path: root/etc/inc
Commit message [Author, Age]
* Merge pull request #5077 from kmk3/dc-add-pkcs11 [netblue30, 2022-03-29]
|\
| |   disable-common.inc: make ~/.config/pkcs11 read-only
| |
| * disable-common.inc: make ~/.config/pkcs11 read-only [Kelvin M. Klann, 2022-03-27]
| |
| |   It looks like it allows arbitrary command execution. From
| |   pkcs11.conf(5):
| |
| |   > remote:
| |   > Instead of loading the PKCS#11 module locally, run the module
| |   > remotely.
| |   >
| |   > Specify a command to run, prefixed with | a pipe. The command
| |   > must speak the p11-kit remoting protocol on its standard in
| |   > and standard out. For example:
| |   >
| |   > remote: |ssh user@remote p11-kit remote /path/to/module.so
| |   >
| |   > Other forms of remoting will appear in later p11-kit releases.
| |
| |   Environment: p11-kit 0.24.1-1 on Artix Linux.
| |
| |   Currently this entry only exists on whitelist-common.inc, added on
| |   commit f74cfd07c ("add p11-kit support - #1646").
| |
| |   With this commit applied, all read-only entries on
| |   whitelist-commons.inc are also part of disable-common.inc.
| |
| |   See also the discussion on #5069.
| |
* | disable-programs.inc: blacklist ~/Applications dir [Kelvin M. Klann, 2022-03-24]
| |
| |   It is used for storing AppImages.
| |
| |   Note that even when blacklisting a directory, it is possible to
| |   execute an AppImage from it. For example, the following works:
| |
| |       firejail --noprofile --blacklist='${HOME}/Applications' --appimage \
| |         ~/Applications/foo.AppImage
| |
| |   While the resulting process does not appear to have access to the
| |   blacklisted directory.
| |
* | disable-common.inc: make ~/Applications dir read-only [Kelvin M. Klann, 2022-03-24]
|/
|     This directory is monitored by both appimaged[1] and
|     AppImageLauncher[2].
|
|     Also, when opening an AppImage with AppImageLauncher, it may prompt the
|     user to move the AppImage to ~/Applications.
|
|     [1] https://github.com/AppImage/appimaged/blob/2323f1825ed6abe19f2d3791d81307449692be03/README.md#monitored-directories
|     [2] https://github.com/TheAssassin/AppImageLauncher/wiki/Configuration
|
* allow-nodejs.inc: add nvm support [glitsj16, 2022-03-20]
|
* ocenaudio hardening (#5056) [glitsj16, 2022-03-18]
|
|     * ocenaudio: blacklist cache dir
|     * ocenaudio: hardenings
|     * ocenaudio: fix protocol comment
|
* allow-common-devel.inc: add missing java/scala paths [Kelvin M. Klann, 2022-03-14]
|
|     This amends commit f32cb8393 ("Blacklist scala devel stuff", 2022-03-05) /
|     PR #5013.
|
|     See the following review:
|     https://github.com/netblue30/firejail/pull/5013#pullrequestreview-903794958
|
* opera fixes (#5041) [glitsj16, 2022-03-14]
|
|     * opera fixes
|     * disable-common.inc: add blacklist /usr/lib/opera/opera_sandbox
|
* mupdf refactoring cfr. https://github.com/netblue30/firejail/discussions/4993 (#5042) [glitsj16, 2022-03-14]
|
|     * refactor mupdf
|     * refactor mupdf
|     * refactor mupdf
|     * refactor mupdf
|     * add mupdf-gl blacklist
|     * move history file back to mupdf-gl
|     * refactor mupdf-gl
|     * add no3d to mupdf.profile
|     * add suggestions from review
|     * drop unix from protocol [accumulates]
|     * fix protocol
|
* disable-programs.inc: add ~/.prey [Kelvin M. Klann, 2022-03-11]
|
|     This amends commit af8f681c0 ("steam.profile: allow "${HOME}/.prey"",
|     2022-03-11) / PR #5029.
