Signed-off-by: Atrate <Atrate@protonmail.com>
Update wire-desktop.profile
Co-Authored-By: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
rules for xdg-dbus-proxy:
```
dbus-user filter
dbus-user.own org.gnome.Pomodoro
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.Shell
dbus-system none

dbus-user filter
dbus-user.own org.gnome.Todo
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
dbus-user.talk org.gnome.evolution.dataserver.Calendar8
dbus-user.talk org.gnome.evolution.dataserver.Sources5
dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
dbus-user.talk org.gnome.OnlineAccounts
dbus-user.talk org.gnome.SettingsDaemon.Color
dbus-system filter
dbus-system.talk org.freedesktop.login1

dbus-user filter
dbus.own com.github.dahenson.agenda
dbus.talk ca.desrt.dconf
dbus-system block
```
remove netfilter from profiles with net none
allow Viber to use dig, dig is in its private-bin, so I assume that it
needs it.
blacklist resolvectl which can also be used for dns lookups
patch for xdg-dbus-proxy
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -45,3 +45,8 @@ private-bin gnome-screenshot
private-dev
private-etc dconf,fonts,gtk-3.0,localtime,machine-id
private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system block
```
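Review bot: the filter added at the end of this hunk has no `dbus-user.talk ca.desrt.dconf` rule, although the context line `private-etc dconf,fonts,gtk-3.0,localtime,machine-id` shows the profile keeps dconf configuration and the other rule sets in this log allow that name. If gnome-screenshot reads or stores its settings through dconf, add the talk rule; if the omission is deliberate, a one-line comment above `dbus-user filter` saying so would help. Separately, `dbus-system block` here and `dbus-system none` earlier in this log look like two spellings of the same policy; use whichever keyword the parser accepts, consistently.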
patch for whitelist-runuser-common.inc
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
include whitelist-var-common.inc
apparmor
```
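Review bot: `whitelist-runuser-common.inc` is not shown alongside this hunk, so the replacement of the four removed `whitelist ${RUNUSER}/...` lines cannot be checked from here; confirm the include still covers `${RUNUSER}/gdm/Xauthority` and `${RUNUSER}/wayland-0` as well as `bus` and `pulse`, or keep the profile-specific lines it does not cover. The new `include whitelist-runuser-common.inc` is also placed after `include whitelist-usr-share-common.inc`, while the removed lines sat before it; if the whitelist includes are meant to stay in alphabetical order, move it up one line.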
* fix private-lib, closes #3233
* make private-etc and private-lib opt-in
see https://github.com/netblue30/firejail/issues/3233#issuecomment-589871765
disable-devel.inc: remove duplicated line
$PATH and $XDG_DATA_DIRS can contain subdirs of flatpak/exports,
some applications crash if they can't access these files.
Layout on my system:
~/.local/share/flatpak/exports
|-bin
|-share
|-applications
|-icons
file-roller fails to extract archives without access to bash
Noticed on LMDE 4 (Debian 10 base) with Cinnamon desktop
* discord 0.10 | fix #3247
* revert private-bin move & use disable-exec
* fix slack, see https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
The zoom SSO workflow launches an embedded sandboxed browser
(QtWebEngineProcess) which requires chroot and netlink to work.
Fixes #3272
See also: https://bugs.debian.org/948656
Place `include allow-lua.inc` above the other includes
Replace `noblacklist /usr/lib/liblua*` by including `allow-lua.inc`
See issue #3250
Fixes #3221.
See discussion in https://github.com/netblue30/firejail/commit/56b60dfd0ec5227318f21409093eca965baf136a.
Thanks to @rusty-snake in https://github.com/netblue30/firejail/commit/56b60dfd0ec5227318f21409093eca965baf136a#r37460831.
* more lua blacklisting in disable-interpreters.inc
* add some paths to allow-lua.inc
* Revert blacklisting /usr/include/lauxlib.h in disable-interpreters.inc
/usr/include/lauxlib.h is handled in disable-devel.inc. Thanks to @rusty-snake for pointing that out.
* allow lua in mpv.profile
* fix allow-lua.inc for mpv
* extra lua blacklisting for mpv
- spelling suggestion from @glitsj16 on fda62527
- drop python2 from openshot it never has a python2 version
- #3126 note in manpage: cannot combine --private with --private=
|
* Add profile for official Linux Teams application
* fix: add mkdir suggestions in Teams profile
* Merge suggestions for Teams profile
* Add suggestion to Teams profile
* Add Teams to firecfg.config
* Add paths from Teams profile to disable-programs
* Remove the duplicated whitelist for downloads in Teams profile
Co-Authored-By: rusty-snake <print_hello_world+GitHub@protonmail.com>
* Cleanup teams profile after testing
* Add comment to Teams profile
Co-authored-by: rusty-snake <print_hello_world+GitHub@protonmail.com>