| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
| |
/bin/sh is usually just a symlink to bash. However this is not the case
for every distro, debian for example uses dash. bash,dash and sh have a
blacklist command in disable-shell.inc. An own allow-*.inc for it
enusres usage of all necessary nolacklists.
For private-bin sh is enough because it follows symlinks.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add new profile: qnapi
* add new profile: qnapi
* Create qnapi.profile
* add qnapi configs
* Update README.md
* Update README.md
|
|
|
|
|
|
|
|
|
| |
* new profile: shotwell
* Create shotwell.profile
* new profile: shotwell
* add shotwell blacklists
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add yarn & reorder
* add node-gyp & yarn files
* Create nodejs-common.profile
* Create yarn.profile
* refactor npm.profile
* add new profile: yarn
* read-only's for npm/yarn
Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
* ignore read-only's for npm
As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
* ignore read-only for yarn
As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
* remove quiet from nodejs-common.profile
quiet should go into the caller profiles instead
* add quiet to npm.profile
Thanks @rusty-snake for the review.
* re-ordering some options
* re-ordering
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add profile for npm
* Apply suggestions from code review
* Remove redundant blacklisting of Wayland.
* Remove unnecessary noblacklist lines for nodejs.
* Replace absolute paths to .inc files with filenames.
* Remove unneeded dbus whitelisting.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Remove empty line
To keep consistent with other profiles, remove the blank line after the header comment.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add npm files to add-common-devel
So that our addition of npm paths to disable-programs.inc dose not break IDEs,
we need to unblacklist these same paths in allow-common-devel.inc.
* Remove extra blank line
* Add common whitelist includes to npm profile
* Tighten npm profile
Include disable-exec.inc, but allowing ${HOME}.
* Remove whitelist-common.inc from npm profile
whitelist-common breaks npm, and since we don't know where the user's npm
projects will be, leave the whitelist-common include in a comment with a note
about how to enable it for their setup.
* Fix inverted commands
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Fixes for whitelisting
* Add login.defs to npm profile's private-etc
Co-authored-by: Aidan Gauland <aidalgol+git@fastmail.net>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
| |
* new profile: tutanota-desktop
* add tutanota-desktop to firecfg
* blacklist tutanota-desktop files
* Create tutanota-desktop.profile
|
|\ |
|
| |\
| | |
| | | |
Small fixes
|
| | | |
|
| |/ |
|
|/ |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add the missing binaries in the DNS section, as suggested by @glitsj16:
https://github.com/netblue30/firejail/pull/3810#issuecomment-742920539
Packages and their relevant binaries:
* bind: dnssec-*
* knot: khost
* unbound: unbound-host
|
|
|
|
|
|
|
|
|
| |
* limit file system access with comments in archiver-common.inc
* note wording
* Warn against overtightening file system access
Be more explicit about things breaking when archiver profiles are too tight. Thanks for the suggestion by @rusty-snake in #3834.
|
|
|
|
|
|
|
|
|
|
|
| |
"Portable OpenBSD ksh, based on the Public Domain Korn Shell (pdksh)."
Project page: https://github.com/ibara/oksh
$ pacman -Q oksh
oksh 6.8.1-1
$ pacman -Qlq oksh | grep bin/
/usr/bin/
/usr/bin/oksh
|
|
|
|
|
|
|
| |
* New profiles for alacarte,tootle,photoflare
* Fix dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Create archiver-common.inc
* add apparmor to archiver-common.inc
* refactor 7z.profile
* refactor ar.profile
* refactor atool.profile
* refactor bsdtar.profile
* refactor cpio.profile
* refactor gzip.profile
* refactor tar.profile
* refactor unrar.profile
* refactor unzip.profile
* refactor xzdec.profile
* refactor zstd.profile
* rewording
* blacklist ${RUNUSER} in archiver-common.inc
Thanks to @rusty-snake for suggesting this.
