| Commit message (Collapse) | Author | Age |
|\
| |
| | |
follow-up fixes for #3914
|
| |
| |
| |
| | |
https://github.com/netblue30/firejail/commit/43aa71f8c608ec5bd92fd2c7323c603fa37f6d30
|
|\ \
| | |
| | | |
ssh: Refactor, fix bugs & harden
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
Command used to find the relevant files:
$ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
Also, add it to profile.template, as reminded by @rusty-snake at
https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
|
| | |
| | |
| | |
| | | |
See etc/templates/profile.template.
|
| |/
|/| |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* add comment: allow python
* add comment: allow python
* reorder allow comments
* fix perl allow comment
* add comment: allow python
* add comment: allow lua, perl & python
* reorder allow comments
* add comment: allow python
* add comment: allow python
* add comment: allow lua, perl & python
* fix allow comments
* add comment: allow python
* add comment: allow python
* fix spacing in comments
* add comment: allow python
* add comment: allow python
* fix comment
* add comment: allow perl & python
* add comment: allow lua & python
* add comment: allow lua, perl & python
* fix allow comments
* add comment: allow perl & python
* streamline allow python comments
|
|\ \
| | |
| | | |
New profile for CoyIM
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
|\ \ \
| | | |
| | | | |
Add profile for kdiff3
|
| | | | |
|
| | | | |
|
|/ / / |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* fix comment in blackbox.profile
* fix comment in fluxbox.profile
* fix comment in i3.profile
* fix comment in krunner.profile
* fix comment in openbox.profile
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* refactor google-earth{-pro} blacklisting
* fix google-earth-pro.profile
I've included all binaries found in the Arch Linux AUR package to private-bin. But I also added a note on ignoring private-bin because I'm not sure what google-earth is doing on other distro's.
* unbreak google-earth.profile
Not sure why we need grep, ls and sed in private-bin exactly but keeping them around wouldn't hurt too much I guess.
|
| | |
| | |
| | |
| | |
| | |
| | | |
To solve issue#3907, doc directory of the bibletime has to be
whitelisted. Otherwise, it always fails to start.
Co-authored-by: hhnb <hhnb@nanenient.cc>
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
hardening: wusc + wruc
fix: settings was immutable
|
| | |
| | |
| | |
| | |
| | | |
* Create agetpkg.profile
* new profile: agetpkg
|
| |/
|/|
| |
| |
| |
| |
| | |
* Create lsar.profile
* Create unar.profile
* new profiles lsar & unar
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Improvements to balsa,fractal,gajim,trojita
* sort
* Add gpg plugin support to gajim,remove notifications dbus from trojita
* Add dbus policy from flatpak per @rusty-snake
* Add python* to private-bin; remove some dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
| |
| |
| | |
Discord needs PulseAudio. Without it, it's unable to play any audio.
|
| |
| |
| |
| |
| |
| |
| | |
bookmarks are saved unter $HOME/.local/share/gvfs-metadata
since evince is the primary pdf reader, a firejailed evince can't read
or write those
this commit adds instructions to enable metadata writing and reading
|
| |
| |
| |
| |
| | |
* drop doubled netfilter in atom.profile
* drop doubled disable-mnt in tutanota-desktop.profile
|
| |
| |
| |
| |
| |
| |
| | |
* harden liferea
* dbus fixes
On closer investigation it seems wiser to tighten D-Bus filtering as Liferea implements stuff via plugins that are disabled by default.
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
* fix #3859
* fix #3859
* fix #3859
|
|\ \
| | |
| | | |
keepassxc.profile: Fix hang due to seccomp
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
With the current profile, keepassxc hangs on startup, before showing the
main window:
$ uname -r -m
5.9.1-artix1-1 x86_64
$ firejail --version | head -n 1
firejail version 0.9.64
$ firejail --quiet keepassxc --version
KeePassXC 2.6.2
$ firejail --quiet keepassxc
# (nothing happens)
^C
Seccomp debugging as explained on etc/templates/syscalls.txt:
$ sudo grep -Eo 'keepassxc.* syscall=[0-9]+' /var/log/messages.log | tail -n 1
keepassxc" exe="/usr/bin/keepassxc" sig=31 arch=c000003e syscall=303
$ firejail --debug-syscalls | grep 303
303 - name_to_handle_at
So allow the name_to_handle_at syscall.
Relates to #3549.
|
|\ \ \ |
|
| |\ \ \
| | | | |
| | | | | |
Small fixes
|
| | | | | |
|
| | | | | |
|
| | | |/
| | |/| |
|
| |/ /
| | |
| | |
| | |
| | | |
- split notifications and tray
- fix tray policy
|
|/ / |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
…on to chromium, remove the nowhlist from min and
its whlist from riot-web.
TODO: remove the 'ignore whitelist /usr/share/chomium' from the most
profiles with it.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Refactor electron.profile and electron based programs (1)
* Refactor electron.profile and electron based programs (2)
* Refactor electron.profile and electron based programs (3)
* Refactor electron.profile and electron based programs (4)
* Refactor electron.profile and electron based programs (5)
* Refactor electron.profile and electron based programs (6)
* Refactor electron.profile and electron based programs (7)
* Refactor electron.profile and electron based programs (8)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* drop private-bin
* drop private-bin
* drop private-bin
* drop private-bin
* drop private-bin
* disable private-lib in tar.profile
Removing private-bin caused a test to fail - see discussion in https://github.com/netblue30/firejail/pull/3832. Thanks to @reinerh for explaining why I broke things!
|
| |
| |
| |
| |
| |
| |
| | |
* New profiles for alacarte,tootle,photoflare
* Fix dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
| |
| |
| |
| |
| | |
* fix gzip
* fix tar
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* harden 7z.profile
* harden atool.profile
* harden bsdtar.profile
* harden cpio.profile
* harden gzip.profile
* harden tar.profile
* harden unrar.profile
* harden unzip.profile
* harden xzdec.profile
* harden zstd.profile
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Create archiver-common.inc
* add apparmor to archiver-common.inc
* refactor 7z.profile
* refactor ar.profile
* refactor atool.profile
* refactor bsdtar.profile
* refactor cpio.profile
* refactor gzip.profile
* refactor tar.profile
* refactor unrar.profile
* refactor unzip.profile
* refactor xzdec.profile
* refactor zstd.profile
* rewording
* blacklist ${RUNUSER} in archiver-common.inc
Thanks to @rusty-snake for suggesting this.
* drop non-sensical ${RUNUSER}/wayland-* blacklisting in archiver-common.inc
See discussion in https://github.com/netblue30/firejail/pull/3820#discussion_r543523343
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
|