firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	AppArmor: Allow writing to removable media	Vincent43	2018-10-02
\|
*	apparmor: cleanup /home path	Vincent43	2018-08-29
\|
*	apparmor: disable exec from home by default	Vincent43	2018-08-27
\| \| \|	Executing from /home was supposed to be disabled by default
*	apparmor: improve rules for filesystem access	Vincent43	2018-08-27
\| \| \| \| \|	* Make clear distinction for read, write and execute. * Don't allow write and execute at the same time. * Simplify and improve syntax to catch more exceptions with fewer rules
*	Revert "apparmor fix: somehow it cannot find the firejail profile to load it"	Vincent43	2018-08-19
\| \| \| \| \| \| \| \| \| \| \| \|	This reverts commit 949a221a1b92e422e6dcb7ea6089ed5c8d5cc22a. The 'firejail-default' is the name of 'unnatached' profile not path to it. Moreover names starting with '/' are changing profile type back to 'standard' which in this case means we literally create profile for the profile file itself '/etc/apparmor.d/firejail-default'. That means firejail would never load this profile to contain any app thus we have to revert this. For more info, see https://www.suse.com/documentation/sles-15/singlehtml/book_security/book_security.html#sec.apparmor.profiles.types.unattached
*	apparmor fix: somehow it cannot find the firejail profile to load it	netblue30	2018-08-19
\|
*	wireshark.profile: enable apparmor	Vincent43	2018-08-15
\|
*	apparmor: cleanup duplicate rules	Vincent43	2018-08-15
\| \| \|	Those are already covered with https://github.com/netblue30/firejail/blob/0.9.56-rc1/etc/firejail-default#L33
*	apparmor: allow execution from /usr/lib64	Vincent43	2018-08-15
\| \| \|	/usr/lib64 was missing from execution whitelist and it's used in openSUSE, see https://github.com/netblue30/firejail/issues/2078
*	Blacklist all .snapshots directories in AppArmor profile	ಚಿರಾಗ್ ನಟರಾಜ್	2018-07-11
\|
*	AppArmor: allow dbus access by default	Vincent43	2018-06-07
\| \| \|	As discussed in https://github.com/netblue30/firejail/issues/1917#issuecomment-386002234 leave blacklisting dbus access to firejail userspace with 'nodbus' option. Fine grained blacklisting of particular dbus services can be added here in the future.
*	AppArmor: fix firefox sandbox	Vincent43	2018-05-29
\| \| \|	See https://github.com/netblue30/firejail/issues/1965
*	docs and comment updates	smitsohu	2018-04-20
\| \| \| \|	adds sorting to syscall list in firejail man page
*	AppArmor: disable MAC related capabilities	Vincent43	2018-04-12
\| \| \|	We probably don't want to control MAC or audit from firejail
*	Replace shell and seccomp filter for firefox >= 60, should fix #1765 and #1847	Fred-Barclay	2018-04-07
\|
*	drop cap_mac_admin in apparmor profile	smitsohu	2018-02-27
\|
*	Apparmor: Allow log Firejail blacklist violations	Vincent43	2018-02-19
\|
*	Log denied write access for easier debugging	Vincent43	2018-02-19
\| \| \|	After more testing we can disable logging gain.
*	Apparmor: blacklist /proc and /sys access from firejail	Vincent43	2018-02-19
\| \| \| \| \|	Firejail does blacklisting sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530 There is no need to duplicate this in apparmor using whitelisting approach which is much harder to do and needs never ending maintenance.
*	Apparmor: don't duplicate userspace /run/user restrictions	Vincent43	2018-02-19
\| \| \| \| \| \| \|	Currently userspace firejail do blacklist approach to /run/user/ directory. By default it blacklist /run/user//systemd and /run/user//gnupg. Additional restrictions can be enabled in profiles like blacklisting /run/user/**/bus , etc. The blacklist can be extended or degraded by profile which allows for fine grained hardening. In apparmor we do whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allow access. This duplicates functionality and amount of work to do. Moreover we end up with same list of allowed files as every one of them is used by some app and appamror profile is global. It's even worse as firejail blacklist can be disabled with "writable-run-user" command which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor. The solution for all above is to leave handling of /run/user to userspace firejail which is better tool to do this. In apparmor we should only handle things which firejail can't do.