|
* Merge branch 'master' of https://github.com/netblue30/firejail [smitsohu, 2022-03-11]
|\
| * Blacklist scala devel stuff [rusty-snake, 2022-03-05]
| |
* | harden songrec [smitsohu, 2022-03-11]
|/
|     as suggested by @rusty-snake
|     in addition blacklist/noblacklist/whitelist songrec application files
|
* add opera-developer.profile (#5001) [glitsj16, 2022-03-03]
|
|     * add opera-developer to firecfg
|     * add opera-developer
|     * fix typo
|     * add configs for opera-developer
|     * Create opera-developer.profile
|     * fixes for opera-developer
|     * fix for opera-developer
|
* openSUSE Leap - whitelist-run-common.inc (#4954) [netblue30, 2022-02-22]
|
* Add support for changing appearance of the Qt6 apps with qt6ct (#4966) [avallach2000, 2022-02-21]
|
|     * Add support for changing appearance of the Qt6 apps with qt6ct
|     * Remove qt5ct artifact from zeal.profile
|     * Remove qt5ct artifact from bibletime.profile
|
* disable-programs.inc: blacklist new qbittorrent data directory [Andrew Kotsyuba, 2022-02-20]
|
* Merge pull request #4894 from jmetrius/fix-egl [netblue30, 2022-02-03]
|\
| |   Allow common access to EGL External platform configuration directory
| |
| * Allow common access to EGL External platform configuration directory [Jan Sonntag, 2022-02-02]
| |
| |   This commit fixes Issue #4893 by allowing access to the configuration
| |   directory for the Wayland EGL external platform library
| |
* | Merge pull request #4864 from antonv6/antonv6-steam-mangohud [netblue30, 2022-02-03]
|\ \
| |/
|/|   steam.profile: allow ~/.config/MangoHud
| * disable-programs.inc: sort correctly [Anton Shestakov, 2022-01-17]
| |
| * disable-programs.inc: add ~/.config/MangoHud [Anton Shestakov, 2022-01-17]
| |
* | Merge pull request #4841 from Tus1688/master [netblue30, 2022-01-24]
|\ \
| | |   Add neovim profile
| | |
| * | fix: neovim profile [user, 2022-01-11]
| | |
| * | fix: neovim profile [user, 2022-01-10]
| | |
* | | merges [netblue30, 2022-01-24]
| | |
* | | Merge pull request #4829 from CaseOf/seafile [netblue30, 2022-01-24]
|\ \ \
| | | |   Seafile
| | | |
| * | | Create seafile-applet.profile [CaseOf, 2022-01-06]
| | | |
* | | | Merge pull request #4863 from antonv6/antonv6-wine-cache [netblue30, 2022-01-24]
|\ \ \ \
| | | | |   {lutris,wine}.profile: allow ~/.cache/wine
| | | | |
| * | | | disable-programs.inc: add ~/.cache/wine [Anton Shestakov, 2022-01-17]
| | |_|/
| |/| |
* | | | Merge pull request #4868 from reedriley/disable-programs [netblue30, 2022-01-24]
|\ \ \ \
| | | | |   Blacklist rclone, 1Password, Ledger Live and cointop
| | | | |
| * | | | Blacklist rclone, 1Password, Ledger Live and cointop [Reed Riley, 2022-01-19]
| |/ / /
* | | | Merge pull request #4873 from reedriley/cointop [netblue30, 2022-01-24]
|\ \ \ \
| | | | |   add a profile for cointop
| | | | |
| * | | | add a profile for cointop [Reed Riley, 2022-01-21]
| |/ / /
* | | | akonadi: chasing the sockets [smitsohu, 2022-01-23]
| | | |
* | | | more on pass utility [netblue30, 2022-01-21]
| | | |
* | | | blacklist password store directory for pass package [netblue30, 2022-01-21]
|/ / /
* | | profiles: sort paths [Reiner Herrmann, 2022-01-14]
| | |
* | | fix warzone2100 (Debian 11) [netblue30, 2022-01-13]
| | |
* | | add wget2rc to disable-programs.inc [glitsj16, 2022-01-13]
| | |
* | | Noblacklist rxvt in allow-perl.inc [Vincent Lefevre, 2022-01-10]
| |/
|/|
| |   This is the counterpart of the blacklist of rxvt in commit ed5c259f, as
| |   suggested in the discussion of pull request #4831.
