This partially reverts commit d94f54736 ("disable all ssh utilities in
disable-common.inc", 2023-08-20).
Certain files in ~/.ssh are only used by sshd (not by ssh), so always
blacklist them.
Also, ssh itself does not need write access to the configuration files,
so make them read-only by default.
For details, see commit 2ec3f3a96 ("disable-common.inc: add missing
openssh paths", 2021-01-09) / PR #3885.
Cc: @netblue30

build: codespell improvements

Found by simply running `codespell .`.
Environment: codespell 2.2.5-2 on Artix Linux.

mpDris2 brings MPRIS2 support to MPD:
https://github.com/eonpatapon/mpDris2

Changes:
* comment `include whitelist-common.inc` when using `private`
* drop `private` on profiles that access files in `${HOME}`
* use `#` in comments
Relates to #903.

This fixes 0ad not opening on OpenSUSE Tumbleweed due to a "Permission
denied" error when trying to open "libmozjs-78.so.0".
See this issue that describes it all:
https://github.com/netblue30/firejail/issues/5938#issue-1833607321

* firecfg.config: add support for clac
* Create clac.profile

On the profiles that allow ~/.config/mpv.
Relates to #5936.

The programs in question do not create these files; they have to be
created manually.

mpv v0.36.0 uses ~/.cache/mpv[1] [2]:
Relates to #2838 #5936.
[1] https://github.com/mpv-player/mpv/releases/tag/v0.36.0
[2] https://github.com/mpv-player/mpv/pull/10838

The new version of mpv changed the path of the watch_later folder to
~/.local/state/mpv/watch_later.
See https://github.com/mpv-player/mpv/pull/10838

* Create reader.profile
* firecfg.config: add reader support
* reader: integrate review suggestions
  - blacklist whole ${RUNUSER}
  - drop x11 none
* reader: fix 'x11 none'

* firecfg.config: add daisy support
* Create daisy.profile

* disable-programs.inc: add new gramps dir
* gramps: add new config dir

* audacious: D-Bus hardening
* audacious: add noprinters

* disable-programs.inc: add sniffnet support
* Create sniffnet.profile
* firecfg.config: add sniffnet support

Co-authored-by: pirate486743186 <>

Homepage: https://mullvad.net/en/download/browser/linux
mullvad-browser: don't use restrict-namespaces
mullvad-browser: cover both installation paths
Suggested in review by @kmk3.

torbrowser-launcher: more hardening as per review
torbrowser-launcher: revert enabling restrict-namespaces
Suggested in review by @rusty-snake.

Multiple profiles include firefox-common.profile, but not all of them
include whitelist-usr-share-common.inc.
Suggested by @glitsj16[1].
This amends commit 094892dfd ("profiles: remove /usr/share/vulkan
already whitelisted by wusc (#5910)", 2023-07-20).
[1] https://github.com/netblue30/firejail/pull/5910/files#r1269397348

* disable-programs.inc: add remote sqlitebrowser support
* sqlitebrowser: add support for remote functionality

The `shell` option has been removed. Remove stale references.
This does NOT remove `shell none`-related code comments in:
- src/firejail/fs_lib.c (L433-L441)
- src/firejail/join.c (L415-L417)
Relates to #5196.
Suggested by #5891.

Bleachbit is used to permanently delete files by overwriting the memory.
So the most popular feature of Bleachbit is emptying the Trash.
Relates to #5337.

Commands used to find the relevant paths in /etc:
    $ pacman -Qo /etc/* 2>/dev/null | grep sudo | LC_ALL=C sort
    /etc/pam.d/ is owned by sudo 1.9.14.p1-1
    /etc/sudo.conf is owned by sudo 1.9.14.p1-1
    /etc/sudo_logsrvd.conf is owned by sudo 1.9.14.p1-1
    /etc/sudoers is owned by sudo 1.9.14.p1-1
    /etc/sudoers.d/ is owned by sudo 1.9.14.p1-1
Environment: Artix Linux.
Also, add missing paths sudo/doas to etc/ids.config and jailcheck.
See also commit dbebd71db ("disable-common.inc: blacklist doas binary",
2022-10-05).
Relates to #5385.
Reported-by: Dieter Plaetinck <dieter@plaetinck.be>

New profile: rssguard

Grrrr

Apparently a path containing whitespace and ending with a single digit breaks CI: https://github.com/netblue30/firejail/actions/runs/5448790502.

refresh feh.profile

Co-authored-by: pirate486743186 <>

fix lobster.profile