| Commit message (Collapse) | Author | Age |
|\
| |
| | |
profiles: allow lxqt config dir
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As suggested by @glitsj16:
https://github.com/netblue30/firejail/discussions/5754#discussioncomment-5428651
Fixes #5754 (font size/dpi issues).
Reported-by: @hotcapy
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Command used to search for entries:
$ git grep '^read-only ${HOME}/' -- 'etc/profile*'
Note for gpg: ~/.gnupg/gpg.conf is apparently only managed by gpgconf(1)
rather than through gpg(1) itself, in which case it does not need to be
made read-write in gpg.profile.
|
| |
| |
| |
| |
| |
| |
| |
| | |
This is an AUR helper and disable-common.inc has entries for pacman and
other system package managers.
Added on commit 6c10737f0 ("archaudit-report and cower for Arch
platforms, #1642", 2017-11-15).
|
| |
| |
| |
| |
| |
| |
| | |
Instead of duplicating them on every profile that tries to allow opening
links in Firefox.
And make that path read-write on firefox.profile.
|
|/
|
|
|
|
|
| |
Note: mpv itself does not modify anything in ~/.config/mpv as far as I
know, in which case it does not need a read-write entry.
Relates to #5706 #5707 #5710.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* microsoft-edge*: fix spacing
* Create microsoft-edge-stable.profile
Relates to #5696.
* firecfg.config: add support for microsoft-edge-stable redirect
* disable-common.inc: blacklist msedge SUID executables
* microsoft-edge: add private-opt and allow internal sandbox access
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Arch Linux got systemd v253:
https://github.com/archlinux/svntogit-packages/commit/05d0aedb2b83a2e1ba07cab47205772f82cb4814
It adds a few new files we should blacklist in `disable-common.inc`:
- /etc/credstore
- /etc/credstore.encrypted
- /run/credentials/systemd-sysctl.service
- /run/credentials/systemd-sysusers.service
- /run/credentials/systemd-tmpfiles-setup.service
- /run/credentials/systemd-tmpfiles-setup-dev.service
|
| |
|
|
|
|
|
|
| |
Similarly to the existing ~/.nanorc entry.
Taken from nano.profile.
|
|
|
|
|
|
|
|
|
| |
Move some paths from mutt.profile and neomutt.profile.
Added on commit 6b9bfad37 ("Fix python; add read-only to editors/cli
browsers;re-add cache directory", 2020-12-29) / PR #3849.
Misc: This is a follow-up to #5626.
|
| |
|
|
|
|
|
|
|
|
|
| |
This is already blocked by the first entry:
blacklist-nolog ${HOME}/.*_history
Added on commit 1d56e466c ("three new blacklist in disable-common.inc",
2019-06-18).
|
|
|
|
|
|
|
|
|
|
|
| |
From the manual of mutt 2.2.9:
> 3.125. history_file
>
> Type: path
> Default: "~/.mutthistory"
>
> The file in which Mutt will save its history.
|
|
|
|
|
|
|
| |
* add comment on intentional duplication of blacklisted kernel configuration
* disable-proc.inc: update the duplication comment
* disable-common.inc: add duplication notice for kernel configuration
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenDoas is an alternative to sudo. It is an unofficial port of
OpenBSD's doas. Details:
$ LC_ALL=C pacman -Si galaxy/opendoas |
grep -e '^Version' -e '^Description' -e '^URL'
Version : 6.8.2-1
Description : Run commands as super user or another user
URL : https://github.com/Duncaen/OpenDoas
Environment: Artix Linux.
Also, add /etc/doas.conf to etc/ids.config.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To disable-shell.inc.
Interactive shells can be executed from certain development-related
programs (such as IDEs) and the shells themselves are not blocked by
default, but this shell startup directory currently is. To avoid
running a shell without access to potentially needed startup files, only
blacklist /etc/profile.d when interactive shells are also blocked.
Note that /etc/profile.d should only be of concern to interactive
shells, so a profile that includes both disable-shell.inc and
allow-bin-sh.inc (which likely means that it needs access to only
non-interactive shells) should not be affected by the blacklisting.
Relates to #3411 #5159.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Default paths as of neovim 0.7.0:
* backupdir: $XDG_DATA_HOME/nvim/backup//
* directory: $XDG_DATA_HOME/nvim/swap//
* undodir: $XDG_DATA_HOME/nvim/undo//
* viewdir: $XDG_DATA_HOME/nvim/view//
* shada file: $XDG_DATA_HOME/nvim/shada/main.shada
* log dir: $XDG_CACHE_HOME/nvim/log
Default paths as of [1]:
* backupdir: $XDG_STATE_HOME/nvim/backup//
* directory: $XDG_STATE_HOME/nvim/swap//
* undodir: $XDG_STATE_HOME/nvim/undo//
* viewdir: $XDG_STATE_HOME/nvim/view//
* shada file: $XDG_STATE_HOME/nvim/shada/main.shada
* log dir: $XDG_STATE_HOME/nvim/log
[1] https://github.com/neovim/neovim/pull/15583
|
| |
|
|\
| |
| | |
disable-common.inc: make ~/.config/pkcs11 read-only
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It looks like it allows arbitrary command execution. From
pkcs11.conf(5):
> remote:
> Instead of loading the PKCS#11 module locally, run the module
> remotely.
>
> Specify a command to run, prefixed with | a pipe. The command
> must speak the p11-kit remoting protocol on its standard in
> and standard out. For example:
>
> remote: |ssh user@remote p11-kit remote /path/to/module.so
>
> Other forms of remoting will appear in later p11-kit releases.
Environment: p11-kit 0.24.1-1 on Artix Linux.
Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").
With this commit applied, all read-only entries on whitelist-commons.inc
are also part of disable-common.inc.
