| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Command used to search for entries:
$ git grep '^read-only ${HOME}/' -- 'etc/profile*'
Note for gpg: ~/.gnupg/gpg.conf is apparently only managed by gpgconf(1)
rather than through gpg(1) itself, in which case it does not need to be
made read-write in gpg.profile.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This amends commit e2631b40d ("steam.profile: fix breakage with newer
Proton-GE (process_vm_readv)", 2022-08-20).
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As reported by @rsramkis on #5185, upgrading from Proton-7.2-GE-2[1]
(released on 2022-02-14) to GE-Proton7-18[2] (released on 2022-05-19)
breaks logging in on World of Tanks Blitz unless the `process_vm_ready`
32-bit syscall is allowed[3], so allow it.
Fixes #5185.
[1] https://github.com/GloriousEggroll/proton-ge-custom/releases/tag/7.2-GE-2
[2] https://github.com/GloriousEggroll/proton-ge-custom/releases/tag/GE-Proton7-18
[3] https://github.com/netblue30/firejail/issues/5185#issuecomment-1152350336
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Command: sed -i "/^shell none/d" etc/*/*
TODO:
```
etc/profile-a-l/beaker.profile:ignore shell none
etc/profile-a-l/default.profile:# shell none
etc/profile-a-l/fdns.profile:#shell none
etc/profile-a-l/gnome-nettool.profile:#shell none
etc/profile-a-l/jitsi-meet-desktop.profile:ignore shell none
etc/profile-m-z/pidgin.profile:# shell none
etc/profile-m-z/rocketchat.profile:ignore shell none
etc/profile-m-z/server.profile:# shell none
etc/templates/profile.template:# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
etc/templates/profile.template:#shell none
```
- manpage
- RELNOTES
- fbuilder
|
| |
|
| |
https://store.steampowered.com/app/219150/Hotline_Miami/
|
| |\
| |
| | |
Fix newest Steam client and Proton ≥ 5.13
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
After the Steam cleint update of the 04th March 2022
the steamwebhelper process now needs to be able to do chroot
syscalls to render anything. If not all content tabs in the client will
just appear black.
fixes: https://github.com/netblue30/firejail/issues/5014
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Starting with version 5.13 Proton internally uses bubblewrap to create a
container for the game. To make this work with firejail we need to allow
these 4 additional syscalls.
fixes: https://github.com/netblue30/firejail/issues/4366
fixes: https://github.com/netblue30/firejail/issues/4686
|
| |/
|
|
|
|
|
|
|
|
| |
The directory is used by the Linux binary for Prey (2006), available at https://icculus.org/prey.
Not whitelisting the directory results in the game failing to launch:
found DLL in pak file: /home/user/.steam/steamapps/common/Prey 2006/base/game01.pk4/gamex86.so
copy gamex86.so to /home/user/.prey/base/gamex86.so
dlopen '/home/user/.prey/base/gamex86.so' failed: /home/user/.prey/base/gamex86.so: failed to map segment from shared object
|
| |\
| |
| | |
steam.profile: allow ~/.config/MangoHud
|
| | | |
|
| | |
| |
| | |
MangoHud is a Vulkan and OpenGL overlay for monitoring FPS, temperatures, CPU/GPU load and more, and it can be configured by user in ~/.config/MangoHud/MangoHud.conf.
|
| |/
|
| |
AMD Open Source Driver For Vulkan (amdvlk) installs ICD files to /etc/vulkan.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`nogroups` should not have been causing issues with rendering on nvidia
since commit 623e68216 ("temporary fix for nvidia/nogroups/noroot issue
(#3644, #841)", 2020-10-02) and commit cb460c32c ("more nvidia (#3644)",
2020-10-03), which had made it a no-op on nvidia. And the handling of
the "render" and "video" groups are independent to the handling of
`nogroups` now; see the previous 3 commits.
Commits which introduced the comments on each profile:
* kodi.profile: commit ce462b6b1 ("fix #3501", 2020-07-16)
* mpsyt.profile: commit e17b48fca ("new profile mpsyt.profile",
2018-11-28)
* mpv.profile: commit cc7c48983 ("Document #1945", 2018-07-25)
* steam.profile: commit d6f8169dd ("steam fixes; #841, #3267",
2020-03-15)
Commands used to find the comments:
git grep -i nvidia -- etc/profile-* | grep -v private-etc
Relates to #4632.
|
| |
|
|
|
| |
(#4461)
See #4454
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit fe0f975f447d59977d90c3226cc8c623b31b20b3.
Note: This only reverts the changes from etc.
The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases.
That is, they fail to address the different usability problems discussed
on [#3447][3447] and in fact only make things more confusing (as has
already been mentioned on [this][4379] and later comments). The main
reason is that the aliases do not meaningfully map to the original
commands. For example, the commands from each pair below seem like they
would do the exact same thing:
* `allow` and `nodeny`
* `deny` and `noallow`
Additionally, if these aliases are not the final commands, but only a
test/work-in-progress, then keeping the wide-scale search/replace
changes made on commit fe0f975f4 would only serve to cause confusion, as
users of firejail-git, contributors and downstream projects might start
changing the commands used on their profiles, only to later have to
change them again, potentially to completely different commands.
The sooner this is undone the better, as (besides the above reasons) the
more profile changes there are between the original commit and the
revert, the harder it is to e.g.: `git diff` versions of files across
the following revision ranges: before the commit, after the commit but
before the revert and after the revert. Note: This is still the case
even if a commit is [ignored by `git blame`][4390].
