| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | |/ / |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Create cinelerra-gg
* add cinelerra-gg to `New profiles` section
* Add cinelerra-gg to firecfg.config
|
| | | |
| | |
| | | |
Fixes #5463 by adding netlink to the list of allowed protocols
|
| |/ /
| |
| |
| |
| | |
* Create godot3.profile
* Add godot3 redirect to firecfg.config
|
| |/
|
|
| |
Closes #5437
|
| |\
| |
| | |
electron-mail.profile refactoring
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changes:
- redirect to electron.profile
- fix program name
- update program description
- allow /bin/sh
- allow opening links in Firefox
- remove no3d, nonewprivs, noroot, protocol, seccomp
- add machine-id, nosound
- remove private-bin, disable-mnt
- harden private-etc
- allow D-Bus notifications, secrets
|
| |\ \
| | |
| | | |
Streamline Firefoxes D-Bus filtering
|
| | | |
| | |
| | | |
Inspired by https://github.com/netblue30/firejail/pull/5352/files/c04ceb49c7001bb931a35667c831545cd64aeece#r963032151.
|
| | | |
| | |
| | | |
Inspired by https://github.com/netblue30/firejail/pull/5352/files/c04ceb49c7001bb931a35667c831545cd64aeece#r963032151.
|
| | | |
| | |
| | | |
Inspired by https://github.com/netblue30/firejail/pull/5352/files/c04ceb49c7001bb931a35667c831545cd64aeece#r963032151.
|
| | | |
| | |
| | | |
Inspired by https://github.com/netblue30/firejail/pull/5352/files/c04ceb49c7001bb931a35667c831545cd64aeece#r963032151.
|
| | | |
| | |
| | | |
Inspired by https://github.com/netblue30/firejail/pull/5352/files/c04ceb49c7001bb931a35667c831545cd64aeece#r963032151.
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
profiles: allow perl/exiftool on the relevant profiles
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Programs that seem to support exiftool:
$ LC_ALL=C pacman -Sii perl-image-exiftool |
grep -e '^Version' -e '^Required' -e '^Optional For' | head -n 3
Version : 12.42-1
Required By : digikam geotag gitlab-workhorse mat2 rapid-photo-downloader
Optional For : darktable geeqie gpsprune hugin jpeg-archive ranger recoll shutter
Environment: Artix Linux.
Note for hugin.profile: Does not currently work with private-bin on
Arch/Artix; see the private-bin comment on
etc/profile-a-l/exiftool.profile.
Relates to #5365.
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
As mentioned in its description, this profile is intended for an IDE, so
allow paths used for development and stop including the following
profiles:
* disable-devel.inc
* disable-exec.inc
* disable-interpreters.inc
Fixes #5292.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* use both capitalized and regular discord commands to private-bin
* use both capitalized and regular discord commands to private-bin
* add awk and which to private-bin for better xdg-open support
* use both capitalized and regular discord commands to private-bin
* use both capitalized and regular discord commands to private-bin
* refactor CamelCased discord profiles
* refactor CamelCased discord profiles
* fix private-{bin,opt} sorting
* fix private-{bin,opt} sorting
* unfuck private-{bin,opt} sorting
* unfuck private-{bin,opt} sorting
* fix sorting once more for CI
* fix sorting once again for CI
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Fix Firefox 'Profile not found' for psd (v6.45)
code change: `whitelist ${RUNUSER}/psd/*firefox*`
fixes: #4568
* Whitelist ${RUNUSER}/psd/*firefox*
* Fix workflow for github
|
| | |
| |
| | |
Co-authored-by: Albert Kim <alkim@alkim.org>
|
| | | |
|
| |\ \
| | |
| | | |
lbry-viewer.profile create
|
| | |/ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* fix(audacity): !5281 sharedlib bug on Arch/Fedora
removed `private-bin` line from audacity profile as it appears to block
access to shared libraries needed to start audacity on some
distributions.
