| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
| |
* ocenaudio: blacklist cache dir
* ocenaudio: hardenings
* ocenaudio: fix protocol comment
|
|
|
|
|
|
|
|
|
| |
* pip: fix including local override
* pip: allow access to cache
The shared build-systems-common.profile (to which pip.profile redirects) blacklists ${HOME}/.cache/pip. Override that here.
* pip: add cache support in commented whitelist
|
|
|
|
|
| |
* opera fixes
* disable-common.inc: add blacklist /usr/lib/opera/opera_sandbox
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://github.com/netblue30/firejail/discussions/4993 (#5042)
* refactor mupdf
* refactor mupdf
* refactor mupdf
* refactor mupdf
* add mupdf-gl blacklist
* move history file back to mupdf-gl
* refactor mupdf-gl
* add no3d to mupdf.profile
* add suggestions from review
* drop unix from protocol [accumulates]
* fix protocol
|
|
|
|
|
|
|
|
|
| |
* drop redundant noblacklist
noblacklist ${HOME}/.vscode-oss already exists in included code.profile
* remove newline
Nitpick for persistency with other profiles that have the comment about #2624.
|
|
|
|
|
|
|
| |
* hardening onionshare-gui.profile
* add another dbus-user filter to onionshare-gui.profile
* harden onionshare
|
|\ |
|
| |\
| | |
| | | |
Fix newest Steam client and Proton ≥ 5.13
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
After the Steam cleint update of the 04th March 2022
the steamwebhelper process now needs to be able to do chroot
syscalls to render anything. If not all content tabs in the client will
just appear black.
fixes: https://github.com/netblue30/firejail/issues/5014
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Starting with version 5.13 Proton internally uses bubblewrap to create a
container for the game. To make this work with firejail we need to allow
these 4 additional syscalls.
fixes: https://github.com/netblue30/firejail/issues/4366
fixes: https://github.com/netblue30/firejail/issues/4686
|
| |\ \
| | | |
| | | | |
steam.profile: allow "${HOME}/.prey"
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The directory is used by the Linux binary for Prey (2006), available at https://icculus.org/prey.
Not whitelisting the directory results in the game failing to launch:
found DLL in pak file: /home/user/.steam/steamapps/common/Prey 2006/base/game01.pk4/gamex86.so
copy gamex86.so to /home/user/.prey/base/gamex86.so
dlopen '/home/user/.prey/base/gamex86.so' failed: /home/user/.prey/base/gamex86.so: failed to map segment from shared object
|
|/ / /
| | |
| | |
| | |
| | |
| | | |
as suggested by @rusty-snake
in addition blacklist/noblacklist/whitelist songrec application files
|
|\ \ \
| |/ /
|/| | |
Add songrec
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It is a Rust application using Cargo, so harden based on common supply
chain attacks seen.
https://github.com/marin-m/SongRec
|
| |/
|/| |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* add opera-developer to firecfg
* add opera-developer
* fix typo
* add configs for opera-developer
* Create opera-developer.profile
* fixes for opera-developer
* fix for opera-developer
|
| |
| |
| |
| |
| | |
* harden opera-beta
* harden opera
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
* Add support for changing appearance of the Qt6 apps with qt6ct
* Remove qt5ct artifact from zeal.profile
* Remove qt5ct artifact from bibletime.profile
|
|\ \
| | |
| | | |
qbittorrent.profile: fix data directory location
|
| | | |
|
|/ /
| |
| |
| |
| | |
On gentoo linux, /usr/bin/dumpcap requires dac_read_search
instead of dac_override.
|
| |
| |
| |
| |
| |
| |
| | |
* drop private-dev from wireshark.profile
* add comment about private-dev in wireshark.profile
Add a comment as suggested in https://github.com/netblue30/firejail/pull/4958#issuecomment-1044732769.
|
| |
| |
| |
| |
| |
| |
| | |
* Create onionshare.profile
* Create onionshare-cli.profile
* add onionshare redirects to firecfg.config
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Having `read-only /tmp` yields the following:
$ man ls
[...]
man: /usr/share/man/man1/ls.1.gz: SYSERR: mkstemp: /tmp/man.XXXXxxxxxx: Read-only file system
[...]
It also causes the pager (e.g.: less(1)) to not be called, which means
that the entire man page is just printed all at once on the terminal.
Environment: mandoc 1.14.6-1 on Artix Linux.
Fixes #4927.
Reported-by: @hyder365
|
| |
| |
| |
| |
| |
| |
| | |
It's a CLI tool and its output is a key part of the functionality.
Fixes #4900.
Reported-by: @rieje
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It breaks non-binary builds of shellcheck on Arch (e.g.: shellcheck-bin
vs shellcheck-git from the AUR).
Fixes #4875.
Reported-by: @redxef
|
|\ \
| | |
| | | |
steam.profile: allow ~/.config/MangoHud
|
| | | |
|
| | |
| | |
| | | |
MangoHud is a Vulkan and OpenGL overlay for monitoring FPS, temperatures, CPU/GPU load and more, and it can be configured by user in ~/.config/MangoHud/MangoHud.conf.
|
|\ \ \
| | | |
| | | | |
Add neovim profile
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Seafile
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Fix MediathekView Profile
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | | |
Related to issue #4839.
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
{lutris,wine}.profile: allow ~/.cache/wine
|
| | |_|_|/ /
| |/| | | |
| | | | | | |
~/.cache/wine is a directory where wine stores .msi files for wine-gecko and wine-mono that it may download (with user's permission) and reuse every time a new prefix is created.
|