| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
| |
* fix(audacity): !5281 sharedlib bug on Arch/Fedora
removed `private-bin` line from audacity profile as it appears to block
access to shared libraries needed to start audacity on some
distributions.
Relates to github issue #5281
* fix(audacity): Disabling apparmor and reenabling private-bin
|
|\
| |
| | |
makepkg: add description
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add gdu to 'new profiles' section
* Create gdu.profile
* add gdu to firecfg
* harden gdu sandbox
* fix protocol
* simulate empty protocol in gdu
* more user-friendly gdu sandboxing
|
|\
| |
| | |
introduce new option restrict-namespaces
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
This directory contains the MAC address for connections available
Tested working with torbrowser-launcher and onionshare
Signed-off-by: Tad <tad@spotco.us>
|
|/ |
|
|
|
|
|
|
|
|
|
| |
* remmina.profile: allow python
* Update etc/profile-m-z/remmina.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
now covers syscalls up to including process_madvise (440)
group assignment was blindly copied from systemd:
https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305
the only exception is close_range, which was added to both @basic-io and @file-system
this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
|
|
|
|
|
|
|
|
| |
As a reminder to create a profile for winetricks instead of allowing
access to its paths to programs used by winetricks (see #5238).
Added on commit 0ec1c66b5 ("aria2c.profile: allow access to
~/.cache/winetricks") / PR #5238.
|
|
|
|
| |
Otherwise winetricks fails to download packages.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
* drop private-lib
* drop private-lib
* drop private-lib
|
|
|
|
|
|
|
| |
Logging is now default disabled in c7e4c8ed592fee7f1644152a23c3e1343b01b922
See https://github.com/netblue30/firejail/issues/5207
This reverts commit c0d314f945b405f1e90a1a43719059cd22f55de7.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Command: sed -i "/^shell none/d" etc/*/*
TODO:
```
etc/profile-a-l/beaker.profile:ignore shell none
etc/profile-a-l/default.profile:# shell none
etc/profile-a-l/fdns.profile:#shell none
etc/profile-a-l/gnome-nettool.profile:#shell none
etc/profile-a-l/jitsi-meet-desktop.profile:ignore shell none
etc/profile-m-z/pidgin.profile:# shell none
etc/profile-m-z/rocketchat.profile:ignore shell none
etc/profile-m-z/server.profile:# shell none
etc/templates/profile.template:# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
etc/templates/profile.template:#shell none
```
- manpage
- RELNOTES
- fbuilder
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
transmission-{gtk,qt} (#5175)
* add comment for enabling desktop notifications
* add comment for enabling desktop notifications
|
|
|
|
|
|
|
|
|
|
|
| |
Since /etc/profile is present, add the other shell-related paths in /etc
that are listed on ids.config.
Suggestion by @rusty-snake[1].
Relates to #5167 #5170.
[1] https://github.com/netblue30/firejail/pull/5167#pullrequestreview-989621852
|
| |
|
|\
| |
| | |
ids.config: add missing global shell paths
|
| |
| |
| |
| |
| |
| | |
Add missing paths for bash, ksh and zsh.
Environment: Artix Linux
|
| |
| |
| |
| | |
Since /etc/profile.d is already being blacklisted.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To disable-shell.inc.
Interactive shells can be executed from certain development-related
programs (such as IDEs) and the shells themselves are not blocked by
default, but this shell startup directory currently is. To avoid
running a shell without access to potentially needed startup files, only
blacklist /etc/profile.d when interactive shells are also blocked.
Note that /etc/profile.d should only be of concern to interactive
shells, so a profile that includes both disable-shell.inc and
allow-bin-sh.inc (which likely means that it needs access to only
non-interactive shells) should not be affected by the blacklisting.
Relates to #3411 #5159.
|
|/
|
|
|
|
|
| |
This amends commit b6b3f3b38 ("kate.profile: allow common development
file access", 2022-05-28) / PR #5159.
See etc/templates/profile.template.
|
|\
| |
| | |
seamonkey.profile: support enigmail/gpg
|
| |
| |
| |
| | |
Changes inspired by Thunderbird profile.
|
|\ \
| | |
| | | |
Kate fixes
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When starting kate and loading into a session containing a git repository, tracelog caused about 30 seconds of delay until the project structure appeared in the projects sidebar. Error message on console:
QProcess: Destroyed while process ("/usr/bin/git") is still running.
Drop tracelog to mitigate the delay and error message.
|
| | |
| | |
| | |
| | |
| | |
| | | |
When starting Kate, a blacklist violation from accessing the kwinrc config file is reported. As a KDE application, it should be fine for Kate to access it.
blacklist violation - sandbox 13410, name kate, exe kate, syscall access, path /home/user/.config/kwinrc
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
A side effect of including disable-common.inc is loosing access to /etc/profile.d, where Bash completion is located.
Explicitly enable access to console scripts in /etc/profile.d, so that Kate's built-in Konsole instance can be used without limitations.
Minor side effect: the spawned Bash tries to access /etc/init.d
blacklist violation - sandbox 17317, name kate, exe bash, syscall stat, path /etc/init.d
|
| |/
| |
| |
| |
| |
| | |
Kate has grown support for software development, making it a light IDE. Some version control modules exist, and when using the Git module, a blacklist violation is reported:
blacklist violation - sandbox 13902, name kate, exe git, syscall access, path /home/user/.gitconfig
Including support for common development file access mitigates this violation issue.
|
|/ |
|
| |
|
|\
| |
| | |
nvim: add XDG_STATE_HOME path
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Default paths as of neovim 0.7.0:
* backupdir: $XDG_DATA_HOME/nvim/backup//
* directory: $XDG_DATA_HOME/nvim/swap//
* undodir: $XDG_DATA_HOME/nvim/undo//
* viewdir: $XDG_DATA_HOME/nvim/view//
* shada file: $XDG_DATA_HOME/nvim/shada/main.shada
* log dir: $XDG_CACHE_HOME/nvim/log
Default paths as of [1]:
* backupdir: $XDG_STATE_HOME/nvim/backup//
* directory: $XDG_STATE_HOME/nvim/swap//
* undodir: $XDG_STATE_HOME/nvim/undo//
* viewdir: $XDG_STATE_HOME/nvim/view//
* shada file: $XDG_STATE_HOME/nvim/shada/main.shada
* log dir: $XDG_STATE_HOME/nvim/log
[1] https://github.com/neovim/neovim/pull/15583
|
| |
| |
| |
| |
| |
| |
| | |
It's already blacklisted on disable-common.inc.
Added on commit ec966d4c0 ("fix: neovim profile", 2022-01-10) /
PR #4841.
|
| |
| |
| |
| |
| | |
* update for wget2
* allow ${HOME}/.local/share/wget
|
|/
|
|
|
|
|
| |
Fails to start without this, eg:
FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/onionshare/images/favicon.ico'
Signed-off-by: Tad <tad@spotco.us>
|
|
|
|
|
|
| |
After a3f00edb32aca7516d690db046dd1ed3eb186bdd
Signed-off-by: Tad <tad@spotco.us>
|
|
|
|
|
|
|
|
|
|
|
| |
Without whitelist-usr-share-common, /usr/share becomes empty.
Adding whitelist-runuser-common didn't break google chrome.
Whitelisting /usr/share/mozilla/extensions and
/usr/share/webext shouldn't break google chrome, either.
I tested google-chrome.profile only, but
I think later versions should not be different.
|
| |
|