| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has been reported in #6372 that after upgrading the nvidia
proprietary driver from version 550.78 to 550.90.07, programs using
hardware acceleration fail unless paths in `/sys/module/nvidia*` are
accessible. Example:
$ firejail --noprofile prime-run /bin/glxdemo
[...]
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 150 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0
Serial number of failed request: 22
Current serial number in output stream: 23
[...]
Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
`/sys/module/amdgpu` for OpenCL (though it is unclear how to detect that
driver). See commit 95c8e284d ("Allow accessing /sys/module directory",
2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by Blender",
2018-05-08) from PR #1932.
So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
driver is detected and `no3d` is not used.
Note: The driver check is copied from src/firejail/util.c (see #841).
To keep the current behavior (that is, block all modules), add
`blacklist /sys/module` to globals.local.
Fixes #6372.
Reported-by: @GreatBigWhiteWorld
Reported-by: @orzogc
Reported-by: @krop
Reported-by: @michelesr
Suggested-by: @glitsj16
Tested-by: @flyxyz123
|
| |
|
|
|
|
|
|
| |
Changes:
* Improve Firefox D-Bus comment
* Add missing/standardize related comments
* Include allow-bin-sh.inc in relevant profiles
* Use Firefox URL open section in relevant profiles
|
| | |
|
| |
|
|
|
|
| |
Description: Tauri-based IRC client inspired by HexChat.
https://nhexirc.com/
https://github.com/nhexirc/nhex
|
| |
|
|
|
|
| |
Update comment to account for camera-based motion trackers.
Fixes an issue with https://github.com/markx86/opentrack-launcher, where
video input devices won't show up unless novideo is removed.
|
| |
|
|
|
|
|
|
| |
Fix sorting and improve comments.
See etc/templates/profile.template.
This amends commit 4c5f55899 ("several kids programs", 2024-04-29).
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Changes:
* Remove ffmpeg from private-bin
* Allow download folder
* It needs an editor to allow editing the config, so I put in nano; sh
and uname are used for launching nano
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To make it consistent with the other include profiles.
See etc/templates/profile.template.
With this, all `etc/inc/allow-*` files are listed in profile.template.
The explanation is based on a comment by @rusty-snake[1].
Relates to #4071.
This is a follow-up to #6299.
[1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473
|
| |
|
|
|
|
|
| |
To make it consistent with the other include profiles.
See etc/templates/profile.template.
Relates to #3866 #5881.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
That is, make "X11" lowercase so that the order of the includes in the
disable- section remain the same when sorted with `LC_ALL=C`, as is the
case for most of the other sections. That is also likely to be the
default in text editors (such as in vim on Arch), so this should make
the disable- section more consistent and easier to sort when editing the
profile.
Also, keep the old include as a redirect to the new one for now to avoid
breakage.
Commands used to search and replace:
git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
git grep -Ilz 'disable-X11' -- etc | xargs -0 \
perl -pi -e 's/disable-X11/disable-x11/'
Relates to #4462 #4854 #6070 #6289.
This is a follow-up to #6286.
|
| |
|
|
|
| |
See etc/templates/profile.template.
This is a follow-up to #6286.
|
| |
|
|
|
|
| |
Add a common profile to deduplicate entries and make qemu-related
profiles redirect to it.
Relates to #6255.
|
| |\
| |
| | |
profiles: replace x11 socket blacklist with disable-X11.inc
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.
Commands used to search and replace:
$ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'
Note: The following files were also edited manually:
* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile
Relates to #4462 #4854.
|
| | |
| |
| |
| |
| |
| |
| | |
Move disable-X11.inc before disable-xdg.inc for consistency with other
profiles.
Added on commit 73a6fced2 ("New profile: ssmtp (#5544)", 2022-12-21).
|
| |/
|
|
|
|
|
|
|
|
| |
The files in this directory are intended to be automatically executed
when the user logs in.
In which case, granting write access to this directory allows the
program to easily escape the sandbox (by autostarting itself outside of
firejail, for example).
