| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 5df1f27c638c487dfd664ea3a0f756565e1e57bd.
That commit breaks things, as pointed out by @rusty-snake[1]:
> @kmk3 @glitsj16 The xdg macros are treated literally if they have sub
> components (#2359):
>
> ```
> Error: "${DOCUMENTS}/KeePassXC" is an invalid filename: rejected character: "{"
> ```
[1]: https://github.com/netblue30/firejail/commit/3fa2927c3c1c5cf583864746538ea791c1ba2dc4#commitcomment-46913219
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, some paths are hard-coded:
$ grep -Fnr '${HOME}/Documents' etc etc-fixes
etc/profile-m-z/Mathematica.profile:19:mkdir ${HOME}/Documents/Wolfram Mathematica
etc/profile-m-z/Mathematica.profile:22:whitelist ${HOME}/Documents/Wolfram Mathematica
etc/profile-a-l/keepassxc.profile:34:# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
etc/profile-a-l/keepassxc.profile:35:#mkdir ${HOME}/Documents/KeePassXC
etc/profile-a-l/keepassxc.profile:36:#whitelist ${HOME}/Documents/KeePassXC
Commands used to search and replace:
$ find etc etc-fixes/ -type f -exec \
sed -i.bak -e 's|\${HOME}/Documents|${DOCUMENTS}|' '{}' +
Related to that, the (lack of) usage of ${DOWNLOADS} has been recently
fixed on commit deae31301 ("use ${DOWNLOADS} in lutris.profile
(#3955)").
With the above change, all macros other than ${DOCUMENTS} seem to be
already used appropriately:
$ grep -Fnr '${HOME}/Desktop' etc etc-fixes
$ grep -Fnr '${HOME}/Downloads' etc etc-fixes
$ grep -Fnr '${HOME}/Music' etc etc-fixes
$ grep -Fnr '${HOME}/Pictures' etc etc-fixes
$ grep -Fnr '${HOME}/Videos' etc etc-fixes
See src/firejail/macros.c for details.
|
|
|
|
| |
ungoogled-chromium won't work with keepassxc (#3941)
|
|\
| |
| | |
keepassxc.profile: Fix hang due to seccomp
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With the current profile, keepassxc hangs on startup, before showing the
main window:
$ uname -r -m
5.9.1-artix1-1 x86_64
$ firejail --version | head -n 1
firejail version 0.9.64
$ firejail --quiet keepassxc --version
KeePassXC 2.6.2
$ firejail --quiet keepassxc
# (nothing happens)
^C
Seccomp debugging as explained on etc/templates/syscalls.txt:
$ sudo grep -Eo 'keepassxc.* syscall=[0-9]+' /var/log/messages.log | tail -n 1
keepassxc" exe="/usr/bin/keepassxc" sig=31 arch=c000003e syscall=303
$ firejail --debug-syscalls | grep 303
303 - name_to_handle_at
So allow the name_to_handle_at syscall.
Relates to #3549.
|
|/
|
|
|
| |
- split notifications and tray
- fix tray policy
|
|
|
|
|
|
|
|
| |
- add seccomp.block-secondary to a lot profiles
- add wruc to firefox-common and ignore it in TB and
firefox-common-addons
- harden dia, gnome-keyring, libreoffice, megaglest, pngquant,
ghostwriter, rhythmbox, sqlitebrowser
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* hardening some profiles
- harden and fix flameshot
- wruc: frogatto, ghostwriter
- harden gnome-latex
- add whitelist opt-in note to keepassxc
- add comment to minetest
- harden openarena, tremulous, xonotic
- add profile for xonotic-sdl-wrapper
* followup
|
|
|
|
|
|
|
|
|
|
|
|
| |
* disable-shell.inc
* add disable-shell.inc to all profiles with a …
… private-bin line without bash/sh except profiles with redirect
profiles.
* add it to some more profiles
* exclude aria2c.profile
|
|
|
|
|
|
|
| |
* dbus filter (1)
* dbus-filter: firefox
* drop org.gtk.vfs and com.canonical.AppMenu.Registrar
|
|
|