| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that
is used by ssh(1). The other paths are only used by sshd(8), so stop
allowing them on ssh.profile and ssh-agent.profile. Path examples from
sshd(8):
* /etc/ssh/moduli
* /etc/ssh/ssh_host_ecdsa_key
* /etc/ssh/ssh_host_ecdsa_key.pub
* /etc/ssh/ssh_known_hosts
* /etc/ssh/sshd_config
* /etc/ssh/sshrc
$ pacman -Q openssh
openssh 8.4p1-2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the system-wide equivalent of ~/.ssh/config.
$ pacman -Q openssh
openssh 8.4p1-2
Reasons for blacklisting both /etc/ssh and /etc/ssh/* on
disable-common.inc:
Leave /etc/ssh that way so that profiles without allow-ssh.inc remain
unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that
profiles with allow-ssh.inc are able to access only nonblacklisted files
inside of /etc/ssh.
|
|
|
|
|
|
|
|
|
|
|
| |
And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
Command used to find the relevant files:
$ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
Also, add it to profile.template, as reminded by @rusty-snake at
https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
|
|
|
|
| |
See etc/templates/profile.template.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
That was added on the commit e93fbf3bd ("disable ssh-agent sockets in
disable-programs.inc").
Currently, it's the only ssh-related entry on disable-programs.inc.
Further, it seems that all the other socket blacklists live on
disable-common.inc. Also, even though this socket does not necessarily
allow arbitrary command execution on the local machine (like some paths
on disable-common.inc do), it could still do so for remote systems.
Put it above the "top secret" section, like the terminal sockets are
above the terminal server section.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add yarn & reorder
* add node-gyp & yarn files
* Create nodejs-common.profile
* Create yarn.profile
* refactor npm.profile
* add new profile: yarn
* read-only's for npm/yarn
Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
* ignore read-only's for npm
As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
* ignore read-only for yarn
As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
* remove quiet from nodejs-common.profile
quiet should go into the caller profiles instead
* add quiet to npm.profile
Thanks @rusty-snake for the review.
* re-ordering some options
* re-ordering
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Improvements to balsa,fractal,gajim,trojita
* sort
* Add gpg plugin support to gajim,remove notifications dbus from trojita
* Add dbus policy from flatpak per @rusty-snake
* Add python* to private-bin; remove some dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
|\
| |
| | |
Whitelist Bohemia Interactive config dir for Steam
|
| | |
|
| |
| |
| |
| |
| | |
At least Arma 3 stores its config directory under
~/.local/share/bohemiainteractive
|
|/
|
| |
Discord needs PulseAudio. Without it, it's unable to play any audio.
|
|
|
|
|
|
|
| |
bookmarks are saved unter $HOME/.local/share/gvfs-metadata
since evince is the primary pdf reader, a firejailed evince can't read
or write those
this commit adds instructions to enable metadata writing and reading
|
| |
|
|
|
|
|
| |
'dbus-user none' freeze openshot when clicking on open project,
'dbus-user filter' works.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add profile for npm
* Apply suggestions from code review
* Remove redundant blacklisting of Wayland.
* Remove unnecessary noblacklist lines for nodejs.
* Replace absolute paths to .inc files with filenames.
* Remove unneeded dbus whitelisting.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Remove empty line
To keep consistent with other profiles, remove the blank line after the header comment.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add npm files to add-common-devel
So that our addition of npm paths to disable-programs.inc dose not break IDEs,
we need to unblacklist these same paths in allow-common-devel.inc.
* Remove extra blank line
* Add common whitelist includes to npm profile
* Tighten npm profile
Include disable-exec.inc, but allowing ${HOME}.
* Remove whitelist-common.inc from npm profile
whitelist-common breaks npm, and since we don't know where the user's npm
projects will be, leave the whitelist-common include in a comment with a note
about how to enable it for their setup.
