Commit message | Author | Age | |
---|---|---|---|
* | Add a lot of profiles | rusty-snake | 2020-02-10 |
| | |||
* | fix spelling in disable-common.inc | glitsj16 | 2020-01-29 |
| | |||
* | tighten info gathering for openrc | Gauvain "GovanifY" Roussel-Tarbouriech | 2020-01-15 |
| | |||
* | Make ${HOME}/.config/environment.d read-only | rusty-snake | 2019-12-30 |
| | |||
* | Fix Brave's native sandbox (#3087) | glitsj16 | 2019-12-19 |
| | * Allow user access to /proc/config.gz * Fix Brave's native sandbox * Move /proc/config.gz to disable-common.inc * Move /proc/config.gz to disable-common.inc | ||
* | blacklist gksu, gksudo, kdesudo | rusty-snake | 2019-11-25 |
| | |||
* | blacklist .fscrypt directories | smitsohu | 2019-11-12 |
| | |||
* | blacklist gnome-boxes user files (VM-Images) | rusty-snake | 2019-10-13 |
| | |||
* | add HAS_X11 conditional, disconnect session manager - #2205 | smitsohu | 2019-10-08 |
| | |||
* | protect files that can execute commands | rusty-snake | 2019-09-22 |
| | |||
* | many profile fixes (1) | rusty-snake | 2019-08-26 |
| | - add novideo to a lot of profiles (there are still more profiles where novideo can be added) - remove commented mdwe from some gnome applications - add descriptions to some profiles - blacklist ${HOME}/.cargo/credentials - move ${HOME}/.git-credentials and ${HOME}/.git-credential-cache to 'top secret' in disable-common.inc - some ordering in disable-programs.inc - merge tor browser blacklists to ${HOME}/.tor-browser* - qupzilla.profile redirect to falkon.profile - blacklist gnome-builder paths - fix transmission profiles include - much more | ||
* | various fixes and improvements | rusty-snake | 2019-08-22 |
| | - install contrib/syscalls.sh - add GitLab-CI status to README.md - read-only ${HOME}/.cargo/env - move blacklist ${HOME}/.cargo/registry, ${HOME}/.cargo/config to disable-programs - typo in man firejail firejail-profiles firecfg - better descriptions in man firejail-profiles - fixes in man firejail - template descriptions in firejail-profiles | ||
* | blacklist kwalletrc | smitsohu | 2019-08-01 |
| | |||
* | keep dconf database read-only | smitsohu | 2019-07-08 |
| | |||
* | three new blacklist in disable-common.inc | rusty-snake | 2019-06-18 |
| | * ~/.viminfo * ~/.lesshst * ~/.python_history | ||
* | hardening & fixing | rusty-snake | 2019-06-13 |
| | |||
* | Add davfs2 secrets file to blacklist (#2753) | Jose Riha | 2019-06-11 |
| | The file holds credentials to WebDAV servers in plaintext, hence it's probably a good idea to limit access to them. | ||
* | many profile cleanups (3) | rusty-snake | 2019-06-02 |
| | |||
* | Add .pythonrc.py to disable-common.inc (#2651) | Senemu | 2019-04-14 |
| | * Add .pythonrc.py to disable-common.inc * Move .pythonrc.py to more appropriate section | ||
* | update plasma vault blacklist in disable-common.inc | smitsohu | 2019-03-02 |
| | |||
* | Merge branch 'master' of https://github.com/Lockdis/firejail into lockdis_ipc_fixes | Fred-Barclay | 2019-02-16 |
|\ | |||
| * | add nyx, fix g earth pro | Lockdis | 2019-01-24 |
| | | |||
* | | Add '$HOME/.local/share/pki' to blacklist | Vincent43 | 2019-02-03 |
| | | Since nss 3.42, '$HOME/.local/share/pki' is supported dir for storing certs https://hg.mozilla.org/projects/nss/rev/da45424cb9a0b4d8e45e5040e2e3b574d994e254 | ||
* | | additional blacklisting | rusty-snake | 2019-01-27 |
|/ | |||
* | Merges | Tad | 2018-12-22 |
| | |||
* | updates for ~/.cargo | rusty-snake | 2018-12-21 |
| | |||
* | Update disable-common.inc, disable-programs.inc | rusty-snake | 2018-12-20 |
| | |||
* | profile enhancements: blacklist kdesu daemon socket, rework c083a7b737050c532977b46fac6400f1dbc24ff6 | smitsohu | 2018-12-11 |
| | |||
* | improve sandboxing of KDE apps: set KDE_FORK_SLAVES, blacklist slave-sockets | smitsohu | 2018-12-07 |
| | setting the KDE_FORK_SLAVES environment variable removes all inconsistencies that arise from slaves running outside the sandbox or in a different sandbox; it also makes it slightly more difficult to abuse KIO in general and helps to mitigate security problems due to thumbnailing, which now always happens inside the same sandbox. The trade-off is more concurrently running slave processes. closes #2285 | ||
* | Update disable-common.inc | glitsj16 | 2018-11-08 |
| | |||
* | profile fixes for recursive read-write mounts | smitsohu | 2018-11-04 |
| | read-write and read-only are applied in sequence, don't override read-only restrictions in ~/.local/share issue #2200 | ||
* | cleanup | smitsohu | 2018-10-25 |
| | |||
* | Remove "/etc/firejail/" from all include paths, now that profile_read will search for the file. | Glenn Washburn | 2018-10-17 |
| | |||
* | consolidate cloud blacklisting, alphabetize, other nitpicks | smitsohu | 2018-10-12 |
| | |||
* | Write-protection for thumbnailer dir see #2143 (#2144) | curiosity-seeker | 2018-10-07 |
| | |||
* | adding fluxbox, blackbox, awesome, i3 profiles | netblue30 | 2018-09-03 |
| | |||
* | Update disable-common.inc | 1dnrr | 2018-08-23 |
| | |||
* | Blacklist /.snapshots (see #2030) | ಚಿರಾಗ್ ನಟರಾಜ್ | 2018-07-09 |
| | |||
* | Merges + misc fixes | Tad | 2018-07-04 |
| | - Change some links in README to HTTPS - Fixup some typos in firejail-profile manpage - Cleanup dash from private-etc - Fixup gradio - Synchronize server profile with default profile | ||
* | disable flatpak directories | netblue30 | 2018-06-20 |
| | |||
* | typo in disable-common.inc | glitsj16 | 2018-04-22 |
| | |||
* | Blacklist some GNOME files in disable-common.inc | Tad | 2018-04-16 |
| | |||
* | update firecfg, shield kde startup better | smitsohu | 2018-04-06 |
| | |||
* | fix a0502dc5144185b6d346e92944e3359a833d2378, various enhancements | smitsohu | 2018-04-04 |
| | |||
* | AWS and GCP store credentials in local directories as part of project setup. | James Elford | 2018-03-31 |
| | Configuration for cloud providers is sensitive information; it should be in the default block list. I didn't see profiles for gcloud or awscli, so haven't added any exclusions. boto and kubectl are not provider-specific, but also store credentials for whichever platforms they happen to be being used with. | ||
* | various profile hardening | smitsohu | 2018-03-25 |
| | |||
* | bringing back private-lib in evince, and some fixes for Arch Linux | netblue30 | 2018-03-12 |
| | |||
* | fix bash on CentOS 7 | startx2017 | 2018-03-12 |
| | |||
* | let konsole access its settings - #1789 | smitsohu | 2018-03-02 |
| | |||
* | .Xauthority moved from blacklist to read-only | joelazar | 2018-02-26 |
| |