| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* unbreak audio-recorder
Support both X11 and Wayland by default. Users can add 'blacklist ${RUNUSER}/wayland-*' or 'x11 none' in their audio-recorder.local.
* unbreak ddgtk
Support both X11 and Wayland by default. Users can add 'blacklist ${RUNUSER}/wayland-*' or 'x11 none' in their ddgtk.local.
* unbreak and harden gconf-editor
Support both X11 and Wayland by default. Also whitelist /usr/share/gconf-editor for wusc.
* unbreak seahorse
Support both X11 and Wayland by default.
* add blacklist ${RUNUSER}/wayland-* to dnscrypt-proxy
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* harden devilspie
* harden devilspie2
* harden curl
* harden wget
* harden curl
* harden dig
* harden claws-mail
* harden dnscrypt-proxy
* harden dnscrypt-proxy
* harden dnscrypt-proxy
* harden exfalso
* refactor easystroke as whitelist profile
* refactor enchant as whitelist profile
* safeguard ${DOCUMENTS}
Thanks @rusty-snake for the suggestion.
* drop x11-none
Thanks @rusty-snake for catching this.
* drop x11 none
Thanks @rusty-snake for saving the bacon...
* drop x11 none
Thanks @rusty-snake for catching this.
* drop x11 none
Thanks @rusty-snake for preventing breakage!
* drop ipc-namespace
Better safe than sorry...
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add qt/qt4 support to wusc
* Add wusc to more profiles
* Add wusc to more profiles
* Update enchant.profile
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add /usr/share/ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* nano: add quiet option
* ffmpegthumbnailer: fix quiet leakage
* ffplay: fix quiet leakage
* ffprobe: fix quiet leakage
* rnano: fix quiet leakage
* qt-faststart: fix quiet leakage
* scp: fix quiet leakage
* sftp: fix quiet leakage
* transmission-create: fix quiet leakage
* transmission-edit: fix quiet leakage
* transmission-remote-cli: fix quiet leakage
* transmission-remote-gtk: fix quiet leakage
* dnscrypt-proxy: add quiet option
* dnsmasq: add quiet option
* seahorse-daemon: add quiet option
* xpra: add quiet option
* Xephyr: add quiet option
* Xvfb: add quiet option
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Revert #2816
* Revert #2816
* Revert #2816
* Revert #2816
* Revert #2816
* Revert #2816
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Unbreak gconf-editor
* Add x11 none to curl.profile
* Add x11 none to wget.profile
* Add x11 none to dnscrypt-proxy.profile
* Add tracelog to ssh-agent.profile
* Add x11 none to aria2c.profile
* Add x11 none to arch-audit.profile
* Add x11 none to archaudit-report.profile
|
|
|
|
|
|
|
|
|
|
| |
* Harden curl.profile
* Harden dnscrypt-proxy.profile
* Harden unbound.profile
* Harden unbound.profile
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Sort seccomp.drop in unbound.profile
* Sort caps.keep in tor.profile
* Sort seccomp.drop in qgjs.profile
* Sort seccomp.drop in dnscrypt-proxy.profile
* Sort caps.keep in chromium-common.profile
|
| |
|
|\
| |
| | |
Add nou2f to all profiles
|
| |
| |
| |
| | |
- Closes #2194
|
|/
|
|
| |
search for the file.
|
| |
|
| |
|
|
|
|
| |
grep "cache" -L $(grep "redirect" -iL $(grep "whitelist" -RL))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Use path variable instead of full path when blacklisting devel tools.
