| Commit message (Collapse) | Author | Age |
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
Profile for Ledger Live desktop app
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
/opt/ledger-live installation currently sits at 345 MiB, so I decided to
whitelist it instead of using private-opt ledger-live, in case future
installations grow in size.
Not using private-dev was the only way I managed to get my USB wallet to
work.
|
|\ \
| | |
| | | |
landlock: use "landlock.fs." prefix in filesystem commands
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since Landlock ABI v4 it is possible to restrict actions related to the
network and potentially more areas will be added in the future.
So use `landlock.fs.` as the prefix in the current filesystem-related
commands (and later `landlock.net.` for the network-related commands) to
keep them organized and to match what is used in the kernel.
Examples of filesystem and network access flags:
* `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
* `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
* `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
* `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a
remote port.
Relates to #6078.
|
|\ \
| | |
| | | |
New profile: virt-manager
|
| | | |
|
| |/ |
|
|\ \
| | |
| | | |
New profile: gnome-boxes
|
| |/ |
|
|\ \
| |/
|/| |
multimc: instances not running, because of missing permissions
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When starting an instance, in the logs, a failed attempt to load the lwjgl
library is shown and the game doesn't run.
The library is in the /tmp directory. The reason for this appears to
be, in the lwjgl source code, the shared library loading function,
extracts in the temporary directory and continues from there.
This is fixed by whitelisting.
The reason for adding "ignore noexec /tmp" as well, is that without it, the game
can't run, even if the directory is whitelisted. It seems the library needs
to be loaded from /tmp.
A second error for a failed attempt to access /home/user/.cache/JNA is also
shown in the logs. This is also fixed by whitelisting.
|
|/
|
|
| |
Drop paths present in etc/inc/whitelist-usr-share-common.inc from
profiles that include it.
|
| |
|
|\
| |
| | |
nextcloud: D-Bus filtering changes
|
| | |
|
| | |
|
| | |
|
|\ \
| | |
| | | |
Profile for Electron Cash
|
| | | |
|
| | | |
|
|\ \ \
| |_|/
|/| | |
Profile for RawTherapee
|
| |/ |
|
|\ \
| | |
| | | |
gnome-keyring: harden and add gnome-keyring-daemon.profile
|
| | |
| | |
| | |
| | | |
And use it as the base for the existing gnome-keyring.profile.
|
| | | |
|
|/ / |
|
|\ \
| | |
| | | |
landlock: split .special into .makeipc and .makedev
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Recent versions of geeqie[1] use a Lua interpreter, like the one
currently in Arch Linux (2.2).
Without this fix it fails with:
/usr/bin/geeqie: error while loading shared libraries: liblua.so.5.4: [...]
[1] https://www.geeqie.org/
|
| |
| |
| |
| |
| | |
Add common Lua include to crawl.profile (Dungeon Crawl Stone Soup) to
allow Lua libraries, as both the ncurses and tiles executables are
dynamically linked to Lua.
|
|/
|
|
|
|
|
|
|
| |
Tesseract is a CLI program and its output may be parsed by other
programs (such as `ocrmypdf`). Including messages from firejail in the
output may break the parsing, so remove them.
Fixes #6171.
Reported-by: @kmille
|
|
|
|
|
|
|
|
|
| |
Committer note: For each profile there is both XXX-gtk and gtk-XXX (such
as lbry-viewer-gtk and gtk-lbry-viewer).
XXX-gtk is the symlink
gtk-XXX is the actual file
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
|
|
| |
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To ensure that it includes luajit paths as well:
* /usr/share/lua
* /usr/share/luajit-2.1
And remove all entries of the same path without the wildcard, to avoid
redundancy.
Misc: The wildcard entries were added on commit 56b60dfd0 ("additional
Lua blacklisting (#3246)", 2020-02-24) and the entries without the
wildcard were partially removed on commit 721a984a5 ("Fix Lua in
disable-interpreters.inc", 2020-02-24).
This is a follow-up to #6128.
Reported-by: @pirate486743186
|
|
|
|
|
| |
Added on commit 2d8ff695a ("WIP: Blacklist common programming
interpreters. (#1837)", 2018-04-02).
|
|
|
| |
gropdf (`man -Tpdf`) needs Perl (see #6142).
|
|\
| |
| | |
mpv: whitelist /usr/share/mpv
|
| |
| |
| |
| |
| |
| | |
Use case: You install scripts in `/usr/share/mpv` but they remain
inactive. You then symlink them to `/etc/mpv` to activate them if you
want.
|
|\ \
| | |
| | | |
landlock: move commands into profile and add landlock.enforce
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
|
|\ \
| | |
| | | |
minecraft-launcher.profile: allow keyring access
|
| | | |
|
| | | |
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| | |
Some plugins may require it[1]:
error: os_dlopen([...]): libluajit-5.1.so.2: [...]: Permission denied
warning: Module '/usr//lib/obs-plugins/frontend-tools.so' not loaded
[1] https://github.com/netblue30/firejail/issues/6130#issue-2040800338
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
curl supports several locations for the rc file according to its man
page:
[...]
When curl is invoked, it (unless -q, --disable is used) checks for a
default config file and uses it if found, even when -K, --config is
used. The default config file is checked for in the following places in
this order:
1) "$CURL_HOME/.curlrc"
2) "$XDG_CONFIG_HOME/curlrc" (Added in 7.73.0)
3) "$HOME/.curlrc"
[...]
|
| | |
|