path: root/etc/templates/profile.template
Commit message | Author | Age
* from my overrides | rusty-snake | 2020-11-16
  - add seccomp.block-secondary to a lot of profiles
  - add wruc to firefox-common and ignore it in TB and firefox-common-addons
  - harden dia, gnome-keyring, libreoffice, megaglest, pngquant, ghostwriter, rhythmbox, sqlitebrowser
* New disable include: disable-write-mnt.inc (#3622) | rusty-snake | 2020-09-07
  * New disable include: disable-write-mnt.inc
    It is for profiles which have a reasonable mnt access (we can not add disable-mnt), but no edit function (e.g. any kind of viewer).
    Added to
    - profile.template
    - default.profile
    - eo-common.profile
  * Update default.profile
* disable-shell.inc (#3411) | rusty-snake | 2020-06-04
  * disable-shell.inc
  * add disable-shell.inc to all profiles with a … … private-bin line without bash/sh except profiles with redirect profiles.
  * add it to some more profiles
  * exclude aria2c.profile
* dbus filter profiles (1) (#3326) | rusty-snake | 2020-05-02
  * dbus filter (1)
  * dbus-filter: firefox
  * drop org.gtk.vfs and com.canonical.AppMenu.Registrar
* add sthortwave (#1139) and remove gjs from firecf… | rusty-snake | 2020-04-13
  …g.config (#3333).
* Replace `nodbus` with dbus-* filters | Fred Barclay | 2020-04-07
  See
  - 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
  - https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183

  Except for ocenaudio, access/restrictions on dbus options should be unchanged

  Ocenaudio profile: dbus filters were sandboxed (initially `nodbus` was enabled) since comments indicated blocking dbus meant preferences were broken
* Whitelist runuser common (#3286) | rusty-snake | 2020-03-31
  * introduce whitelist-runuser-common.inc
  * If an application does not need a whitelist it can/should be nowhitelisted.
    Example:
      nowhitelist ${RUNUSER}/pulse
      include whitelist-runuser-common.inc
  * ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should)
  * strange wayland setups with a second wayland-compositor need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
  * some display-managers store their Xauthority file in ${RUNUSER}. test results with fedora 31:
    - ssdm: ~/.Xauthority is used
    - lightdm: /run/lightdm/USER/Xauthority
    - gdm: /run/user/UID/gdm/Xauthority
  * IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOME's window-manager) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start.
  * wru update 1
    - add wru to more profiles.
    - blacklist ${RUNUSER} works for the most cli programs too.
  * add wruc to more profiles
  * fixes
  * fixes
  * wruc: hide pulse pid
  * update
  * remove wruc from all the x11 profiles
  * fixes
  * fix ordering
  * read-only
  * revert read-only
  * update
  *
* blacklist gjs in disable-interpreters (#3186) | rusty-snake | 2020-01-25
  * blacklist gjs in disable-interpreters
  * Update
* add RUNUSER and Disable Wayland to the template | rusty-snake | 2020-01-18
* Fix #3105 -- add allow-ruby.inc | rusty-snake | 2020-01-02
* whitelist-usr-share-common.inc (#2972) | rusty-snake | 2019-10-05
  * Work on whitelist-usr-share-common
  * sorting; add Modules + QT/KDE stuff
  * add wusc.inc to more profiles [needs testing]
  * update
  * gitg, firefox, evince
  * /usr/share/{p11-kit,pixmaps,pki,qt5,tcl8.6,terminfo}
  * more profiles
  * remove wusc.inc from feedreader
    Even with 'whitelist /usr/share/*', feedreader tries to dereference a NULL pointer.
  * more profiles
  * whitelist /usr/share breaks wget even with whitelist /usr/share/*
  * extend wusc.inc
  * update
  * Add alsa,crypto-policies and zoneinfo
  * readd wusc.inc to wget and feedreader
  * update
  * testing results: Debian Buster with KDE
  * more KDE stuff
  * fix tb
* Update syscalls.txt | rusty-snake | 2019-09-05
* Introduce allow-common-devel.inc | rusty-snake | 2019-08-22
* Update wording in templates (#2815) | glitsj16 | 2019-06-30
  * Change wording in redirect_alias-profile.template
  * Change wording in profile.template
  * Update wording in redirect_alias-profile.template
* Update profile templates | rusty-snake | 2019-06-30
* Improve profile.template | rusty-snake | 2019-06-20
  * uncomment .local includes
  * add options
  * ##ignore noexec /tmp
  * ##caps.keep CAPS
  * ##hostname NAME
  * ##writable-etc
  * ##writable-run-user
  * ##writable-var
  * ##writable-var-log
  * add disable x11
  * x11 none
  * blacklist /tmp/.X11-unix
  * comment when which of the both option should be used
  * sort private-etc template Common
  * add comments
  * machine-id: breaks sound and sometimes dbus related functions
  * private-bin: python should be added by 'python*'
  * protocol: auxiliary comment for protocol line
  * add 'packet' to protocol list
  * Sections structure: OPTIONS: now has seccomp* instead of seccomp
* some fixes in profile.template | rusty-snake | 2019-06-16
* template profile: update private-etc templates (#2745) | SkewedZeppelin | 2019-06-11
  This replaces the outdated templates from #1734 with new templates from the program used in #2093
* Mention macros in profile.template (#2759) | Jose Riha | 2019-06-11
* merges & fixes | rusty-snake | 2019-06-06
* Make lua commented in profile template | Jose Riha | 2019-06-05
* Update profile.template for allow-INTERPETER.inc | rusty-snake | 2019-06-01
* Extend profile.template with comments (#2735) | Jose Riha | 2019-06-01
* Add profile templates | rusty-snake | 2019-05-30
  Create etc/templates
  * profile.template
  * redirect_alias-profile.template
  * syscalls.txt
  * Notes