path: root/etc/profile-a-l
Commit message - Author, Age
* New profile: axel (#6315) - glitsj16, 2024-04-20
|   https://github.com/axel-download-accelerator/axel
* profiles: clarify and add opengl-game to profile.template (#6300) - Kelvin M. Klann, 2024-04-05
|   To make it consistent with the other include profiles.
|   See etc/templates/profile.template.
|   With this, all `etc/inc/allow-*` files are listed in profile.template.
|   The explanation is based on a comment by @rusty-snake[1].
|
|   Relates to #4071.
|   This is a follow-up to #6299.
|
|   [1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473
* New profile: gh (GitHub CLI) (#6293) - glitsj16, 2024-03-27
|   Description: GitHub's official command-line tool.
|   https://github.com/cli/cli
* profiles: rename disable-X11.inc to disable-x11.inc (#6294) - Kelvin M. Klann, 2024-03-27
|   That is, make "X11" lowercase so that the order of the includes in the
|   disable- section remains the same when sorted with `LC_ALL=C`, as is the
|   case for most of the other sections.
|
|   That is also likely to be the default in text editors (such as in vim on
|   Arch), so this should make the disable- section more consistent and
|   easier to sort when editing the profile.
|
|   Also, keep the old include as a redirect to the new one for now to avoid
|   breakage.
|
|   Commands used to search and replace:
|
|       git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
|       git grep -Ilz 'disable-X11' -- etc | xargs -0 \
|         perl -pi -e 's/disable-X11/disable-x11/'
|
|   Relates to #4462 #4854 #6070 #6289.
|   This is a follow-up to #6286.
* profiles: sort blacklist sections (#6289) - Kelvin M. Klann, 2024-03-27
|   See etc/templates/profile.template.
|   This is a follow-up to #6286.
* firefox: Add org.kde.kdeconnect to plasma integration comment (#6285) - RundownRhino, 2024-03-24
|   I recently set up KDE connect and plasma-browser-integration for firefox
|   (Linux Mint 21.2) and needed this line in addition to the ones mentioned
|   in the profile. Found it via running
|   `firejail --profile=/etc/firejail/firefox.profile --dbus-user.log firefox`,
|   trying to send links to device, and seeing what events get logged.
* Merge pull request #6286 from kmk3/x11-none-improvements - Kelvin M. Klann, 2024-03-24
|\
| |   profiles: replace x11 socket blacklist with disable-X11.inc
| * profiles: replace x11 socket blacklist with disable-X11.inc - Kelvin M. Klann, 2024-03-24
| |   Replace all occurrences of `blacklist /tmp/.X11-unix` with
| |   `include disable-X11.inc`, which blacklists more X11-related files.
| |
| |   Commands used to search and replace:
| |
| |       $ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
| |           etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
| |           s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
| |           s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
| |           s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'
| |
| |   Note: The following files were also edited manually:
| |
| |   * etc/profile-a-l/erd.profile
| |   * etc/profile-a-l/links-common.profile
| |   * etc/profile-m-z/termshark.profile
| |   * etc/profile-m-z/tmux.profile
| |   * etc/profile-m-z/tshark.profile
| |
| |   Relates to #4462 #4854.
* | profiles: deny access to ~/.config/autostart (#6257) - Kelvin M. Klann, 2024-03-24
|/
|   The files in this directory are intended to be automatically executed
|   when the user logs in. In which case, granting write access to this
|   directory allows the program to easily escape the sandbox (by
|   autostarting itself outside of firejail, for example).
|
|   Misc: This was noticed on #6244.
* gconf-editor: remove X11 socket blacklist - Kelvin M. Klann, 2024-03-23
|   It is a GUI program.
|
|   It was apparently added by accident on commit 73321c597 ("Fixes
|   (#2816)", 2019-07-01).
|
|   Reported by @glitsj16 at
|   https://github.com/netblue30/firejail/pull/6286#discussion_r1536618241
* k3b.profile: fix dvd drive detection (private-dev) (#6280) - Kelvin M. Klann, 2024-03-23
|   @hedgehog29 commented[1]:
|
|   > It prevents k3b from detecting all dvd drives, including USB ones, and
|   > it seems that also SATA.
|
|   Fixes #6279.
|
|   [1] https://github.com/netblue30/firejail/issues/6279#issue-2191392448
* New profile: localsend_app.profile (#6244) - glitsj16, 2024-03-18
|   Description: An open source cross-platform alternative to AirDrop.
|   https://github.com/localsend/localsend
* New profile: editorconfiger.profile (#6235) - glitsj16, 2024-03-18
|   Description: Plain tool to validate and compare .editorconfig files.
|   https://github.com/aegoroff/editorconfiger
|   https://aur.archlinux.org/packages/editorconfiger
|   https://aur.archlinux.org/packages/editorconfiger-bin
* New profile: koreader.profile (#6243) - glitsj16, 2024-03-16
|   Description: Ebook reader application.
