| Commit message (Collapse) | Author | Age |
|\
| |
| | |
Fix vscodium
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It creates the following directories on startup:
* ~/.config/VSCodium
* ~/.vscode-oss
Environment:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q vscodium-bin
vscodium-bin 1.60.2-2
Note: The following entry is already on disable-programs.inc:
noblacklist ${HOME}/.vscode-oss
It was added on commit de90834a8 ("Update disable-programs.inc",
2019-03-02).
Relates to #3871.
|
|\ \
| |/
|/| |
Add profiles for build-systems (/package-managers)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip
All redirect to build-systems-common.profile
Other fixes:
- blacklist ${HOME}/.bundle
- blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo
- blacklist /usr/lib64/ruby
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* cheese
- fix: dbus-user.own org.gnome.Cheese
- fix: whitelist /usr/share/gstreamer-1.0
- fix: include allow-python3.inc
- hardening: include disable-shell.inc
- hardening: include whitelist-run-common.inc and whitelist /run/udev/data
- hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
- hardening: noinput
- hardening: nosound
- hardening: seccomp.block-secondary
- hardening: private-dev
* geekbench (closes #4576)
- fix: noblacklist /sbin and noblacklist /usr/sbin
- fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
- fix: comment/remove private-bin, private-lib, private-opt
* inkscape
- add quiet for cli usage
* musixmatch (#4518)
- allow chroot
* pandoc
- fix: include allow-bin-sh.inc
- fix: drop private-bin
- hardening: include whitelist-runuser-common.inc
- hardening: seccomp.block-secondary
|
| | |
|
|\ \
| |/
|/| |
Blacklist Exodus wallet
|
| | |
|
|/
|
|
|
|
|
|
|
|
| |
- disable-programs.inc: blacklist ${HOME}/.local/state/pipewire
If you did not yet noticed, on 08th May 2021 the XDG Base Directory
Specification 0.8 was resleased (the first update since 2010). New are
$XDG_STATE_HOME and $HOME/.local/bin.
- keepassxc: mkdirs are necessary
- gnote: harden
- pngquant: harden
|
|\
| |
| | |
create yt-dlp.profile
|
| | |
|
|/ |
|
|
|
|
|
| |
(#4461)
See #4454
|
|
|
|
|
|
|
|
|
|
| |
- Fix #4157 -- [Feature] Should rmenv GitHub auth tokens
There are still more token variables from other program that should be
added.
- Fix #4093 -- darktable needs read access to liblua*
- Fix #4383 -- move noblacklist ${HOME}/.bogofilter to email-common.profile for claws-mail (and other mailers)
- Fix xournalpp.profile
- syscalls.txt: ausyscall i386 -> firejail --debug-syscalls32
|
| |
|
|\ |
|
| |\ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add ms-edge-beta paths to disable-programs.inc
Support firecfg
Adding to release notes (already added to README.md)
|
| | | |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit fe0f975f447d59977d90c3226cc8c623b31b20b3.
Note: This only reverts the changes from etc.
The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases.
That is, they fail to address the different usability problems discussed
on [#3447][3447] and in fact only make things more confusing (as has
already been mentioned on [this][4379] and later comments). The main
reason is that the aliases do not meaningfully map to the original
commands. For example, the commands from each pair below seem like they
would do the exact same thing:
* `allow` and `nodeny`
* `deny` and `noallow`
Additionally, if these aliases are not the final commands, but only a
test/work-in-progress, then keeping the wide-scale search/replace
changes made on commit fe0f975f4 would only serve to cause confusion, as
users of firejail-git, contributors and downstream projects might start
changing the commands used on their profiles, only to later have to
change them again, potentially to completely different commands.
The sooner this is undone the better, as (besides the above reasons) the
more profile changes there are between the original commit and the
revert, the harder it is to e.g.: `git diff` versions of files across
the following revision ranges: before the commit, after the commit but
before the revert and after the revert. Note: This is still the case
even if a commit is [ignored by `git blame`][4390].
So let us revert fe0f975f4 and only reapply similar large-scale changes
once we have discussed and settled on better commands.
How the revert was applied: Despite using the auto-generated message
from `git revert`, to ensure correctness and to avoid conflicts the
changes were reverted in different steps: Firstly, revert the files
which can be safely reverted directly ("filestorevert"):
# Find out which files have been changed on fe0f975f44, but have not
# been changed afterwards and list them on "filestorevert"
git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles
git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore
comm -2 -3 allfiles filestoignore >filestorevert
# Note: There are 3 extra files on filestoignore because they were
# added after commit fe0f975f44
wc -l allfiles filestoignore filestorevert | head -n 3
# 797 allfiles
# 8 filestoignore
# 792 filestorevert
# Automatically revert files in "filestorevert"
# See https://stackoverflow.com/a/23401018/10095231
tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- |
git apply --reverse
printf 'Total files reverted:\n'
git diff --name-only | wc -l
# 792
Secondly, do some search/replace on the rest:
tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \
-e 's/allow /whitelist /' -e 's/noallow /nowhitelist /' \
-e 's/deny /blacklist /' -e 's/nodeny /noblacklist /' \
-e 's/deny-nolog /blacklist-nolog /'
find etc -name '*.bak' -print0 | xargs -0 rm
Thirdly, verify the result. The following command shows the difference
between all the changes in etc from before fe0f975f44 and this commit
(inclusive):
git diff fe0f975f44~1 -- etc
From the output, it looks like all alias changes are fully reverted and
that the other changes to etc (from after fe0f975f44) remain, so the
revert seems to be done correctly.
