| Commit message | Author | Age |

Use ?ALLOW_TRAY: (#4510) in profiles

Fix vscodium
Both base names are valid:

    $ grep '^NAME' /etc/os-release
    NAME="Artix Linux"
    $ pacman -Q vscodium-bin
    vscodium-bin 1.60.2-2
    $ pacman -Qlq vscodium-bin | grep -v -e '/$' -e /resources/ |
      grep /bin/
    /usr/bin/codium
    /usr/bin/vscodium
    /usr/share/vscodium-bin/bin/codium

Note: The first two paths are symlinks to the third one.
Fixes #3871.

Add profiles for build-systems (/package-managers)
Profiles: bundler, cargo (refactor), cmake (untested), make, meson, pip
All redirect to build-systems-common.profile
Other fixes:
- blacklist ${HOME}/.bundle
- blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo
- blacklist /usr/lib64/ruby

Correct amule.profile for upnp
In order for UPnP to work, the netlink protocol must be enabled.

* cheese
  - fix: dbus-user.own org.gnome.Cheese
  - fix: whitelist /usr/share/gstreamer-1.0
  - fix: include allow-python3.inc
  - hardening: include disable-shell.inc
  - hardening: include whitelist-run-common.inc and whitelist /run/udev/data
  - hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
  - hardening: noinput
  - hardening: nosound
  - hardening: seccomp.block-secondary
  - hardening: private-dev
* geekbench (closes #4576)
  - fix: noblacklist /sbin and noblacklist /usr/sbin
  - fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
  - fix: comment/remove private-bin, private-lib, private-opt
* inkscape
  - add quiet for cli usage
* musixmatch (#4518)
  - allow chroot
* pandoc
  - fix: include allow-bin-sh.inc
  - fix: drop private-bin
  - hardening: include whitelist-runuser-common.inc
  - hardening: seccomp.block-secondary

Add ld.so.preload to all private-etc lines
Command:

    sed -i -E "s/^private-etc /private-etc ld.so.preload,/" \
      $(grep -LE "^private-etc .*ld.so.preload" etc/profile-*/*) \
      && python3 contrib/sort.py etc/profile-*/*

Create goldendict.profile

Add missing final newlines

Enable evince to display archived images (.cbz) file with plugin
installed.

fix duplicate globals

- closes #4483 -- mpv requires whitelisting /usr/share/pipewire
- wruc: whitelist pipewire-?, pipewire is becoming more popular and was
developed with isolation (container/sandbox) in mind.
- wruc: whitelist wayland-? instead of only -0 and -1
- wusc: whitelist /usr/share/pipewire
- remove these wruc/wusc lines from other profiles
- firefox-common-addons: Make ignore wruc work again (#4512)
- firefox: org.freedesktop.portal.Desktop should be enough

- disable-programs.inc: blacklist ${HOME}/.local/state/pipewire
If you have not yet noticed, on 08th May 2021 the XDG Base Directory
Specification 0.8 was released (the first update since 2010). New are
$XDG_STATE_HOME and $HOME/.local/bin.
- keepassxc: mkdirs are necessary
- gnote: harden
- pngquant: harden

Freetube from AUR uses a wrapper script

Fix #4469

follow up

(#4461)
See #4454

- Add whitelist-run-common.inc
- Drop netlink (there is no error or broken feature for me (including
auto-type))
- Second update for the dbus-policy

Still unresolved:
> If someone who uses systemd-resolved can say more which resolv.conf is necessary on such system.
> whitelist /run/systemd/resolve/resolv.conf
> whitelist /run/systemd/resolve/stub-resolv.conf

- Fix #4157 -- [Feature] Should rmenv GitHub auth tokens
There are still more token variables from other programs that should be
added.
- Fix #4093 -- darktable needs read access to liblua*
- Fix #4383 -- move noblacklist ${HOME}/.bogofilter to email-common.profile for claws-mail (and other mailers)
- Fix xournalpp.profile
- syscalls.txt: ausyscall i386 -> firejail --debug-syscalls32

…profiles with private-bin

See #4410
8b50039a1fad123b90172fadc85bc232e97eb6d1

Closes #3785 -- Allowing calling specific apps outside the sandbox or with a different firejail profile
The idea isn't wrong but should be rewritten in a separate issue without
all the kodi/lutris clutter.

closes #4408