| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* profiles: drop private-opt (existing whitelist)
* profiles: replace private-opt with whitelist
In most profiles.
Kept private-opt for enpass (~85MB), mate-dictionary (<20MB),
minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't
check: xmr-stak.
* docs: note potential issues with private-opt
|
|
|
|
| |
Closes #5965
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `shell` option has been removed. Remove stale references.
This does NOT remove `shell none`-related code comments in:
- src/firejail/fs_lib.c (L433-L441)
- src/firejail/join.c (L415-L417)
Relates to #5196.
Suggested by #5891.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
now covers syscalls up to including process_madvise (440)
group assignment was blindly copied from systemd:
https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305
the only exception is close_range, which was added to both @basic-io and @file-system
this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
|
|
|
|
| |
closes #4965
|
|
|
|
|
|
|
| |
See commit bd15e763e ("--noprinter option", 2021-10-20) and commit
d9403dcdc ("small fix", 2021-10-20).
Relates to #4607.
|
| |
|
|\
| |
| | |
Create disable-proc.inc
|
| | |
|
|/ |
|
| |
|
| |
|
|
|
|
| |
follow up
|
|
|
|
|
|
|
| |
Still unresolved:
> If someone who use systemd-resolved can say more which resolv.conf is necessary on such system.
> whitelist /run/systemd/resolve/resolv.conf
> whitelist /run/systemd/resolve/stub-resolv.conf
|
|
|
|
|
|
|
|
|
|
| |
- Fix #4157 -- [Feature] Should rmenv GitHub auth tokens
There are still more token variables from other program that should be
added.
- Fix #4093 -- darktable needs read access to liblua*
- Fix #4383 -- move noblacklist ${HOME}/.bogofilter to email-common.profile for claws-mail (and other mailers)
- Fix xournalpp.profile
- syscalls.txt: ausyscall i386 -> firejail --debug-syscalls32
|
|
|
|
| |
Rework + suggest --seccomp-error-action=log
|
|\
| |
| | |
remove kcmp from seccomp default drop list
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
| |
The header of profile.template define this order:
IGNORES
NOBLACKLISTS
ALLOW INCLUDES
BLACKLISTS
DISABLE INCLUDES
|
| |
|
|
|
|
| |
Clarify some options that supersede others.
|
| |
|
| |
|
|
|
|
| |
[skip ci]
|
| |
|
|\
| |
| | |
Clarify what the Description comment is for
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- RELNOTS: protocol now accumulates
- fix #3978 -- Android Studio: cannot create the directory
Unresolved:
> google-earth.profile has a 'noblacklist ${HOME}/.config/Google' too,
> so we should consider to add additional blacklists for ~/.config/Google/*.
- marker.profile: allow ${DOCUMENTS}
- profile.template: add bluetooth protocol
- profile.template: add DBus portal note
- firejail-profile.txt: revert 17fe4b9e -- fix private=directory in man firejail-profile
see https://github.com/netblue30/firejail/pull/3970#discussion_r574411745
|
|
|
| |
See https://github.com/netblue30/firejail/pull/3993/files/660bc3435b43e32d156d9bb5bee2dbad2f84cf36#r577366805.
|
| |
|
| |
|
| |
|
|\
| |
| | |
ssh: Refactor, fix bugs & harden
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
Command used to find the relevant files:
$ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
Also, add it to profile.template, as reminded by @rusty-snake at
https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
|
|/ |
|
| |
|
|
|
|
|
|
|
|
| |
- add seccomp.block-secondary to a lot profiles
- add wruc to firefox-common and ignore it in TB and
firefox-common-addons
- harden dia, gnome-keyring, libreoffice, megaglest, pngquant,
ghostwriter, rhythmbox, sqlitebrowser
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* New disable include: disable-write-mnt.inc
It is for profiles which have a reasonable mnt access (we can not add
disable-mnt), but no edit function (e.g. any kind of viewer).
Added to
- profile.template
- default.profile
- eo-common.profile
* Update default.profile
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* disable-shell.inc
* add disable-shell.inc to all profiles with a …
… private-bin line without bash/sh except profiles with redirect
profiles.
* add it to some more profiles
* exclude aria2c.profile
|
|
|
|
|
|
|
| |
* dbus filter (1)
* dbus-filter: firefox
* drop org.gtk.vfs and com.canonical.AppMenu.Registrar
|
|
|
|
| |
…g.config (#3333).
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See
- 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
- https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
Except for ocenaudio, access/restrictions on dbus options should
be unchanged
Ocenaudio profile: dbus filters were sandboxed (initially `nodbus`
was enabled) since comments indicated blocking dbus meant
preferences were broken
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* introduce whitelist-runuser-common.inc
* If an applications does not need a whitelist it can/should be
nowhitelisted. Example:
nowhitelist ${RUNUSER}/pulse
include whitelist-runuser-common.inc
* ${RUNUSER}/bus is inaccessible with nodbus regardless of the
whitelist. (as it should)
* strange wayland setups with an second wayland-compostior need to
whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
* some display-manager store there Xauthority file in ${RUNUSER}.
test results with fedora 31:
- ssdm: ~/.Xauthority is used
- lightdm: /run/lightdm/USER/Xauthority
- gdm: /run/user/UID/gdm/Xauthority
* IMPORTANT: ATM we can only enable this for non-graphical and GTK3
programs because mutter (GNOMEs window-manger) stores the Xauthority
file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
where XXXXXX is random. Until we have whitelist globbing we can't
whitelist this file. QT/KDE and other toolkits without full wayland
support won't be able to start.
* wru update 1
- add wru to more profiles.
- blacklist ${RUNUSER} works for the most cli programs too.
* add wruc to more profiles
* fixes
* fixes
* wruc: hide pulse pid
* update
* remove wruc from all the x11 profiles
* fixes
* fix ordering
* read-only
* revert read-only
* update
*
|
|
|
|
|
|
| |
* blacklist gjs in disable-interpreters
* Update
|