| Commit message (Collapse) | Author | Age |
|
|
| |
Added ${HOME}/.alsaequal.bin to fix #3736
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- .github/ISSUE_TEMPLATE/bug_report.md: get ride off spanish,
french, ... error messages
- etc/inc/firefox-common-addons.inc: support ff2mpv
- etc/profile-a-l/gimp.profile: note about xsane
- etc/profile-m-z/min.profile: prettify
- etc/profile-m-z/mpsyt.profile: fix, add lua
- etc/profile-m-z/qbittorrent.profile: add note for tray-icons; this
will get a better note once I investigated and audited all the D-Bus
tray stuff.
- etc/profile-m-z/transmission-daemon.profile: fix, add protocol packet
close #3686 - mps-youtube needs lua
close #3701 - Firefox native messaging regression in 0.9.62.4 -> 0.9.64rc1
close #3636 - transmission-daemon fills log with error
close #3640 - Gimp - add note how to enable scanning (xsane)
close #3707 - qBittorrent tray icon missing from notification panel when running it with firejail
|
| |
|
|
|
| |
As per https://github.com/netblue30/firejail/pull/3688#discussion_r511290714 min needs wusc. Runs fine with wruc too so let's fix min for users.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* rework chromium
+ 516d0811 has removed fundamental security features.
(remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
Though this is only necessary if running under a kernel which
disallow
unprivileged userns clones. Arch's linux-hardened and debian kernel
are
patched accordingly. Arch's linux and linux-lts kernels support this
restriction via sysctk (kernel.unprivileged_userns_clone=0) as users
opt-in.
Other kernels such as mainline or fedora/redhat always support
unprivileged
userns clone and have no sysctl parameter to disable it. Debian and
Arch
users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
This commit adds a chromium-common-hardened.inc which can be included
in
chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the
following
profiles until tested. tests welcome.
- [ ] bnox, dnox, enox, inox, snox
- [ ] brave
- [ ] flashpeak-slimjet
- [ ] google-chrome, google-chrome-beta, google-chrome-unstable
- [ ] iridium
- [ ] min
- [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
/usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
missed also some features from vivaldi.profile, solve this by making
it
redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind
BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
as AAC too. In addition vivaldi shows a something is broken pop-up,
we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
|
|
|
|
| |
linphone 4.0 changed the location of config and database files
to respect freedesktop standards.
|
| |
|
|
|
|
|
|
|
|
| |
- update README.md and RELNOTES
- add 'blacklist ${RUNUSER}/.flatpak-cache' to disable-common.inc
- fix #3728, fonts in openSUSE KDE with wc / wusc
- fix gnome-todo
- fix xournalpp MathTeX whitelist
|
|
|
|
|
| |
Closes #3723
Introduced in 388826683c3b90926e73c83ddb91d5c84a7fa1fa
|
|
|
| |
This fixes #3722.
|
|
|
|
|
|
|
| |
* Update firecfg.config
* Update disable-programs.inc
* Create spectacle.profile
|
| |
|
|
|
| |
This fixes #3711.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
* Update okular.profile
okular has support for reading cbr (rar-compressed comic book). without unrar or unar in private-bin, okular fails to decompress the files for viewing.
* Sorted private-bin
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* remove read-only item redundancy
'read-only ${HOME}/.config/mimeapps.list' is already part of disable-common.inc
* remove read-only item redundancy
'read-only ${HOME}/.config/mimeapps.list' is already part of disable-common.inc, which is included in the redirect profile
* remove read-only item redundancy
'read-only ${HOME}/.config/mimeapps.list' is already part of disable-common.inc, which is included in the redirect profile
|
|
|
| |
The user mime database needs to be writable.
|
|
|
|
|
|
|
| |
and update allow-xxx.inc
Fedora uses /usr/lib64 for arch specifiy files and /usr/lib for arch
independent files. php, py2, ruby may have also paths there.
|
|\
| |
| | |
fix #3699 -- Firefox can't inhibit screensavers/screen blanking
|
| | |
|
| | |
|
|/
|
| |
liblua is needed for celluloid & otherwise at least on arch it's showing this error - "celluloid: error while loading shared libraries: liblua5.2.so.5.2: cannot open shared object file: Permission denied"
|
| |
|
|\
| |
| | |
Switch mails to whitelisting
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
…recorder to firecfg.config
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
closes #3643
|
|\ \
| | |
| | | |
Update wire-desktop.profile (again)
|
| | | |
|
| | |
| | |
| | | |
On arch,wire-desktop is now depending on electron9. Using wildcard for this sorta packages would be better.
|
|/ / |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
AppArmor introduces the @{run} variable, which is used in
<abstractions/dbus-strict> and <abstractions/dbus-session-strict> among
other places. Thus, we follow suit of the built-in profiles and #include
<tunables/global>, which includes <tunables/run> in AppArmor 3.0,
defining the variable.
As <tunables/global> exists in previous versions of AppArmor, too, this
patch does not introduce a backward-compatibility issue with Apparmor
2.x.
|
| |
| |
| | |
With private-etc enabled vmware-tools doesn't get installed. Existing VM with an installed vmware-tools works as usual. For the time being keep it commented.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
- blacklist ~/.rustup in disable-devel.inc
- add note to mpv (See #3628)
- harden warsow
- update relnotes
- new profile qrencode, dbus-send, notify-send
|
| | |
|