| Commit message (Collapse) | Author | Age |
| |
|
| |
|
|
|
| |
closes #4115
|
|\
| |
| | |
[minor] qcomicbook and pipe-viewer in disable-programs
|
| | |
|
| |
| |
| | |
qcomicbook is the "PawelStolowski" folders
|
|\ \
| | |
| | | |
Create bcompare.profile
|
| | | |
|
| | | |
|
| | | |
|
| |/
|/|
| |
| | |
Left out of firecfg because I think it was buggy.
|
|\ \
| | |
| | | |
Add profile for youtube-dl-gui & some other changes
|
| | | |
|
|/ / |
|
| | |
|
|/ |
|
|\
| |
| | |
Email part (2)
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Create calligragemini.profile
* Update calligra.profile
* Update calligra.profile
* Update firecfg.config
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Update disable-programs.inc
* Update firecfg.config
* Create avidemux.profile
* Update avidemux.profile
|
|\ \
| | |
| | | |
ssh: Refactor, fix bugs & harden
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
That was added on the commit e93fbf3bd ("disable ssh-agent sockets in
disable-programs.inc").
Currently, it's the only ssh-related entry on disable-programs.inc.
Further, it seems that all the other socket blacklists live on
disable-common.inc. Also, even though this socket does not necessarily
allow arbitrary command execution on the local machine (like some paths
on disable-common.inc do), it could still do so for remote systems.
Put it above the "top secret" section, like the terminal sockets are
above the terminal server section.
|
| | | |
|
|\ \ \
| | | |
| | | | |
New profile for CoyIM
|
| | |/
| |/| |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* refactor google-earth{-pro} blacklisting
* fix google-earth-pro.profile
I've included all binaries found in the Arch Linux AUR package to private-bin. But I also added a note on ignoring private-bin because I'm not sure what google-earth is doing on other distro's.
* unbreak google-earth.profile
Not sure why we need grep, ls and sed in private-bin exactly but keeping them around wouldn't hurt too much I guess.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* add new profile: qnapi
* add new profile: qnapi
* Create qnapi.profile
* add qnapi configs
* Update README.md
* Update README.md
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| | |
* new profile: shotwell
* Create shotwell.profile
* new profile: shotwell
* add shotwell blacklists
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* add yarn & reorder
* add node-gyp & yarn files
* Create nodejs-common.profile
* Create yarn.profile
* refactor npm.profile
* add new profile: yarn
* read-only's for npm/yarn
Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
* ignore read-only's for npm
As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
* ignore read-only for yarn
As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
* remove quiet from nodejs-common.profile
quiet should go into the caller profiles instead
* add quiet to npm.profile
Thanks @rusty-snake for the review.
* re-ordering some options
* re-ordering
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add profile for npm
* Apply suggestions from code review
* Remove redundant blacklisting of Wayland.
* Remove unnecessary noblacklist lines for nodejs.
* Replace absolute paths to .inc files with filenames.
* Remove unneeded dbus whitelisting.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Remove empty line
To keep consistent with other profiles, remove the blank line after the header comment.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add npm files to add-common-devel
So that our addition of npm paths to disable-programs.inc dose not break IDEs,
we need to unblacklist these same paths in allow-common-devel.inc.
* Remove extra blank line
* Add common whitelist includes to npm profile
* Tighten npm profile
Include disable-exec.inc, but allowing ${HOME}.
* Remove whitelist-common.inc from npm profile
whitelist-common breaks npm, and since we don't know where the user's npm
projects will be, leave the whitelist-common include in a comment with a note
about how to enable it for their setup.
* Fix inverted commands
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Fixes for whitelisting
* Add login.defs to npm profile's private-etc
Co-authored-by: Aidan Gauland <aidalgol+git@fastmail.net>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* new profile: tutanota-desktop
* add tutanota-desktop to firecfg
* blacklist tutanota-desktop files
* Create tutanota-desktop.profile
|
|\ \ |
|
| |\ \
| | | |
| | | | |
Small fixes
|
| | |/ |
|
| |/ |
|
|/ |
|
| |
|
|
|
|
|
|
|
| |
* New profiles for alacarte,tootle,photoflare
* Fix dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
|
|
|
|
| |
* add curl HSTS support
* add HSTS support
|
|
|
|
|
|
| |
- hopefully fix #3795 finally
- fix README.md codeblock
- blacklist ${HOME}/.texlive20*
|
|
|
|
|
|
|
|
|
| |
* Add profile for authenticator-rs, improve falkon, balsa
* Fix
* Add private-tmp to falkon
* Revert balsa
|
|
|
|
|
| |
Games folder must be whitelisted in a dolphin-emu.local
Its private-etc can likely be shortened
|
|
|
|
|
|
|
|
| |
- Lutris isn't added to firecfg just yet, needs more testing
- aria2c profile has a comment regarding Lutris/Winetricks,
but it shouldn't matter since it can't be nested
- Add commented wusc to wine.profile
- Add vulkan and zenity to wusc.inc
|
|
|
|
|
| |
* Add profile for straw-viewer
* Remove blacklist, fixes
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* rework chromium
+ 516d0811 has removed fundamental security features.
(remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
Though this is only necessary if running under a kernel which
disallow
unprivileged userns clones. Arch's linux-hardened and debian kernel
are
patched accordingly. Arch's linux and linux-lts kernels support this
restriction via sysctk (kernel.unprivileged_userns_clone=0) as users
opt-in.
Other kernels such as mainline or fedora/redhat always support
unprivileged
userns clone and have no sysctl parameter to disable it. Debian and
Arch
users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
This commit adds a chromium-common-hardened.inc which can be included
in
chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the
following
profiles until tested. tests welcome.
- [ ] bnox, dnox, enox, inox, snox
- [ ] brave
- [ ] flashpeak-slimjet
- [ ] google-chrome, google-chrome-beta, google-chrome-unstable
- [ ] iridium
- [ ] min
- [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
/usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
missed also some features from vivaldi.profile, solve this by making
it
redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind
BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
as AAC too. In addition vivaldi shows a something is broken pop-up,
we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
|