| Commit message (Collapse) | Author | Age |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* introduce whitelist-runuser-common.inc
* If an applications does not need a whitelist it can/should be
nowhitelisted. Example:
nowhitelist ${RUNUSER}/pulse
include whitelist-runuser-common.inc
* ${RUNUSER}/bus is inaccessible with nodbus regardless of the
whitelist. (as it should)
* strange wayland setups with an second wayland-compostior need to
whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
* some display-manager store there Xauthority file in ${RUNUSER}.
test results with fedora 31:
- ssdm: ~/.Xauthority is used
- lightdm: /run/lightdm/USER/Xauthority
- gdm: /run/user/UID/gdm/Xauthority
* IMPORTANT: ATM we can only enable this for non-graphical and GTK3
programs because mutter (GNOMEs window-manger) stores the Xauthority
file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
where XXXXXX is random. Until we have whitelist globbing we can't
whitelist this file. QT/KDE and other toolkits without full wayland
support won't be able to start.
* wru update 1
- add wru to more profiles.
- blacklist ${RUNUSER} works for the most cli programs too.
* add wruc to more profiles
* fixes
* fixes
* wruc: hide pulse pid
* update
* remove wruc from all the x11 profiles
* fixes
* fix ordering
* read-only
* revert read-only
* update
*
|
| |
|
|
|
|
|
|
| |
* clarify dropping python2 support in meld.profile
* properly comment the python2 situation in meld
|
|
|
|
| |
https://github.com/netblue30/firejail/issues/3164#issuecomment-575892401
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add wusc to eom
* Fix wusc in firefox
Without access to /usr/share/ca-certificates all HTTPS traffic gets the FF dialog 'Warning: Potential Security Risk Ahead'. Probably needed in thunderbird profile too (untested).
* Fix wusc ordering in meld
Just an alphabetical ordering nitpick.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Work on whitelist-usr-share-common
* sorting; add Modules + QT/KDE stuff
* add wusc.inc to more profiles [needs testing]
* update
* gitg, firefox, evince
* /usr/share/{p11-kit,pixmaps,pki,qt5,tcl8.6,terminfo}
* more profiles
* remove wusc.inc from feedreader
Even with 'whitelist /usr/share/*', feedreader trys to dereference a
NULL pointer.
* more profiles
* whitelist /usr/share breaks wget
even with whitelist /usr/share/*
* extend wusc.inc
* update
* Add alsa,crypto-policies and zoneinfo
* readd wusc.inc to wget and feedreader
* update
* testing results: Debian Buster with KDE
* more KDE stuff
* fix tb
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Create allow-INTERPETER.inc
* allow-lua.inc
* allow-perl.inc
* allow-python2.inc
* allow-python3.inc
* Create allow-java.inc
* Update profiles to use new allow-INTERPRETER.inc includes
* Update profiles to use new allow-INTERPRETER.inc includes 2/x
* Fix order of allow-INTERPRETER.inc includes
* Update profiles to use new allow-INTERPRETER.inc includes 3/x
* Fixup comment about allow-java.inc
https://github.com/netblue30/firejail/pull/2736#discussion_r289597997
* Add Arch Linux specific paths to allow-perl.inc
|
| |
|
|
|
|
|
| |
This reverts commit 0d42e12f11825f84d6bf6f9c667cd16272a3700c, reversing
changes made to 63efb454a4af0ee5d4905f7cfae193138aef3e15.
|
|\ |
|
| |
| |
| |
| |
| | |
and noblacklist they in all profiles with
noblacklist .gitconfig
|
|/
|
|
|
| |
and noblacklist they in all profiles with
noblacklist .gitconfig
|
|
|
|
|
|
|
|
|
|
| |
* Add hg,bzr,git,svn,cvs to meld's private-bin
* Update meld.profile
* Update meld.profile
* Update meld.profile
|
|
|
|
|
|
| |
* add disable-exec.inc to all profiles with apparmor - #2385 #2505
* drop disable-exec.inc from generic electron.profile
|
|
|
|
|
|
|
|
| |
* Harden meld.profile
* Fix meld.profile
* Update meld.profile
|
| |
|
|\
| |
| | |
Add nou2f to all profiles
|
| |
| |
| |
| | |
- Closes #2194
|
|/
|
|
| |
search for the file.
|
| |
|
| |
|
| |
|
|
|
|
| |
grep "cache" -L $(grep "redirect" -iL $(grep "whitelist" -RL))
|
|
|
|
|
|
|
| |
see #1822 and #1825. also systematically replaces
'blacklist /run/user/*/bus' with 'nodbus'.
with contributions from @Fred-Barclay
|
|
|
|
|
| |
systematically blacklist /run/user/*/bus in all profiles with
'net none'. targets distros like Fedora
|
| |
|
| |
|
|\
| |
| | |
Fix nodvd placement
|
| | |
|
|/ |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
- Added 'disable-devel.conf' to many profiles
- Added 'disable-mnt' to many profiles
- Added 'noexec' to many profiles
- Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
- Cleaned up profiles using defaults
|
|
|
|
|
| |
Hardened many profiles using disable-mnt and novideo
Fixed gnome-font-viewer
|
|
|
|
| |
GDK with the following error: Gdk-ERROR **: The program 'thunderbird' received an X Window System error
|
| |
|
| |
|
|
|