path: root/etc/inc
Commit message (Author, Age)
* Move the 1793 workaround stuff to a separate file. (Kishore Gopalakrishnan, 2021-05-04)
* Add cache directory to disable-programs.inc (Kishore Gopalakrishnan, 2021-05-02)
* Add neochat files to disable-programs.inc (Kishore Gopalakrishnan, 2021-05-02)
* steam.profile: fix rogue legacy paths and syntax (Kelvin M. Klann, 2021-05-01)

  Due to using globbing on mkdir, the current version causes this:

  @davidebeatrici commented on 2021-04-23[1]:

  > ```
  > Error: "${HOME}/.local/share/RogueLegacy*" is an invalid filename: rejected character: "*"
  > ```

  Added on commit a603d4d39 ("steam: some more games added") / PR #4170.

  The wildcard was used because Rogue Legacy apparently looks up multiple
  different paths for the config and also for the data[1][2][3]:

  1. ~/.config/RogueLegacy
  2. ~/.config/RogueLegacyStorageContainer
  3. ~/.local/share/RogueLegacy
  4. ~/.local/share/RogueLegacyStorageContainer

  The ones containing "RogueLegacyStorageContainer" appear to be legacy paths
  (i.e.: paths which are only created by older versions of Rogue Legacy)[2].

  So replace all globs with the full paths because:

  * The paths are known a priori (unlike, say, `/var/lib/libpcre*`)
  * There aren't too many of them

  And use only the non-legacy paths on mkdir. Besides mirroring what the
  current version of Rogue Legacy does (and avoiding the creation of
  unnecessary dirs), this is also done because _if_ the following applies
  (i.e.: this was not tested):

  * legacy paths take precedence over non-legacy paths
  * the first path clobbers the other ones (i.e.: rather than "merge")
  * save data exists in a non-legacy path (i.e.: path 3 in this case)
  * firejail creates all 4 paths

  Then it would make the newly-created and empty path 4 clobber the
  non-legacy path 3 and thus make it seem like no save files exist. This
  would persist even if steam is run without firejail afterwards, as the
  empty directory would still be there.

  Losing (or appearing to lose) game saves can be very unfortunate, so
  create just the non-legacy paths to avoid confusion.

  [1] https://github.com/netblue30/firejail/pull/4170#issuecomment-825405930
  [2] https://steamcommunity.com/app/241600/discussions/1/846957366713233279/
  [3] https://www.pcgamingwiki.com/wiki/Rogue_Legacy#Game_data
* Some minor changes (Neo00001, 2021-04-26)
* Merge pull request #4071 from rusty-snake/open-game-wrapper (rusty-snake, 2021-04-24)

  Commons of opengl-game-wrapper.sh
* Commons of opengl-game-wrapper.sh (rusty-snake, 2021-04-24)

  [skip ci]

  - Add allow-opengl-game.inc
  - Add profiles for alienarena-wrapper, ballbuster-wrapper, colorful-wrapper,
    etr-wrapper, gl-117-wrapper, glaxium-wrapper, neverball-wrapper,
    neverputt-wrapper, pinball-wrapper, supertuxkart-wrapper
  - Use allow-opengl-game.inc in xonotic.profile and the profiles above
  - xonotic.profile: simplify private-bin by using xonotic*
* Add profiles for alienarena, ballbuster, colorful, gl-117, glaxium, pinball (rusty-snake, 2021-04-24)

  alienarena is missing in firecfg.config by intention, I didn't test any
  online multiplayer.
* Add FireDragon profile (#4203) (Nico, 2021-04-24)

  * Add firedragon profile
  * Point private-etc to firefox-common.local

  Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>

  * Add to firecfg.config
  * Add firedragon to disable-programs.inc
  * Correct dir
  * Remove private-etc

  Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Update Librewolf profile and Add Sway profile (#4164) (Vladislav Nepogodin, 2021-04-19)

