path: root/etc
Commit message (Author, Date)
* bringing back private-lib in evince, and some fixes for Arch Linux (netblue30, 2018-03-12)
* fix bash on CentOS 7 (startx2017, 2018-03-12)
* fix speller support in gedit profile (startx2017, 2018-03-12)
* Add a steam profile alias for steam-native (Tad, 2018-03-10)
* Disable memory-deny-write-execute in evince profile (Vincent43, 2018-03-07)
    It started breaking the application on Arch Linux, see https://github.com/netblue30/firejail/issues/1803
* Add falkon profile - see #1794 (Fred-Barclay, 2018-03-05)
* Fix #1797 - Brave doesn't open with noexec /tmp (Fred-Barclay, 2018-03-05)
* fix kioexec/krun for KDE authentication (netblue30, 2018-03-05)
* Merge branch 'master' of https://github.com/netblue30/firejail (smitsohu, 2018-03-05)
  * Add VS Code profile - see request in #1139 (Fred-Barclay, 2018-03-03)
  * Add netlink to protocol list and drop chroot from seccomp filter - should fix #1792 (Fred-Barclay, 2018-03-02)
      Brackets no longer opens without netlink in the protocol list, or with chroot blacklisted by the seccomp filter (which this commit changes from 'seccomp' to 'seccomp.keep').
* blacklist smartgit password file - #1796 (smitsohu, 2018-03-05)
* let konsole access its settings - #1789 (smitsohu, 2018-03-02)
* cleanup: remove empty private-bin and private-etc lines (smitsohu, 2018-03-01)
* add join-or-start to dolphin, okular and kwrite (smitsohu, 2018-03-01)
    fixes registration of d-bus services, closes #1391
* Fixup private-bin in start-tor-browser.profile after 63d455fbe6cfde2f97137f51b779d44f22cb4675 (Tad, 2018-02-27)
* Sync start-tor-browser with torbrowser-launcher profile (Tad, 2018-02-27)
    start-tor-browser.profile should stay separate from torbrowser-launcher for the case when downloaded manually. The other tor-browser-* are okay to extend torbrowser-launcher because their paths are known.
* Add ld.so.cache to torbrowser-launcher.profile (Tad, 2018-02-26)
* Add ld.so.cache to firefox-common.profile, fixes #1767 (smitsohu, 2018-02-26)
* drop cap_mac_admin in apparmor profile (smitsohu, 2018-02-27)
* Merge pull request #1787 from joelazar/master (Fred Barclay, 2018-02-26)
    .Xauthority moved from blacklist to read-only
  * .Xauthority moved from blacklist to read-only (joelazar, 2018-02-26)
* Add join-or-start to kate (should fix #1784) (Fred-Barclay, 2018-02-24)
* man page, README.md, RELNOTES (netblue30, 2018-02-21)
* Minor bitcoin-qt nitpicks and update README (Tad, 2018-02-20)
* Revert "Also whitelist .bitcoin-testnet just in case" (Witold Baryluk, 2018-02-20)
    This reverts commit 254d2a9d9b6e752c0e3188fa90e4c5856eae5979. The testnet blockchain is in ~/.bitcoin/testnet3/, no need for anything else. And the config is in ./.config/Bitcoin/Bitcoin-Qt-testnet.conf
* Also whitelist .bitcoin-testnet just in case (Witold Baryluk, 2018-02-20)
* Remove unnecessary blacklist for bitcoin-qt config. Comment about private-lib (Witold Baryluk, 2018-02-20)
* Add a profile for Bitcoin Core QT client / wallet (Witold Baryluk, 2018-02-20)
* Add a profile for Vivaldi Snapshot (Witold Baryluk, 2018-02-20)
* Apparmor: Allow log Firejail blacklist violations (Vincent43, 2018-02-19)
* Log denied write access for easier debugging (Vincent43, 2018-02-19)
    After more testing we can disable logging again.
* Apparmor: blacklist /proc and /sys access from firejail (Vincent43, 2018-02-19)
    Firejail blacklists sensitive /proc and /sys files on its own:
    https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530
    There is no need to duplicate this in apparmor using a whitelisting approach, which is much harder to do and needs never-ending maintenance.
* Apparmor: don't duplicate userspace /run/user restrictions (Vincent43, 2018-02-19)
    Currently userspace firejail uses a blacklist approach for the /run/user/ directory. By default it blacklists /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles, like blacklisting /run/user/**/bus, etc. The blacklist can be extended or degraded by a profile, which allows for fine-grained hardening.
    In apparmor we use a whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allows access to. This duplicates functionality and the amount of work to do. Moreover we end up with the same list of allowed files, as every one of them is used by some app and the apparmor profile is global. It's even worse, as the firejail blacklist can be disabled with the "writable-run-user" command, which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor.
    The solution for all of the above is to leave handling of /run/user to userspace firejail, which is the better tool to do this. In apparmor we should only handle things which firejail can't do.
* enable apparmor for transmission-gtk and transmission-qt (netblue30, 2018-02-19)
* enable apparmor for all firefox and chromium based browsers; enable apparmor for transmission-gtk and transmission-qt (netblue30, 2018-02-19)
* added support to disable apparmor globally in /etc/firejail/firejail.config (netblue30, 2018-02-19)
* playonlinux: unblacklist perl usage (Vincent43, 2018-02-19)
    Playonlinux may use perl internally: https://github.com/PlayOnLinux/POL-POM-4/search?utf8=%E2%9C%93&q=perl&type=
* Unify enox.profile under chromium-common (Tad, 2018-02-14)
* Merge pull request #1744 from soredake/keepassxc (netblue30, 2018-02-14)
    fixes for the keepassxc 2.2.5 version
  * fixes for the keepassxc 2.2.4 version (soredake, 2018-01-21)
* Merge pull request #1751 from bn0785ac/master (netblue30, 2018-02-14)
    chromium canary (inox-family)
  * canary (Your Name, 2018-01-26)
* Merge pull request #1766 from Vincent43/patch-1 (netblue30, 2018-02-14)
    Apparmor: fix various denials
  * Apparmor: Be more restrictive for chromium needs (Vincent43, 2018-02-08)
  * Apparmor: fix various denials (Vincent43, 2018-02-07)
      Fixes the following errors:

      wine:
      AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
      AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
      AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/2017" pid=11533 comm="wine" requested_mask="d"

      cups:
      AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
      AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
      AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
      AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
      AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

      chromium:
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/oom_score_adj" pid=7858 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/11/mem" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
      AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default"
      AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
      AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="trace" denied_mask="trace" peer="firejail-default"
      AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_score_adj" pid=7910 comm="chrome-sandbox" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
      AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_adj" pid=7910 comm="chrome-sandbox" requested_mask="w"
* Merge pull request #1762 from soredake/qtox (netblue30, 2018-02-14)
    add localtime to private-etc to make qtox show correct time
  * add localtime to private-etc to make qtox show correct time (soredake, 2018-02-06)
* blacklist ksslcertificatemanager (smitsohu, 2018-02-14)
    While it is believed that blacklisting these files is a safe default, it has the effect that untrusted certificates have to be acknowledged every time they are encountered (with whitelisting it is possible to accept them for the duration of an application session). Where this causes usability issues, it will be necessary to noblacklist these paths.
* fix KDE notifications (smitsohu, 2018-02-13)
    While it is essential to deny manipulation of these files, the information contained therein should be only of secondary value. By changing blacklist to read-only, notification functionality is restored.