*	Apparmor: Be more restrictive for chromium needs	Vincent43	2018-02-08
\|
*	Apparmor: fix various denials	Vincent43	2018-02-07
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Fixes following erros: wine: AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/2017" pid=11533 comm="wine" requested_mask="d" cups: AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 chromium: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/oom_score_adj" pid=7858 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/11/mem" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default" AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default" AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="trace" denied_mask="trace" peer="firejail-default" AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default" AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_score_adj" pid=7910 comm="chrome-sandbox" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_adj" pid=7910 comm="chrome-sandbox" requested_mask="w"
*	Apparmor: minor fixes	Vincent43	2018-02-03
\| \| \| \| \|	1. Allow for seven digit PID same as upstream do https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747 2. Fixed dbus functionality. Disabled by default.
*	apparmor support for --overlay sandboxes	netblue30	2018-01-24
\|
*	Apparmor: Revert /proc changes	Vincent43	2018-01-23
\|
*	Apparmor: fix kodi plugins	Vincent43	2018-01-22
\| \| \| \|	Kodi plugins need /proc/@PID/net/dev access outside user processes: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/28/net/dev" pid=2354 comm="kodi.bin" requested_mask="r" denied_mask="r"
*	Apparmor: restrict access	Vincent43	2018-01-21
\| \| \|	Access to writable files can be restricted to their owner only.
*	Revert: Escape '#' character in path	Vincent43	2018-01-17
\| \| \| \| \|	Escaping this create warning and is dropped anyway: Warning from /etc/apparmor.d/firejail-default (/etc/apparmor.d/firejail-default line 163): Character # was quoted unnecessarily, dropped preceding quote ('\') character
*	Escape '#' character in path	Vincent43	2018-01-05
\|
*	Apparmor: fix broken file dialogs in kde plasma	Vincent43	2018-01-04
\| \| \| \| \| \| \| \| \|	For some time apparmor started breaking file dialogs in kde plasma (gwenview, calibre, qbittorrent, etc). typical audit report below: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/run/user/1000/#28520" pid=1997 comm="qbittorrent" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="link" profile="firejail-default" name="/run/user/1000/qBittorrentZcaeTi.1.slave-socket" pid=3679 comm="qbittorrent" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/run/user/1000/#79965" This commit fixes this issue. Tested on Archlinux (linux 4.14.11, kde 5.11.5)
*	apparmor	netblue30	2017-10-12
\|
*	Enumerate root directories in apparmor profile	Antonio Russo	2017-10-03
\| \| \| \| \|	Replace opaque character class with an explicit list of root-level directories to be granted access.
*	Merge pull request #1426 from VladimirSchowalter20/master	startx2017	2017-08-02
\|\ \| \| \| \|	Apparmor: add local configuration
\| *	Minor fix for completness	Vladimir Schowalter	2017-08-02
\| \|
\| *	Apparmor: add local configuration	Vladimir Schowalter	2017-08-02
\| \|
* \|	Apparmor: update whitelist path for kde	Vladimir Schowalter	2017-08-02
\|/
*	Add some /proc dirs to firejail apparmor profile	Vladimir Schowalter	2017-08-02
\|
*	apparmor fixes	netblue30	2017-07-21
\|
*	remove trailing whitespace from etc/	Fred Barclay	2017-05-24
\|
*	apparmor/appimage support	netblue30	2016-10-09
\|
*	apparmor fix	netblue30	2016-10-04
\|
*	apparmor fixes for Arch Linux	netblue30	2016-08-04
\|
*	apparmor	netblue30	2016-08-03
\|
*	apparmor	netblue30	2016-08-02