  * Add Sway profile
  * Fix issue Not working then including firefox-common-addons.profile
  * Allow sway's fallback config
  * So I agree with @glitsj16 and @BL4CKH47H4CK3R so.. `No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
  * well.. Revert `include whitelist-usr-share-common.inc` Sync with Firefox profile
  * 😄 What just happened
  * 🔄 Sync with upstream
  * Merge tested from PR
  * 🔄 Sync with upstream
  * Merge tested from PR
  * Revert changes
  * Add Sway profile
  * Fix issue Not working then including firefox-common-addons.profile
  * Allow sway's fallback config
  * So I agree with @glitsj16 and @BL4CKH47H4CK3R so.. `No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
  * 🔄 Rebase
  * 😄 What just happened
  * Merge tested from PR
  * 🔄 Sync with upstream
  * Merge tested from PR
  * Revert changes
  * Update
  * Update librewolf.profile

  Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
  Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* New profile: Quodlibet (#3983) (Bundy01, 2021-04-14)

  * New profile: Quodlibet
  * New profile: Quodlibet
* steam: also added paths to disable-programs.inc (Matthew Cline, 2021-04-05)
* adding .cache/youtube-viewer (pirate486743186, 2021-03-20)
* Fix nheko (#4117) (rusty-snake, 2021-03-19)

  closes #4115
* Merge pull request #4101 from pirate486743186/patch-12 (netblue30, 2021-03-19)

  [minor] qcomicbook and pipe-viewer in disable-programs
* adding mcomix (pirate486743186, 2021-03-18)
* qcomicbook and pipe-viewer in disable-programs (pirate486743186, 2021-03-15)

  qcomicbook is the "PawelStolowski" folders
* Merge pull request #4098 from tredondo/master (netblue30, 2021-03-19)

  Create bcompare.profile
* Add bcompare to disable-programs.inc (Ted Robertson, 2021-03-13)
* Add a profile for pcsxr (Tad, 2021-03-15)
* Add a profile for openmw (Tad, 2021-03-15)
* Add a profile for Jami (Tad, 2021-03-15)

  Left out of firecfg because I think it was buggy.
* Merge pull request #4079 from Neo00001/master (netblue30, 2021-03-14)

  Add profile for youtube-dl-gui & some other changes
* Update disable-programs.inc (Neo00001, 2021-03-11)
* Merge pull request #4064 from pirate486743186/patch-8 (netblue30, 2021-03-14)

  newsboat/newsbeuter corrections
* more newsboat/newsbeuter (pirate486743186, 2021-03-10)
* more jailtest (netblue30, 2021-03-08)
* new profile: com.github.phase1geo.minder (rusty-snake, 2021-03-06)
* Merge pull request #3997 from nidamanx/patch-2 (netblue30, 2021-03-05)

  Create nextcloud-desktop.profile
* Add nextcloud-desktop (Nicola Davide Mannarelli, 2021-02-20)
* Merge pull request #4031 from glitsj16/firefox-common-addons (glitsj16, 2021-03-02)

  Rename firefox-common-addons.inc
* Rename etc/inc/firefox-common-addons.inc to etc/profile-a-l/firefox-common-addons.profile (glitsj16, 2021-03-02)
* Merge pull request #4030 from glitsj16/chromium-common-hardened (glitsj16, 2021-03-02)

  Rename chromium-common-hardened.inc
* Rename etc/inc/chromium-common-hardened.inc to etc/profile-a-l/chromium-common-hardened.profile (glitsj16, 2021-03-02)
* Merge pull request #4029 from glitsj16/feh-network (glitsj16, 2021-03-02)

  Rename feh-network.inc
* Rename etc/inc/feh-network.inc to etc/profile-a-l/feh-network.profile (glitsj16, 2021-03-02)
* Rename etc/inc/archiver-common.inc to etc/profile-a-l/archiver-common.profile (glitsj16, 2021-03-02)
* add local override functionality (glitsj16, 2021-03-01)

  Due to https://github.com/netblue30/firejail/commit/5d88ee8957dc38a52c36f71b91c786dbec9d4ec9
  we should provide an override option here IMO.
* Merge pull request #3849 from bbhtt/email (netblue30, 2021-02-09)

  Email part (2)
* Add folks cache directory (bbhtt, 2020-12-29)
* Add whitelisting to mutt; improve geary, new profile for neomutt (bbhtt, 2020-12-28)
* archivers: wrap comments (Kelvin M. Klann, 2021-02-08)
* Add profile for Gemini (#3946) (Neo00001, 2021-02-07)

  * Update disable-programs.inc
  * Create calligragemini.profile
  * Update calligra.profile
  * Update calligra.profile
  * Update firecfg.config
* disable-interpreters.inc: blacklist the other libmozjs (Kelvin M. Klann, 2021-02-06)

  And sort the paths on allow-gjs.inc.

