| Commit message (Collapse) | Author | Age |
| |
|
| |
|
|
|
|
|
|
|
| |
transmission-{gtk,qt} (#5175)
* add comment for enabling desktop notifications
* add comment for enabling desktop notifications
|
|
|
|
|
|
|
|
|
|
|
| |
Since /etc/profile is present, add the other shell-related paths in /etc
that are listed on ids.config.
Suggestion by @rusty-snake[1].
Relates to #5167 #5170.
[1] https://github.com/netblue30/firejail/pull/5167#pullrequestreview-989621852
|
| |
|
|\
| |
| | |
ids.config: add missing global shell paths
|
| |
| |
| |
| |
| |
| | |
Add missing paths for bash, ksh and zsh.
Environment: Artix Linux
|
| |
| |
| |
| | |
Since /etc/profile.d is already being blacklisted.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To disable-shell.inc.
Interactive shells can be executed from certain development-related
programs (such as IDEs) and the shells themselves are not blocked by
default, but this shell startup directory currently is. To avoid
running a shell without access to potentially needed startup files, only
blacklist /etc/profile.d when interactive shells are also blocked.
Note that /etc/profile.d should only be of concern to interactive
shells, so a profile that includes both disable-shell.inc and
allow-bin-sh.inc (which likely means that it needs access to only
non-interactive shells) should not be affected by the blacklisting.
Relates to #3411 #5159.
|
|/
|
|
|
|
|
| |
This amends commit b6b3f3b38 ("kate.profile: allow common development
file access", 2022-05-28) / PR #5159.
See etc/templates/profile.template.
|
|\
| |
| | |
seamonkey.profile: support enigmail/gpg
|
| |
| |
| |
| | |
Changes inspired by Thunderbird profile.
|
|\ \
| | |
| | | |
Kate fixes
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When starting kate and loading into a session containing a git repository, tracelog caused about 30 seconds of delay until the project structure appeared in the projects sidebar. Error message on console:
QProcess: Destroyed while process ("/usr/bin/git") is still running.
Drop tracelog to mitigate the delay and error message.
|
| | |
| | |
| | |
| | |
| | |
| | | |
When starting Kate, a blacklist violation from accessing the kwinrc config file is reported. As a KDE application, it should be fine for Kate to access it.
blacklist violation - sandbox 13410, name kate, exe kate, syscall access, path /home/user/.config/kwinrc
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
A side effect of including disable-common.inc is loosing access to /etc/profile.d, where Bash completion is located.
Explicitly enable access to console scripts in /etc/profile.d, so that Kate's built-in Konsole instance can be used without limitations.
Minor side effect: the spawned Bash tries to access /etc/init.d
blacklist violation - sandbox 17317, name kate, exe bash, syscall stat, path /etc/init.d
|
| |/
| |
| |
| |
| |
| | |
Kate has grown support for software development, making it a light IDE. Some version control modules exist, and when using the Git module, a blacklist violation is reported:
blacklist violation - sandbox 13902, name kate, exe git, syscall access, path /home/user/.gitconfig
Including support for common development file access mitigates this violation issue.
|
|/ |
|
| |
|
|\
| |
| | |
nvim: add XDG_STATE_HOME path
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Default paths as of neovim 0.7.0:
* backupdir: $XDG_DATA_HOME/nvim/backup//
* directory: $XDG_DATA_HOME/nvim/swap//
* undodir: $XDG_DATA_HOME/nvim/undo//
* viewdir: $XDG_DATA_HOME/nvim/view//
* shada file: $XDG_DATA_HOME/nvim/shada/main.shada
* log dir: $XDG_CACHE_HOME/nvim/log
Default paths as of [1]:
* backupdir: $XDG_STATE_HOME/nvim/backup//
* directory: $XDG_STATE_HOME/nvim/swap//
* undodir: $XDG_STATE_HOME/nvim/undo//
* viewdir: $XDG_STATE_HOME/nvim/view//
* shada file: $XDG_STATE_HOME/nvim/shada/main.shada
* log dir: $XDG_STATE_HOME/nvim/log
[1] https://github.com/neovim/neovim/pull/15583
|
| |
| |
| |
| |
| |
| |
| | |
It's already blacklisted on disable-common.inc.
Added on commit ec966d4c0 ("fix: neovim profile", 2022-01-10) /
PR #4841.
|
| |
| |
| |
| |
| | |
* update for wget2
* allow ${HOME}/.local/share/wget
|
|/
|
|
|
|
|
| |
Fails to start without this, eg:
FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/onionshare/images/favicon.ico'
Signed-off-by: Tad <tad@spotco.us>
|
|
|
|
|
|
| |
After a3f00edb32aca7516d690db046dd1ed3eb186bdd
Signed-off-by: Tad <tad@spotco.us>
|
|
|
|
|
|
|
|
|
|
|
| |
Without whitelist-usr-share-common, /usr/share becomes empty.
Adding whitelist-runuser-common didn't break google chrome.
Whitelisting /usr/share/mozilla/extensions and
/usr/share/webext shouldn't break google chrome, either.
I tested google-chrome.profile only, but
I think later versions should not be different.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
| |
Add electron-flags.conf for all versions of electron
|
|\
| |
| | |
Allow resolution of .local names with avahi-daemon in the apparmor profile.
|
| |
| |
| | |
Allow access to avahi-daemon socket in the apparmor profile.
|
| |
| |
| |
| | |
closes #4965
|
| | |
|
| | |
|
|\ \
| | |
| | | |
harden vlc
|
| |/
| |
| |
| |
| | |
apparmor doesn't disable D-Bus anymore, so add it back
remove memory-deny-write-execute comment, as this also breaks JIT compiled QtQuick nowadays
|
| |
| |
| |
| |
| |
| |
| | |
following up ce6f792efd0af09b95050864b71f79c46359fa49
/var/lib/libvirt is blacklisted in disable-common.inc
so merely whitelisting the directory is not enough
|
| |
| |
| |
| |
| | |
private option implies private-cache,
so it is safe to remove
|
| | |
|
| | |
|
| |
| |
| | |
https://store.steampowered.com/app/219150/Hotline_Miami/
|
|/ |
|
| |
|
|\
| |
| | |
disable-common.inc: make ~/.config/pkcs11 read-only
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It looks like it allows arbitrary command execution. From
pkcs11.conf(5):
> remote:
> Instead of loading the PKCS#11 module locally, run the module
> remotely.
>
> Specify a command to run, prefixed with | a pipe. The command
> must speak the p11-kit remoting protocol on its standard in
> and standard out. For example:
>
> remote: |ssh user@remote p11-kit remote /path/to/module.so
>
> Other forms of remoting will appear in later p11-kit releases.
Environment: p11-kit 0.24.1-1 on Artix Linux.
Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").
With this commit applied, all read-only entries on whitelist-commons.inc
are also part of disable-common.inc.
See also the discussion on #5069.
|
|\ \
| |/
|/| |
appimage: blacklist and make ~/Applications dir read-only
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It is used for storing AppImages.
Note that even when blacklisting a directory, it is possible to execute
an AppImage from it. For example, the following works:
firejail --noprofile --blacklist='${HOME}/Applications' --appimage \
~/Applications/foo.AppImage
While the resulting process does not appear to have access to the
blacklisted directory.
|