firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	Fix comments in 88 profiles	Tad	2017-08-07
\| \| \| \|	There may actually be some other comments that were removed, but the bulk have been restored
*	Unify all profiles	Tad	2017-08-07
\|
*	various profile fixes (#1433)	Vladimir Schowalter	2017-08-06
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* calibre: add netlink protocol (FB note: removed before merge) calibre started without netlink protocol throws following error in console: Exception in thread Thread-8: Traceback (most recent call last): File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner self.run() File "/usr/lib/calibre/calibre/utils/mdns.py", line 43, in run _all_ip_addresses = self.get_all_ips() File "/usr/lib/calibre/calibre/utils/mdns.py", line 27, in get_all_ips for x in netifaces.interfaces(): OSError: [Errno 95] Operation not supported * mpv: add nogroups, tracelog, ipc-namespace, private-dev I used testes all above options and didn't noticed any breakage. * qbittorrent: add netlink protocol, private-etc Netlink protocol is needed if user select to bind specific network interface in config. Otherwise it throws an error in qbittorent log: The network interface defined is invalid: tun0 Example private-etc is added but commented out by default. It's tested but as there are many different system configurations users should enable it manually. * vlc: disable memory-deny-write-execute With memory-deny-write-execute vlc freezes after loading video file. According to https://github.com/VladimirSchowalter20/firejail/commit/b18f42ab0236de7eed5888f43ba36cdaf990cbca memory-deny-write-execute is similar to PAX mprotect feature and linked github project explicitly disables that feature for vlc binary, see https://github.com/copperhead/paxd-archive/commit/deb39e0b91996e2e9c7917b3543030880cd476f4 * Update vlc.profile * wine: add nogroups Nogroups should be safe addition for wine * wireshark: allow users to run wireshark as non-root Wireshark can be run unprivileged when user is part of wireshark group. Unfortunately enabling nogroups,nonewprivs and seccomp will break it with permissions errors. Also added example private-etc option which is commented out by default for now. * cosmetic fix * mpv: comment out ipc-namespace for now As requested in review https://github.com/netblue30/firejail/pull/1433#discussion_r131550515 * calibre: disable netlink protocol It throws an error but actual breakage isn't observed for now.
*	Merge pull request #1438 from smitsohu/patch-1	Fred Barclay	2017-08-06
\|\ \| \| \| \|	Change KDE4 services folder to read-only
\| *	services folder is read-only now	smitsohu	2017-08-06
\| \|
\| *	Change KDE4 services folder to read-only	smitsohu	2017-08-06
\| \| \| \| \| \|	Configurations in this folder are not secret, but need to be protected from manipulation. Let's make it available to all KDE apps for legitimate use. Discussion in #1428
* \|	fix steam startup with >=llvm-4	soredake	2017-08-06
\|/
*	Add a profile for Gnome Twitch	Tad	2017-08-05
\|
*	Update firecfg.config and add a wireshark-* alias	Tad	2017-08-04
\|
*	Merge branch 'master' of https://github.com/netblue30/firejail	netblue30	2017-08-04
\|\
\| *	Gwenview: drop kbuildsycoca5 from private-bin	Vladimir Schowalter	2017-08-04
\| \|
* \|	private-lib: support for /etc/firejail/firejail.config	netblue30	2017-08-04
\|/
*	Add 12 new profiles	Tad	2017-08-03
\| \| \| \|	apktool, Baobab, dex2jar, gitg, Hashcat, MusicBrainz Picard, OBS Studio, Remmina, sdat2img, Sound Converter, SQLiteBrowser, Truecraft
*	profile fixes	Vladimir Schowalter	2017-08-04
\| \| \| \| \| \| \| \|	* Update qbittorrent.profile * Update gwenview.profile * Update disable-programs.inc
*	Change ~/.local/share/kservices5 to read-only	Vladimir Schowalter	2017-08-03
\|
*	Merge pull request #1426 from VladimirSchowalter20/master	startx2017	2017-08-02
\|\ \| \| \| \|	Apparmor: add local configuration
