path: root/etc/inc
Commit message [Author, Age]
* profiles: move ~/.rustup blacklist to disable-programs.inc (#5969) [Kelvin M. Klann, 2023-08-23]
|     Which also blacklists ~/.cargo.
|
|     Note that ~/.rustup is the only `${HOME}` entry in disable-devel.inc.
|
|     Added on commit 8d9b12d1c ("New profiles + fixes + hardening", 2020-09-14).
* disable-devel.inc: split packaging-related entries [Kelvin M. Klann, 2023-08-23]
|     `dh_*` and `fakeroot` can be used when building .deb packages; they are not part of autoconf/automake.
* disable-devel.inc: sort entries [Kelvin M. Klann, 2023-08-23]
|     And fix a few inconsistent comments.
* profiles: move fakeroot blacklisting to disable-devel.inc (#5968) [glitsj16, 2023-08-23]
|     As of commit 96beb3358, `fakeroot` is blacklisted in disable-common.inc, which may break makepkg and other build-related tools; cfr [1].
|
|     [1] https://github.com/netblue30/firejail/commit/96beb3358c430a5e470ce02fd64ffc3f7fc23706#r125237349.
* update disable-devel.inc [netblue30, 2023-08-22]
|
* a second round of blacklisting in disable-common.inc [netblue30, 2023-08-22]
|
* profiles: restore entries for ssh-related paths [Kelvin M. Klann, 2023-08-21]
|     This partially reverts commit d94f54736 ("disable all ssh utilities in disable-common.inc", 2023-08-20).
|
|     Certain files in ~/.ssh are only used by sshd (not by ssh), so always blacklist them.
|
|     Also, ssh itself does not need write access to the configuration files, so make them read-only by default.
|
|     For details, see commit 2ec3f3a96 ("disable-common.inc: add missing openssh paths", 2021-01-09) / PR #3885.
|
|     Cc: @netblue30
* disable all /bin/dpkg* programs in disable-common.inc [netblue30, 2023-08-20]
|
* disable all ssh utilities in disable-common.inc [netblue30, 2023-08-20]
|
* New profile: journal-viewer (#5943) [glitsj16, 2023-08-10]
|
* mpv.profile: add new XDG_CACHE_HOME path [Kelvin M. Klann, 2023-08-03]
|     mpv v0.36.0 uses ~/.cache/mpv[1] [2]:
|
|     Relates to #2838 #5936.
|
|     [1] https://github.com/mpv-player/mpv/releases/tag/v0.36.0
|     [2] https://github.com/mpv-player/mpv/pull/10838
* mpv.profile: add new XDG_STATE_HOME path [CodeWithMa, 2023-08-03]
|     The new version of mpv changed the path of the watch_later folder to ~/.local/state/mpv/watch_later.
|
|     See https://github.com/mpv-player/mpv/pull/10838
* gramps: bring in new config directory (#5933) [glitsj16, 2023-07-31]
|     * disable-programs.inc: add new gramps dir
|     * gramps: add new config dir
* New profile: sniffnet (#5920) [glitsj16, 2023-07-25]
|     * disable-programs.inc: add sniffnet support
|     * Create sniffnet.profile
|     * firecfg.config: add sniffnet support
* profiles: Miscellaneous cleanups (#5918) [glitsj16, 2023-07-25]
|
* update mov-cli (#5924) [pirate486743186, 2023-07-25]
|     Co-authored-by: pirate486743186 <>
* Create mullvad-browser.profile (#5887) [glitsj16, 2023-07-22]
|     Homepage: https://mullvad.net/en/download/browser/linux
|
|     mullvad-browser: don't use restrict-namespaces
|
|     mullvad-browser: cover both installation paths
|
|     Suggested in review by @kmk3.
* sqlitebrowser remote support (#5909) [glitsj16, 2023-07-20]
|     * disable-programs.inc: add remote sqlitebrowser support
|     * sqlitebrowser: add support for remote functionality
* disable-common.inc: blacklist sudo/doas paths in /etc [Kelvin M. Klann, 2023-07-14]
|     Commands used to find the relevant paths in /etc:
|
|         $ pacman -Qo /etc/* 2>/dev/null | grep sudo | LC_ALL=C sort
|         /etc/pam.d/ is owned by sudo 1.9.14.p1-1
|         /etc/sudo.conf is owned by sudo 1.9.14.p1-1
|         /etc/sudo_logsrvd.conf is owned by sudo 1.9.14.p1-1
|         /etc/sudoers is owned by sudo 1.9.14.p1-1
|         /etc/sudoers.d/ is owned by sudo 1.9.14.p1-1
|
|     Environment: Artix Linux.
|
|     Also, add missing paths sudo/doas to etc/ids.config and jailcheck.
|
|     See also commit dbebd71db ("disable-common.inc: blacklist doas binary", 2022-10-05).
|
|     Relates to #5385.
|
|     Reported-by: Dieter Plaetinck <dieter@plaetinck.be>
* Merge pull request #5881 from glitsj16/rssguard [netblue30, 2023-07-13]
|\
| |     New profile: rssguard
| * disable-programs.inc: fix ordering rssguard entree [glitsj16, 2023-07-03]
| |     Grrrr
| * disable-programs.inc: fix rssguard entree [glitsj16, 2023-07-03]
| |     Apparently a path containing whitespace and ending with a single digit breaks CI: https://github.com/netblue30/firejail/actions/runs/5448790502.
