| Commit message (Collapse) | Author | Age |
…on to chromium, remove the nowhlist from min and
its whlist from riot-web.
TODO: remove the 'ignore whitelist /usr/share/chromium' from most
profiles with it.
|
* Refactor electron.profile and electron based programs (1)
* Refactor electron.profile and electron based programs (2)
* Refactor electron.profile and electron based programs (3)
* Refactor electron.profile and electron based programs (4)
* Refactor electron.profile and electron based programs (5)
* Refactor electron.profile and electron based programs (6)
* Refactor electron.profile and electron based programs (7)
* Refactor electron.profile and electron based programs (8)
|
* drop private-bin
* drop private-bin
* drop private-bin
* drop private-bin
* drop private-bin
* disable private-lib in tar.profile
Removing private-bin caused a test to fail - see discussion in https://github.com/netblue30/firejail/pull/3832. Thanks to @reinerh for explaining why I broke things!
|
* New profiles for alacarte,tootle,photoflare
* Fix dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
* fix gzip
* fix tar
|
* harden 7z.profile
* harden atool.profile
* harden bsdtar.profile
* harden cpio.profile
* harden gzip.profile
* harden tar.profile
* harden unrar.profile
* harden unzip.profile
* harden xzdec.profile
* harden zstd.profile
|
* Create archiver-common.inc
* add apparmor to archiver-common.inc
* refactor 7z.profile
* refactor ar.profile
* refactor atool.profile
* refactor bsdtar.profile
* refactor cpio.profile
* refactor gzip.profile
* refactor tar.profile
* refactor unrar.profile
* refactor unzip.profile
* refactor xzdec.profile
* refactor zstd.profile
* rewording
* blacklist ${RUNUSER} in archiver-common.inc
Thanks to @rusty-snake for suggesting this.
* drop non-sensical ${RUNUSER}/wayland-* blacklisting in archiver-common.inc
See discussion in https://github.com/netblue30/firejail/pull/3820#discussion_r543523343
|
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
* drop non-sensical ${RUNUSER}/wayland-* blacklisting
|
* Rename etc/inc/softmaker-common.inc to etc/profile-m-z/softmaker-common.profile
As per suggestion by @rusty-snake in https://github.com/netblue30/firejail/pull/3819#issuecomment-745244982
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
* softmaker-common.profile name change
|
* Update and rename whitelist-players.inc to whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
* renamed whitelist-player-common.inc
|
* add curl HSTS support
* add HSTS support
|
* Add profile for authenticator-rs, improve falkon, balsa
* Fix
* Add private-tmp to falkon
* Revert balsa
|
Games folder must be whitelisted in a dolphin-emu.local
Its private-etc can likely be shortened
|
- gimp: allow mbind syscall. no start on Fedora 33 without
- minetest: disable private-cache. without persistent cache connecting to servers can take many minutes
- supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers
- supertuxkart: comment private-dev to allow controller use
- profiles: unify controller support comments
- firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
|
Since version 3.0 Godot is supporting C# as a language for writing
scripts. The C# solution can be built directly in Godot editor using
MSBuild, which requires access to directory /etc/mono. This directory
contains configuration of Mono environment. If MSBuild doesn't have
access to this directory, it's not able to determine location of
DLL files and it's throwing System.DllNotFoundException at beginning
of the build process.
|
* allow access to gnome-shell search-provider in firefox.profile
Firefox has gnome-shell search-provider support since version 78:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1239694
- https://mastransky.wordpress.com/2020/09/25/firefox-gnome-shell-search-provider/
* add dbus filter for gnome-shell search-provider
|
- Lutris isn't added to firecfg just yet, needs more testing
- aria2c profile has a comment regarding Lutris/Winetricks,
but it shouldn't matter since it can't be nested
- Add commented wusc to wine.profile
- Add vulkan and zenity to wusc.inc
|
Nitpick wording + added a commented disable-shell.inc
|
Cfr. https://github.com/netblue30/firejail/pull/3517#issuecomment-664715880: element-desktop no longer uses ${HOME}/.config/Element (Riot).
|
* Add profile for straw-viewer
* Remove blacklist, fixes
|
from my overrides
|
- add seccomp.block-secondary to a lot of profiles
- add wruc to firefox-common and ignore it in TB and
firefox-common-addons
- harden dia, gnome-keyring, libreoffice, megaglest, pngquant,
ghostwriter, rhythmbox, sqlitebrowser
|
* add dbus comment
* disable dbus
|
- .github/ISSUE_TEMPLATE/bug_report.md: get rid of Spanish,
French, ... error messages
- etc/inc/firefox-common-addons.inc: support ff2mpv
- etc/profile-a-l/gimp.profile: note about xsane
- etc/profile-m-z/min.profile: prettify
- etc/profile-m-z/mpsyt.profile: fix, add lua
- etc/profile-m-z/qbittorrent.profile: add note for tray-icons; this
will get a better note once I investigated and audited all the D-Bus
tray stuff.
- etc/profile-m-z/transmission-daemon.profile: fix, add protocol packet
close #3686 - mps-youtube needs lua
close #3701 - Firefox native messaging regression in 0.9.62.4 -> 0.9.64rc1
close #3636 - transmission-daemon fills log with error
close #3640 - Gimp - add note how to enable scanning (xsane)
close #3707 - qBittorrent tray icon missing from notification panel when running it with firejail
|
* rework chromium
+ 516d0811 has removed fundamental security features.
(remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep)
Though this is only necessary if running under a kernel which disallows unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctl (kernel.unprivileged_userns_clone=0) as users opt-in.
Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome.
- [ ] bnox, dnox, enox, inox, snox
- [ ] brave
- [ ] flashpeak-slimjet
- [ ] google-chrome, google-chrome-beta, google-chrome-unstable
- [ ] iridium
- [ ] min
- [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
/usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind
BROWSER_ALLOW_DRM.'. This breaks not just DRM, it breaks things such
as AAC too. In addition vivaldi shows a something is broken pop-up,
we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
|
linphone 4.0 changed the location of config and database files
to respect freedesktop standards.
|
- update README.md and RELNOTES
- add 'blacklist ${RUNUSER}/.flatpak-cache' to disable-common.inc
- fix #3728, fonts in openSUSE KDE with wc / wusc
- fix gnome-todo
- fix xournalpp MathTeX whitelist
|
This fixes #3722.
|
* remove read-only item redundancy
'read-only ${HOME}/.config/mimeapps.list' is already part of disable-common.inc
* remove read-only item redundancy
'read-only ${HOME}/.config/mimeapps.list' is already part of disable-common.inc, which is included in the redirect profile
* remove read-only item redundancy
'read-only ${HOME}/.config/mimeapps.list' is already part of disable-common.inc, which is included in the redirect profile
|
The user mime database needs to be writable.
|
fix #3699 -- Firefox can't inhibit screensavers/screen blanking
|
liblua is needed for celluloid & otherwise at least on arch it's showing this error - "celluloid: error while loading shared libraries: liblua5.2.so.5.2: cannot open shared object file: Permission denied"
|
Switch mails to whitelisting