| Commit message (Collapse) | Author | Age |
| |
remove netfilter from profiles with net none
allow Viber to use dig, dig is in its private-bin, so I assume that it
needs it.
blacklist resolvectl which can also be used for dns lookups
| |
patch for xdg-dbus-proxy
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -45,3 +45,8 @@ private-bin gnome-screenshot
private-dev
private-etc dconf,fonts,gtk-3.0,localtime,machine-id
private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system block
```
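Review bot: the four rules added after `private-tmp` have no comment saying why `org.gnome.Screenshot` is owned and why `org.gnome.Shell.Screenshot` is the only name the sandbox may talk to. Under `dbus-user filter` these two rules are the entire session-bus allowlist, so a one-line comment above them naming what each is needed for would keep a later editor from widening the filter blindly. Please also confirm that interactive use (save dialog, copy to clipboard) still works, since nothing else in the hunk allows another session-bus name.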
patch for whitelist-runuser-common.inc
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
include whitelist-var-common.inc
apparmor
```
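Review bot: the four removed `whitelist ${RUNUSER}/...` lines are replaced by `include whitelist-runuser-common.inc`, but the contents of that include are not part of this patch, so the hunk alone does not show that `${RUNUSER}/gdm/Xauthority` and `${RUNUSER}/pulse` stay reachable. Please confirm all four paths are covered by the include, or keep any that are not as explicit `whitelist` lines after it. If the include whitelists more than these four paths, the profile becomes broader and the commit message should say so. Minor: the new include sits between `whitelist-usr-share-common.inc` and `whitelist-var-common.inc`; alphabetical order would put it before both.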
| |
* fix private-lib, closes #3233
* make private-etc and private-lib opt-in
see https://github.com/netblue30/firejail/issues/3233#issuecomment-589871765
disable-devel.inc: remove duplicated line
| |
$PATH and $XDG_DATA_DIRS can contain subdirs of flatpak/exports,
some applications crash if they can't access these files.
Layout on my system:
~/.local/share/flatpak/exports
|-bin
|-share
|-applications
|-icons
| |
file-roller fails to extract archives without access to bash
Noticed on LMDE 4 (Debian 10 base) with Cinnamon desktop
| |
* discord 0.10 | fix #3247
* revert private-bin move & use disable-exec
* fix slack, see https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
| |
The zoom SSO workflow launches an embedded sandboxed browser
(QtWebEngineProcess) which requires chroot and netlink to work.
Fixes #3272
| |
See also: https://bugs.debian.org/948656
| |
Place `include allow-lua.inc` above the other includes
| |
Replace `noblacklist /usr/lib/liblua*` by including `allow-lua.inc`
| |
See issue #3250
| |
Fixes #3221.
| |
See discussion in https://github.com/netblue30/firejail/commit/56b60dfd0ec5227318f21409093eca965baf136a.
| |
Thanks to @rusty-snake in https://github.com/netblue30/firejail/commit/56b60dfd0ec5227318f21409093eca965baf136a#r37460831.
| |
* more lua blacklisting in disable-interpreters.inc
* add some paths to allow-lua.inc
* Revert blacklisting /usr/include/lauxlib.h in disable-interpreters.inc
/usr/include/lauxlib.h is handled in disable-devel.inc. Thanks to @rusty-snake for pointing that out.
| |
* allow lua in mpv.profile
* fix allow-lua.inc for mpv
* extra lua blacklisting for mpv
| |
- spelling suggestion from @glitsj16 on fda62527
- drop python2 from openshot it never has a python2 version
- #3126 note in manpage: cannot combine --private with --private=
| |
* Add profile for official Linux Teams application
* fix: add mkdir suggestions in Teams profile
* Merge suggestions for Teams profile
* Add suggestion to Teams profile
* Add Teams to firecfg.config
* Add paths from Teams profile to disable-programs
* Remove the duplicated whitelist for downloads in Teams profile
Co-Authored-By: rusty-snake <print_hello_world+GitHub@protonmail.com>
* Cleanup teams profile after testing
* Add comment to Teams profile
Co-authored-by: rusty-snake <print_hello_world+GitHub@protonmail.com>
| |
Some distributions include fonts in the texmf and texlive subdirectories
of /usr/share. This makes those fonts accessible, addressing buggy
behavior in okular where some text fails to render.
This also whitelists /usr/share/config.kcfg which contains default
settings that should be available to many applications.
| |
Allow writing some proc paths used by browsers but restrict it to their owner.
| |
Openshot 2.5.0 needs networking. This fixes #3221.
| |
- mdwe broken
- ${HOME}/.ssr
| |
* include wvc in aria2c.profile
* include wvc in clawsker.profile
* include wvc in conky.profile
* include wvc in dconf.profile
* include wvc in dconf-editor.profile
* include wvc in exiftool.profile
* include wvc in font-manager.profile
* include wvc in gconf.profile
* include wvc in git.profile
* include wvc in gjs.profile
* include wvc in gpg.profile
* include wvc in img2txt.profile
* include wvc in mediainfo.profile
* include wvc in mpd.profile
* include wvc in nitroshare.profile
* include wvc in ocenaudio.profile
* include wvc to ping.profile
* include wvc in simple-scan.profile
* include wvc in simplescreenrecorder.profile
* include wvc in sysprof.profile
* include wvc in tshark.profile
* include wvc in uget-gtk.profile
* include wvc in viewnior.profile
* include wvc in weechat.profile