| |
* | Merge pull request #4826 from adrianlshaw/master [netblue30, 2022-01-08]
|\ \
| | |   RPCS3 profile
| | |
| * | Add rpcs3 profile [Adrian L. Shaw, 2022-01-06]
| |/
* / Blacklist rxvt after the blacklist of Perl. [Vincent Lefevre, 2022-01-07]
|/
|     rxvt needs Perl modules, thus does not work. And its blacklist is needed
|     so that Firefox can run applications with Terminal=true in their
|     .desktop file (depending on what is installed).
|
* add notable blacklists [glitsj16, 2022-01-05]
|
* Merge pull request #4755 from kmk3/mpv-add-yt-dlp [netblue30, 2021-12-28]
|\
| |   yt-dlp: add missing paths & mpv.profile: whitelist paths for yt-dlp
| |
| * disable-programs.inc: blacklist missing yt-dlp paths [Kelvin M. Klann, 2021-12-09]
| |
| |   This amends commit d6ca41c19 ("update mpv.profile", 2021-10-24) /
| |   PR #4634.
| |
| |   These paths were taken from yt-dlp(1). They are used since yt-dlp commit
| |   e2e43aea2 ("Portable Configuration file (closes #19)", 2021-01-16)[1].
| |
| |   Environment: yt-dlp 2021.12.01-1 on Artix Linux.
| |
| |   Relates to: https://github.com/yt-dlp/yt-dlp/issues/19
| |
| |   [1] https://github.com/yt-dlp/yt-dlp/commit/e2e43aea2159a235e151f56bd14383129a6b4355
| |
* | Fix clipgrab profile (yt-dlp requires python) [Jose Riha, 2021-12-28]
| |
* | Whitelist ${HOME}/.local/opt/tor-browser to make tor-browser work [York Zhao, 2021-12-17]
|/
|     tor-browser 11.0.2-1 doesn't work without whitelisting this directory.
|     The following was the message I got before whitelisting this directory.
|
|     Reading profile /etc/firejail/tor-browser.profile
|     Reading profile /etc/firejail/torbrowser-launcher.profile
|     Reading profile /etc/firejail/allow-python2.inc
|     Reading profile /etc/firejail/allow-python3.inc
|     Reading profile /etc/firejail/disable-common.inc
|     Reading profile /etc/firejail/disable-devel.inc
|     Reading profile /etc/firejail/disable-exec.inc
|     Reading profile /etc/firejail/disable-interpreters.inc
|     Reading profile /etc/firejail/disable-passwdmgr.inc
|     Reading profile /etc/firejail/disable-programs.inc
|     Reading profile /etc/firejail/disable-xdg.inc
|     Reading profile /etc/firejail/whitelist-common.inc
|     Reading profile /etc/firejail/whitelist-var-common.inc
|     Reading profile /etc/firejail/whitelist-runuser-common.inc
|     Reading profile /etc/firejail/whitelist-usr-share-common.inc
|     Warning: Warning: NVIDIA card detected, nogroups command disabled
|     Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
|     Parent pid 12653, child pid 12654
|     104 programs installed in 153.32 ms
|     Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
|     Warning: skipping asound.conf for private /etc
|     Warning: skipping crypto-policies for private /etc
|     Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode
|     Warning: skipping pki for private /etc
|     Private /etc installed in 64.84 ms
|     Private /usr/etc installed in 0.00 ms
|     Warning: cleaning all supplementary groups
|     Warning: cleaning all supplementary groups
|     Warning: /sbin directory link was not blacklisted
|     Warning: /usr/sbin directory link was not blacklisted
|     Warning: cleaning all supplementary groups
|     Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
|     Warning: cleaning all supplementary groups
|     Child process initialized in 325.75 ms
|     /usr/bin/tor-browser: [Error] The tor-browser archive could not be extracted to your home directory.
|     Check the permissions of ~/.local/opt/tor-browser/app.
|     The error log can be found in ~/.local/opt/tor-browser/LOG.
|     /usr/bin/tor-browser: line 218: ~/.local/opt/tor-browser/app/Browser/start-tor-browser: No such file or directory
|
* Add new cachy-browser profile [Vladislav Nepogodin, 2021-12-06]
|