| Commit message (Collapse) | Author | Age |
... | |
| | |
|
| | |
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to using globbing on mkdir, the current version causes this:
@davidebeatrici commented on 2021-04-23[1]:
> ```
> Error: "${HOME}/.local/share/RogueLegacy*" is an invalid filename: rejected character: "*"
> ```
Added on commit a603d4d39 ("steam: some more games added") / PR #4170.
The wildcard was used because Rogue Legacy apparently looks up multiple
different paths for the config and also for the data[1][2][3]:
1. ~/.config/RogueLegacy
2. ~/.config/RogueLegacyStorageContainer
3. ~/.local/share/RogueLegacy
4. ~/.local/share/RogueLegacyStorageContainer
The ones containing "RogueLegacyStorageContainer" appear to be legacy
paths (i.e.: paths which are only created by older versions of Rogue
Legacy)[2].
So replace all globs with the full paths because:
* The paths are known a priori (unlike, say, `/var/lib/libpcre*`)
* There aren't too many of them
And use only the non-legacy paths on mkdir. Besides mirroring what the
current version of Rogue Legacy does (and avoiding the creation of
unnecessary dirs), this is also done because _if_ the following applies
(i.e.: this was not tested):
* legacy paths take precedence over non-legacy paths
* the first path clobbers the other ones (i.e.: rather than "merge")
* save data exists in a non-legacy path (i.e.: path 3 in this case)
* firejail creates all 4 paths
Then it would make the newly-created and empty path 4 clobber the
non-legacy path 3 and thus make it seem like no save files exist. This
would persist even if steam is run without firejail afterwards, as the
empty directory would still be there. Losing (or appearing to lose)
game saves can be very unfortunate, so create just the non-legacy paths
to avoid confusion.
[1] https://github.com/netblue30/firejail/pull/4170#issuecomment-825405930
[2] https://steamcommunity.com/app/241600/discussions/1/846957366713233279/
[3] https://www.pcgamingwiki.com/wiki/Rogue_Legacy#Game_data
|
| |
|
|\
| |
| | |
Commons of opengl-game-wrapper.sh
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[skip ci]
- Add allow-opengl-game.inc
- Add profiles for alienarena-wrapper, ballbuster-wrapper,
colorful-wrapper, etr-wrapper, gl-117-wrapper, glaxium-wrapper,
neverball-wrapper, neverputt-wrapper, pinball-wrapper,
supertuxkart-wrapper
- Use allow-opengl-game.inc in xonotic.profile and the profiles above
- xonotic.profile: simplify private-bin by using xonotic*
|
| |
| |
| |
| |
| |
| |
| | |
β¦, gl-117, glaxium, pinball
alienarena is missing in firecfg.config by intention, I didn't tested
any online multiplayer.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add firedragon profile
* Point private-etc to firefox-common.local
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add to firecfg.config
* Add firedragon to disable-programs.inc
* Correct dir
* Remove private-etc
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add Sway profile
* Fix issue
Not working then including firefox-common-addons.profile
* Allow sway's fallback config
* So I agree with @glitsj16 and @BL4CKH47H4CK3R
so..
`No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
* well..
Revert `include whitelist-usr-share-common.inc`
Sync with Firefox profile
* π What just hapened
* π Sync with upstream
* Merge tested from PR
* π Sync with upstream
* Merge tested from PR
* Revert changes
* Add Sway profile
* Fix issue
Not working then including firefox-common-addons.profile
* Allow sway's fallback config
* So I agree with @glitsj16 and @BL4CKH47H4CK3R
so..
`No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
* π Rebase
* π What just hapened
* Merge tested from PR
* π Sync with upstream
* Merge tested from PR
* Revert changes
* Update
* Update librewolf.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
|
|
|
|
| |
* New profile: Quodlibet
* New profile: Quodlibet
|
| |
|
| |
|
|
|
| |
closes #4115
|
|\
| |
| | |
[minor] qcomicbook and pipe-viewer in disable-programs
|
| | |
|
| |
| |
| | |
qcomicbook is the "PawelStolowski" folders
|
|\ \
| | |
| | | |
Create bcompare.profile
|
| | | |
|
| | | |
|
| | | |
|
| |/
|/|
| |
| | |
Left out of firecfg because I think it was buggy.
