| Commit message (Collapse) | Author | Age |
| |
|
|
|
| |
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
|
|
| |
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
|
|
|
|
|
|
|
| |
This configuration is to be applied in order to get screen sharing
working under Wayland (via pipewire and a xdg-desktop-portal backend).
Note that {chrome|chromium} does not need the dbus filters (at least
as of today) because dbus filtering is not enabled (dbus-user not set
to none).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 5df1f27c638c487dfd664ea3a0f756565e1e57bd.
That commit breaks things, as pointed out by @rusty-snake[1]:
> @kmk3 @glitsj16 The xdg macros are treated literally if they have sub
> components (#2359):
>
> ```
> Error: "${DOCUMENTS}/KeePassXC" is an invalid filename: rejected character: "{"
> ```
[1]: https://github.com/netblue30/firejail/commit/3fa2927c3c1c5cf583864746538ea791c1ba2dc4#commitcomment-46913219
|
|\
| |
| | |
Email part (2)
|
| | |
|
| |
| |
| |
| | |
mutt,neomuut; some sorting
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
to both geary and evolution; add dbus permissions fromflatpak
|
| | |
|
| |
| |
| |
| |
| | |
Just `find . -not \( -name .git -prune -o -name *.AppImage -prune \) -type f -print0 | xargs -0 perl -pi -e 's/ +$//'`
and filter to avoid unwanted changes (especially .md files)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently, some paths are hard-coded:
$ grep -Fnr '${HOME}/Documents' etc etc-fixes
etc/profile-m-z/Mathematica.profile:19:mkdir ${HOME}/Documents/Wolfram Mathematica
etc/profile-m-z/Mathematica.profile:22:whitelist ${HOME}/Documents/Wolfram Mathematica
etc/profile-a-l/keepassxc.profile:34:# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
etc/profile-a-l/keepassxc.profile:35:#mkdir ${HOME}/Documents/KeePassXC
etc/profile-a-l/keepassxc.profile:36:#whitelist ${HOME}/Documents/KeePassXC
Commands used to search and replace:
$ find etc etc-fixes/ -type f -exec \
sed -i.bak -e 's|\${HOME}/Documents|${DOCUMENTS}|' '{}' +
Related to that, the (lack of) usage of ${DOWNLOADS} has been recently
fixed on commit deae31301 ("use ${DOWNLOADS} in lutris.profile
(#3955)").
With the above change, all macros other than ${DOCUMENTS} seem to be
already used appropriately:
$ grep -Fnr '${HOME}/Desktop' etc etc-fixes
$ grep -Fnr '${HOME}/Downloads' etc etc-fixes
$ grep -Fnr '${HOME}/Music' etc etc-fixes
$ grep -Fnr '${HOME}/Pictures' etc etc-fixes
$ grep -Fnr '${HOME}/Videos' etc etc-fixes
See src/firejail/macros.c for details.
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
And mark it as a redirect profile.
This is done so when including other *-common.inc profiles, such as
firefox-common.profile.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Create calligragemini.profile
* Update calligra.profile
* Update calligra.profile
* Update firecfg.config
|
| |
| |
| |
| | |
ungoogled-chromium won't work with keepassxc (#3941)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Update disable-programs.inc
* Update firecfg.config
* Create avidemux.profile
* Update avidemux.profile
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
webkit2gtk uses a bwrap based sandbox by default since 4.0, see #3647.
This is good as it means more security by default on for linux system.
Unfortunately is it not possible to run bwrap inside firejail if bwrap
is started with --unshare-pid --proc /proc at all. In general we should
exclude a program from firecfg until a final solution is found. But
bijiben is special, while epiphany or evolution display random stuff
from the internet is webkit2gtk in bijiben used to display local files
create by the user. Bijiben has a thight profile (net none, whitelist,
private-bin, ...) therefore my decision here was to disable the
webkit2gtk sandbox rather then firejail.
|
| |
| |
| |
| |
| | |
* add quiet to lzdiff
* add quiet to lzmadec
|
|\ \
| | |
| | | |
follow-up fixes for #3914
|
| | |
| | |
| | |
| | | |
https://github.com/netblue30/firejail/commit/43aa71f8c608ec5bd92fd2c7323c603fa37f6d30
|
|\ \ \
| | | |
| | | | |
ssh: Refactor, fix bugs & harden
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
Command used to find the relevant files:
$ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
Also, add it to profile.template, as reminded by @rusty-snake at
https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
|
| | | |
| | | |
| | | |
| | | | |
See etc/templates/profile.template.
|
| |/ /
|/| | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* add comment: allow python
* add comment: allow python
* reorder allow comments
* fix perl allow comment
* add comment: allow python
* add comment: allow lua, perl & python
* reorder allow comments
* add comment: allow python
* add comment: allow python
* add comment: allow lua, perl & python
* fix allow comments
* add comment: allow python
* add comment: allow python
* fix spacing in comments
* add comment: allow python
* add comment: allow python
* fix comment
* add comment: allow perl & python
* add comment: allow lua & python
* add comment: allow lua, perl & python
* fix allow comments
* add comment: allow perl & python
* streamline allow python comments
|
|\ \ \
| | | |
| | | | |
New profile for CoyIM
|
| | | | |
|
| | | | |
|
| | | | |
|
| | |/
| |/| |
|
|\ \ \
| | | |
| | | | |
Add profile for kdiff3
|
| | | | |
|
| | | | |
|
|/ / / |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* fix comment in blackbox.profile
* fix comment in fluxbox.profile
* fix comment in i3.profile
* fix comment in krunner.profile
* fix comment in openbox.profile
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* refactor google-earth{-pro} blacklisting
* fix google-earth-pro.profile
I've included all binaries found in the Arch Linux AUR package to private-bin. But I also added a note on ignoring private-bin because I'm not sure what google-earth is doing on other distro's.
* unbreak google-earth.profile
Not sure why we need grep, ls and sed in private-bin exactly but keeping them around wouldn't hurt too much I guess.
|
| | |
| | |
| | |
| | |
| | |
| | | |
To solve issue#3907, doc directory of the bibletime has to be
whitelisted. Otherwise, it always fails to start.
Co-authored-by: hhnb <hhnb@nanenient.cc>
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
hardening: wusc + wruc
fix: settings was immutable
|
| | |
| | |
| | |
| | |
| | | |
* Create agetpkg.profile
* new profile: agetpkg
|
| |/
|/|
| |
| |
| |
| |
| | |
* Create lsar.profile
* Create unar.profile
* new profiles lsar & unar
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Improvements to balsa,fractal,gajim,trojita
* sort
* Add gpg plugin support to gajim,remove notifications dbus from trojita
* Add dbus policy from flatpak per @rusty-snake
* Add python* to private-bin; remove some dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
| |
| |
| | |
Discord needs PulseAudio. Without it, it's unable to play any audio.
|