| Commit message (Collapse) | Author | Age |
|
Games folder must be whitelisted in a dolphin-emu.local
Its private-etc can likely be shortened
|
- gimp: allow mbind syscall. no start on Fedora 33 without
- minetest: disable private-cache. without persistent cache connecting to servers can take many minutes
- supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers
- supertuxkart: comment private-dev to allow controller use
- profiles: unify controller support comments
- firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
|
Since version 3.0 Godot is supporting C# as a language for writing
scripts. The C# solution can be built directly in Godot editor using
MSBuild, which requires access to directory /etc/mono. This directory
contains configuration of Mono environment. If MSBuild doesn't have
access to this directory, it's not able to determine location of
DLL files and it's throwing System.DllNotFoundException at beginning
of the build process.
|
* allow access to gnome-shell search-provider in firefox.profile
Firefox has gnome-shell search-provider support since version 78:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1239694
- https://mastransky.wordpress.com/2020/09/25/firefox-gnome-shell-search-provider/
* add dbus filter for gnome-shell search-provider
|
- Lutris isn't added to firecfg just yet, needs more testing
- aria2c profile has a comment regarding Lutris/Winetricks,
but it shouldn't matter since it can't be nested
- Add commented wusc to wine.profile
- Add vulkan and zenity to wusc.inc
|
Nitpick wording + added a commented disable-shell.inc
|
Miscellaneous whitelist-runuser-common fixes
|
If the GDM display manager runs with Wayland support, and it starts a
desktop environment other than (?) GNOME, the desktop environment will
use the `wayland-1` socket instead of the `wayland-0` socket.
|
We must ignore include `whitelist-runuser-common.profile`,
because it breaks Enigmail (TB 68) and GnuPG smartcard (TB 78) support.
|
Cfr. https://github.com/netblue30/firejail/pull/3517#issuecomment-664715880: element-desktop no longer uses ${HOME}/.config/Element (Riot).
|
rm is needed to uninstall mods and delete game saves (worlds).
|
- disable-common: read-only ${HOME}/.zfunc
- fix #3761 -- w3m with w3m-img installed does not display images when on virtual console/framebuffer
- yelp can be used to display manpages
|
* Add profile for straw-viewer
* Remove blacklist, fixes
|
from my overrides
|
- add seccomp.block-secondary to a lot of profiles
- add wruc to firefox-common and ignore it in TB and
firefox-common-addons
- harden dia, gnome-keyring, libreoffice, megaglest, pngquant,
ghostwriter, rhythmbox, sqlitebrowser
|
Follow-up from discussion in https://github.com/netblue30/firejail/pull/3751.
|
* add dbus comment
* disable dbus
|
…eed to wruc
|
- this might need to be looked into
|
At least on Ubuntu 16.04 LTS we need an additional own.
|
It's the path to the game's data in the official Debian package.
|
fix for #3737.
|
Added ${HOME}/.alsaequal.bin to fix #3736
|
- .github/ISSUE_TEMPLATE/bug_report.md: get rid of Spanish,
French, ... error messages
- etc/inc/firefox-common-addons.inc: support ff2mpv
- etc/profile-a-l/gimp.profile: note about xsane
- etc/profile-m-z/min.profile: prettify
- etc/profile-m-z/mpsyt.profile: fix, add lua
- etc/profile-m-z/qbittorrent.profile: add note for tray-icons; this
will get a better note once I investigated and audited all the D-Bus
tray stuff.
- etc/profile-m-z/transmission-daemon.profile: fix, add protocol packet
close #3686 - mps-youtube needs lua
close #3701 - Firefox native messaging regression in 0.9.62.4 -> 0.9.64rc1
close #3636 - transmission-daemon fills log with error
close #3640 - Gimp - add note how to enable scanning (xsane)
close #3707 - qBittorrent tray icon missing from notification panel when running it with firejail
|
As per https://github.com/netblue30/firejail/pull/3688#discussion_r511290714 min needs wusc. Runs fine with wruc too so let's fix min for users.
|
* rework chromium
+ 516d0811 has removed fundamental security features.
(remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep)
Though this is only necessary if running under a kernel which disallows
unprivileged userns clones. Arch's linux-hardened and debian kernel are
patched accordingly. Arch's linux and linux-lts kernels support this
restriction via sysctl (kernel.unprivileged_userns_clone=0) as users opt-in.
Other kernels such as mainline or fedora/redhat always support unprivileged
userns clone and have no sysctl parameter to disable it. Debian and Arch
users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
This commit adds a chromium-common-hardened.inc which can be included in
chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the following
profiles until tested. tests welcome.
- [ ] bnox, dnox, enox, inox, snox
- [ ] brave
- [ ] flashpeak-slimjet
- [ ] google-chrome, google-chrome-beta, google-chrome-unstable
- [ ] iridium
- [ ] min
- [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
/usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be
vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile
missed also some features from vivaldi.profile, solve this by making it
redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi
also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind
BROWSER_ALLOW_DRM.'. This breaks not just DRM, it breaks things such
as AAC too. In addition vivaldi shows a something is broken pop-up,
we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
|
linphone 4.0 changed the location of config and database files
to respect freedesktop standards.
|
- update README.md and RELNOTES
- add 'blacklist ${RUNUSER}/.flatpak-cache' to disable-common.inc
- fix #3728, fonts in openSUSE KDE with wc / wusc
- fix gnome-todo
- fix xournalpp MathTeX whitelist
|
Closes #3723
Introduced in 388826683c3b90926e73c83ddb91d5c84a7fa1fa
|
This fixes #3722.
|
* Update firecfg.config
* Update disable-programs.inc
* Create spectacle.profile
|