| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
| |
* use the new dbus format in chromium-common.profile
* use new dbus format in firejail.config
Now that #3326 landed I think it might be less confusing to keep using the --nodbus wording. Couldn't come up with a better alternative (yet), so this might need future improvements.
* block dbus system bus
Blocking the system bus shouldn't affect password functionality etc, as that uses the session bus.
|
|
|
|
|
|
| |
- create vim directorys (#3396)
- fix #3400 (Eye of GNOME won't open)
- fix feedreader, it is broken without org.freedesktop.secrets access
|
| |
|
|
|
|
|
|
|
| |
* dbus filter (1)
* dbus-filter: firefox
* drop org.gtk.vfs and com.canonical.AppMenu.Registrar
|
| |
|
|
|
| |
Preliminary fixes tested/confirmed on Arch regarding #3389 (in-progress).
|
|
|
| |
Fix for #3385.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* refactor caja.profile
* refactor dolphin.profile
* Create file-manager-common.profile
* refactor nautilus.profile
* refactor nemo.profile
* refactor pcmanfm.profile
* refactor ranger.profile
* refactor Thunar.profile
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Profile for Jitsi Meet desktop app (electron)
* Update description.
* Correctly include global definitions.
* Add jitsi-meet-desktop to firecfg.
* blacklist Jitsi-meet config directory in disable-programs.inc
* Disable more things.
disable-exec.inc not included, as the application shows some error if I
include it.
* Disable more stuff.
* No need to whitelist Downloads directory.
I don't think this application has any file sharing / downloading
feature.
* Use private-bin
I needed to allow the bash executable as well for this to work.
* Add some whitelist rules.
* Use private-cache option
* include disable-exec.inc
Apparently one needs to allow execution in /tmp for the program to work.
* Redirect to electron.profile.
* Use private-etc.
* Do not whitelist Downloads directory.
electron.profile does this, but I do not think this program needs it.
* Rearrange whitelisted files to alphabetical order.
* Move nonwhitelist to appropriate section.
* Newlines as section separators.
|
|
|
| |
Fixes #3363.
|
|\
| |
| | |
Add new profile: nicotine
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
https://github.com/netblue30/firejail/commit/ca6eec7dcf388c3d0bf52f54c56f7c957b8b777b
As per discussion in #3333, thanks to @rusty-snake for coming up with an alternative.
|
| |
| |
| |
| | |
…g.config (#3333).
|
|/
|
|
|
|
| |
- Makefile.in: loops are slow
- Makefile.in: firecfg.config wasn't installed
- allow-gjs.inc: gjs uses libmozjs, forgotten to commit
|
|
|
| |
This fixes #3333.
|
|
|
|
|
|
|
|
|
|
|
| |
- disable-interpreters: blacklist /usr/lib64/libmozjs-*
- fdns:
- fix .local name
- remove server.profile comment (do we need /sbin and /usr/sbin?)
- add wusc and wvc (commented because untested)
- minimize caps.keep (based on fdns.service)
- fix protocol position
- add private-etc (based on fdns.service)
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Otherwise, fails with error
CreateDirectories: failed to mkdir /usr/share/games (mode 448)
file_system.cpp(158): Function call failed: return value was -110300 (Insufficient access rights to open file)
Function call failed: return value was -110300 (Insufficient access rights to open file)
Location: file_system.cpp:158 (CreateDirectories)
Observed on Debian 10, 0ad 0.0.23
|
| |
|
| |
|
| |
|
|
|
|
| |
caps are already handled by caps.keep ... in this profile
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See
- 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
- https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
Except for ocenaudio, access/restrictions on dbus options should
be unchanged
Ocenaudio profile: dbus filters were sandboxed (initially `nodbus`
was enabled) since comments indicated blocking dbus meant
preferences were broken
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
|
| |
|
|
|
| |
fix #3321
|
| |
|
| |
|
| |
|
|
|
|
| |
nc is a symlink to ncat on some distros
|
|
|
|
| |
see https://github.com/netblue30/firejail/pull/3292#issuecomment-603467884
|
|
|
|
| |
Syslog is spammed with the following message otherwise:
Could not create AF_NETLINK socket
|
|
|
|
|
|
|
| |
- fix description
- add gnome-klotski, five-or-more, swell-foop
[skip ci]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- blobwars
- gravity-beams-and-evaporating-stars
- hyperrogue
- jumpnbump-menu (alias)
- jumpnbump
- magicor
- mindless
- mirrormagic
- mrrescue
- scorched3d-wrapper (alias)
- scorchwentbonkers
- seahorse-adventures
- wordwarvi
- xbill
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I'd like to tighten this up more esp. for seccomp
- caps.keep sys_chroot needed or fails with
Cannot chroot into /proc/ directory: Operation not permitted
1. caps.drop all replaced with caps.keep
- caps.keep sys_admin needed or fails with
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
2. nonewprivs dropped to avoid failure:
The setuid sandbox is not running as root. Common causes:
* An unprivileged process using ptrace on it, like a debugger.
* A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
3. noroot dropped to avoid failure:
[22:0404/121643.400578:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/slack/chrome-sandbox is owned by root and has mode 4755.
4. Removed protocol filter
to avoid:
The setuid sandbox is not running as root. Common causes:
* An unprivileged process using ptrace on it, like a debugger.
* A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
5. Unable to get a working seccomp filter
See
https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
seccomp !chroot seems to have worked for earlier versions of slack
6. private-tmp means no tray icon
Observed on Debian 10, Slack 4.4.0
|
| |
|
|
|
| |
Access to ${HOME}/.cache/mozilla actually not necessary to let Firefox open links
|
| |
|