Misc: This was noticed on #6244.
|
| |
|
|
|
| |
Description: QEMU frontend without libvirt.
https://github.com/thanoulis/tqemu
|
| |
|
|
|
|
| |
Description: Python GTK3 application to view and clean metadata in
files, using mat2.
https://gitlab.com/rmnvgr/metadata-cleaner
|
| |
|
| |
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Description: Encrypted messenger.
https://github.com/oxen-io/session-desktop/
https://aur.archlinux.org/packages/session-desktop
https://aur.archlinux.org/packages/session-desktop-bin
https://aur.archlinux.org/packages/session-desktop-appimage
Note: The AUR packages all work with the profiles.
|
| |
|
|
|
|
| |
Description: Determines the file type.
https://metacpan.org/release/File-MimeInfo
https://archlinux.org/packages/extra/any/perl-file-mimeinfo/
|
| |
|
|
|
| |
Description: Automatic TV episode file renamer.
https://github.com/dbr/tvnamer
|
| |
|
|
|
|
|
| |
Description: Full Screen text editor heavily inspired by Q10 and
JDarkRoom.
https://code.google.com/p/textroom/
https://aur.archlinux.org/packages/textroom
|
| |
|
|
|
|
| |
Description: Encrypted sharing of files, folders, and text between
devices.
https://github.com/Jacalz/rymdport
|
| |
|
|
|
| |
Description: Python script to check the status of a list of URLs.
https://github.com/Arthurdw/statusof
|
| |
|
|
|
|
| |
Add support for qt6ct packages that use XDG desktop portal.
https://github.com/MikeWalrus/qt6ct#branch=colorscheme-portal
https://aur.archlinux.org/packages/qt6ct-xdg-colorscheme-git
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently Tor Browser 13.0.11 (based on Mozilla Firefox 115.8.0esr)
changed a few things. The former versions installed under
`${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser`
and now under
`${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser`.
All of our tor-browser-foo.profile profiles redirect to
torbrowser-launcher.profile and are covered by the fixes.
torbrowser.profile was not tested. It redirects to
firefox-common.profile and seems to be Gentoo-specific.
Fixes #6269.
|
| |
|
|
|
|
|
|
| |
Blacklisting qt5ct/qt6ct configuration and data paths breaks styling in all
apps that use them.
This was working as expected before #6249 and #6250, so remove the
blacklisting.
|
| |
|
|
|
|
|
|
|
| |
Since gnome-keyring 1.46, the ssh-agent functionality has been removed
and gcr-ssh-agent is the recommended alternative.
Source:
- https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67
- https://wiki.archlinux.org/title/GNOME/Keyring#SSH_keys
|
| |
|
|
|
|
|
|
| |
Commit 29da82d added `private-etc` to `archiver-common.profile`.
To avoid doubled options this PR removes it from archiver profiles which
already had it.
Relates to #5610.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
New profile: virt-manager
|
| | | |
|
| |\ \
| |/
|/| |
multimc: instances not running, because of missing permissions
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When starting an instance, in the logs, a failed attempt to load the lwjgl
library is shown and the game doesn't run.
The library is in the /tmp directory. The reason for this appears to
be, in the lwjgl source code, the shared library loading function,
extracts in the temporary directory and continues from there.
This is fixed by whitelisting.
The reason for adding "ignore noexec /tmp" as well, is that without it, the game
can't run, even if the directory is whitelisted. It seems the library needs
to be loaded from /tmp.
A second error for a failed attempt to access /home/user/.cache/JNA is also
shown in the logs. This is also fixed by whitelisting.
|
| |/
|
|
| |
Drop paths present in etc/inc/whitelist-usr-share-common.inc from
profiles that include it.
|
| |\
| |
| | |
nextcloud: D-Bus filtering changes
|
| | | |
|
| | | |
|
| | | |
|
| |\ \
| |/
|/| |
Profile for RawTherapee
|
| | | |
|
| |/
|
|
|
|
|
|
|
| |
Tesseract is a CLI program and its output may be parsed by other
programs (such as `ocrmypdf`). Including messages from firejail in the
output may break the parsing, so remove them.
Fixes #6171.
Reported-by: @kmille
|
Kelvin M. Klann
glitsj16
duevo
netblue30
pirate486743186
Michele Sorcinelli
powerjungle
Fidel Ramos