So let us revert fe0f975f4 and only reapply similar large-scale changes
once we have discussed and settled on better commands.
How the revert was applied: Despite using the auto-generated message
from `git revert`, to ensure correctness and to avoid conflicts the
changes were reverted in different steps: Firstly, revert the files
which can be safely reverted directly ("filestorevert"):
# Find out which files have been changed on fe0f975f44, but have not
# been changed afterwards and list them on "filestorevert"
git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles
git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore
comm -2 -3 allfiles filestoignore >filestorevert
# Note: There are 3 extra files on filestoignore because they were
# added after commit fe0f975f44
wc -l allfiles filestoignore filestorevert | head -n 3
# 797 allfiles
# 8 filestoignore
# 792 filestorevert
# Automatically revert files in "filestorevert"
# See https://stackoverflow.com/a/23401018/10095231
tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- |
git apply --reverse
printf 'Total files reverted:\n'
git diff --name-only | wc -l
# 792
Secondly, do some search/replace on the rest:
tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \
-e 's/allow /whitelist /' -e 's/noallow /nowhitelist /' \
-e 's/deny /blacklist /' -e 's/nodeny /noblacklist /' \
-e 's/deny-nolog /blacklist-nolog /'
find etc -name '*.bak' -print0 | xargs -0 rm
Thirdly, verify the result. The following command shows the difference
between all the changes in etc from before fe0f975f44 and this commit
(inclusive):
git diff fe0f975f44~1 -- etc
From the output, it looks like all alias changes are fully reverted and
that the other changes to etc (from after fe0f975f44) remain, so the
revert seems to be done correctly.
[3447]: https://github.com/netblue30/firejail/issues/3447
[4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222
[4390]: https://github.com/netblue30/firejail/issues/4390
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* Follow-up for #4165
* fix noroot comment
As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630981737).
* fix dbus-user comment
As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630982527).
* fix private-dev comment
As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630980029).
* fix private-etc comment
As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630979698).
* move writable-var comment cfr. profile.template
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to using globbing on mkdir, the current version causes this:
@davidebeatrici commented on 2021-04-23[1]:
> ```
> Error: "${HOME}/.local/share/RogueLegacy*" is an invalid filename: rejected character: "*"
> ```
Added on commit a603d4d39 ("steam: some more games added") / PR #4170.
The wildcard was used because Rogue Legacy apparently looks up multiple
different paths for the config and also for the data[1][2][3]:
1. ~/.config/RogueLegacy
2. ~/.config/RogueLegacyStorageContainer
3. ~/.local/share/RogueLegacy
4. ~/.local/share/RogueLegacyStorageContainer
The ones containing "RogueLegacyStorageContainer" appear to be legacy
paths (i.e.: paths which are only created by older versions of Rogue
Legacy)[2].
So replace all globs with the full paths because:
* The paths are known a priori (unlike, say, `/var/lib/libpcre*`)
* There aren't too many of them
And use only the non-legacy paths on mkdir. Besides mirroring what the
current version of Rogue Legacy does (and avoiding the creation of
unnecessary dirs), this is also done because _if_ the following applies
(i.e.: this was not tested):
* legacy paths take precedence over non-legacy paths
* the first path clobbers the other ones (i.e.: rather than "merge")
* save data exists in a non-legacy path (i.e.: path 3 in this case)
* firejail creates all 4 paths
Then it would make the newly-created and empty path 4 clobber the
non-legacy path 3 and thus make it seem like no save files exist. This
would persist even if steam is run without firejail afterwards, as the
empty directory would still be there. Losing (or appearing to lose)
game saves can be very unfortunate, so create just the non-legacy paths
to avoid confusion.
[1] https://github.com/netblue30/firejail/pull/4170#issuecomment-825405930
[2] https://steamcommunity.com/app/241600/discussions/1/846957366713233279/
[3] https://www.pcgamingwiki.com/wiki/Rogue_Legacy#Game_data
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Games added:
* Don't Starve
* Dungeons of Dredmor
* Epic
* Loop Hero
* Pillars of Eternity I
* Rogue Legacy I
* Slay the Spire modding
* Steam World Dig I & II
|
| |
|
|
|
| |
At least Arma 3 stores its config directory under
~/.local/share/bohemiainteractive
|
| |
|
| |
Co-authored-by: fenuks <fenuks>
|
| |
|
|
|
|
|
|
|
| |
- gimp: allow mbind syscall. no start on Fedora 33 without
- minetest: disable private-cache. without persistent cache connecting to servers can take many minutes
- supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers
- supertuxkart: comment private-dev to allow controller use
- profiles: unify controller support comments
- firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
|
| |
|
| |
See https://github.com/netblue30/firejail/issues/3219#issuecomment-638823377
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add Faster Than Light, Into the Breach, Paradox Interactive, and mbwarband
to disable-programs.inc.
Also, add Faster Than Light and Into the Breach into steam.profile. This
fixes saved games being lost when steam is closed, and also lets Steam
cloud sync work properly.
Lastly, remove a duplicate whitelist ${HOME}/.steampid from
steam.profile.
|
| | |
|
| |
|
glitsj16
Kelvin M. Klann
netblue30
smitsohu
0x9fff00
Serphentas
rusty-snake
Oneric
Davide Beatrici
Anton Shestakov
Matthew Cline
Aidan Gauland
fenuks
Tad
corecontingency
netblue30