* Fix inverted commands
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Fixes for whitelisting
* Add login.defs to npm profile's private-etc
Co-authored-by: Aidan Gauland <aidalgol+git@fastmail.net>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
|
|
|
|
| |
* drop doubled netfilter in atom.profile
* drop doubled disable-mnt in tutanota-desktop.profile
|
|
|
|
|
|
|
| |
* harden liferea
* dbus fixes
On closer investigation it seems wiser to tighten D-Bus filtering as Liferea implements stuff via plugins that are disabled by default.
|
| |
|
|
|
|
|
|
|
|
|
| |
* new profile: tutanota-desktop
* add tutanota-desktop to firecfg
* blacklist tutanota-desktop files
* Create tutanota-desktop.profile
|
| |
|
|
|
|
|
|
|
| |
* fix #3859
* fix #3859
* fix #3859
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* really fix running kernel config check
archiver-common.inc includes `disable-shell.inc`, breaking
$ zcat /proc/config.gz
Cannot start application: Permission denied
* really fix running kernel config check
archiver-common.inc includes `disable-shell.inc`, breaking
$ zgrep -c "CONFIG_USER_NS=y" /proc/config.gz
Cannot start application: Permission denied
|
|\
| |
| | |
keepassxc.profile: Fix hang due to seccomp
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With the current profile, keepassxc hangs on startup, before showing the
main window:
$ uname -r -m
5.9.1-artix1-1 x86_64
$ firejail --version | head -n 1
firejail version 0.9.64
$ firejail --quiet keepassxc --version
KeePassXC 2.6.2
$ firejail --quiet keepassxc
# (nothing happens)
^C
Seccomp debugging as explained on etc/templates/syscalls.txt:
$ sudo grep -Eo 'keepassxc.* syscall=[0-9]+' /var/log/messages.log | tail -n 1
keepassxc" exe="/usr/bin/keepassxc" sig=31 arch=c000003e syscall=303
$ firejail --debug-syscalls | grep 303
303 - name_to_handle_at
So allow the name_to_handle_at syscall.
Relates to #3549.
|
|\ \ |
|
| |\ \
| | | |
| | | | |
Small fixes
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| |/ /
| | |
| | |
| | |
| | | |
- split notifications and tray
- fix tray policy
|
| | | |
|
|/ / |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
…on to chromium, remove the nowhlist from min and
its whlist from riot-web.
TODO: remove the 'ignore whitelist /usr/share/chomium' from the most
profiles with it.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add the missing binaries in the DNS section, as suggested by @glitsj16:
https://github.com/netblue30/firejail/pull/3810#issuecomment-742920539
Packages and their relevant binaries:
* bind: dnssec-*
* knot: khost
* unbound: unbound-host
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* limit file system access with comments in archiver-common.inc
* note wording
* Warn against overtightening file system access
Be more explicit about things breaking when archiver profiles are too tight. Thanks for the suggestion by @rusty-snake in #3834.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Refactor electron.profile and electron based programs (1)
* Refactor electron.profile and electron based programs (2)
* Refactor electron.profile and electron based programs (3)
* Refactor electron.profile and electron based programs (4)
* Refactor electron.profile and electron based programs (5)
* Refactor electron.profile and electron based programs (6)
* Refactor electron.profile and electron based programs (7)
* Refactor electron.profile and electron based programs (8)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* drop private-bin
* drop private-bin
* drop private-bin
* drop private-bin
* drop private-bin
* disable private-lib in tar.profile
Removing private-bin caused a test to fail - see discussion in https://github.com/netblue30/firejail/pull/3832. Thanks to @reinerh for explaining why I broke things!
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
"Portable OpenBSD ksh, based on the Public Domain Korn Shell (pdksh)."
Project page: https://github.com/ibara/oksh
$ pacman -Q oksh
oksh 6.8.1-1
$ pacman -Qlq oksh | grep bin/
/usr/bin/
/usr/bin/oksh
|
| |
| |
| |
| |
| |
| |
| | |
* New profiles for alacarte,tootle,photoflare
* Fix dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|