  $ pacman -Q js78
  js78 78.6.0-1
  $ pacman -Qlq js78 | grep -v /usr/include/
  /usr/
  /usr/bin/
  /usr/bin/js78
  /usr/bin/js78-config
  /usr/lib/
  /usr/lib/libmozjs-78.so
  /usr/lib/pkgconfig/
  /usr/lib/pkgconfig/mozjs-78.pc

  This appears to be the only counterpart path missing when looking at the
  current lib64 entries with:

  $ grep -Fnr lib64 etc
* disable-interpreters.inc: sort paths (Kelvin M. Klann, 2021-02-06)
* add a /usr/share whitelist item for uim (Anton Shestakov, 2021-02-05)

  uim is a multilingual input method framework, so any program that takes
  user input potentially needs it to work.
* Add profile for avidemux (#3935) (Neo00001, 2021-01-31)

  * Update disable-programs.inc
  * Update disable-programs.inc
  * Update firecfg.config
  * Create avidemux.profile
  * Update avidemux.profile
* Merge pull request #3885 from kmk3/fix-ssh (glitsj16, 2021-01-30)

  ssh: Refactor, fix bugs & harden
* disable-common.inc: add missing openssh paths (Kelvin M. Klann, 2021-01-27)

  The paths are taken from ssh(1) and sshd(8).

  $ pacman -Q openssh
  openssh 8.4p1-2

  These are only used by sshd(8), so always blacklist them:

  * ~/.rhosts: controls remote access to the local machine
  * ~/.shosts: same as above
  * ~/.ssh/authorized_keys: same as above
  * ~/.ssh/authorized_keys2: same as above
  * ~/.ssh/environment: potentially allows arbitrary command execution on
    the local machine
  * ~/.ssh/rc: allows arbitrary command execution on the local machine
  * /etc/hosts.equiv: system-wide equivalent of ~/.rhosts

  Note: There are files in /etc/ssh that are equivalent to some of the
  above ones, but they are already blocked by `blacklist /etc/ssh/*`.

  Note2: From sshd(8):

  > If the file ~/.ssh/rc exists, sh(1) runs it after reading the
  > environment files but before starting the user's shell or command.

  So even if the user shell is set to /usr/bin/firejail and
  disable-common.inc is loaded, this patch shouldn't interfere with sshd.

  This file is actually used by ssh(1), so just mark it read-only:

  * ~/.ssh/config: allows arbitrary command execution on the remote
    machine (with e.g.: RemoteCommand) and also defines the connection
    strength

  Since version 7.3p1 (released on 2016-08-01), openssh supports including
  other config files on ssh_config(5)[1][2]. This is the conventional path
  for storing them[3], so mark it read-only:

  * ~/.ssh/config.d: same as above

  P.S. See also the explanation on the commit b5542fc94
  ("disable-common.inc: read-only access to ~/.ssh/authorized_keys"), which
  last touched/added the "Remote access" section.

  [1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
  [2]: https://www.openssh.com/txt/release-7.3
  [3]: https://superuser.com/a/1142813
* allow-ssh.inc: allow access to ssh-agent(1) (Kelvin M. Klann, 2021-01-27)

  Leaving it limited to only ssh, ssh-agent and seahorse by default seems
  unnecessarily restrictive.

  From ssh(1):

  > The most convenient way to use public key or certificate
  > authentication may be with an authentication agent. See ssh-agent(1)
  > and (optionally) the AddKeysToAgent directive in ssh_config(5) for
  > more information.

  $ pacman -Q openssh
  openssh 8.4p1-2

  With ssh-agent(1) running in the background (and with the private key(s)
  loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
  actual key pair(s), so you could probably get away with this on
  allow-ssh.local:

  ignore noblacklist ${HOME}/.ssh
  noblacklist ${HOME}/.ssh/config
  noblacklist ${HOME}/.ssh/config.d
  noblacklist ${HOME}/.ssh/known_hosts

  And then this on the profiles of ssh key pair managers, such as
  seahorse.local:

  noblacklist ${HOME}/.ssh