path: root/etc/templates

Commit message (Author, Age)

* Update DBus wiki link (Dpeta, 2022-12-23)
* introduce new option restrict-namespaces (smitsohu, 2022-07-23)
* refresh syscall groups (#5188) (smitsohu, 2022-07-17)
  now covers syscalls up to and including process_madvise (440)
  group assignment was blindly copied from systemd:
  https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305
  the only exception is close_range, which was added to both @basic-io and @file-system
  this commit adds the following syscalls to the default blacklist:
  pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
* Fix chromium browsers in firejail 0.9.68 (rusty-snake, 2022-04-14)
  closes #4965
* profile.template: add noprinters (Kelvin M. Klann, 2022-01-05)
  See commit bd15e763e ("--noprinter option", 2021-10-20) and commit d9403dcdc ("small fix", 2021-10-20).
  Relates to #4607.
* deterministic-shutdown option (smitsohu, 2021-10-28)
* Merge pull request #4521 from rusty-snake/disable-proc.inc (smitsohu, 2021-10-20)
  Create disable-proc.inc
  * Create disable-proc.inc (rusty-snake, 2021-09-09)
* fix spelling (#4573) (a1346054, 2021-09-22)
* Update profile.template to use disable-X11.inc (rusty-snake, 2021-09-08)
* add disable-X11.inc to profile template (Reiner Herrmann, 2021-08-14)
* Move disable-passwordmgr.inc into disable-common.inc/disable-programs.inc … (rusty-snake, 2021-08-12)
  follow up
* Add wru to firefox-common, chromium-common and profile.template (rusty-snake, 2021-08-04)
  Still unresolved:
  > If someone who uses systemd-resolved can say more about which resolv.conf is necessary on such a system.
  > whitelist /run/systemd/resolve/resolv.conf
  > whitelist /run/systemd/resolve/stub-resolv.conf
* Profile fixes (rusty-snake, 2021-08-04)
  - Fix #4157 -- [Feature] Should rmenv GitHub auth tokens
    There are still more token variables from other programs that should be added.
  - Fix #4093 -- darktable needs read access to liblua*
  - Fix #4383 -- move noblacklist ${HOME}/.bogofilter to email-common.profile for claws-mail (and other mailers)
  - Fix xournalpp.profile
  - syscalls.txt: ausyscall i386 -> firejail --debug-syscalls32
* Update etc/templates/syscalls.txt (rusty-snake, 2021-07-28)
  Rework + suggest --seccomp-error-action=log
* Merge pull request #4375 from smitsohu/kcmp (netblue30, 2021-06-27)
  remove kcmp from seccomp default drop list
  * remove kcmp from seccomp default drop list (#3219) (smitsohu, 2021-06-26)
* Fix sort error in profile.template (#4334) (pirate486743186, 2021-06-04)
* Update profile.template (rusty-snake, 2021-06-03)
  The header of profile.template defines this order:
  IGNORES
  NOBLACKLISTS
  ALLOW INCLUDES
  BLACKLISTS
  DISABLE INCLUDES
* Add read-write to profile.template (rusty-snake, 2021-05-16)
* Update profile.template (rusty-snake, 2021-05-13)
  Clarify some options that supersede others.
* Styling fixes (mrrescue.profile, pingus.profile, profile.template) (rusty-snake, 2021-05-05)
* Add noinput to all profiles with private-dev (rusty-snake, 2021-05-05)
* Add allow-bin-sh.inc to profile.template (rusty-snake, 2021-04-17)
  [skip ci]
* Fix typo policies (Ted Robertson, 2021-03-13)
* Merge pull request #4084 from tredondo/patch-4 (glitsj16, 2021-03-11)
  Clarify what the Description comment is for
  * Clarify what the Description comment is for (Ted Robertson, 2021-03-11)
* Improve English (Ted Robertson, 2021-03-11)
* fixes (rusty-snake, 2021-03-01)
  - RELNOTES: protocol now accumulates
  - fix #3978 -- Android Studio: cannot create the directory
    Unresolved:
    > google-earth.profile has a 'noblacklist ${HOME}/.config/Google' too,
    > so we should consider adding additional blacklists for ~/.config/Google/*.
  - marker.profile: allow ${DOCUMENTS}
  - profile.template: add bluetooth protocol
  - profile.template: add DBus portal note
  - firejail-profile.txt: revert 17fe4b9e -- fix private=directory in man firejail-profile
    see https://github.com/netblue30/firejail/pull/3970#discussion_r574411745
* fix Common-Extra (glitsj16, 2021-02-17)
  See https://github.com/netblue30/firejail/pull/3993/files/660bc3435b43e32d156d9bb5bee2dbad2f84cf36#r577366805.