[3447]: https://github.com/netblue30/firejail/issues/3447
[4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222
[4390]: https://github.com/netblue30/firejail/issues/4390
|
|/ |
|
|\
| |
| | |
Update Clion profile and Add Clion EAP profile
|
| | |
|
| | |
|
|/ |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* firecfg.config alpine
* Create alpinef.profile
* Create alpine.profile
* disable-programs.inc alpine
* workaround in comment
* Update etc/profile-a-l/alpine.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* deactivating whitelists in ${HOME}
* comment
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Create links-common.profile
* Update links.profile
* Create links2.profile
* Update links.profile
* Update links2.profile
* Update elinks.profile
* Update elinks.profile
* links2
* Update firecfg.config
* Update xlinks.profile
* .xlinks
* add dbus and whitelist-usr-share-common
* .xlinks doesn't exist
* revert
* Create xlinks2
* xlinks2
* Update xlinks2
* Update xlinks.profile
* no wayland
* no wayland
* doesn't use /tmp/.X11-unix
* doesn't use /tmp/.X11-unix
* noblacklist /tmp/.X11-unix
* noblacklist /tmp/.X11-unix
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add support for cargo toml/non-toml files
* add support for cargo toml/non-toml files
* use globbing to blacklist Rust files
See https://github.com/netblue30/firejail/pull/4286#issuecomment-845318446.
* use globbing to blacklist cargo/Rust files
See https://github.com/netblue30/firejail/pull/4286#issuecomment-845318446.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Create node.profile
* Create node-gyp.profile
* refactor npm as redirect
* Create npx.profile
* Create nvm.profile
* Create semver.profile
* refactor yarn as redirect
* collect node.js stack configuration in common profile
* add ~/.nvm to node section
* account for node-gyp python dependency
* read-only ~/.nvm for node.js stack
* blacklist ~/.nvm for node.js stack
* move env var comment cfr. profile.template
* Delete node-gyp.profile
node-gyp is a shell script with a node shebang. We've got that covered via node.profile.
* Delete npx.profile
npx is a shell script with a node shebang. We've got that covered via node.profile.
* Delete semver.profile
semver is a shell script that calls node. We've got that covered via node.profile.
* add node and nvm to new profiles section
|
|\
| |
| | |
New profile for neochat
|
| | |
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to using globbing on mkdir, the current version causes this:
@davidebeatrici commented on 2021-04-23[1]:
> ```
> Error: "${HOME}/.local/share/RogueLegacy*" is an invalid filename: rejected character: "*"
> ```
Added on commit a603d4d39 ("steam: some more games added") / PR #4170.
The wildcard was used because Rogue Legacy apparently looks up multiple
different paths for the config and also for the data[1][2][3]:
1. ~/.config/RogueLegacy
2. ~/.config/RogueLegacyStorageContainer
3. ~/.local/share/RogueLegacy
4. ~/.local/share/RogueLegacyStorageContainer
The ones containing "RogueLegacyStorageContainer" appear to be legacy
paths (i.e.: paths which are only created by older versions of Rogue
Legacy)[2].
So replace all globs with the full paths because:
* The paths are known a priori (unlike, say, `/var/lib/libpcre*`)
* There aren't too many of them
And use only the non-legacy paths on mkdir. Besides mirroring what the
current version of Rogue Legacy does (and avoiding the creation of
unnecessary dirs), this is also done because _if_ the following applies
(i.e.: this was not tested):
* legacy paths take precedence over non-legacy paths
* the first path clobbers the other ones (i.e.: rather than "merge")
* save data exists in a non-legacy path (i.e.: path 3 in this case)
* firejail creates all 4 paths
Then it would make the newly-created and empty path 4 clobber the
non-legacy path 3 and thus make it seem like no save files exist. This
would persist even if steam is run without firejail afterwards, as the
empty directory would still be there. Losing (or appearing to lose)
game saves can be very unfortunate, so create just the non-legacy paths
to avoid confusion.
[1] https://github.com/netblue30/firejail/pull/4170#issuecomment-825405930
[2] https://steamcommunity.com/app/241600/discussions/1/846957366713233279/
[3] https://www.pcgamingwiki.com/wiki/Rogue_Legacy#Game_data
|
|\
| |
| | |
Commons of opengl-game-wrapper.sh
|
| |
| |
| |
| |
| |
| |
| | |
…, gl-117, glaxium, pinball
alienarena is missing in firecfg.config by intention, I didn't tested
any online multiplayer.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add firedragon profile
* Point private-etc to firefox-common.local
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add to firecfg.config
* Add firedragon to disable-programs.inc
* Correct dir
* Remove private-etc
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
|
|
|
|
| |
* New profile: Quodlibet
* New profile: Quodlibet
|
| |
|
| |
|
|
|
| |
closes #4115
|
|\
| |
| | |
[minor] qcomicbook and pipe-viewer in disable-programs
|
| | |
|
| |
| |
| | |
qcomicbook is the "PawelStolowski" folders
|
|\ \
| | |
| | | |
Create bcompare.profile
|
| | | |
|
| | | |
|
| | | |
|