| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
| |
The files in this directory are intended to be automatically executed
when the user logs in.
In which case, granting write access to this directory allows the
program to easily escape the sandbox (by autostarting itself outside of
firejail, for example).
Misc: This was noticed on #6244.
|
| |
|
|
|
| |
Description: QEMU frontend without libvirt.
https://github.com/thanoulis/tqemu
|
| |
|
|
|
|
| |
Description: Python GTK3 application to view and clean metadata in
files, using mat2.
https://gitlab.com/rmnvgr/metadata-cleaner
|
| |
|
| |
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Description: Encrypted messenger.
https://github.com/oxen-io/session-desktop/
https://aur.archlinux.org/packages/session-desktop
https://aur.archlinux.org/packages/session-desktop-bin
https://aur.archlinux.org/packages/session-desktop-appimage
Note: The AUR packages all work with the profiles.
|
| |
|
|
|
|
| |
Description: Determines the file type.
https://metacpan.org/release/File-MimeInfo
https://archlinux.org/packages/extra/any/perl-file-mimeinfo/
|
| |
|
|
|
| |
Description: Automatic TV episode file renamer.
https://github.com/dbr/tvnamer
|
| |
|
|
|
|
|
| |
Description: Full Screen text editor heavily inspired by Q10 and
JDarkRoom.
https://code.google.com/p/textroom/
https://aur.archlinux.org/packages/textroom
|
| |
|
|
|
|
| |
Description: Encrypted sharing of files, folders, and text between
devices.
https://github.com/Jacalz/rymdport
|
| |
|
|
|
| |
Description: Python script to check the status of a list of URLs.
https://github.com/Arthurdw/statusof
|
| |
|
|
|
|
| |
Add support for qt6ct packages that use XDG desktop portal.
https://github.com/MikeWalrus/qt6ct#branch=colorscheme-portal
https://aur.archlinux.org/packages/qt6ct-xdg-colorscheme-git
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently Tor Browser 13.0.11 (based on Mozilla Firefox 115.8.0esr)
changed a few things. The former versions installed under
`${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser`
and now under
`${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser`.
All of our tor-browser-foo.profile profiles redirect to
torbrowser-launcher.profile and are covered by the fixes.
torbrowser.profile was not tested. It redirects to
firefox-common.profile and seems to be Gentoo-specific.
Fixes #6269.
|
| |
|
|
|
|
|
|
| |
Blacklisting qt5ct/qt6ct configuration and data paths breaks styling in all
apps that use them.
This was working as expected before #6249 and #6250, so remove the
blacklisting.
|
| |
|
|
|
|
|
|
|
| |
Since gnome-keyring 1.46, the ssh-agent functionality has been removed
and gcr-ssh-agent is the recommended alternative.
Source:
- https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67
- https://wiki.archlinux.org/title/GNOME/Keyring#SSH_keys
|
| |
|
|
|
|
|
|
| |
Commit 29da82d added `private-etc` to `archiver-common.profile`.
To avoid doubled options this PR removes it from archiver profiles which
already had it.
Relates to #5610.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
New profile: virt-manager
|
| | | |
|
| |\ \
| |/
|/| |
multimc: instances not running, because of missing permissions
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When starting an instance, in the logs, a failed attempt to load the lwjgl
library is shown and the game doesn't run.
The library is in the /tmp directory. The reason for this appears to
be, in the lwjgl source code, the shared library loading function,
extracts in the temporary directory and continues from there.
This is fixed by whitelisting.
The reason for adding "ignore noexec /tmp" as well, is that without it, the game
can't run, even if the directory is whitelisted. It seems the library needs
to be loaded from /tmp.