* fix ordering in profile.template (glitsj16, 2021-02-16)
* miscellaneous fixes to profile.template (glitsj16, 2021-02-16)
* add support for faccessat2 syscall (glitsj16, 2021-02-10)
* Merge pull request #3885 from kmk3/fix-ssh (glitsj16, 2021-01-30)
  ssh: Refactor, fix bugs & harden
  * etc: add allow-ssh.inc (Kelvin M. Klann, 2021-01-27)
    And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
    Command used to find the relevant files:
    $ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
    Also, add it to profile.template, as reminded by @rusty-snake at
    https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
* Add 'seccomp-error-action log' to profile.template (rusty-snake, 2021-01-18)
* update manpages and RELNOTES (rusty-snake, 2021-01-08)
* from my overrides (rusty-snake, 2020-11-16)
  - add seccomp.block-secondary to a lot of profiles
  - add wruc to firefox-common and ignore it in TB and firefox-common-addons
  - harden dia, gnome-keyring, libreoffice, megaglest, pngquant, ghostwriter, rhythmbox, sqlitebrowser
* New disable include: disable-write-mnt.inc (#3622) (rusty-snake, 2020-09-07)
  - New disable include: disable-write-mnt.inc
    It is for profiles which have reasonable mnt access (we can not add disable-mnt), but no edit function (e.g. any kind of viewer).
    Added to
    - profile.template
    - default.profile
    - eo-common.profile
  - Update default.profile
* #3106-1, include @mount in @default instead of all the syscalls (rusty-snake, 2020-09-01)
* disable-shell.inc (#3411) (rusty-snake, 2020-06-04)
  - disable-shell.inc
  - add disable-shell.inc to all profiles with a private-bin line without bash/sh except profiles with redirect profiles.
  - add it to some more profiles
  - exclude aria2c.profile
* dbus filter profiles (1) (#3326) (rusty-snake, 2020-05-02)
  - dbus filter (1)
  - dbus-filter: firefox
  - drop org.gtk.vfs and com.canonical.AppMenu.Registrar
* add shortwave (#1139) and remove gjs from firecfg.config (#3333). (rusty-snake, 2020-04-13)
* Replace `nodbus` with dbus-* filters (Fred Barclay, 2020-04-07)
  See
  - 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
  - https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
  Except for ocenaudio, access/restrictions on dbus options should be unchanged.
  Ocenaudio profile: dbus filters were sandboxed (initially `nodbus` was enabled) since comments indicated blocking dbus meant preferences were broken.
* Whitelist runuser common (#3286) (rusty-snake, 2020-03-31)
  - introduce whitelist-runuser-common.inc
  - If an application does not need a whitelist it can/should be nowhitelisted. Example:
    nowhitelist ${RUNUSER}/pulse
    include whitelist-runuser-common.inc
  - ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should)
  - strange wayland setups with a second wayland-compositor need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
  - some display managers store their Xauthority file in ${RUNUSER}. test results with fedora 31:
    - sddm: ~/.Xauthority is used
    - lightdm: /run/lightdm/USER/Xauthority
    - gdm: /run/user/UID/gdm/Xauthority
  - IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOME's window manager) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start.
  - wru update 1
    - add wru to more profiles.
    - blacklist ${RUNUSER} works for most cli programs too.
  - add wruc to more profiles
  - fixes
  - fixes
  - wruc: hide pulse pid
  - update
  - remove wruc from all the x11 profiles
  - fixes
  - fix ordering
  - read-only
  - revert read-only
  - update
* blacklist gjs in disable-interpreters (#3186) (rusty-snake, 2020-01-25)
  - blacklist gjs in disable-interpreters
  - Update
* add RUNUSER and Disable Wayland to the template (rusty-snake, 2020-01-18)
* Fix #3105 -- add allow-ruby.inc (rusty-snake, 2020-01-02)
* whitelist-usr-share-common.inc (#2972) (rusty-snake, 2019-10-05)
  - Work on whitelist-usr-share-common
  - sorting; add Modules + QT/KDE stuff
  - add wusc.inc to more profiles [needs testing]
  - update
  - gitg, firefox, evince
  - /usr/share/{p11-kit,pixmaps,pki,qt5,tcl8.6,terminfo}
  - more profiles
  - remove wusc.inc from feedreader
    Even with 'whitelist /usr/share/*', feedreader tries to dereference a NULL pointer.
  - more profiles
  - whitelist /usr/share breaks wget even with whitelist /usr/share/*
  - extend wusc.inc
  - update
  - Add alsa,crypto-policies and zoneinfo
  - re-add wusc.inc to wget and feedreader
  - update
  - testing results: Debian Buster with KDE
  - more KDE stuff
  - fix tb
* typos [skip ci] (rusty-snake, 2019-09-14)