| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
See
- 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
- https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
Except for ocenaudio, access/restrictions on dbus options should
be unchanged
Ocenaudio profile: dbus filters were sandboxed (initially `nodbus`
was enabled) since comments indicated blocking dbus meant
preferences were broken
|
| |
|
|
| |
nc is a symlink to ncat on some distros
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* introduce whitelist-runuser-common.inc
* If an applications does not need a whitelist it can/should be
nowhitelisted. Example:
nowhitelist ${RUNUSER}/pulse
include whitelist-runuser-common.inc
* ${RUNUSER}/bus is inaccessible with nodbus regardless of the
whitelist. (as it should)
* strange wayland setups with an second wayland-compostior need to
whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
* some display-manager store there Xauthority file in ${RUNUSER}.
test results with fedora 31:
- ssdm: ~/.Xauthority is used
- lightdm: /run/lightdm/USER/Xauthority
- gdm: /run/user/UID/gdm/Xauthority
* IMPORTANT: ATM we can only enable this for non-graphical and GTK3
programs because mutter (GNOMEs window-manger) stores the Xauthority
file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
where XXXXXX is random. Until we have whitelist globbing we can't
whitelist this file. QT/KDE and other toolkits without full wayland
support won't be able to start.
* wru update 1
- add wru to more profiles.
- blacklist ${RUNUSER} works for the most cli programs too.
* add wruc to more profiles
* fixes
* fixes
* wruc: hide pulse pid
* update
* remove wruc from all the x11 profiles
* fixes
* fix ordering
* read-only
* revert read-only
* update
*
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add qt/qt4 support to wusc
* Add wusc to more profiles
* Add wusc to more profiles
* Update enchant.profile
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add wusc to more profiles
* Add /usr/share/ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
* Add ca-certs to wusc
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add novideo to a lot of profiles
(there are still more profiles where novideo can be added)
- remove commente mdwe from some gnome applications
- add descriptions to some profiles
- blacklist ${HOME}/.cargo/credentials
- move ${HOME}/.git-credentials and ${HOME}/.git-credential-cache to
'top secret' in disable-common.inc
- some ordering in disable-programs.inc
- merge tor browser blacklists to ${HOME}/.tor-browser*
- qupzilla.profile redirect to falkon.profile
- blacklist gnome-builder paths
- fix transmission profiles inlude
- much more
|
| |
|
|
|
|
| |
* nodbus for ssh-agent
* nodbus for ssh.profile
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
Add nou2f to all profiles
|
| | |
| |
| |
| | |
- Closes #2194
|
| |/
|
|
| |
search for the file.
|
| | |
|
| | |
|
| |
|
|
| |
grep "cache" -L $(grep "redirect" -iL $(grep "whitelist" -RL))
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
There may actually be some other comments that were removed, but the bulk have been restored
|
| | |
|
| |
|
|
|
|
|
|
| |
- mdwe breaks most vm-based languages so python/java/javascript and some mono programs are not compatible
- mdwe also breaks most 3d accelerated programs such as 3d games
- mdwe is similar to PaX's mprotect meaning PaX flag managers can be used as reference
-- See https://github.com/copperhead/paxd-archive/blob/master/paxd.conf
-- See https://github.com/nning/linux-pax-flags
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
firejail output in ssh client breaks git+ssh for me, e.g.,
$ git clone git@github.com:netblue30/firejail.git
Cloning into 'firejail'...
Reading profile /etc/firejail/ssh.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
fatal: protocol error: bad line length character: Pare
The "Pare" comes from "Parent pid x, child pid y".
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
Fred Barclay
Tad
rusty-snake
Reiner Herrmann
glitsj16
rusty-snake
smitsohu
netblue30
Glenn Washburn
Dara Adib
The Fox in the Shell
avoidr