| Commit message | Author | Age |
|
* dbus filter (1)
* dbus-filter: firefox
* drop org.gtk.vfs and com.canonical.AppMenu.Registrar
|
Preliminary fixes tested/confirmed on Arch regarding #3389 (in-progress).
|
Fix for #3385.
|
* refactor caja.profile
* refactor dolphin.profile
* Create file-manager-common.profile
* refactor nautilus.profile
* refactor nemo.profile
* refactor pcmanfm.profile
* refactor ranger.profile
* refactor Thunar.profile
|
* Profile for Jitsi Meet desktop app (electron)
* Update description.
* Correctly include global definitions.
* Add jitsi-meet-desktop to firecfg.
* blacklist Jitsi-meet config directory in disable-programs.inc
* Disable more things.
  disable-exec.inc not included, as the application shows some error if I
  include it.
* Disable more stuff.
* No need to whitelist Downloads directory.
  I don't think this application has any file sharing / downloading
  feature.
* Use private-bin
  I needed to allow the bash executable as well for this to work.
* Add some whitelist rules.
* Use private-cache option
* include disable-exec.inc
  Apparently one needs to allow execution in /tmp for the program to work.
* Redirect to electron.profile.
* Use private-etc.
* Do not whitelist Downloads directory.
  electron.profile does this, but I do not think this program needs it.
* Rearrange whitelisted files to alphabetical order.
* Move nonwhitelist to appropriate section.
* Newlines as section separators.
|
Fixes #3363.
|
Add new profile: nicotine
|
https://github.com/netblue30/firejail/commit/ca6eec7dcf388c3d0bf52f54c56f7c957b8b777b
As per discussion in #3333, thanks to @rusty-snake for coming up with an alternative.
|
…g.config (#3333).
|
- Makefile.in: loops are slow
- Makefile.in: firecfg.config wasn't installed
- allow-gjs.inc: gjs uses libmozjs, forgotten to commit
|
This fixes #3333.
|
- disable-interpreters: blacklist /usr/lib64/libmozjs-*
- fdns:
  - fix .local name
  - remove server.profile comment (do we need /sbin and /usr/sbin?)
  - add wusc and wvc (commented because untested)
  - minimize caps.keep (based on fdns.service)
  - fix protocol position
  - add private-etc (based on fdns.service)
|
|
Otherwise, fails with error
CreateDirectories: failed to mkdir /usr/share/games (mode 448)
file_system.cpp(158): Function call failed: return value was -110300 (Insufficient access rights to open file)
Function call failed: return value was -110300 (Insufficient access rights to open file)
Location: file_system.cpp:158 (CreateDirectories)
Observed on Debian 10, 0ad 0.0.23
|
caps are already handled by caps.keep ... in this profile
|
See
- 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
- https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
Except for ocenaudio, access/restrictions on dbus options should
be unchanged
Ocenaudio profile: dbus filters were sandboxed (initially `nodbus`
was enabled) since comments indicated blocking dbus meant
preferences were broken
|
|
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as in previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
|
|
fix #3321
|
| |
|
| |
|
| |
|
|
|
|
| |
nc is a symlink to ncat on some distros
|
see https://github.com/netblue30/firejail/pull/3292#issuecomment-603467884
|
Syslog is spammed with the following message otherwise:
Could not create AF_NETLINK socket
|
|
- fix description
- add gnome-klotski, five-or-more, swell-foop
[skip ci]
|
- blobwars
- gravity-beams-and-evaporating-stars
- hyperrogue
- jumpnbump-menu (alias)
- jumpnbump
- magicor
- mindless
- mirrormagic
- mrrescue
- scorched3d-wrapper (alias)
- scorchwentbonkers
- seahorse-adventures
- wordwarvi
- xbill
|
I'd like to tighten this up more esp. for seccomp
- caps.keep sys_chroot needed or fails with
Cannot chroot into /proc/ directory: Operation not permitted
1. caps.drop all replaced with caps.keep
- caps.keep sys_admin needed or fails with
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
2. nonewprivs dropped to avoid failure:
The setuid sandbox is not running as root. Common causes:
* An unprivileged process using ptrace on it, like a debugger.
* A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
3. noroot dropped to avoid failure:
[22:0404/121643.400578:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/slack/chrome-sandbox is owned by root and has mode 4755.
4. Removed protocol filter
to avoid:
The setuid sandbox is not running as root. Common causes:
* An unprivileged process using ptrace on it, like a debugger.
* A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
5. Unable to get a working seccomp filter
See
https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
seccomp !chroot seems to have worked for earlier versions of slack
6. private-tmp means no tray icon
Observed on Debian 10, Slack 4.4.0
|
Access to ${HOME}/.cache/mozilla actually not necessary to let Firefox open links
|
| |
|
|
|
|
| |
@glitsj16 thanks for the pointer that we now have whitelist globbing
|
steam.profile: correctly blacklist unneeded directories in user's home
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
"noblacklist" directives prevent following ones from blacklisting the specified directory/file.
The profile currently has a "noblacklist" directive for each directory used by Steam and/or its games, which is fine.
However, there are no directives blacklisting the user's home, thus all directories and files inside it are accessible by Steam.
This commit fixes the issue by adding "whitelist" directives, which automatically blacklist the parent directory (in this case the user's home).
"mkdir" and "mkfile" directives are added so that the directories/files are created if they don't exist.
Thanks to @SkewedZeppelin for suggesting to keep "noblacklist" and use "mkdir" and "mkfile".
|