path: root/etc/inc
Commit message (Author, Age)
* profiles: hashcat: support newer configuration paths (#6376) (glitsj16, 2024-06-11)
| Relates to #6364.
* profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361) (Shahriar Heidrich, 2024-06-08)
| This closes the escape route discussed in #6357. It's left open for i3's own profile, so that people who run i3 itself sandboxed still have the option to use IPC with it at all.
|
| Reference for file paths: https://i3wm.org/docs/userguide.html#_interprocess_communication
* New profile: armcord (#6365) (glitsj16, 2024-06-06)
| Description: Standalone Discord client.
|
| https://armcord.app/
| https://github.com/NextWork123/ArmCord
|
| Requested in https://github.com/netblue30/firejail/issues/1139#issuecomment-2140174880.
* New profile: nhex (#6341) (glitsj16, 2024-05-17)
| Description: Tauri-based IRC client inspired by HexChat.
|
| https://nhexirc.com/
| https://github.com/nhexirc/nhex
* several kids programs (netblue30, 2024-04-29)
|
* whitelisting /var/games by default (netblue30, 2024-04-28)
|
* profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6309) (tools200ms, 2024-04-20)
| The path is used in the Gentoo net-misc/openssh package (9.6_p1-r3).
|
| Fixes #6308.
* New profile: axel (#6315) (glitsj16, 2024-04-20)
| https://github.com/axel-download-accelerator/axel
* profiles: clarify and add opengl-game to profile.template (#6300) (Kelvin M. Klann, 2024-04-05)
| To make it consistent with the other include profiles. See etc/templates/profile.template.
|
| With this, all `etc/inc/allow-*` files are listed in profile.template.
|
| The explanation is based on a comment by @rusty-snake[1].
|
| Relates to #4071.
|
| This is a follow-up to #6299.
|
| [1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473
* New profile: gh (GitHub CLI) (#6293) (glitsj16, 2024-03-27)
| Description: GitHub's official command-line tool.
|
| https://github.com/cli/cli
* profiles: rename disable-X11.inc to disable-x11.inc (#6294) (Kelvin M. Klann, 2024-03-27)
| That is, make "X11" lowercase so that the order of the includes in the disable- section remains the same when sorted with `LC_ALL=C`, as is the case for most of the other sections.
|
| That is also likely to be the default in text editors (such as in vim on Arch), so this should make the disable- section more consistent and easier to sort when editing the profile.
|
| Also, keep the old include as a redirect to the new one for now to avoid breakage.
|
| Commands used to search and replace:
|
|     git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
|     git grep -Ilz 'disable-X11' -- etc | xargs -0 \
|       perl -pi -e 's/disable-X11/disable-x11/'
|
| Relates to #4462 #4854 #6070 #6289.
|
| This is a follow-up to #6286.
* New profile: session-desktop.profile (#6259) (glitsj16, 2024-03-19)
| Description: Encrypted messenger.
|
| https://github.com/oxen-io/session-desktop/
| https://aur.archlinux.org/packages/session-desktop
| https://aur.archlinux.org/packages/session-desktop-bin
| https://aur.archlinux.org/packages/session-desktop-appimage
|
| Note: The AUR packages all work with the profiles.
* New profile: tvnamer.profile (#6256) (glitsj16, 2024-03-18)
| Description: Automatic TV episode file renamer.
|
| https://github.com/dbr/tvnamer
* New profile: textroom.profile (#6254) (glitsj16, 2024-03-18)
| Description: Full Screen text editor heavily inspired by Q10 and JDarkRoom.
|
| https://code.google.com/p/textroom/
| https://aur.archlinux.org/packages/textroom
* New profile: rymdport.profile (#6251) (glitsj16, 2024-03-18)
| Description: Encrypted sharing of files, folders, and text between devices.
|
| https://github.com/Jacalz/rymdport
* New profile: localsend_app.profile (#6244) (glitsj16, 2024-03-18)
| Description: An open source cross-platform alternative to AirDrop.
|
| https://github.com/localsend/localsend
* New profile: koreader.profile (#6243) (glitsj16, 2024-03-16)
| Description: Ebook reader application.
|
| https://koreader.rocks/
* New profile: deadlink.profile (#6233) (glitsj16, 2024-03-15)
| Description: Checks and fixes URLs in code and documentation.
|
| https://github.com/nschloe/deadlink
| https://aur.archlinux.org/packages/deadlink
* landlock: use PATH macro in landlock-common.inc (#6260) (Kelvin M. Klann, 2024-03-08)
| To reduce duplication.
|
| Support for it was added on commit bf5a99360 ("landlock: add support for PATH macro", 2023-12-22).
|
| See also commit 19e108248 ("landlock: expand simple macros in commands", 2023-11-11) / PR #6125.
|
| Relates to #6078.