|   https://koreader.rocks/
* New profile: dexios.profile (#6234) - glitsj16, 2024-03-16
|   Description: CLI encryption tool
|   https://github.com/brxken128/dexios
|   https://aur.archlinux.org/packages/dexios-bin
* New profile: deadlink.profile (#6233) - glitsj16, 2024-03-15
|   Description: Checks and fixes URLs in code and documentation.
|   https://github.com/nschloe/deadlink
|   https://aur.archlinux.org/packages/deadlink
* New profile: cloneit (#6232) - glitsj16, 2024-03-15
|   Description: A CLI tool to download specific GitHub directories or files.
|   https://github.com/alok8bb/cloneit
|   https://aur.archlinux.org/packages/cloneit-git
* New profile: lyriek.profile (#6245) - glitsj16, 2024-03-14
|   Description: A multi-threaded GTK application to fetch lyrics of
|   currently playing songs.
|   https://gitlab.com/bartwillems/lyriek
* New profile: erd.profile (#6236) - glitsj16, 2024-03-14
|   Description: Multi-threaded file-tree visualizer and disk usage analyzer.
|   https://github.com/solidiquis/erdtree
|   https://archlinux.org/packages/extra/x86_64/erdtree/
|
|   Note: The repo and package are called `erdtree`, but the executable is
|   `erd`.
* New profile: bpftop.profile (#6231) - glitsj16, 2024-03-14
|   Description: Dynamic real-time view of running eBPF programs.
|   https://github.com/Netflix/bpftop
|   https://aur.archlinux.org/packages/bpftop
|   https://aur.archlinux.org/packages/bpftop-bin
|   https://aur.archlinux.org/packages/bpftop-git
* Merge pull request #6261 from kmk3/sort-py-strip-commas - Kelvin M. Klann, 2024-03-08
|\
| |   build: sort.py: filter empty and duplicate items
| * build: sort.py: filter empty and duplicate items - Kelvin M. Klann, 2024-03-03
| |   Note: This seems to already be done for `protocol` lines.
| |
| |   Before:
| |
| |       $ ./contrib/sort.py test.profile
| |       sort.py: checking 1 profile(s)...
| |       test.profile:1:-private-etc ,,bar,,foo,,bar,,,
| |       test.profile:1:+private-etc ,,,,,,,bar,bar,foo
| |       test.profile:2:-protocol ,,unix,,bluetooth,,unix,,inet,,,
| |       test.profile:2:+protocol unix,inet,bluetooth
| |       [ Fixed ] test.profile
| |
| |   After:
| |
| |       $ ./contrib/sort.py test.profile
| |       sort.py: checking 1 profile(s)...
| |       test.profile:1:-private-etc ,,bar,,foo,,bar,,,
| |       test.profile:1:+private-etc bar,foo
| |       test.profile:2:-protocol ,,unix,,bluetooth,,unix,,inet,,,
| |       test.profile:2:+protocol unix,inet,bluetooth
| |       [ Fixed ] test.profile
* | New profile: green-recoder.profile (#6237) - glitsj16, 2024-03-05
| |   Simple screen recorder for Linux desktop, supports Wayland & Xorg.
| |   https://github.com/dvershinin/green-recorder
| |   https://aur.archlinux.org/packages/green-recorder
| |   https://aur.archlinux.org/packages/green-recorder-git
* | archiver-common: add mkinitcpio support to private-etc (#5656) - glitsj16, 2024-03-05
| |   mkinitcpio (used to generate initramfs images) supports several
| |   compression formats:
| |   https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/blob/master/mkinitcpio.conf#L54-L64.
| |
| |   On Arch Linux (based distributions) at least this implies the supported
| |   archivers to have access to mkinitcpio-related files under /etc. This was
| |   no problem before 29da82d added `private-etc` to
| |   `archivers-common.profile`.
| |
| |   This adds the now needed extra private-etc items to
| |   archiver-common.profile, for mkinitcpio's supported compressors (which
| |   seem to be at least cpio, gzip and zstd).
| |
| |   Relates to #5610.
* | archivers: drop private-etc now that it's in archiver-common (#5655) - glitsj16, 2024-03-05
| |   Commit 29da82d added `private-etc` to `archiver-common.profile`. To
| |   avoid doubled options this PR removes it from archiver profiles which
| |   already had it.
| |
| |   Relates to #5610.
* | iagno: ordering fixes (#5681) - glitsj16, 2024-03-05
| |
* | New profiles: lz4 and redirects (#6241) - glitsj16, 2024-03-05
| |
* | gnome-boxes: deny access to /usr/libexec (#6239) - glitsj16, 2024-03-05
| |
* | Add quiet to enchant-2, it has a cli - rusty-snake, 2024-03-03
|/
* Merge pull request #6219 from haplo/ledger-live-desktop - netblue30, 2024-02-29
|\
| |   Profile for Ledger Live desktop app
| * Profile for ledger-live-desktop - Fidel Ramos, 2024-02-28
| |   /opt/ledger-live installation currently sits at 345 MiB, so I decided to
| |   whitelist it instead of using private-opt ledger-live, in case future
| |   installations grow in size.
| |
| |   Not using private-dev was the only way I managed to get my USB wallet to
| |   work.
