| Commit message (Collapse) | Author | Age |
tor-browser 11.0.2-1 doesn't work without whitelisting this directory. The
following was the message I got before whitelisting this directory.
Reading profile /etc/firejail/tor-browser.profile
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 12653, child pid 12654
104 programs installed in 153.32 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode
Warning: skipping pki for private /etc
Private /etc installed in 64.84 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 325.75 ms
/usr/bin/tor-browser: [Error] The tor-browser archive could not be extracted to your home directory.
Check the permissions of ~/.local/opt/tor-browser/app.
The error log can be found in ~/.local/opt/tor-browser/LOG.
/usr/bin/tor-browser: line 218: ~/.local/opt/tor-browser/app/Browser/start-tor-browser: No such file or directory
- Update RELNOTES and README.md
- disable-common.inc
- blacklist ${HOME}/.local/share/ibus-typing-booster
- blacklist /run/timeshift (closes #4660)
- fix audacity.profile (closes #4659)
Add OpenStego profile
disable-common.inc: fix paths of slock and physlock
Added on commit f0adf06c3 ("disable-common.inc: more SUID", 2021-11-09).
Relates to #4668.
Suggested in https://github.com/netblue30/firejail/pull/4675#discussion_r746510840. Makes sense!
Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
NOTE: there are several other profiles touching /usr/libexec, so until someone on Fedora can shed some light on what files are installed under /usr/libexec, I only blacklisted ssh-keysign. I'll pick this up tomorrow, a bit pressed for time in the non-digital worlds...
Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
Counterpart fix for changes in allow-ssh.inc.
After seeing https://github.com/netblue30/firejail/commit/9a81078ddbbb4215d06f7d1861481ece05ebda99 it dawned on me that Arch Linux doesn't have /usr/lib/openssh, but uses /usr/lib/ssh instead. That's a different path than what's referenced in our current {allow-ssh,disable-common}.inc files. Some very superficial checks revealed that OpenSSH seems to be packaged quite differently, at least on Debian/Ubuntu and Arch Linux. And then there are version differences on non-rolling distros to consider. All in all IMO it makes more sense to (no)blacklist /usr/lib/openssh and /usr/lib/ssh instead of referencing all the possible individual files that live under those paths.
fixes --tracelog among other things
Create disable-proc.inc
found in Debian Bullseye.
/run/shm is a symbolic link to /dev/shm,
and whitelisting it will just recreate
the symbolic link.
Fix vscodium
It creates the following directories on startup:
* ~/.config/VSCodium
* ~/.vscode-oss
Environment:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q vscodium-bin
vscodium-bin 1.60.2-2
Note: The following entry is already on disable-programs.inc:
noblacklist ${HOME}/.vscode-oss
It was added on commit de90834a8 ("Update disable-programs.inc",
2019-03-02).
Relates to #3871.
Add profiles for build-systems (/package-managers)
Profiles: bundler, cargo (refactor), cmake (untested), make, meson, pip
All redirect to build-systems-common.profile
Other fixes:
- blacklist ${HOME}/.bundle
- blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo
- blacklist /usr/lib64/ruby
* cheese
- fix: dbus-user.own org.gnome.Cheese
- fix: whitelist /usr/share/gstreamer-1.0
- fix: include allow-python3.inc
- hardening: include disable-shell.inc
- hardening: include whitelist-run-common.inc and whitelist /run/udev/data
- hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
- hardening: noinput
- hardening: nosound
- hardening: seccomp.block-secondary
- hardening: private-dev
* geekbench (closes #4576)
- fix: noblacklist /sbin and noblacklist /usr/sbin
- fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
- fix: comment/remove private-bin, private-lib, private-opt
* inkscape
- add quiet for cli usage
* musixmatch (#4518)
- allow chroot
* pandoc
- fix: include allow-bin-sh.inc
- fix: drop private-bin
- hardening: include whitelist-runuser-common.inc
- hardening: seccomp.block-secondary
Blacklist Exodus wallet
- closes #4483 -- mpv requires whitelisting /usr/share/pipewire
- wruc: whitelist pipewire-?, pipewire is becoming more popular and was
developed with isolation (container/sandbox) in mind.
- wruc: whitelist wayland-? instead of only -0 and -1
- wusc: whitelist /usr/share/pipewire
- remove these wruc/wusc lines from other profiles
- firefox-common-addons: Make ignore wruc work again (#4512)
- firefox: org.freedesktop.portal.Desktop should be enough
- disable-programs.inc: blacklist ${HOME}/.local/state/pipewire
If you have not yet noticed, on 8th May 2021 the XDG Base Directory
Specification 0.8 was released (the first update since 2010). New are
$XDG_STATE_HOME and $HOME/.local/bin.
- keepassxc: mkdirs are necessary
- gnote: harden
- pngquant: harden
This is a quick fix of #4482 for distributions that link /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf (Arch Linux is one of them).
- whitelist /run/resolvconf/resolv.conf -- Fixes #4482
- Drop whitelist for /run/systemd/resolve/stub-resolv.conf,
/run/systemd/resolve/resolv.conf is the right path AIUI.
create yt-dlp.profile
(#4461)
See #4454