| Commit message (Collapse) | Author | Age |
|
Escaping this creates a warning and is dropped anyway:
Warning from /etc/apparmor.d/firejail-default (/etc/apparmor.d/firejail-default line 163): Character # was quoted unnecessarily, dropped preceding quote ('\') character
|
For some time apparmor started breaking file dialogs in kde plasma (gwenview, calibre, qbittorrent, etc.). Typical audit report below:
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/run/user/1000/#28520" pid=1997 comm="qbittorrent" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="link" profile="firejail-default" name="/run/user/1000/qBittorrentZcaeTi.1.slave-socket" pid=3679 comm="qbittorrent" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/run/user/1000/#79965"
This commit fixes this issue. Tested on Archlinux (linux 4.14.11, kde 5.11.5)
|
tor flavours
|
Add profile for "playonlinux"
|
This profile has been successfully tested by starting a Windows application through it.
"wine.profile" has been used as template for this. Only "noblacklist ${PATH}/nc" has been added because playonlinux needs it to run.
Please note that this is currently not tested due to security aspects, so it may need a rework later on, because opening an unknown Windows application through it could possibly be a security risk.
|
Fix #1702 - Couldn't start 'minetest' in Debian Testing
|
This removes the "private-etc" line from the "minetest" profile for a successful start of the game.
|
This profile has been successfully tested by sending and receiving an email. "claws-mail.profile" has been used as template for this.
|
for #1695
|
Blacklist the monero wallets directory
|
~/Monero/wallets is the default path suggested by the official wallet application, but it can be changed by the user.
|
avoid clash with Thunderbird on Debian systems.
|
Fix Deluge
|
Deluge needs access to more than the deluge binary if it runs as a daemon (or if
you want to access it via the web or command line)
|
Added environment variable QML_DISABLE_DISK_CACHE=1 to okular.profile.
|
Without it, recent okular versions (here 17.12.0-1 on Arch Linux) crash with
mprotect failed in ExecutableAllocator::makeExecutable: Permission denied
due to the noexec constraints in the firejail profile.
|
disable-common.inc blacklists the whole .ssh, but some profiles (e.g. idea.sh)
unblacklist it to allow git over ssh with public key auth.
But this creates a security hole, since a firejailed app could modify
~/.ssh/authorized_keys and allow arbitrary code execution on the host with sshd
installed (e.g. ssh localhost and run any program) or even open a backdoor for
a remote attacker.
This commit disallows write access to ~/.ssh/authorized_keys even if .ssh was
unblacklisted.
Signed-off-by: Alexander GQ Gerasiov <gq@cs.msu.su>
|
look into why this is breaking
|
Latest versions of TelegramDesktop support both old (~/.TelegramDesktop) and
new (~/.local/share/TelegramDesktop) locations of sensitive data files.
|
homesick is a dotfiles manager. It keeps dotfiles (e.g. .bashrc) in a repository
under ~/.homesick and puts symlinks into the home directory.
|
and move disable-mnt from thunderbird to firefox profile, in alignment with
recent commit from @Fred-Barclay
|
minimal fix to get file dialog working when there is no kdeinit4 outside the sandbox (relevant e.g. for Debian up to Stretch)
|