\| *	Minor fix for completness	Vladimir Schowalter	2017-08-02
\| \|
\| *	Apparmor: add local configuration	Vladimir Schowalter	2017-08-02
\| \|
* \|	Merge pull request #1424 from ↵	startx2017	2017-08-02
\|\ \ \| \| \| \| \| \| \| \| \| \| \| \|	VladimirSchowalter20/VladimirSchowalter20-apparmor-kde-fix Apparmor: update whitelist path for kde
\| * \|	Apparmor: update whitelist path for kde	Vladimir Schowalter	2017-08-02
\| \|/
* \|	Add rambox profile from #1425	Fred Barclay	2017-08-02
\| \|
* \|	Fixes	Fred-Barclay	2017-08-02
\| \|
* \|	Add back net none/netfilter as needed	Fred-Barclay	2017-08-02
\| \|
* \|	Partially synchronize Chromium-based profiles	Tad	2017-08-02
\| \|
* \|	Add noexec to more profiles as tested by @curiosity-seeker	Tad	2017-08-02
\| \| \| \| \| \| \| \|	See https://github.com/netblue30/firejail/pull/1367#issuecomment-315793729
* \|	Initial adding of memory-deny-write-execute to profiles	Tad	2017-08-02
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	- mdwe breaks most vm-based languages so python/java/javascript and some mono programs are not compatible - mdwe also breaks most 3d accelerated programs such as 3d games - mdwe is similar to PaX's mprotect meaning PaX flag managers can be used as reference -- See https://github.com/copperhead/paxd-archive/blob/master/paxd.conf -- See https://github.com/nning/linux-pax-flags
* \|	Harden profiles	Tad	2017-08-02
\|/ \| \| \| \| \| \| \|	- Added 'disable-devel.conf' to many profiles - Added 'disable-mnt' to many profiles - Added 'noexec' to many profiles - Removed 'netfilter' and 'net none' from profiles with 'protocol unix' - Cleaned up profiles using defaults
*	x11/xpra support	netblue30	2017-08-01
\|
*	Add some /proc dirs to firejail apparmor profile	Vladimir Schowalter	2017-08-02
\|
*	Fix #1420	Tad	2017-07-31
\|
*	telegram is called telegram-desktop in Debian	Rahiel Kasim	2017-07-30
\|
*	Add a profile for arm	Tad	2017-07-29
\|
*	new profiles	netblue30	2017-07-29
\|
*	arp rework	netblue30	2017-07-29
\|
*	Zoom cache dir	Raphaël Droz	2017-07-27
\| \| \| \| \|	Zoom seems to use of a QT cache-disk feature which depends upon a ~/.cache/<app>/qmlcache directory. If it can not, Zoom will segfault with mprotect failed in ExecutableAllocator::makeExecutable: Permission denied
*	Allow eom and xviewer to write to user's trash	Fred-Barclay	2017-07-27
\|
*	Updates after merges	Fred-Barclay	2017-07-27
\|
*	Add Electron and Riot profiles	Aidan Gauland	2017-07-27
\| \| \| \| \| \| \|	* Add a generic profile for Electron applications. * Add a specific profile for Riot based on this new Electron profile. * Addresses vector-im/riot-web#3004 * Fulfils profile request for Riot.im in netblue30/firejail#1139
*	Add access to trash	Panzerfather	2017-07-23
\| \| \|	Eog needs access to trash to delete files
*	apparmor fixes	netblue30	2017-07-21
\|
*	Merge pull request #1372 from rccavalcanti/chromium_arch	netblue30	2017-07-16
\|\ \| \| \| \|	Fix permission denied for chromium-flags.conf in Arch
\| *	Fix permission denied for chromium-flags.conf in Arch	Rafael Cavalcanti	2017-07-10
\| \|
* \|	Fix typo	Fred-Barclay	2017-07-14
\| \|
* \|	Re-add .ssh to noblacklist for andriod-studio and idea.sh	Fred-Barclay	2017-07-14
\| \|
* \|	Add quiet to exiftool profile	announ	2017-07-13
\| \|
* \|	Fix .java after e2449ae7d25925cec444ac08bbfb9cbc7199e647	Tad	2017-07-13
\| \|
* \|	Update after merge #1374	Fred-Barclay	2017-07-13
\| \| \| \| \| \| \| \| \| \|	This introduces blacklist ~/.java to disable-programs.inc, so it may break some existing profiles that depend on it.
* \|	Merge pull request #1374 from SpotComms/idea	Fred Barclay	2017-07-13
\|\ \ \| \| \| \| \| \|	Add profiles for IntelliJ IDEA and Android Studio
\| * \|	Update idea.sh.profile	Fred Barclay	2017-07-13
\| \| \| \| \| \| \| \| \|	Don't allow ~/.ssh access
\| * \|	Update android-studio.profile	Fred Barclay	2017-07-13
\| \| \| \| \| \| \| \| \|	Don't allow ~/.ssh access