legitimate use. Discussion in #1428
*	Change ~/.local/share/kservices5 to read-only	Vladimir Schowalter	2017-08-03
\|
*	Add fish-shell history and config to disable-common.inc	James Elford	2017-05-22
\|
*	rephrase	SYN-cook	2017-05-11
\|
*	layout	SYN-cook	2017-05-11
\|
*	add noexec folders (tmp/.X11-unix and .config/pulse)	SYN-cook	2017-05-11
\|
*	fix trash functionality for file managers	netblue30	2017-05-01
\|
*	noexec ~/.local/share	SYN-cook	2017-04-21
\| \| \|	#1238
*	add .pam_environment, kwin to blacklist	SYN-cook	2017-04-04
\|
*	tidy up (#1182)	SYN-cook	2017-03-31
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* minor reorganization * tidy up * tidy up * tidy up * tidy up * tidy up * tidy up
*	restrict more KDE files (#1181)	SYN-cook	2017-03-31
\| \| \| \| \| \| \| \| \| \|	* update noblacklist * blacklist local plasma overrides, plasmoids * add more KDE configuration (kdeglobals, plasmoids) * kdeglobals now in disable-common.inc
*	various profile fixes and enhancements (#1177)	SYN-cook	2017-03-29
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* private-dev breaks playing CDs * reenable services * blacklist kservices5 folder * blacklist nautilus scripts * blacklist ~/.kde4 files, k3b config, nautilus/nemo * sort * update noblacklisting * update blacklisting * update blacklisting/whitelisting (okular)
*	blacklist KDE config (konsole, services)	SYN-cook	2017-03-28
\|
*	blacklist krunnerrc	SYN-cook	2017-03-27
\|
*	blacklist more KDE files (#1163)	SYN-cook	2017-03-27
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* blacklist more KDE files * undo doubling of ~/.profile * remove ksmserverrc * remove ksmserverrc * blacklist kdeconnect * blacklist KDE device actions * blacklist kglobalaccel
*	Merge pull request #1156 from SYN-cook/master	netblue30	2017-03-26
\|\ \| \| \| \|	profile enhancements
\| *	move ~/.pki blacklist to disable-common.inc	SYN-cook	2017-03-24
\| \|
* \|	Merge pull request #1152 from SYN-cook/master	netblue30	2017-03-22
\|\\| \| \| \| \|	blacklist X11 startup scripts
\| *	don't blacklist ~/.profile	SYN-cook	2017-03-22
\| \| \| \| \| \|	sorry for the mistake... ~./profile is not only sourced by some display managers but also by shells, so we should keep everything as before
\| *	more blacklisting (X11 session autostart)	SYN-cook	2017-03-21
\| \| \| \| \| \|	reorganization, added files according to Debian documentation
* \|	Merge pull request #1149 from SYN-cook/master	netblue30	2017-03-20
\|\\| \| \| \| \|	complete autostart blacklist for KDE
\| *	complete autostart blacklist for KDE	SYN-cook	2017-03-19
\| \|
* \|	Handles #1150	Fred Barclay	2017-03-19
\|/ \| \| \|	Terminix is being renamed to tilix. This adds ${PATH}/tilix to the blacklisted terminals in disable-common.inc without removing terminix (since there will still be users of terminix).
*	persistent config	netblue30	2017-02-09
\|
*	profile merges	netblue30	2017-01-25
\|
*	Prevent tmux connecting to an existing session	ecat3	2017-01-22
\|
*	profile merges	netblue30	2017-01-20
\|