See also the discussion on #5069.
|
|/
|
|
|
|
|
|
|
|
| |
This directory is monitored by both appimaged[1] and
AppImageLauncher[2]. Also, when opening an AppImage with
AppImageLauncher, it may prompt the user to move the AppImage to
~/Applications.
[1] https://github.com/AppImage/appimaged/blob/2323f1825ed6abe19f2d3791d81307449692be03/README.md#monitored-directories
[2] https://github.com/TheAssassin/AppImageLauncher/wiki/Configuration
|
|
|
|
|
| |
* opera fixes
* disable-common.inc: add blacklist /usr/lib/opera/opera_sandbox
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://github.com/netblue30/firejail/discussions/4993 (#5042)
* refactor mupdf
* refactor mupdf
* refactor mupdf
* refactor mupdf
* add mupdf-gl blacklist
* move history file back to mupdf-gl
* refactor mupdf-gl
* add no3d to mupdf.profile
* add suggestions from review
* drop unix from protocol [accumulates]
* fix protocol
|
| |
|
|\
| |
| | |
Add neovim profile
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tor-browser 11.0.2-1 doesn't work without whitelisting this directory. The
following was the message I got before whitelisting this directory.
Reading profile /etc/firejail/tor-browser.profile
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 12653, child pid 12654
104 programs installed in 153.32 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode
Warning: skipping pki for private /etc
Private /etc installed in 64.84 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 325.75 ms
/usr/bin/tor-browser: [Error] The tor-browser archive could not be extracted to your home directory.
Check the permissions of ~/.local/opt/tor-browser/app.
The error log can be found in ~/.local/opt/tor-browser/LOG.
/usr/bin/tor-browser: line 218: ~/.local/opt/tor-browser/app/Browser/start-tor-browser: No such file or directory
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
- Update RELNOTES and README.md
- disable-common.inc
- blacklist ${HOME}/.local/share/ibus-typing-booster
- blacklist /run/timeshift (closes #4660)
- fix audacity.profile (closes #4659)
|
|\
| |
| | |
disable-common.inc: fix paths of slock and physlock
|
| |
| |
| |
| |
| |
| | |
Added on commit f0adf06c3 ("disable-common.inc: more SUID", 2021-11-09).
Relates to #4668.
|
|/ |
|
|
|
| |
Suggested in https://github.com/netblue30/firejail/pull/4675#discussion_r746510840. Makes sense!
|
|
|
|
| |
Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
NOTE: there are several other profiles touching /usr/libexec, so untill someone on Fedora can shed some light on what files are installed under /usr/libexec, I only blacklisted ssh-keysign. I'll pick this up tomorrow, a bit pressed for time in the non-digital worlds...
|
|
|
| |
Counterpart fix for changes in allow-ssh.inc.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
(#4461)
See #4454
|
| |
|
|
|
| |
As suggested in https://github.com/netblue30/firejail/pull/4420#discussion_r676929867.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit fe0f975f447d59977d90c3226cc8c623b31b20b3.
Note: This only reverts the changes from etc.
The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases.
That is, they fail to address the different usability problems discussed
on [#3447][3447] and in fact only make things more confusing (as has
already been mentioned on [this][4379] and later comments). The main
reason is that the aliases do not meaningfully map to the original
commands. For example, the commands from each pair below seem like they
would do the exact same thing:
* `allow` and `nodeny`
* `deny` and `noallow`
Additionally, if these aliases are not the final commands, but only a
test/work-in-progress, then keeping the wide-scale search/replace
changes made on commit fe0f975f4 would only serve to cause confusion, as
users of firejail-git, contributors and downstream projects might start
changing the commands used on their profiles, only to later have to
change them again, potentially to completely different commands.
The sooner this is undone the better, as (besides the above reasons) the
more profile changes there are between the original commit and the
revert, the harder it is to e.g.: `git diff` versions of files across
the following revision ranges: before the commit, after the commit but
before the revert and after the revert. Note: This is still the case
even if a commit is [ignored by `git blame`][4390].
So let us revert fe0f975f4 and only reapply similar large-scale changes
once we have discussed and settled on better commands.
How the revert was applied: Despite using the auto-generated message
from `git revert`, to ensure correctness and to avoid conflicts the
changes were reverted in different steps: Firstly, revert the files
which can be safely reverted directly ("filestorevert"):
# Find out which files have been changed on fe0f975f44, but have not
# been changed afterwards and list them on "filestorevert"
git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles
git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore
comm -2 -3 allfiles filestoignore >filestorevert
# Note: There are 3 extra files on filestoignore because they were
# added after commit fe0f975f44
wc -l allfiles filestoignore filestorevert | head -n 3
# 797 allfiles
# 8 filestoignore
# 792 filestorevert
# Automatically revert files in "filestorevert"
# See https://stackoverflow.com/a/23401018/10095231
tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- |
git apply --reverse
printf 'Total files reverted:\n'
git diff --name-only | wc -l
# 792
Secondly, do some search/replace on the rest:
tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \
-e 's/allow /whitelist /' -e 's/noallow /nowhitelist /' \
-e 's/deny /blacklist /' -e 's/nodeny /noblacklist /' \
-e 's/deny-nolog /blacklist-nolog /'
find etc -name '*.bak' -print0 | xargs -0 rm
Thirdly, verify the result. The following command shows the difference
between all the changes in etc from before fe0f975f44 and this commit
(inclusive):
git diff fe0f975f44~1 -- etc
From the output, it looks like all alias changes are fully reverted and
that the other changes to etc (from after fe0f975f44) remain, so the
revert seems to be done correctly.
[3447]: https://github.com/netblue30/firejail/issues/3447
[4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222
[4390]: https://github.com/netblue30/firejail/issues/4390
|