| Commit message (Collapse) | Author | Age |
tor-browser 11.0.2-1 doesn't work without whitelisting this directory. The
following was the message I got before whitelisting this directory.
Reading profile /etc/firejail/tor-browser.profile
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 12653, child pid 12654
104 programs installed in 153.32 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode
Warning: skipping pki for private /etc
Private /etc installed in 64.84 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 325.75 ms
/usr/bin/tor-browser: [Error] The tor-browser archive could not be extracted to your home directory.
Check the permissions of ~/.local/opt/tor-browser/app.
The error log can be found in ~/.local/opt/tor-browser/LOG.
/usr/bin/tor-browser: line 218: ~/.local/opt/tor-browser/app/Browser/start-tor-browser: No such file or directory
|
Tested these settings and they work fine, including a test call. I can't
explain why, but if the `org.kde.StatusNotifierWatcher` entry is
removed, Skype will immediately log out the previous session when
started.
|
Without this, Skype's session isn't retained.
|
`nogroups` should not have been causing issues with rendering on nvidia
since commit 623e68216 ("temporary fix for nvidia/nogroups/noroot issue
(#3644, #841)", 2020-10-02) and commit cb460c32c ("more nvidia (#3644)",
2020-10-03), which had made it a no-op on nvidia. And the handling of
the "render" and "video" groups is independent of the handling of
`nogroups` now; see the previous 3 commits.
Commits which introduced the comments on each profile:
* kodi.profile: commit ce462b6b1 ("fix #3501", 2020-07-16)
* mpsyt.profile: commit e17b48fca ("new profile mpsyt.profile",
2018-11-28)
* mpv.profile: commit cc7c48983 ("Document #1945", 2018-07-25)
* steam.profile: commit d6f8169dd ("steam fixes; #841, #3267",
2020-03-15)
Commands used to find the comments:
git grep -i nvidia -- etc/profile-* | grep -v private-etc
Relates to #4632.
|
Added `quiet` to some CLI profiles
|
deterministic-shutdown option
|
Add OpenStego profile
|
update yt-dlp.profile
|
ffprobe used for embedding images in difficult cases.
|
Profile Checks
|
Command is the same as in d8d97acb
|
add yt-dlp in private-bin
|
Add profiles for imv, retroarch, and torbrowser
|
imv, retroarch, and torbrowser are also added to
firecfg.config
|
Drop noinput for games with joystick/gamepad support
|
Fixes #4608
|
Fix tremulous profile for Arch users
|
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
Warsow uses a shell wrapper hence requires some modifications. Netlink
was added to protocols as the game was segfaulting after changing
resolution and saving the setting.
|
Fix vscodium
|
It creates the following directories on startup:
* ~/.config/VSCodium
* ~/.vscode-oss
Environment:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q vscodium-bin
vscodium-bin 1.60.2-2
Note: The following entry is already on disable-programs.inc:
noblacklist ${HOME}/.vscode-oss
It was added on commit de90834a8 ("Update disable-programs.inc",
2019-03-02).
Relates to #3871.
|
Added on commit 4bb7dee49 ("small changes", 2019-02-07).
|
Add profiles for build-systems (/package-managers)
|
Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip
All redirect to build-systems-common.profile
Other fixes:
- blacklist ${HOME}/.bundle
- blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo
- blacklist /usr/lib64/ruby
|
* cheese
- fix: dbus-user.own org.gnome.Cheese
- fix: whitelist /usr/share/gstreamer-1.0
- fix: include allow-python3.inc
- hardening: include disable-shell.inc
- hardening: include whitelist-run-common.inc and whitelist /run/udev/data
- hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
- hardening: noinput
- hardening: nosound
- hardening: seccomp.block-secondary
- hardening: private-dev
* geekbench (closes #4576)
- fix: noblacklist /sbin and noblacklist /usr/sbin
- fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
- fix: comment/remove private-bin, private-lib, private-opt
* inkscape
- add quiet for cli usage
* musixmatch (#4518)
- allow chroot
* pandoc
- fix: include allow-bin-sh.inc
- fix: drop private-bin
- hardening: include whitelist-runuser-common.inc
- hardening: seccomp.block-secondary
|
- Allow org.freedesktop.secrets, fixes #4584
- Improve comments about notifications and systray
|
telegram: Enable private-bin