* Part 1: blacklist python, perl, ruby, etc in disable-interpreters.inc
* Part 2: allow access to java as needed
* Typo: missing blacklist
* Part 3: allow perl access as needed
* typo
* Add xreader thumbnailer and previewer profiles
* Add xplayer audio-preview and thumbnailer profiles
* Add atril thumbnailer and previewer profiles
* More fixups after adding disable-interpreters.inc
* Blacklist javac
* More javac noblacklisting
* Remove javac from dex2jar, libreoffice, multimc5, and pdfsam profiles
* --nodbus, first draft for #1825
* dbus.c
* rework akonadi integration
the usr.sbin.mysqld-akonadi apparmor profile, enforced by default in ubuntu and
debian testing (and probably opensuse), doesn't play well with a number of firejail options.
the reason for this is that once the no_new_privs bit is set, apparmor profile
transitions are forbidden.
enforcing our own apparmor policy instead is also no solution, because
these programs don't even start without d-bus.
relaxing the kmail profile was necessary so that kmail can fire up akonadi itself,
just in case akonadi has not been started earlier already by another program.
this is always an issue when kmail is the only installed akonadi client, but
there may be more circumstances. for reasons outlined above this doesn't help
debian and ubuntu (opensuse?) users though :-/
a brief summary of the seccomp exceptions: chroot is needed for qt webengine,
io_prioset for the akonadi indexing agent, io_getevents, io_submit, io_setup
are needed for mysqld. when akonadi has an sqlite3 backend, less exceptions
to the seccomp filter are necessary, but mysqld is the default.
in the future all kontact suite profiles (itm only kmail, knotes) should
probably be redirections to akonadi_control, but the issues with apparmor
make this somewhat impractical for now (options like 'protocol' couldn't go to
akonadi_control.local any more, if current kmail redirected to there).
* Add nodbus to some profiles - part 1
* Spotify works with nodbus on Arch
* Enable nodbus for keepassx and keepassxc profiles.
I've tested on keepassxc but should work for keepassx as well. Settings are not immutable.
* recalibrate dbus access, deploy nodbus option
see #1822 and #1825. also systematically replaces
'blacklist /run/user/*/bus' with 'nodbus'.
with contributions from @Fred-Barclay
* various blacklist additions
* Add a profile for ncdu, enable private-etc in Steam again, and fixup gnome-recipes
* comment nodbus where it interferes with dconf
pending further discussion
* Add a disabled and extensive private-bin for Steam
* Further improve private-bin in steam
* comment apparmor, net where they interfere with dconf - #1843
* gnome-calculator fixup
* spectre support for clang compiler
* spectre clang support
* enable/disable dbus handling in /etc/firejail/firejail.config
* nodbus man pages, etc.
* redirect knotes to kmail, some tweaks
* testing
* gimp fixup
* Even more fixups after adding disable-interpreters.inc
* AWS and GCP store credentials in local directories as part of project setup.
Configuration for cloud providers is sensitive information; it should be
in the default block list. I didn't see profiles for gcloud or awscli,
so haven't added any exclusions.
boto and kubectl are not provider-specific, but also store credentials for
whichever platforms they happen to be being used with.
* testing
* consolidate makefiles
* gitignore
* Use path variable instead of full path when blacklisting devel tools.
* Part 1: blacklist python, perl, ruby, etc in disable-interpreters.inc
* Part 2: allow access to java as needed
* Typo: missing blacklist
* Part 3: allow perl access as needed
* typo
* More fixups after adding disable-interpreters.inc
* Blacklist javac
* More javac noblacklisting
* Remove javac from dex2jar, libreoffice, multimc5, and pdfsam profiles
* Cleanup rebase leftovers
* imagej doesn't need javac access
* Add cc to blacklisted compilers
* Use wildcards when blacklisting some gcc paths
* Blacklist lua in disable-interpreters
* Correct blacklist for node.js
* Fred Barclay note: some of these commits (all of the ones that don't affect files inside etc/) aren't mine but were added during a rebase + squash
|
| |
|
|
|
|
|
|
|
| |
* okular needs kdeinit4 for open file dialog since recently
* memory-deny-write-execute should be a safe addition for
desktop use of dnscrypt and unbound
* cleanup works
|
| |
|
|\
| |
| | |
improve servers, harden musescore
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
|/ |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|