path: root/etc/seahorse.profile
Commit message | Author | Age
* Whitelist runuser common (#3286) | rusty-snake | 2020-03-31
    * introduce whitelist-runuser-common.inc
    * If an application does not need a whitelist it can/should be nowhitelisted. Example:
        nowhitelist ${RUNUSER}/pulse
        include whitelist-runuser-common.inc
    * ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should)
    * strange wayland setups with a second wayland-compositor need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
    * some display managers store their Xauthority file in ${RUNUSER}. test results with fedora 31:
        - sddm: ~/.Xauthority is used
        - lightdm: /run/lightdm/USER/Xauthority
        - gdm: /run/user/UID/gdm/Xauthority
    * IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOME's window manager) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start.
    * wru update 1
        - add wru to more profiles.
        - blacklist ${RUNUSER} works for most cli programs too.
    * add wruc to more profiles
    * fixes
    * fixes
    * wruc: hide pulse pid
    * update
    * remove wruc from all the x11 profiles
    * fixes
    * fix ordering
    * read-only
    * revert read-only
    * update
* fixes for 'blacklist ${RUNUSER}/wayland-*' (#3166) | glitsj16 | 2020-01-18
    * unbreak audio-recorder
      Support both X11 and Wayland by default. Users can add 'blacklist ${RUNUSER}/wayland-*' or 'x11 none' in their audio-recorder.local.
    * unbreak ddgtk
      Support both X11 and Wayland by default. Users can add 'blacklist ${RUNUSER}/wayland-*' or 'x11 none' in their ddgtk.local.
    * unbreak and harden gconf-editor
      Support both X11 and Wayland by default. Also whitelist /usr/share/gconf-editor for wusc.
    * unbreak seahorse
      Support both X11 and Wayland by default.
    * add blacklist ${RUNUSER}/wayland-* to dnscrypt-proxy
* add 'blacklist ${RUNUSER}/wayland-*' to all profiles with 'blacklist /tmp/.X11-unix' | rusty-snake | 2020-01-18
* fix seahorse-tool | rusty-snake | 2019-12-19
* Add wusc to more profiles (#3005) | glitsj16 | 2019-10-18
    * Add wusc to more profiles
    * Add qt/qt4 support to wusc
    * Update enchant.profile
    * Add /usr/share/ca-certs to wusc
    * Add ca-certs to wusc
* remove ~/.config/dconf from whitelist-common.inc | rusty-snake | 2019-09-05
    - dconf database is read-only (fde6e04b) and accessed over dbus, there are no reasons to keep it in the sandbox
* noblacklist but no blacklist (#2886) | rusty-snake | 2019-08-19
    * begin fixup
    * continue
    * continue
    * continue
    * continue
    * continue
    * continue
    * continue
* Put 'blacklist /tmp/.X11-unix' in seahorse.profile | glitsj16 | 2019-07-01
* More sorting private-etc (#2779) | glitsj16 | 2019-06-15
    * Sort private-etc
      This .inc file got missed by https://github.com/netblue30/firejail/pull/2766.
    * Sort private-etc
* Use private-etc directly | glitsj16 | 2019-06-15
    Thanks to @rusty-snake for pointing this out.
* Re-order seahorse profile | glitsj16 | 2019-06-15
* many profile cleanups (3) | rusty-snake | 2019-06-02
* Re-add 'shell none' to gpg.profile (#2716) | glitsj16 | 2019-05-21
    * Re-add 'shell none' to gpg.profile
    * Update seahorse.profile
* Seahorse revisited (#2600) | glitsj16 | 2019-03-16
    * Refactor seahorse into a whitelist profile
    * Refactor seahorse-tool as a whitelist profile
    * Create seahorse-daemon.profile
    * Add seahorse-daemon to firecfg
    * Drop blacklist /tmp/.X11-unix from seahorse.profile
      Thanks to @rusty-snake for pointing out blacklisting /tmp/.X11-unix is ridiculous for GUIs.
    * Add non-GUI option to seahorse-daemon
* Fix seahorse.profile seahorse-tool.profile (#2599) | rusty-snake | 2019-03-15
* Fixes for seahorse/seahorse-tool (#2592) | glitsj16 | 2019-03-14
    * Fix seahorse GUI
    * Fix seahorse-tool GUI
* add disable-exec.inc to all profiles with apparmor (#2576) | smitsohu | 2019-03-12
    * add disable-exec.inc to all profiles with apparmor - #2385 #2505
    * drop disable-exec.inc from generic electron.profile
* Add new profile for seahorse (#2491) | glitsj16 | 2019-03-01
    * Create seahorse.profile
    * Create seahorse-tool.profile
    * Add seahorse to firecfg