| Commit message (Collapse) | Author | Age |
Commit 29da82d added `private-etc` to `archiver-common.profile`.
To avoid doubled options this PR removes it from archiver profiles which
already had it.
Relates to #5610.

New profile: virt-manager

multimc: instances not running, because of missing permissions

When starting an instance, in the logs, a failed attempt to load the lwjgl
library is shown and the game doesn't run.
The library is in the /tmp directory. The reason for this appears to
be, in the lwjgl source code, the shared library loading function,
extracts in the temporary directory and continues from there.
This is fixed by whitelisting.
The reason for adding "ignore noexec /tmp" as well, is that without it, the game
can't run, even if the directory is whitelisted. It seems the library needs
to be loaded from /tmp.
A second error for a failed attempt to access /home/user/.cache/JNA is also
shown in the logs. This is also fixed by whitelisting.

Drop paths present in etc/inc/whitelist-usr-share-common.inc from
profiles that include it.

nextcloud: D-Bus filtering changes

Profile for RawTherapee

Tesseract is a CLI program and its output may be parsed by other
programs (such as `ocrmypdf`). Including messages from firejail in the
output may break the parsing, so remove them.
Fixes #6171.
Reported-by: @kmille

Committer note: For each profile there is both XXX-gtk and gtk-XXX (such
as lbry-viewer-gtk and gtk-lbry-viewer).
XXX-gtk is the symlink
gtk-XXX is the actual file
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>

To ensure that it includes luajit paths as well:
* /usr/share/lua
* /usr/share/luajit-2.1
And remove all entries of the same path without the wildcard, to avoid
redundancy.
Misc: The wildcard entries were added on commit 56b60dfd0 ("additional
Lua blacklisting (#3246)", 2020-02-24) and the entries without the
wildcard were partially removed on commit 721a984a5 ("Fix Lua in
disable-interpreters.inc", 2020-02-24).
This is a follow-up to #6128.
Reported-by: @pirate486743186

gropdf (`man -Tpdf`) needs Perl (see #6142).

mpv: whitelist /usr/share/mpv

Use case: You install scripts in `/usr/share/mpv` but they remain
inactive. You then symlink them to `/etc/mpv` to activate them if you
want.

minecraft-launcher.profile: allow keyring access

Some plugins may require it[1]:
    error: os_dlopen([...]): libluajit-5.1.so.2: [...]: Permission denied
    warning: Module '/usr//lib/obs-plugins/frontend-tools.so' not loaded
[1] https://github.com/netblue30/firejail/issues/6130#issue-2040800338

build: sort.py: use case-sensitive sorting

To match how things are sorted elsewhere, such as with `noblacklist` /
`whitelist` lines (vertically) in profiles and in
ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
This makes the order in `private-etc` always be groups (`@group`), then
uppercase paths, then lowercase paths. Example from
etc/profile-m-z/softmaker-common.profile:
    private-etc @tls-ca,SoftMaker,fstab
Note that this does not affect a significant amount of profiles; most
changes are in `private-bin` / `private-lib` lines and in `private-etc`
lines for newer profiles that do not use groups. This is partly due to
commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05)
replacing `X11` with `@x11` in `private-etc` lines and then commit
0f996ea4d ("private-etc: groups modified", 2023-02-05) removing
`Trolltech.conf` from `private-etc` lines and using case-sensitive
sorting in them.
Relates to #5610.

steam.profile: allow process_vm_readv syscall

EA Origin (game launcher) won't launch without this.
See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159

on Debian the data is in /usr/share/tesseract-ocr/

* disable-programs.inc: add support for tiny-rdm
* Create tiny-rdm.profile
* firecfg.config: add support for tiny-rdm

* nodejs-common: add pnpm support
* disable-programs.inc: add pnpm support
* Create pnpm.profile
* Create pnpx.profile

Since version 1.8.6 msmtp supports per-user configuration at either
~/.msmtprc (already supported by firejail) or
`$XDG_CONFIG_HOME/msmtp/config`. System-wide support can be placed at
/etc/msmtprc.
This adds the missing paths to the relevant .inc and .profile files.
Note that `blacklist ${HOME}/.msmtprc` is present on both
disable-common.inc and disable-programs.inc, so the new paths are added
to both files.
References:
https://wiki.archlinux.org/title/Msmtp#Basic_setup
https://marlam.de/msmtp/msmtp.html#Configuration-files

* profiles: drop private-opt (existing whitelist)
* profiles: replace private-opt with whitelist
In most profiles.
Kept private-opt for enpass (~85MB), mate-dictionary (<20MB),
minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't
check: xmr-stak.
* docs: note potential issues with private-opt

* Create termshark.profile
* firecfg.config: add termshark support
* termshark: CLI hardening

* Update nicotine.profile
* dbus.user set to filter

New profile: tidal-hifi

modified src/firecfg/firecfg.config to add tidal-hifi
created etc/profile-m-z/tidal-hifi.profile
closes: #6008
Apply suggestions from code review
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>

This amends commit dd5539012 ("profiles: refactor log viewers (#5996)",
2023-09-23).
Commands used:
    git mv \
      etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile \
      etc/profile-m-z/system-log-common.profile
    rmdir etc/profile-m-z/profile-m-z/profile-m-z/
    rmdir etc/profile-m-z/profile-m-z/