* profiles: remove blacklisting of qt5ct/qt6ct paths (#6266) (glitsj16, 2024-03-06)
| Blacklisting qt5ct/qt6ct configuration and data paths breaks styling in all apps that use them.
|
| This was working as expected before #6249 and #6250, so remove the blacklisting.
* New profile: green-recoder.profile (#6237) (glitsj16, 2024-03-05)
| Simple screen recorder for Linux desktop, supports Wayland & Xorg.
|
| https://github.com/dvershinin/green-recorder
| https://aur.archlinux.org/packages/green-recorder
| https://aur.archlinux.org/packages/green-recorder-git
* disable-programs.inc: blacklist /tmp/lwjgl_* (Kelvin M. Klann, 2024-03-05)
| Fix `noblacklist` entry without an equivalent `blacklist` entry.
|
| Added on commit 1a2e8ab85 ("multimc: instances not running, because of missing permissions", 2024-02-19) / PR #6216.
* New profile: qt6ct (#6250) (glitsj16, 2024-03-05)
|
* New profile: qt5ct (#6249) (glitsj16, 2024-03-05)
|
* Merge pull request #6228 from kmk3/landlock-add-fs (netblue30, 2024-02-29)
|\
| | landlock: use "landlock.fs." prefix in filesystem commands
| * landlock: use "landlock.fs." prefix in filesystem commands (Kelvin M. Klann, 2024-02-27)
| | Since Landlock ABI v4 it is possible to restrict actions related to the network and potentially more areas will be added in the future.
| |
| | So use `landlock.fs.` as the prefix in the current filesystem-related commands (and later `landlock.net.` for the network-related commands) to keep them organized and to match what is used in the kernel.
| |
| | Examples of filesystem and network access flags:
| |
| | * `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
| | * `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
| | * `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
| | * `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a remote port.
| |
| | Relates to #6078.
* | disable-programs.inc: add virt-manager support (glitsj16, 2024-02-27)
|/
* Merge pull request #6181 from haplo/electron-cash (glitsj16, 2024-02-19)
|\
| | Profile for Electron Cash
| * Blacklist ~/.electron-cash in disable-programs.inc (Fidel Ramos, 2024-01-31)
| |
* | Merge pull request #6180 from haplo/rawtherapee (glitsj16, 2024-02-19)
|\ \
| | | Profile for RawTherapee
| * | rawtherapee.profile (Fidel Ramos, 2024-01-31)
| |/
* / landlock: split .special into .makeipc and .makedev (Kelvin M. Klann, 2024-02-02)
|/
| As discussed with @topimiettinen[1], it is unlikely that an unprivileged process would need to directly create block or character devices. Also, `landlock.special` is not very descriptive of what it allows.
|
| So split `landlock.special` into:
|
| * `landlock.makeipc`: allow creating named pipes and sockets (which are usually used for inter-process communication)
| * `landlock.makedev`: allow creating block and character devices
|
| Misc: The `makedev` name is based on `nodev` from mount(8), which makes mount not interpret block and character devices. `ipc` was suggested by @rusty-snake[2].
|
| Relates to #6078.
|
| [1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
| [2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
* profiles: use only /usr/share/lua* (#6150) (Kelvin M. Klann, 2024-01-08)
| To ensure that it includes luajit paths as well:
|
| * /usr/share/lua
| * /usr/share/luajit-2.1
|
| And remove all entries of the same path without the wildcard, to avoid redundancy.
|
| Misc: The wildcard entries were added on commit 56b60dfd0 ("additional Lua blacklisting (#3246)", 2020-02-24) and the entries without the wildcard were partially removed on commit 721a984a5 ("Fix Lua in disable-interpreters.inc", 2020-02-24).
|
| This is a follow-up to #6128.
|
| Reported-by: @pirate486743186
* disable-devel.inc: deduplicate g++ and gcc entries (Kelvin M. Klann, 2024-01-05)
| Added on commit 2d8ff695a ("WIP: Blacklist common programming interpreters. (#1837)", 2018-04-02).
* landlock: move commands into profile and add landlock.enforce (Kelvin M. Klann, 2023-12-11)
| Changes:
|
| * Move commands from --landlock and --landlock.proc= into etc/inc/landlock-common.inc
| * Remove --landlock and --landlock.proc=
| * Add --landlock.enforce
|
| Instead of hard-coding the default commands (and having a separate command just for /proc), move them into a dedicated profile to make it easier for users to interact with the entries (view, copy, add ignore entries, etc).
|
| Only enforce the Landlock commands if --landlock.enforce is supplied. This allows safely adding Landlock commands to (upstream) profiles while keeping their enforcement opt-in. It also makes it simpler to effectively disable all Landlock commands, by using `--ignore=landlock.enforce`.
|
| Relates to #6078.
