| Commit message (Collapse) | Author | Age |
| |
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
fix protocol list
|
| | |
|
| |
| |
| | |
Now that https://github.com/netblue30/firejail/commit/5d88ee8957dc38a52c36f71b91c786dbec9d4ec9 introduces new protocol list behaviour, we need to add an ignore here due to the redirect to transmission-common.profile. See https://github.com/netblue30/firejail/issues/4017 for clarification.
|
|/
|
|
|
|
|
|
|
|
|
|
|
| |
- RELNOTS: protocol now accumulates
- fix #3978 -- Android Studio: cannot create the directory
Unresolved:
> google-earth.profile has a 'noblacklist ${HOME}/.config/Google' too,
> so we should consider to add additional blacklists for ~/.config/Google/*.
- marker.profile: allow ${DOCUMENTS}
- profile.template: add bluetooth protocol
- profile.template: add DBus portal note
- firejail-profile.txt: revert 17fe4b9e -- fix private=directory in man firejail-profile
see https://github.com/netblue30/firejail/pull/3970#discussion_r574411745
|
| |
|
| |
|
|\
| |
| | |
signal-desktop.profile: fix typo of disable-xdg.profile
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Added on commit f4f676745 ("Refactor electron.profile and electron based
programs (#3807)").
This appears to be the only instance of that:
$ grep -Fnr 'include-xdg' etc
etc/profile-m-z/signal-desktop.profile:9:ignore include-xdg.inc
Simply fixing the typo would enable xdg dirs for the first time since
the aforementioned commit. But, as talked with @rusty-snake[1], since
there has been no negative feedback, and since it's a whitelisting
profile, just remove the affected line instead.
Credits go to syntax highlighting on vim.
[1]: https://github.com/netblue30/firejail/pull/4001
|
|\ \
| | |
| | | |
Minor fixes for vmware
|
| | | |
|
| | | |
|
|/ / |
|
| | |
|
|/
|
|
|
|
|
| |
* Fix patch-util not having access to libdl.so
* Update etc/profile-m-z/patch.profile
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
| |
|
| |
|
|
|
| |
The final profile in the include chain - torbrowser-launcher.profile - already includes globals.local. Unless there's some kind of potential race condition that needs to be avoided by changing this 'logic' we should avoid doubled includes.
|
|
|
| |
The final profile in the include chain - torbrowser-launcher.profile - already includes globals.local. Unless there's some kind of potential race condition that needs to be avoided by changing this 'logic' we should avoid doubled includes.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 5df1f27c638c487dfd664ea3a0f756565e1e57bd.
That commit breaks things, as pointed out by @rusty-snake[1]:
> @kmk3 @glitsj16 The xdg macros are treated literally if they have sub
> components (#2359):
>
> ```
> Error: "${DOCUMENTS}/KeePassXC" is an invalid filename: rejected character: "{"
> ```
[1]: https://github.com/netblue30/firejail/commit/3fa2927c3c1c5cf583864746538ea791c1ba2dc4#commitcomment-46913219
|
|\
| |
| | |
Email part (2)
|
| | |
|
| |
| |
| |
| | |
mutt,neomuut; some sorting
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently, some paths are hard-coded:
$ grep -Fnr '${HOME}/Documents' etc etc-fixes
etc/profile-m-z/Mathematica.profile:19:mkdir ${HOME}/Documents/Wolfram Mathematica
etc/profile-m-z/Mathematica.profile:22:whitelist ${HOME}/Documents/Wolfram Mathematica
etc/profile-a-l/keepassxc.profile:34:# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
etc/profile-a-l/keepassxc.profile:35:#mkdir ${HOME}/Documents/KeePassXC
etc/profile-a-l/keepassxc.profile:36:#whitelist ${HOME}/Documents/KeePassXC
Commands used to search and replace:
$ find etc etc-fixes/ -type f -exec \
sed -i.bak -e 's|\${HOME}/Documents|${DOCUMENTS}|' '{}' +
Related to that, the (lack of) usage of ${DOWNLOADS} has been recently
fixed on commit deae31301 ("use ${DOWNLOADS} in lutris.profile
(#3955)").
With the above change, all macros other than ${DOCUMENTS} seem to be
already used appropriately:
$ grep -Fnr '${HOME}/Desktop' etc etc-fixes
$ grep -Fnr '${HOME}/Downloads' etc etc-fixes
$ grep -Fnr '${HOME}/Music' etc etc-fixes
$ grep -Fnr '${HOME}/Pictures' etc etc-fixes
$ grep -Fnr '${HOME}/Videos' etc etc-fixes
See src/firejail/macros.c for details.
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
And mark it as a redirect profile.
This is done so when including other *-common.inc profiles, such as
firefox-common.profile.
|
| |
| |
| |
| | |
damn, forgotten to add
|
| | |
|
| |
| |
| |
| |
| |
| | |
blacklist ${HOME}/.vwmare is already in disable-programs.inc
I did not add it to firecfg.config because it has many extra features
such as usb-redirection that I could not test.
|
|\ \
| | |
| | | |
follow-up fixes for #3914
|
| | |
| | |
| | |
| | | |
https://github.com/netblue30/firejail/commit/43aa71f8c608ec5bd92fd2c7323c603fa37f6d30
|
|\ \ \
| | | |
| | | | |
ssh: Refactor, fix bugs & harden
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Leaving it limited to only ssh, ssh-agent and seahorse by default seems
unnecessarily restrictive.
From ssh(1):
> The most convenient way to use public key or certificate
> authentication may be with an authentication agent. See ssh-agent(1)
> and (optionally) the AddKeysToAgent directive in ssh_config(5) for
> more information.
$ pacman -Q openssh
openssh 8.4p1-2
With ssh-agent(1) running in the background (and with the private key(s)
loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
actual key pair(s), so you could probably get away with this on
allow-ssh.local:
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
And then this on the profiles of ssh key pair managers, such as
seahorse.local:
noblacklist ${HOME}/.ssh
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that
is used by ssh(1). The other paths are only used by sshd(8), so stop
allowing them on ssh.profile and ssh-agent.profile. Path examples from
sshd(8):
* /etc/ssh/moduli
* /etc/ssh/ssh_host_ecdsa_key
* /etc/ssh/ssh_host_ecdsa_key.pub
* /etc/ssh/ssh_known_hosts
* /etc/ssh/sshd_config
* /etc/ssh/sshrc
$ pacman -Q openssh
openssh 8.4p1-2
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This is the system-wide equivalent of ~/.ssh/config.
$ pacman -Q openssh
openssh 8.4p1-2
Reasons for blacklisting both /etc/ssh and /etc/ssh/* on
disable-common.inc:
Leave /etc/ssh that way so that profiles without allow-ssh.inc remain
unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that
profiles with allow-ssh.inc are able to access only nonblacklisted files
inside of /etc/ssh.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
Command used to find the relevant files:
$ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
Also, add it to profile.template, as reminded by @rusty-snake at
https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
|
| |/ /
|/| |
| | |
| | | |
…open URL (after update to 0.9.64.2)
|