Commit message | Author | Age | |
---|---|---|---|
* | more apparmor deployment | Vincent43 | 2018-03-17 |
| | |||
* | apparmor deployment | netblue30 | 2018-03-16 |
| | |||
* | Add a LibreOffice profile alias for Base | Tad | 2018-03-15 |
| | |||
* | removing private-lib from evince, issue #1711 | netblue30 | 2018-03-14 |
| | |||
* | fix private-etc in spotify profile - #1768 | smitsohu | 2018-03-13 |
| | |||
* | fix qupzilla, falkon (seccomp, tracelog, private-tmp) - #1794, #1736 | smitsohu | 2018-03-13 |
| | |||
* | fix unbound (ip-transparent option) - #1731 | smitsohu | 2018-03-13 |
| | |||
* | harden kwrite | smitsohu | 2018-03-13 |
| | |||
* | noblacklist /etc/profile.d cleanup | netblue30 | 2018-03-13 |
| | |||
* | fix PROMPT_COMMAND for bash - this was the problem on CentOS that we needed to unblacklist /etc/profile.d; I'll do some cleanup in the next commit | netblue30 | 2018-03-13 |
| | |||
* | (Temporarily?) fix private-lib for evince. See #1711 | Fred-Barclay | 2018-03-12 |
| | |||
* | Even more fixes for /etc/profile | Fred-Barclay | 2018-03-12 |
| | |||
* | More fixes for /etc/profile and mdwe | Tad | 2018-03-12 |
| | | | | | - Adds noblacklist /etc/profile.d to many profiles like 2e17082ba4b3399bf5d68bb75587934ea028cc5c and 970f739e2be202a39ab82f589d5773267b903de6 - Disables mdwe to work around #1803 like 970f739e2be202a39ab82f589d5773267b903de6 | ||
* | Merge branch 'master' of http://github.com/netblue30/firejail | netblue30 | 2018-03-12 |
|\ | |||
| * | Add a profile for gnome-builder | Tad | 2018-03-12 |
| | | |||
| * | Remove mdwe from viewnior - fix #1808 | Fred-Barclay | 2018-03-12 |
| | | |||
* | | bringing back private-lib in evince, and some fixes for Arch Linux | netblue30 | 2018-03-12 |
|/ | |||
* | fix bash on CentOS 7 | startx2017 | 2018-03-12 |
| | |||
* | fix speller support in gedit profile | startx2017 | 2018-03-12 |
| | |||
* | Add a steam profile alias for steam-native | Tad | 2018-03-10 |
| | |||
* | Disable memory-deny-write-execute in evince profile | Vincent43 | 2018-03-07 |
| | | | It started breaking application in Archlinux, see https://github.com/netblue30/firejail/issues/1803 | ||
* | Add falkon profile - see #1794 | Fred-Barclay | 2018-03-05 |
| | |||
* | Fix #1797 - Brave doesn't open with noexec /tmp | Fred-Barclay | 2018-03-05 |
| | |||
* | fix kioexec/krun for KDE authentication | netblue30 | 2018-03-05 |
| | |||
* | Merge branch 'master' of https://github.com/netblue30/firejail | smitsohu | 2018-03-05 |
|\ | |||
| * | Add VS Code profile - see request in #1139 | Fred-Barclay | 2018-03-03 |
| | | |||
| * | Add netlink to protocol list and drop chroot from seccomp filter - should fix #1792. | Fred-Barclay | 2018-03-02 |
| | | | | Brackets no longer opens without netlink in the protocol list, or with chroot blacklisted by the seccomp filter (which this commit changes from 'seccomp' to 'seccomp.keep'). | ||
* | | blacklist smartgit password file - #1796 | smitsohu | 2018-03-05 |
|/ | |||
* | let konsole access its settings - #1789 | smitsohu | 2018-03-02 |
| | |||
* | cleanup: remove empty private-bin and private-etc lines | smitsohu | 2018-03-01 |
| | |||
* | add join-or-start to dolphin, okular and kwrite | smitsohu | 2018-03-01 |
| | | | | fixes registration of d-bus services, closes #1391 | ||
* | Fixup private-bin in start-tor-browser.profile after 63d455fbe6cfde2f97137f51b779d44f22cb4675 | Tad | 2018-02-27 |