* drop non-sensical ${RUNUSER}/wayland-* blacklisting in archiver-common.inc
See discussion in https://github.com/netblue30/firejail/pull/3820#discussion_r543523343
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Rename etc/inc/softmaker-common.inc to etc/profile-m-z/softmaker-common.profile
As per suggestion by @rusty-snake in https://github.com/netblue30/firejail/pull/3819#issuecomment-745244982
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Update and rename whitelist-players.inc to whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
|
|
|
|
|
|
|
|
|
|
|
| |
* streamline comments
* streamline comments
* streamline comments
* streamline comments
* streamline comments
|
|\
| |
| | |
Dc add ldns
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
drill(1) from ldns is the first tool suggested on the Arch Wiki for DNS
lookup:
https://wiki.archlinux.org/index.php/Domain_name_resolution#Lookup_utilities
Home page: https://www.nlnetlabs.nl/projects/ldns/about/
$ pacman -Q ldns
ldns 1.7.1-2
$ pacman -Qlq ldns | grep bin
/usr/bin/
/usr/bin/drill
/usr/bin/ldns-chaos
/usr/bin/ldns-compare-zones
/usr/bin/ldns-config
/usr/bin/ldns-dane
/usr/bin/ldns-dpa
/usr/bin/ldns-gen-zone
/usr/bin/ldns-key2ds
/usr/bin/ldns-keyfetcher
/usr/bin/ldns-keygen
/usr/bin/ldns-mx
/usr/bin/ldns-notify
/usr/bin/ldns-nsec3-hash
/usr/bin/ldns-read-zone
/usr/bin/ldns-resolver
/usr/bin/ldns-revoke
/usr/bin/ldns-rrsig
/usr/bin/ldns-signzone
/usr/bin/ldns-test-edns
/usr/bin/ldns-testns
/usr/bin/ldns-update
/usr/bin/ldns-verify-zone
/usr/bin/ldns-version
/usr/bin/ldns-walk
/usr/bin/ldns-zcat
/usr/bin/ldns-zsplit
/usr/bin/ldnsd
|
| | |
|
|/
|
|
|
| |
* add curl HSTS support
* add HSTS support
|
|
|
|
|
|
| |
- hopefully fix #3795 finally
- fix README.md codeblock
- blacklist ${HOME}/.texlive20*
|
|
|
|
|
|
|
|
|
| |
* Add profile for authenticator-rs, improve falkon, balsa
* Fix
* Add private-tmp to falkon
* Revert balsa
|
|
|
|
|
| |
Games folder must be whitelisted in a dolphin-emu.local
Its private-etc can likely be shortened
|
| |
|
|
|
|
|
|
|
|
| |
- Lutris isn't added to firecfg just yet, needs more testing
- aria2c profile has a comment regarding Lutris/Winetricks,
but it shouldn't matter since it can't be nested
- Add commented wusc to wine.profile
- Add vulkan and zenity to wusc.inc
|
| |
|
|
|
|
|
|
| |
If the GDM display manager runs with Wayland support, and it starts a
desktop environment other than (?) GNOME, the desktop environment will
use the `wayland-1` socket instead of the `wayland-0` socket.
|
|
|
|
|
|
| |
- disable-common: read-only ${HOME}/.zfunc
- fix #3761 -- w3m with w3m-img installed does not display images when on virtual console/framebuffer
- yelp can be used to display manpages
|
|
|
|
|
| |
* Add profile for straw-viewer
* Remove blacklist, fixes
|
|\
| |
| | |
from my overrides
|
| |
| |
| |
| |
| |
| |
| |
| | |
- add seccomp.block-secondary to a lot profiles
- add wruc to firefox-common and ignore it in TB and
firefox-common-addons
- harden dia, gnome-keyring, libreoffice, megaglest, pngquant,
ghostwriter, rhythmbox, sqlitebrowser
|
| |
| |
| | |
Follow-up from discussion in https://github.com/netblue30/firejail/pull/3751.
|
|/ |
|
|
|
|
| |
…eed to wruc
|
|
|
|
| |
- this might need to be looked into
|
| |
|
| |
|
|
|
| |
Added ${HOME}/.alsaequal.bin to fix #3736
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- .github/ISSUE_TEMPLATE/bug_report.md: get ride off spanish,
french, ... error messages
- etc/inc/firefox-common-addons.inc: support ff2mpv
- etc/profile-a-l/gimp.profile: note about xsane
- etc/profile-m-z/min.profile: prettify
- etc/profile-m-z/mpsyt.profile: fix, add lua
- etc/profile-m-z/qbittorrent.profile: add note for tray-icons; this
will get a better note once I investigated and audited all the D-Bus
tray stuff.
- etc/profile-m-z/transmission-daemon.profile: fix, add protocol packet
close #3686 - mps-youtube needs lua
close #3701 - Firefox native messaging regression in 0.9.62.4 -> 0.9.64rc1
close #3636 - transmission-daemon fills log with error
close #3640 - Gimp - add note how to enable scanning (xsane)
close #3707 - qBittorrent tray icon missing from notification panel when running it with firejail
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* rework chromium
+ 516d0811 has removed fundamental security features.
(remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
Though this is only necessary if running under a kernel which
disallow
unprivileged userns clones. Arch's linux-hardened and debian kernel
are
patched accordingly. Arch's linux and linux-lts kernels support this
restriction via sysctk (kernel.unprivileged_userns_clone=0) as users
opt-in.
Other kernels such as mainline or fedora/redhat always support
unprivileged
userns clone and have no sysctl parameter to disable it. Debian and
Arch
users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
This commit adds a chromium-common-hardened.inc which can be included
in
chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the
following
profiles until tested. tests welcome.
- [ ] bnox, dnox, enox, inox, snox
- [ ] brave
- [ ] flashpeak-slimjet
- [ ] google-chrome, google-chrome-beta, google-chrome-unstable
- [ ] iridium
- [ ] min
- [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
/usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
missed also some features from vivaldi.profile, solve this by making
it
redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind
BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
as AAC too. In addition vivaldi shows a something is broken pop-up,
we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
|
|
|
|
| |
linphone 4.0 changed the location of config and database files
to respect freedesktop standards.
|
| |
|
|
|
|
|
|
|
|
| |
- update README.md and RELNOTES
- add 'blacklist ${RUNUSER}/.flatpak-cache' to disable-common.inc
- fix #3728, fonts in openSUSE KDE with wc / wusc
- fix gnome-todo
- fix xournalpp MathTeX whitelist
|
|
|
|
|
|
|
| |
* Update firecfg.config
* Update disable-programs.inc
* Create spectacle.profile
|