A second error for a failed attempt to access /home/user/.cache/JNA is also
shown in the logs. This is also fixed by whitelisting.
|
| |/
|
|
| |
Drop paths present in etc/inc/whitelist-usr-share-common.inc from
profiles that include it.
|
| |\
| |
| | |
nextcloud: D-Bus filtering changes
|
| | | |
|
| | | |
|
| | | |
|
| |\ \
| |/
|/| |
Profile for RawTherapee
|
| | | |
|
| |/
|
|
|
|
|
|
|
| |
Tesseract is a CLI program and its output may be parsed by other
programs (such as `ocrmypdf`). Including messages from firejail in the
output may break the parsing, so remove them.
Fixes #6171.
Reported-by: @kmille
|
| |
|
|
|
|
|
|
|
| |
Committer note: For each profile there is both XXX-gtk and gtk-XXX (such
as lbry-viewer-gtk and gtk-lbry-viewer).
XXX-gtk is the symlink
gtk-XXX is the actual file
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To ensure that it includes luajit paths as well:
* /usr/share/lua
* /usr/share/luajit-2.1
And remove all entries of the same path without the wildcard, to avoid
redundancy.
Misc: The wildcard entries were added on commit 56b60dfd0 ("additional
Lua blacklisting (#3246)", 2020-02-24) and the entries without the
wildcard were partially removed on commit 721a984a5 ("Fix Lua in
disable-interpreters.inc", 2020-02-24).
This is a follow-up to #6128.
Reported-by: @pirate486743186
|
| |
|
| |
gropdf (`man -Tpdf`) needs Perl (see #6142).
|
| |\
| |
| | |
mpv: whitelist /usr/share/mpv
|
| | |
| |
| |
| |
| |
| | |
Use case: You install scripts in `/usr/share/mpv` but they remain
inactive. You then symlink them to `/etc/mpv` to activate them if you
want.
|
| |\ \
| | |
| | | |
minecraft-launcher.profile: allow keyring access
|
| | | | |
|
| | | | |
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| | |
Some plugins may require it[1]:
error: os_dlopen([...]): libluajit-5.1.so.2: [...]: Permission denied
warning: Module '/usr//lib/obs-plugins/frontend-tools.so' not loaded
[1] https://github.com/netblue30/firejail/issues/6130#issue-2040800338
|
| |/ |
|
| |\
| |
| | |
build: sort.py: use case-sensitive sorting
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To match how things are sorted elsewhere, such as with `noblacklist` /
`whitelist` lines (vertically) in profiles and in
ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
This makes the order in `private-etc` always be groups (`@group`), then
uppercase paths, then lowercase paths. Example from
etc/profile-m-z/softmaker-common.profile:
private-etc @tls-ca,SoftMaker,fstab
Note that this does not affect a significant amount of profiles; most
changes are in `private-bin` / `private-lib` lines and in `private-etc`
lines for newer profiles that do not use groups. This is partly due to
commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05)
replacing `X11` with `@x11` in `private-etc` lines and then commit
0f996ea4d ("private-etc: groups modified", 2023-02-05) removing
`Trolltech.conf` from `private-etc` lines and using case-sensitive
sorting in them.
Relates to #5610.
|
| |\ \
| | |
| | | |
steam.profile: allow process_vm_readv syscall
|
| | | |
| | |
| | |
| | |
| | |
| | | |
EA Origin (game launcher) won't launch without this.
See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159
|
| | | |
| | |
| | |
| | | |
on Debian the data is in /usr/share/tesseract-ocr/
|
| | |/
|/|
| |
| |
| |
| |
| | |
* disable-programs.inc: add support for tiny-rdm
* Create tiny-rdm.profile
* firecfg.config: add support for tiny-rdm
|
| |/
|
|
|
|
|
|
|
| |
* nodejs-common: add pnpm support
* disable-programs.inc: add pnpm support
* Create pnpm.profile
* Create pnpx.profile
|
Kelvin M. Klann
glitsj16
pirate486743186
Michele Sorcinelli
netblue30
powerjungle
Fidel Ramos
NetSysFire
archaon616
duevo
Reiner Herrmann