* curl: add support for ~/.config/curlrc (#6120) (glitsj16, 2023-12-11)
| curl supports several locations for the rc file according to its man page:
|
| [...]
| When curl is invoked, it (unless -q, --disable is used) checks for a default config file and uses it if found, even when -K, --config is used. The default config file is checked for in the following places in this order:
|
| 1) "$CURL_HOME/.curlrc"
| 2) "$XDG_CONFIG_HOME/curlrc" (Added in 7.73.0)
| 3) "$HOME/.curlrc"
| [...]
* steam.profile: Allow Project Zomboid (#6117) (archaon616, 2023-12-11)
|
* New profile: tiny-rdm (#6083) (glitsj16, 2023-11-11)
| * disable-programs.inc: add support for tiny-rdm
| * Create tiny-rdm.profile
| * firecfg.config: add support for tiny-rdm
* profiles: Extend node stack support for pnpm (#6063) (glitsj16, 2023-10-24)
| * nodejs-common: add pnpm support
| * disable-programs.inc: add pnpm support
| * Create pnpm.profile
| * Create pnpx.profile
* disable-programs.inc: remove duplicated entries (Kelvin M. Klann, 2023-10-24)
| They are already present in disable-common.inc.
|
| Added in the following commits:
|
| * 6bf6d5ed5 ("updated program files", 2016-12-02) / PR #951
| * 49280197c ("various hardening (#3394)", 2020-05-02)
| * 2e2c2327f ("profiles: support more msmtp configuration paths (#6060)", 2023-10-22)
|
| Misc: This was noticed on PR #6060.
* profiles: centralize gnome-boxes blacklisting in dc (Kelvin M. Klann, 2023-10-22)
| They are currently spread over disable-common.inc and disable-programs.inc.
|
| Added on commit 6f7ab41e4 ("blacklist gnome-boxes user files (VM-Images)", 2019-10-13) and commit 49280197c ("various hardening (#3394)", 2020-05-02).
* profiles: support more msmtp configuration paths (#6060) (glitsj16, 2023-10-22)
| Since version 1.8.6 msmtp supports per-user configuration at either ~/.msmtprc (already supported by firejail) or `$XDG_CONFIG_HOME/msmtp/config`. System-wide support can be placed at /etc/msmtprc. This adds the missing paths to the relevant .inc and .profile files.
|
| Note that `blacklist ${HOME}/.msmtprc` is present on both disable-common.inc and disable-programs.inc, so the new paths are added to both files.
|
| References:
| https://wiki.archlinux.org/title/Msmtp#Basic_setup
| https://marlam.de/msmtp/msmtp.html#Configuration-files
* steam.profile: Allow Baba Is You (#6054) (Frostbyte4664, 2023-10-16)
|
* disable-common.inc: more SUID binaries (#6051) (glitsj16, 2023-10-15)
|
* disable-common.inc: add more suid programs (Kelvin M. Klann, 2023-10-11)
| Programs:
|
|     $ pacman -Qo fusermount3 groupmems mount.cifs wall write
|     /usr/bin/fusermount3 is owned by fuse3 3.16.1-1
|     /usr/bin/groupmems is owned by shadow 4.14.0-4
|     /usr/bin/mount.cifs is owned by cifs-utils 7.0-3
|     /usr/bin/wall is owned by util-linux 2.39.2-1
|     /usr/bin/write is owned by util-linux 2.39.2-1
* disable-common.inc: sort suid section (Kelvin M. Klann, 2023-10-11)
|
* Merge pull request #6030 from glitsj16/np-floorp (netblue30, 2023-10-05)
|\
| | New profile: floorp
| * disable-programs.inc: fix sorting (glitsj16, 2023-10-02)
| |
| * disable-programs.inc: add floorp support (glitsj16, 2023-10-02)
| |
* | Create brz.profile and bzr.profile (#6028) (glitsj16, 2023-10-03)
| | From Breezy's documentation[1] [2]:
| |
| | > Breezy is a friendly fork of the Bazaar (bzr) project, hosted on
| | > http://bazaar.canonical.com/. It is backwards compatibility with
| | > Bazaar's disk format and protocols. One of the key differences with
| | > Bazaar is that Breezy runs on Python 3, rather than on Python 2.
| |
| | breezy is also the drop-in replacement for bazaar on Arch Linux since pacman 6.0.2-8[3].
| |
| | > By default, Breezy provides support for both the Bazaar and Git file
| | > formats.
| |
| | Note: The profile is implemented as a git redirect.
| |
| | [1] https://github.com/breezy-team/breezy
| | [2] https://www.breezy-vcs.org/
| | [3] https://gitlab.archlinux.org/archlinux/packaging/packages/pacman/-/commit/c68a4e6602e3488fa093a18d35202c76a730faf6