Add seccomp filters for remmina, from an strace session connecting via RDP
|
quick test of ~50 profiles on Fedora 27
audacity - "An error occured while loading or saving configuration information"
soundconverter - fix crash on start by removing explicit dbus blacklist added in 55938d07a58d29ceb893e4554a4ddf3c41810fc9
many issues were found that were unfixed
evolution - cannot access ~/.evolution on first run, doesn't seem to ever be used/accessed again
gedit - many plugins (spell check) are broken by private-lib
gnome-contacts - "warning: wayland-egl: could not open /dev/dri/card0" due to no3d, don't know why it thinks it needs that
|
This fixes "LibreOffice will attempt to recover the state of the files you were working on before it crashed." messages when you go to open a second document.
We should see if there are any other profiles where we can use join-or-start to fix similar issues.
|
my profiles happened to be in ~/.remmina
|
and whitelist some kio settings, because we don't know if slave processes will run inside or outside the sandbox.
also prevents weird bugs that depend on sequence in which applications were started.
|
1. Allow for seven-digit PIDs, same as upstream does: https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
2. Fixed dbus functionality. Disabled by default.
|
see #1653 #1572
|
further to 8aec7694cb4c7c0d07b333b689ab19faacb519f9
|
Apparmor: restrict access to writable files
|
Kodi plugins need /proc/@PID/net/dev access outside user processes:
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/28/net/dev" pid=2354 comm="kodi.bin" requested_mask="r" denied_mask="r"
|
Access to writable files can be restricted to their owner only.
|
- This appears to be a general issue with private-lib, that might've already been fixed in master
|
- Tor browser doesn't have nosound, so include pulse in private-etc
|
Apparmor: fix broken file dialogs in kde plasma
|
Escaping this creates a warning and is dropped anyway:
Warning from /etc/apparmor.d/firejail-default (/etc/apparmor.d/firejail-default line 163): Character # was quoted unnecessarily, dropped preceding quote ('\') character
|
For some time apparmor started breaking file dialogs in kde plasma (gwenview, calibre, qbittorrent, etc.). Typical audit report below:
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/run/user/1000/#28520" pid=1997 comm="qbittorrent" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="link" profile="firejail-default" name="/run/user/1000/qBittorrentZcaeTi.1.slave-socket" pid=3679 comm="qbittorrent" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/run/user/1000/#79965"
This commit fixes this issue. Tested on Archlinux (linux 4.14.11, kde 5.11.5)
|
hardcoded since 1e7045b55cc1e189dba6d9ed21c05c90663f3736