| | |||
* | Sync start-tor-browser with torbrowser-launcher profile | Tad | 2018-02-27 |
| | | | | | | start-tor-browser.profile should stay separate from torbrowser-launcher for the case when downloaded manually. The other tor-browser-* are okay to extend torbrowser-launcher because their paths are known. | ||
* | Add ld.so.cache to torbrowser-launcher.profile | Tad | 2018-02-26 |
| | |||
* | Add ld.so.cache to firefox-common.profile, fixes #1767 | smitsohu | 2018-02-26 |
| | |||
* | drop cap_mac_admin in apparmor profile | smitsohu | 2018-02-27 |
| | |||
* | Merge pull request #1787 from joelazar/master | Fred Barclay | 2018-02-26 |
|\ | | | | | .Xauthority moved from blacklist to read-only | ||
| * | .Xauthority moved from blacklist to read-only | joelazar | 2018-02-26 |
| | | |||
* | | Add join-or-start to kate (should fix #1784) | Fred-Barclay | 2018-02-24 |
| | | |||
* | | man page, README.md, RELNOTES | netblue30 | 2018-02-21 |
|/ | |||
* | Minor bitcoin-qt nitpicks and update README | Tad | 2018-02-20 |
| | |||
* | Revert "Also whitelist .bitcoin-testnet just in case" | Witold Baryluk | 2018-02-20 |
| | | | | | | | | This reverts commit 254d2a9d9b6e752c0e3188fa90e4c5856eae5979. Testnet blockchain is in ~/.bitcoin/testnet3/, no need for anything else. And config is in ./.config/Bitcoin/Bitcoin-Qt-testnet.conf | ||
* | Also whitelist .bitcoin-testnet just in case | Witold Baryluk | 2018-02-20 |
| | |||
* | Remove unnecessary blacklist for bitcoin-qt config. Comment about private-lib | Witold Baryluk | 2018-02-20 |
| | |||
* | Add a profile for Bitcoin Core QT client / wallet | Witold Baryluk | 2018-02-20 |
| | |||
* | Add a profile for Vivaldi Snapshot | Witold Baryluk | 2018-02-20 |
| | |||
* | Apparmor: Allow log Firejail blacklist violations | Vincent43 | 2018-02-19 |
| | |||
* | Log denied write access for easier debugging | Vincent43 | 2018-02-19 |
| | | | After more testing we can disable logging again. | ||
* | Apparmor: blacklist /proc and /sys access from firejail | Vincent43 | 2018-02-19 |
| | | | | | Firejail blacklists sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530 There is no need to duplicate this in apparmor using a whitelisting approach, which is much harder to do and needs never-ending maintenance. | ||
* | Apparmor: don't duplicate userspace /run/user restrictions | Vincent43 | 2018-02-19 |
| | | | | | | | Currently userspace firejail takes a blacklist approach to the /run/user/ directory. By default it blacklists /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles, like blacklisting /run/user/**/bus, etc. The blacklist can be extended or degraded by a profile, which allows for fine-grained hardening. In apparmor we take a whitelist approach instead. It means we have to explicitly enable access to every file to which firejail already allows access. This duplicates functionality and the amount of work to do. Moreover, we end up with the same list of allowed files, as every one of them is used by some app and the apparmor profile is global. It's even worse as the firejail blacklist can be disabled with the "writable-run-user" command, which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor. The solution for all of the above is to leave handling of /run/user to userspace firejail, which is a better tool to do this. In apparmor we should only handle things which firejail can't do. |