firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	Merge pull request #2201 from SkewedZeppelin/u2f-ap	netblue30	2018-10-17
\|\ \| \| \| \|	Add nou2f to all profiles
\| *	Add nou2f to all profiles	Tad	2018-10-15
\| \| \| \| \| \| \| \|	- Closes #2194
* \|	Remove "/etc/firejail/" from all include paths, now that profile_read will ↵	Glenn Washburn	2018-10-17
\|/ \| \| \|	search for the file.
*	Cleanup descriptions	Tad	2018-08-13
\|
*	Add descriptions to profiles, pulled from Ubuntu 18.04	Tad	2018-08-13
\|
*	Add disable-xdg.inc to ~100 profiles	Tad	2018-07-24
\|
*	fix rhythmbox profile	netblue30	2018-04-29
\|
*	WIP: Blacklist common programming interpreters. (#1837)	Fred Barclay	2018-04-02
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* Use path variable instead of full path when blacklisting devel tools. * Part 1: blacklist python, perl, ruby, etc in disable-interpreters.inc * Part 2: allow access to java as needed * Typo: missing blacklist * Part 3: allow perl access as needed * typo * Add xreader thumbnailer and previewer profiles * Add xplayer audio-preview and thumbnailer profiles * Add atril thumbnailer and previewer profiles * More fixups after adding disable-interpreters.inc * Blacklist javac * More javac noblacklisting * Remove javac from dex2jar, libreoffice, multimc5, and pdfsam profiles * --nodbus, first draft for #1825 * dbus.c * rework akonadi integration the usr.sbin.mysqld-akonadi apparmor profile, enforced by default in ubuntu and debian testing (and probably opensuse), doesn't play well with a number of firejail options. the reason for this is that once the no_new_privs bit is set, apparmor profile transitions are forbidden. enforcing our own apparmor policy instead is also no solution, because these programs don't even start without d-bus. relaxing the kmail profile was necessary so that kmail can fire up akonadi itself, just in case akonadi has not been started earlier already by another program. this is always an issue when kmail is the only installed akonadi client, but there may be more circumstances. for reasons outlined above this doesn't help debian and ubuntu (opensuse?) users though :-/ a brief summary of the seccomp exceptions: chroot is needed for qt webengine, io_prioset for the akonadi indexing agent, io_getevents, io_submit, io_setup are needed for mysqld. when akonadi has an sqlite3 backend, less exceptions to the seccomp filter are necessary, but mysqld is the default. in the future all kontact suite profiles (itm only kmail, knotes) should probably be redirections to akonadi_control, but the issues with apparmor make this somewhat impractical for now (options like 'protocol' couldn't go to akonadi_control.local any more, if current kmail redirected to there). * Add nodbus to some profiles - part 1 * Spotify works with nodbus on Arch * Enable nodbus for keepassx and keepassxc profiles. I've tested on keepassxc but should work for keepassx as well. Settings are not immutable. * recalibrate dbus access, deploy nodbus option see #1822 and #1825. also systematically replaces 'blacklist /run/user//bus' with 'nodbus'. with contributions from @Fred-Barclay various blacklist additions * Add a profile for ncdu, enable private-etc in Steam again, and fixup gnome-recipes * comment nodbus where it interferes with dconf pending further discussion * Add a disabled and extensive private-bin for Steam * Further improve private-bin in steam * comment apparmor, net where they interfere with dconf - #1843 * gnome-calculator fixup * spectre support for clang compiler * spectre clang support * enable/disable dbus handling in /etc/firejail/firejail.config * nodbus man pages, etc. * redirect knotes to kmail, some tweaks * testing * gimp fixup * Even more fixups after adding disable-interpreters.inc * AWS and GCP store credentials in local directories as part of project setup. Configuration for cloud providers is sensitive information; it should be in the default block list. I didn't see profiles for gcloud or awscli, so haven't added any exclusions. boto and kubectl are not provider-specific, but also store credentials for whichever platforms they happen to be being used with. * testing * consolidate makefiles * gitignore * Use path variable instead of full path when blacklisting devel tools. * Part 1: blacklist python, perl, ruby, etc in disable-interpreters.inc * Part 2: allow access to java as needed * Typo: missing blacklist * Part 3: allow perl access as needed * typo * More fixups after adding disable-interpreters.inc * Blacklist javac * More javac noblacklisting * Remove javac from dex2jar, libreoffice, multimc5, and pdfsam profiles * Cleanup rebase leftovers * imagej doesn't need javac access * Add cc to blacklisted compilers * Use wildcards when blacklisting some gcc paths * Blacklist lua in disable-interpreters * Correct blacklist for node.js * Fred Barclay note: some of these commits (all of the ones that don't affect files inside etc/) aren't mine but were added during a rebase + squash
*	comment apparmor, net where they interfere with dconf - #1843	smitsohu	2018-03-30
\|
*	comment nodbus where it interferes with dconf	smitsohu	2018-03-29
\| \| \| \|	pending further discussion
*	recalibrate dbus access, deploy nodbus option	smitsohu	2018-03-28
\| \| \| \| \| \| \|	see #1822 and #1825. also systematically replaces 'blacklist /run/user/*/bus' with 'nodbus'. with contributions from @Fred-Barclay
*	Move apparmor option to the top of the options list in all profiles	Tad	2018-03-17
\|
*	apparmor deployment	netblue30	2018-03-16
\|
*	whitelist /var	netblue30	2017-10-04
\|
*	Fix notv placement	Tad	2017-08-11
\|
*	added notv to most profiles	netblue30	2017-08-11
\|
*	Fix comments in 88 profiles	Tad	2017-08-07
\| \| \| \|	There may actually be some other comments that were removed, but the bulk have been restored
*	Unify all profiles	Tad	2017-08-07
\|
*	Harden 50 profiles	Tad	2017-07-04
\| \| \| \| \|	Hardened many profiles using disable-mnt and novideo Fixed gnome-font-viewer
*	added /etc/firejail/globals.local for global customizations	netblue30	2017-05-23
\|
*	persistent support for all profile files	netblue30	2017-02-09
\|
*	squash attempt 2	Fred-Barclay	2016-10-24
\|
*	tested and stable	Fred-Barclay	2016-09-01
\|
*	private-bin conversion	Fred-Barclay	2016-07-10
\|
*	merged Various #542 pull request from Fred-Barclay	netblue30	2016-05-31
\|
*	profiles: Add nonewprivs where sensible	The Fox in the Shell	2016-05-25
\|
*	delete blacklist wine from profiles	avoidr	2016-04-12
\|
*	introducing disable-passwdmgr.inc	netblue30	2016-03-28
\|
*	consolidated disable-terminals into disable-common	netblue30	2016-03-27
\|
*	consolidating disable-mgmt and disable-sercret into disable-common	netblue30	2016-03-26
\|
*	profile work	netblue30	2016-03-26
\|
*	profile update	netblue30	2016-03-12
\|
*	split out terminal blacklisting in disable-terminals.inc	netblue30	2016-02-12
\|
*	added disable-devel.inc	netblue30	2015-11-01
\|
*	merged disable-history.inc into disable-common.inc	netblue30	2015-10-30
\|
*	enable --protocol by default in profiles	netblue30	2015-10-28
\|
*	disabled Wine and VirtualBox in default profiles	netblue30	2015-09-24
\|
*	fixes	netblue30	2015-09-24
\|
*	security profile work	netblue30	2015-09-24
\|
*	disable-history.inc integration - included in all profile files	netblue30	2015-08-12
\|
*	Baseline firejail 0.9.28	netblue30	2015-08-08