| * disable-programs.inc: add support for rssguard [glitsj16, 2023-07-03]
| |
* | refresh feh.profile [pirate486743186, 2023-07-12]
|/
* update lobster profile [pirate486743186, 2023-06-14]
|
* block local python (#5826) [pirate486743186, 2023-05-11]
|     Co-authored-by: pirate486743186 <>
* Merge pull request #5755 from kmk3/profiles-allow-lxqt [netblue30, 2023-04-06]
|\
| |     profiles: allow lxqt config dir
| * profiles: allow lxqt config dir [Kelvin M. Klann, 2023-03-26]
| |     As suggested by @glitsj16:
| |
| |     https://github.com/netblue30/firejail/discussions/5754#discussioncomment-5428651
| |
| |     Fixes #5754 (font size/dpi issues).
| |
| |     Reported-by: @hotcapy
* | profiles: move read-only config entries to dc [Kelvin M. Klann, 2023-03-28]
| |     Command used to search for entries:
| |
| |         $ git grep '^read-only ${HOME}/' -- 'etc/profile*'
| |
| |     Note for gpg: ~/.gnupg/gpg.conf is apparently only managed by gpgconf(1) rather than through gpg(1) itself, in which case it does not need to be made read-write in gpg.profile.
* | cower: move blacklist from disable-programs to dc [Kelvin M. Klann, 2023-03-28]
| |     This is an AUR helper and disable-common.inc has entries for pacman and other system package managers.
| |
| |     Added on commit 6c10737f0 ("archaudit-report and cower for Arch platforms, #1642", 2017-11-15).
* | firefox: move read-only entries to disable-common.inc [Kelvin M. Klann, 2023-03-28]
| |     Instead of duplicating them on every profile that tries to allow opening links in Firefox.
| |
| |     And make that path read-write on firefox.profile.
* | mpv: move read-only entries to disable-common.inc [Kelvin M. Klann, 2023-03-27]
| |     Note: mpv itself does not modify anything in ~/.config/mpv as far as I know, in which case it does not need a read-write entry.
| |
| |     Relates to #5706 #5707 #5710.
* | whitelist-common.inc: remove read-only entries [Kelvin M. Klann, 2023-03-27]
|/
|     They are already present on etc/inc/disable-common.inc.
|
|     First added on commit 695b67f43 ("handle ~/.config/user-dirs.dirs", 2015-11-17).
* Add profiles for jami and postman (#5691) [Kobaxidze256, 2023-03-15]
|
* microsoft-edge fixes (#5697) [glitsj16, 2023-03-14]
|     * microsoft-edge*: fix spacing
|     * Create microsoft-edge-stable.profile
|       Relates to #5696.
|     * firecfg.config: add support for microsoft-edge-stable redirect
|     * disable-common.inc: blacklist msedge SUID executables
|     * microsoft-edge: add private-opt and allow internal sandbox access
* Add Discord PTB profile [Neotamandua, 2023-03-12]
|
* Merge pull request #5718 from marek22k/master [netblue30, 2023-03-08]
|\
| |     email-common.profile: allow bsfilter
| * email-common.profile: allow bsfilter [Marek Küthe, 2023-03-08]
| |     https://bsfilter.org/
| |
| |     Signed-off-by: Marek Küthe <m.k@mk16.de>
* | Merge pull request #5707 from pirate486743186/ani-cli [netblue30, 2023-03-08]
|\ \
| | |     add ani-cli.profile
| * | add ani-cli.profile [pirate486743186, 2023-03-05]
| |/
| |     https://github.com/pystardust/ani-cli
* / add lobster.profile [pirate486743186, 2023-03-03]
|/
|     https://github.com/justchokingaround/lobster
* Merge pull request #5646 from NetSysFire/parsecd [netblue30, 2023-02-24]
|\
| |     New profile: parsecd
| * New profile: parsecd [NetSysFire, 2023-02-18]
| |
* | disable-common.inc: add systemd v253 blacklists (#5669) [glitsj16, 2023-02-23]
| |     Arch Linux got systemd v253:
| |     https://github.com/archlinux/svntogit-packages/commit/05d0aedb2b83a2e1ba07cab47205772f82cb4814
| |
| |     It adds a few new files we should blacklist in `disable-common.inc`:
| |
| |     - /etc/credstore
| |     - /etc/credstore.encrypted
| |     - /run/credentials/systemd-sysctl.service
| |     - /run/credentials/systemd-sysusers.service
| |     - /run/credentials/systemd-tmpfiles-setup.service
| |     - /run/credentials/systemd-tmpfiles-setup-dev.service
* | wusc: allow hyphenation (#5666) [glitsj16, 2023-02-15]
| |
* | Merge pull request #5653 from slowpeek/master [netblue30, 2023-02-14]
|\ \
| | |     disable-programs.inc: blacklist sendgmail config
| * | Blacklist sendgmail config [slowpeek, 2023-02-11]
| |/
| |     sendgmail is a cli tool by Google that "uses Gmail in order to mimic sendmail for git send-email" as per its own description. In other words it is a basic sendmail replacement with OAuth2 support to send emails from Gmail accounts.
| |
| |     https://github.com/google/gmail-oauth2-tools/tree/master/go/sendgmail
| |
| |     Config files location depends on "xdg" build tag. Without the tag it would be "~/.sendgmail.*". With the tag it is either under "$XDG_CONFIG_HOME/sendgmail" if set or "~/.config/sendgmail" otherwise.
* / Prevent access to LUKS keyfile [Netcarver, 2023-02-14]
|/
* Merge pull request #5635 from kmk3/dc-add-ro-editor-browser [netblue30, 2023-01-31]
|\
| |     disable-common.inc: add more ro editor/browser paths
| * disable-common.inc: make ~/.config/nano read-only [Kelvin M. Klann, 2023-01-30]
| |     Similarly to the existing ~/.nanorc entry.
| |
| |     Taken from nano.profile.