Relates to github issue #5281
* fix(audacity): Disabling apparmor and reenabling private-bin
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add gdu to 'new profiles' section
* Create gdu.profile
* add gdu to firecfg
* harden gdu sandbox
* fix protocol
* simulate empty protocol in gdu
* more user-friendly gdu sandboxing
|
| | |
|
| |
|
|
|
|
|
|
| |
As a reminder to create a profile for winetricks instead of allowing
access to its paths to programs used by winetricks (see #5238).
Added on commit 0ec1c66b5 ("aria2c.profile: allow access to
~/.cache/winetricks") / PR #5238.
|
| |
|
|
| |
Otherwise winetricks fails to download packages.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Command: sed -i "/^shell none/d" etc/*/*
TODO:
```
etc/profile-a-l/beaker.profile:ignore shell none
etc/profile-a-l/default.profile:# shell none
etc/profile-a-l/fdns.profile:#shell none
etc/profile-a-l/gnome-nettool.profile:#shell none
etc/profile-a-l/jitsi-meet-desktop.profile:ignore shell none
etc/profile-m-z/pidgin.profile:# shell none
etc/profile-m-z/rocketchat.profile:ignore shell none
etc/profile-m-z/server.profile:# shell none
etc/templates/profile.template:# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
etc/templates/profile.template:#shell none
```
- manpage
- RELNOTES
- fbuilder
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To disable-shell.inc.
Interactive shells can be executed from certain development-related
programs (such as IDEs) and the shells themselves are not blocked by
default, but this shell startup directory currently is. To avoid
running a shell without access to potentially needed startup files, only
blacklist /etc/profile.d when interactive shells are also blocked.
Note that /etc/profile.d should only be of concern to interactive
shells, so a profile that includes both disable-shell.inc and
allow-bin-sh.inc (which likely means that it needs access to only
non-interactive shells) should not be affected by the blacklisting.
Relates to #3411 #5159.
|
| |
|
|
|
|
|
| |
This amends commit b6b3f3b38 ("kate.profile: allow common development
file access", 2022-05-28) / PR #5159.
See etc/templates/profile.template.
|
| |\
| |
| | |
Kate fixes
|
| | |
| |
| |
| |
| |
| |
| | |
When starting kate and loading into a session containing a git repository, tracelog caused about 30 seconds of delay until the project structure appeared in the projects sidebar. Error message on console:
QProcess: Destroyed while process ("/usr/bin/git") is still running.
Drop tracelog to mitigate the delay and error message.
|
| | |
| |
| |
| |
| |
| | |
When starting Kate, a blacklist violation from accessing the kwinrc config file is reported. As a KDE application, it should be fine for Kate to access it.
blacklist violation - sandbox 13410, name kate, exe kate, syscall access, path /home/user/.config/kwinrc
|
| | |
| |
| |
| |
| |
| |
| |
| | |
A side effect of including disable-common.inc is loosing access to /etc/profile.d, where Bash completion is located.
Explicitly enable access to console scripts in /etc/profile.d, so that Kate's built-in Konsole instance can be used without limitations.
Minor side effect: the spawned Bash tries to access /etc/init.d
blacklist violation - sandbox 17317, name kate, exe bash, syscall stat, path /etc/init.d
|
| | |
| |
| |
| |
| |
| | |
Kate has grown support for software development, making it a light IDE. Some version control modules exist, and when using the Git module, a blacklist violation is reported:
blacklist violation - sandbox 13902, name kate, exe git, syscall access, path /home/user/.gitconfig
Including support for common development file access mitigates this violation issue.
|
| |/ |
|
| |
|
|
|
|
|
|
|
|
|
| |
Without whitelist-usr-share-common, /usr/share becomes empty.
Adding whitelist-runuser-common didn't break google chrome.
Whitelisting /usr/share/mozilla/extensions and
/usr/share/webext shouldn't break google chrome, either.
I tested google-chrome.profile only, but
I think later versions should not be different.
|
| | |
|
| | |
|
rusty-snake
glitsj16
Jan Sonntag
Frostbyte4664
netblue30
pirate486743186
Kelvin M. Klann
godbless
alkim0
Christopher Morrow
smitsohu
Davide Beatrici
Hartmut Knaack
crocket
Łukasz Mariański