path: root/etc
Commit message  (Author, Age)
* Add a profile for Vivaldi Snapshot  (Witold Baryluk, 2018-02-20)
|
* Apparmor: Allow logging Firejail blacklist violations  (Vincent43, 2018-02-19)
|
* Log denied write access for easier debugging  (Vincent43, 2018-02-19)
| After more testing we can disable logging again.
* Apparmor: blacklist /proc and /sys access from firejail  (Vincent43, 2018-02-19)
| Firejail does the blacklisting of sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530
| There is no need to duplicate this in apparmor using a whitelisting approach, which is much harder to do and needs never-ending maintenance.
* Apparmor: don't duplicate userspace /run/user restrictions  (Vincent43, 2018-02-19)
| Currently userspace firejail uses a blacklist approach for the /run/user/ directory. By default it blacklists /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles, like blacklisting /run/user/**/bus, etc. The blacklist can be extended or degraded by a profile, which allows for fine-grained hardening.
| In apparmor we use a whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allows access to. This duplicates functionality and the amount of work to do. Moreover we end up with the same list of allowed files, as every one of them is used by some app and the apparmor profile is global. It's even worse, as the firejail blacklist can be disabled with the "writable-run-user" command, which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor.
| The solution for all of the above is to leave handling of /run/user to userspace firejail, which is the better tool to do this. In apparmor we should only handle things which firejail can't do.
* enable apparmor for transmission-gtk and transmission-qt  (netblue30, 2018-02-19)
|
* enable apparmor for all firefox and chromium based browsers; enable apparmor for transmission-gtk and transmission-qt  (netblue30, 2018-02-19)
|
* added support to disable apparmor globally in /etc/firejail/firejail.config  (netblue30, 2018-02-19)
|
* playonlinux: unblacklist perl usage  (Vincent43, 2018-02-19)
| Playonlinux may use perl internally: https://github.com/PlayOnLinux/POL-POM-4/search?utf8=%E2%9C%93&q=perl&type=
* Unify enox.profile under chromium-common  (Tad, 2018-02-14)
|
* Merge pull request #1744 from soredake/keepassxc  (netblue30, 2018-02-14)
|\
| | fixes for the keepassxc 2.2.5 version
| * fixes for the keepassxc 2.2.4 version  (soredake, 2018-01-21)
| |
* | Merge pull request #1751 from bn0785ac/master  (netblue30, 2018-02-14)
|\ \
| | | chromium canary (inox-family)
| * | canary  (Your Name, 2018-01-26)
| | |
* | | Merge pull request #1766 from Vincent43/patch-1  (netblue30, 2018-02-14)
|\ \ \
| | | | Apparmor: fix various denials
| * | | Apparmor: Be more restrictive for chromium needs  (Vincent43, 2018-02-08)
| | | |
| * | | Apparmor: fix various denials  (Vincent43, 2018-02-07)
| | | | Fixes the following errors:
| | | | wine:
| | | | AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
| | | | AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
| | | | AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/2017" pid=11533 comm="wine" requested_mask="d"
| | | | cups:
| | | | AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
| | | | AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
| | | | AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
| | | | AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
| | | | AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
| | | | chromium:
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/oom_score_adj" pid=7858 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/11/mem" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
| | | | AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default"
| | | | AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
| | | | AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="trace" denied_mask="trace" peer="firejail-default"
| | | | AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_score_adj" pid=7910 comm="chrome-sandbox" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
| | | | AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_adj" pid=7910 comm="chrome-sandbox" requested_mask="w"
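Denial dumps like the one in this commit message are easier to act on once they are aggregated. What follows is an added example, not code from Firejail, from this commit, or from AppArmor: it parses AVC lines of the shape quoted above, collapses per-PID path components into the `[0-9]*` glob AppArmor accepts, maps the kernel's `denied_mask` letters onto profile-language permissions, and prints one candidate rule per (profile, rule) with a hit count. It also flags the rules (ptrace, `/proc/*/mem`) that should not be granted merely because they were denied, which is the point of the "Be more restrictive for chromium needs" commit above. The sample lines are a constructed, shortened subset of the denials quoted in this message; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a shortened subset of the denials quoted in the commit
# message above, plus the two ptrace lines. Not a live audit log.
SAMPLE_DENIALS = """\
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
"""

# key=value pairs; a value is either double-quoted or a bare token (pid=7858).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Candidate rules a reviewer must not add just because they were denied:
# reading another process's memory and ptrace are the capabilities the
# "Be more restrictive for chromium needs" commit tightens.
SENSITIVE = (re.compile(r'^/proc/\S+/mem '), re.compile(r'^ptrace '))


def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC line as a dict, or None
    if the line is not an apparmor audit record."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def generalize(path):
    """Replace numeric path components (PIDs, as in /proc/8/mem or
    /run/firejail/profile/11526) with the [0-9]* glob AppArmor accepts."""
    return re.sub(r'/\d+(?=/|$)', '/[0-9]*', path)


def file_perms(mask):
    """Map a kernel denied_mask onto profile-language permissions. The kernel
    reports create (c) and delete (d) separately; in a profile both need w."""
    perms = set()
    for ch in mask:
        if ch in "cd":
            perms.add("w")
        elif ch in "rwaklmx":
            perms.add(ch)
    return "".join(sorted(perms))


def suggest_rules(audit_text):
    """Aggregate DENIED records into candidate rules keyed by (profile, rule),
    with the number of denials each rule would have covered."""
    rules = Counter()
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") == "ptrace":
            rule = "ptrace (%s) peer=%s," % (f["denied_mask"], f["peer"])
        elif "name" in f:
            rule = "%s %s," % (generalize(f["name"]), file_perms(f["denied_mask"]))
        else:
            continue  # signal, dbus, capability records are not handled here
        rules[(f["profile"], rule)] += 1
    return rules


def is_sensitive(rule):
    """True for rules that need a human decision rather than a copy-paste."""
    return any(p.search(rule) for p in SENSITIVE)


if __name__ == "__main__":
    for (profile, rule), n in sorted(suggest_rules(SAMPLE_DENIALS).items()):
        flag = "  # REVIEW: sensitive, do not add blindly" if is_sensitive(rule) else ""
        print("%-16s %4d  %s%s" % (profile, n, rule, flag))
```

Feed it the relevant lines from `journalctl -k` or `/var/log/audit/audit.log`; the parser only looks at `key=value` pairs, so the `audit: type=1400 ...` prefix the kernel adds in real logs does not matter. Treat the output as a worklist, not as a profile: the two wine denials collapse to one rule because the per-PID file names were generalized, while the `/proc/[0-9]*/mem` and ptrace rules are printed with a review flag and, going by the commit that followed this one, were deliberately not granted.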
* | | | Merge pull request #1762 from soredake/qtox  (netblue30, 2018-02-14)
|\ \ \ \
| | | | | add localtime to private-etc to make qtox show correct time
| * | | | add localtime to private-etc to make qtox show correct time  (soredake, 2018-02-06)
| | | | |
* | | | | blacklist ksslcertificatemanager  (smitsohu, 2018-02-14)
| | | | | While it is believed that blacklisting these files is a safe default, it has the effect that untrusted certificates have to be acknowledged every time they are encountered (with whitelisting it is possible to accept them for the duration of an application session). Where this causes usability issues, it will be necessary to noblacklist these paths.
* | | | | fix KDE notifications  (smitsohu, 2018-02-13)
| | | | | While it is essential to deny manipulation of these files, the information contained therein should be only of secondary value. By changing blacklist to read-only, notification functionality is restored.
* | | | | update more application blacklists  (smitsohu, 2018-02-13)
| | | | |
* | | | | Further unify private-etc in Firefox-based browsers  (Tad, 2018-02-11)
| | | | |
* | | | | whitelist gpg in brave profile  (smitsohu, 2018-02-12)
| | | | |
* | | | | Breakout noblacklists/whitelists for common addons/plugins/programs from firefox-common  (Tad, 2018-02-11)
| | | | |
* | | | | Unify all Chromium and Firefox based browser profiles as part of #1773  (Tad, 2018-02-11)
| | | | |
* | | | | update various application blacklists  (smitsohu, 2018-02-11)
| | | | |
* | | | | Merge pull request #1764 from jelford/remmina_seccomp  (smitsohu, 2018-02-11)
|\ \ \ \ \
| | | | | | Add seccomp filters for remmina, from an strace session connecting via RDP
| * | | | | keep remmina seccomp whitelist opt-in  (smitsohu, 2018-02-11)
| | | | | |
| * | | | | Add seccomp filters for remmina, from an strace session connecting via RDP  (James Elford, 2018-02-07)
| | | | | |
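The procedure behind this pull request, tracing the application once and turning the syscalls it made into a keep-list, is simple enough to script. The following is an added example and not code from Firejail or from this pull request: it extracts the set of syscall names from `strace -f` output, accepting both the `pid syscall(` layout strace writes with `-o` and the `[pid N] syscall(` layout it prints to a terminal, skips the `<... resumed>`, `+++ exited` and `--- SIGNAL` markers, and renders the result as a single `seccomp.keep` line in Firejail's profile syntax. The strace lines are constructed and abbreviated, the function names are my own, and timestamp prefixes (`-t`, `-r`) are assumed absent.

```python
import re

# Constructed, abbreviated strace -f output for an RDP session. The first
# lines use the "pid syscall(" layout strace writes with -o; the last one uses
# the "[pid N] syscall(" layout it prints to a terminal. Not a real capture.
SAMPLE_STRACE = """\
21004 execve("/usr/bin/remmina", ["remmina"], 0x7ffc3b2d8ee0 /* 38 vars */) = 0
21004 brk(NULL)                         = 0x5638f2a0a000
21004 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
21004 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1c2e1f0000
21004 clone(child_stack=0x7f1c2d9fefb0, flags=CLONE_VM|CLONE_FS|CLONE_THREAD) = 21005
21005 futex(0x7f1c2d9ff9d0, FUTEX_WAIT, 21005, NULL <unfinished ...>
21004 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
21004 connect(7, {sa_family=AF_INET, sin_port=htons(3389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
21005 <... futex resumed> )             = 0
21004 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=21005} ---
21005 +++ exited with 0 +++
[pid 21004] write(7, "\\x03\\x00\\x00\\x13", 19) = 19
"""

# A syscall line is an optional pid prefix, then the syscall name and "(".
# "<... x resumed>", "+++ exited" and "--- SIGCHLD" lines do not match, and a
# resumed call was already counted on its "<unfinished ...>" line.
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s*|\d+\s+)?([a-z_][a-z0-9_]*)\(')


def syscalls_from_strace(text):
    """Return the sorted, de-duplicated list of syscall names in strace output."""
    names = set()
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


def keep_line(names):
    """Render the list as the seccomp.keep directive used in Firejail profiles.
    Everything not listed is blocked, so a code path the trace never exercised
    (file dialog, SSH tunnel, printing) surfaces later as a killed process,
    which is why the merged profile keeps this filter opt-in."""
    return "seccomp.keep " + ",".join(names)


if __name__ == "__main__":
    print(keep_line(syscalls_from_strace(SAMPLE_STRACE)))
```

Run it over the file written by `strace -f -o remmina.trace remmina`, after exercising every feature you intend to use under the sandbox, and paste the printed line into the profile. The resulting list is only as complete as the session that produced it, and architecture differences (32-bit versus 64-bit syscall names) mean a list captured on one machine may not transfer to another.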
* | | | | | Fix soundconverter not launching and audacity error popup  (Tad, 2018-02-10)
| | | | | | quick test of ~50 profiles on Fedora 27
| | | | | | audacity - "An error occurred while loading or saving configuration information"
| | | | | | soundconverter - fix crash on start by removing explicit dbus blacklist added in 55938d07a58d29ceb893e4554a4ddf3c41810fc9
| | | | | | many issues were found that were unfixed
| | | | | | evolution - cannot access ~/.evolution on first run, doesn't seem to ever be used/accessed again
| | | | | | gedit - many plugins (spell check) are broken by private-lib
| | | | | | gnome-contacts - "warning: wayland-egl: could not open /dev/dri/card0" due to no3d, don't know why it thinks it needs that
* | | | | | Oops - didn't include actual tilp profile.  (Fred-Barclay, 2018-02-09)
| | | | | |
* | | | | | Add tilp profile  (Fred-Barclay, 2018-02-09)
| | | | | |
* | | | | | Fix error messages when opening multiple documents in LibreOffice  (Tad, 2018-02-09)
| | | | | | This fixes "LibreOffice will attempt to recover the state of the files you were working on before it crashed." messages when you go to open a second document. We should see if there are any other profiles where we can use join-or-start to fix similar issues.
* | | | | | restrict kssl (missing paths)  (smitsohu, 2018-02-08)
| | | | | |
* | | | | | restrict kssl  (smitsohu, 2018-02-08)
| |_|/ / /
|/| | | |
* | | | | keep menu definitions read-only  (smitsohu, 2018-02-07)
| | | | |
* | | | | Update remmina.profile  (Chris Kuethe, 2018-02-06)
|/ / / /
| | | | my profiles happened to be in ~/.remmina
* | | | Merge branch 'master' of https://github.com/netblue30/firejail  (smitsohu, 2018-02-06)
|\| | |
| * | | Allow Spotify to run Zenity  (Rafael Cavalcanti, 2018-02-05)
| | | |
| * | | Fix Tor Browser Launcher dirs not getting created on first launch  (Tad, 2018-02-04)
| | | |
* | | | pdfchain profile  (smitsohu, 2018-02-06)
| | | |
* | | | further harden KDE  (smitsohu, 2018-02-06)
| | | | and whitelist some kio settings, because we don't know if slave processes will run inside or outside the sandbox. Also prevents weird bugs that depend on the sequence in which applications were started.
* | | | enable private-etc for gwenview  (smitsohu, 2018-02-06)
|/ / /
* | | Apparmor: minor fixes  (Vincent43, 2018-02-03)
| | | 1. Allow for seven-digit PID, same as upstream does: https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
| | | 2. Fixed dbus functionality. Disabled by default.
* | | enable email encryption for thunderbird, kmail  (smitsohu, 2018-02-03)
| | | see #1653 #1572
* | | blacklist klipper  (smitsohu, 2018-02-02)
| | | further to 8aec7694cb4c7c0d07b333b689ab19faacb519f9
* | | KDE related enhancements  (smitsohu, 2018-02-01)
| | |
* | | unbound fix (part 2) - whitelist /var/run  (smitsohu, 2018-02-01)
| | |
* | | unbound fix (writable-var) - #1731  (smitsohu, 2018-01-31)
| | |