* | Create gnome-boxes.profile - glitsj16, 2024-02-27
|/
* profiles: drop paths already in wusc (#6218) - glitsj16, 2024-02-23
|   Drop paths present in etc/inc/whitelist-usr-share-common.inc from
|   profiles that include it.
* electron-cash: use new private-etc syntax - glitsj16, 2024-02-19
|
* Merge pull request #6181 from haplo/electron-cash - glitsj16, 2024-02-19
|\
| |   Profile for Electron Cash
| * electron-cash.profile - Fidel Ramos, 2024-01-30
| |
* | Merge pull request #6201 from glitsj16/gnome-keyring-fixes - glitsj16, 2024-02-08
|\ \
| | |   gnome-keyring: harden and add gnome-keyring-daemon.profile
| * | Create gnome-keyring-daemon.profile - glitsj16, 2024-02-08
| | |   And use it as the base for the existing gnome-keyring.profile.
| * | gnome-keyring: harden and remove quiet - glitsj16, 2024-02-08
| | |
* | | enchant-lsmod-2: redirect to enchant-2 (#6202) - glitsj16, 2024-02-08
|/ /
* | geeqie.profile: allow Lua interpreter (#6183) - Fidel Ramos, 2024-02-03
| |   Recent versions of geeqie[1] use a Lua interpreter, like the one
| |   currently in Arch Linux (2.2).
| |
| |   Without this fix it fails with:
| |
| |       /usr/bin/geeqie: error while loading shared libraries: liblua.so.5.4: [...]
| |
| |   [1] https://www.geeqie.org/
* | crawl.profile: allow lua (#6182) - luca0N!, 2024-02-02
|/
|   Add common Lua include to crawl.profile (Dungeon Crawl Stone Soup) to
|   allow Lua libraries, as both the ncurses and tiles executables are
|   dynamically linked to Lua.
* profiles: add profiles for gtk youtube viewers symlinks (#6154) - pirate486743186, 2024-01-19
|   Committer note: For each profile there is both XXX-gtk and gtk-XXX (such
|   as lbry-viewer-gtk and gtk-lbry-viewer).
|
|   XXX-gtk is the symlink
|   gtk-XXX is the actual file
|
|   Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
* lobster.profile: allow basename (#6155) - pirate486743186, 2024-01-19
|   Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
* profiles: use only /usr/share/lua* (#6150) - Kelvin M. Klann, 2024-01-08
|   To ensure that it includes luajit paths as well:
|
|   * /usr/share/lua
|   * /usr/share/luajit-2.1
|
|   And remove all entries of the same path without the wildcard, to avoid
|   redundancy.
|
|   Misc: The wildcard entries were added on commit 56b60dfd0 ("additional
|   Lua blacklisting (#3246)", 2020-02-24) and the entries without the
|   wildcard were partially removed on commit 721a984a5 ("Fix Lua in
|   disable-interpreters.inc", 2020-02-24).
|
|   This is a follow-up to #6128.
|
|   Reported-by: @pirate486743186
* Merge pull request #6128 from pirate486743186/master - netblue30, 2023-12-21
|\
| |   mpv: whitelist /usr/share/mpv
| * mpv: whitelist /usr/share/mpv - pirate486743186, 2023-12-13
| |   Use case: You install scripts in `/usr/share/mpv` but they remain
| |   inactive. You then symlink them to `/etc/mpv` to activate them if you
| |   want.
* | landlock: move commands into profile and add landlock.enforce - Kelvin M. Klann, 2023-12-11
|/
|   Changes:
|
|   * Move commands from --landlock and --landlock.proc= into
|     etc/inc/landlock-common.inc
|   * Remove --landlock and --landlock.proc=
|   * Add --landlock.enforce
|
|   Instead of hard-coding the default commands (and having a separate
|   command just for /proc), move them into a dedicated profile to make it
|   easier for users to interact with the entries (view, copy, add ignore
|   entries, etc).
|
|   Only enforce the Landlock commands if --landlock.enforce is supplied.
|   This allows safely adding Landlock commands to (upstream) profiles while
|   keeping their enforcement opt-in. It also makes it simpler to
|   effectively disable all Landlock commands, by using
|   `--ignore=landlock.enforce`.
|
|   Relates to #6078.
* curl: add support for ~/.config/curlrc (#6120) - glitsj16, 2023-12-11
|   curl supports several locations for the rc file according to its man
|   page:
|
|   [...]
|   When curl is invoked, it (unless -q, --disable is used) checks for a
|   default config file and uses it if found, even when -K, --config is
|   used. The default config file is checked for in the following places in
|   this order:
|
|   1) "$CURL_HOME/.curlrc"
|   2) "$XDG_CONFIG_HOME/curlrc" (Added in 7.73.0)
|   3) "$HOME/.curlrc"
|   [...]
* fractal.profile: allow /usr/share/fractal - Kelvin M. Klann, 2023-12-11
|   This fixes Fractal 5 not opening on Void Linux due to it failing to
|   access "/usr/share/fractal/resources.gresource".
|
|   Fixes #6119.
|
|   Reported-by: @mhmdana
|   Suggested-by: @rusty-snake