|
|\ \
| | |
| | | |
Add profile for youtube-dl-gui & some other changes
|
| | | |
|
|\ \ \
| |/ /
|/| | |
newsboat/newsbeuter corrections
|
| | | |
|
|/ / |
|
| | |
|
|\ \
| |/
|/| |
Create nextcloud-desktop.profile
|
| | |
|
|\ \
| | |
| | | |
Rename firefox-common-addons.inc
|
| | |
| | |
| | |
| | | |
etc/profile-a-l/firefox-common-addons.profile
|
|\ \ \
| | | |
| | | | |
Rename chromium-common-hardened.inc
|
| |/ /
| | |
| | |
| | | |
etc/profile-a-l/chromium-common-hardened.profile
|
|\ \ \
| | | |
| | | | |
Rename feh-network.inc
|
| |/ / |
|
|/ / |
|
|/
|
| |
Due to https://github.com/netblue30/firejail/commit/5d88ee8957dc38a52c36f71b91c786dbec9d4ec9 we should provide an override option here IMO.
|
|\
| |
| | |
Email part (2)
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Create calligragemini.profile
* Update calligra.profile
* Update calligra.profile
* Update firecfg.config
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
And sort the paths on allow-gjs.inc.
$ pacman -Q js78
js78 78.6.0-1
$ pacman -Qlq js78 | grep -v /usr/include/
/usr/
/usr/bin/
/usr/bin/js78
/usr/bin/js78-config
/usr/lib/
/usr/lib/libmozjs-78.so
/usr/lib/pkgconfig/
/usr/lib/pkgconfig/mozjs-78.pc
This appears to be the only counterpart path missing when looking at the
current lib64 entries with:
$ grep -Fnr lib64 etc
|
| | |
|
| |
| |
| | |
uim is a multilingual input method framework, so any program that takes user input potentially needs it to work.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Update disable-programs.inc
* Update firecfg.config
* Create avidemux.profile
* Update avidemux.profile
|
|\ \
| | |
| | | |
ssh: Refactor, fix bugs & harden
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The paths are taken from ssh(1) and sshd(8).
$ pacman -Q openssh
openssh 8.4p1-2
These are only used by sshd(8), so always blacklist them:
* ~/.rhosts: controls remote access to the local machine
* ~/.shosts: same as above
* ~/.ssh/authorized_keys: same as above
* ~/.ssh/authorized_keys2: same as above
* ~/.ssh/environment: potentially allows arbitrary command execution on
the local machine
* ~/.ssh/rc: allows arbitrary command execution on the local machine
* /etc/hosts.equiv: system-wide equivalent of ~/.rhosts
Note: There are files in /etc/ssh that are equivalent to some of the
above ones, but they are already blocked by `blacklist /etc/ssh/*`.
Note2: From sshd(8):
> If the file ~/.ssh/rc exists, sh(1) runs it after reading the
> environment files but before starting the user's shell or command.
So even if the user shell is set to /usr/bin/firejail and
disable-common.inc is loaded, this patch shouldn't interfere with sshd.
This file is actually used by ssh(1), so just mark it read-only:
* ~/.ssh/config: allows arbitrary command execution on the remote
machine (with e.g.: RemoteCommand) and also defines the connection
strength
Since version 7.3p1 (released on 2016-08-01), openssh supports including
other config files on ssh_config(5)[1][2]. This is the conventional
path for storing them[3], so mark it read-only:
* ~/.ssh/config.d: same as above
P.S. See also the explanation on the commit b5542fc94
("disable-common.inc: read-only access to ~/.ssh/authorized_keys"),
which last touched/added the "Remote access" section.
[1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
[2]: https://www.openssh.com/txt/release-7.3
[3]: https://superuser.com/a/1142813
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Leaving it limited to only ssh, ssh-agent and seahorse by default seems
unnecessarily restrictive.
From ssh(1):
> The most convenient way to use public key or certificate
> authentication may be with an authentication agent. See ssh-agent(1)
> and (optionally) the AddKeysToAgent directive in ssh_config(5) for
> more information.
$ pacman -Q openssh
openssh 8.4p1-2
With ssh-agent(1) running in the background (and with the private key(s)
loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
actual key pair(s), so you could probably get away with this on
allow-ssh.local:
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
And then this on the profiles of ssh key pair managers, such as
seahorse.local:
noblacklist ${HOME}/.ssh
|