Without 'ignore nodbus', Teams will not close properly. It looks
like, by design, Teams ignores the close signal from window
managers (i.e. clicking the X in the top corner) - this occurs
even without firejail. Instead, there are two ways to close: by
right-clicking the tray icon and selecting "Close" or by running
`teams --quit`.
'nodbus' hides/prevents the tray icon, and also ignores
`teams --quit` if firecfg has been run (so that `teams` and
`teams --quit` will both be sandboxed). The only way to stop
Teams is then to manually either kill the process (via `kill -9`)
or run something like `/usr/bin/teams --quit` so that the
unsandboxed app is run.
'private-tmp' blocks the tray icon so, again, there's no good way
to kill Teams.
Observed on Debian 10 and Teams 1.3.00.5153
* introduce whitelist-runuser-common.inc
* If an application does not need a whitelist it can/should be
nowhitelisted. Example:
nowhitelist ${RUNUSER}/pulse
include whitelist-runuser-common.inc
* ${RUNUSER}/bus is inaccessible with nodbus regardless of the
whitelist. (as it should)
* strange wayland setups with a second wayland-compositor need to
whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
* some display managers store their Xauthority file in ${RUNUSER}.
test results with fedora 31:
- sddm: ~/.Xauthority is used
- lightdm: /run/lightdm/USER/Xauthority
- gdm: /run/user/UID/gdm/Xauthority
* IMPORTANT: ATM we can only enable this for non-graphical and GTK3
programs because mutter (GNOME's window manager) stores the Xauthority
file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
where XXXXXX is random. Until we have whitelist globbing we can't
whitelist this file. QT/KDE and other toolkits without full wayland
support won't be able to start.
* wru update 1
- add wru to more profiles.
- blacklist ${RUNUSER} works for most cli programs too.
* add wruc to more profiles
* fixes
* fixes
* wruc: hide pulse pid
* update
* remove wruc from all the x11 profiles
* fixes
* fix ordering
* read-only
* revert read-only
* update
- four-in-a-row
- gnome-mahjongg
- gnome-robots
- gnome-sudoku
- gnome-taquin
- gnome-tetravex
harden gnome-chess
Create ferdi.profile
Exact copy of franz.profile, simply renamed franz to ferdi.
- frogatto
- gnome_games-common.profile
- gnome-2048 (make redirect)
- gnome-mines
- gnome-nibbles
- lightsoff
- ts3client_runscript.sh (fix #3279)
- warmux (don't get confused with the warmux/wormux thing)
Signed-off-by: Atrate <Atrate@protonmail.com>
Update wire-desktop.profile
Co-Authored-By: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
rules for xdg-dbus-proxy:
dbus-user filter
dbus-user.own org.gnome.Pomodoro
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.Shell
dbus-system none
dbus-user filter
dbus-user.own org.gnome.Todo
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
dbus-user.talk org.gnome.evolution.dataserver.Calendar8
dbus-user.talk org.gnome.evolution.dataserver.Sources5
dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
dbus-user.talk org.gnome.OnlineAccounts
dbus-user.talk org.gnome.SettingsDaemon.Color
dbus-system filter
dbus-system.talk org.freedesktop.login1
dbus-user filter
dbus.own com.github.dahenson.agenda
dbus.talk ca.desrt.dconf
dbus-system block
remove netfilter from profiles with net none
allow Viber to use dig, dig is in its private-bin, so I assume that it
needs it.
blacklist resolvectl which can also be used for dns lookups
patch for xdg-dbus-proxy
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -45,3 +45,8 @@ private-bin gnome-screenshot
private-dev
private-etc dconf,fonts,gtk-3.0,localtime,machine-id
private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system block
```
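Review bot: the hunk starts at `@@ -45,3 +45,8 @@`, so the context doesn't show whether the profile still carries a `nodbus` line above; the new `dbus-user filter` / `dbus-system block` rules are only meaningful if `nodbus` was dropped in the same change (the whitelist-runuser-common.inc message above notes that `${RUNUSER}/bus` stays inaccessible with nodbus regardless). Consider widening the context or stating in the message that `nodbus` was removed, and add a short comment next to `dbus-user.talk org.gnome.Shell.Screenshot` saying which feature needs it.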
patch for whitelist-runuser-common.inc
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
include whitelist-var-common.inc
apparmor
```
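Review bot: the new `include whitelist-runuser-common.inc` is placed after `include whitelist-usr-share-common.inc`, which breaks the alphabetical ordering the surrounding includes follow (`runuser` sorts before `usr-share`); move it one line up, between `include disable-xdg.inc` and `include whitelist-usr-share-common.inc`. Also worth a sentence in the message: the removed `whitelist ${RUNUSER}/gdm/Xauthority` and `whitelist ${RUNUSER}/wayland-0` lines only work under the include because gnome-screenshot is GTK3, per the IMPORTANT caveat in the whitelist-runuser-common.inc commit about mutter's Xwayland auth file.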
* fix private-lib, closes #3233
* make private-etc and private-lib opt-in
see https://github.com/netblue30/firejail/issues/3233#issuecomment-589871765
disable-devel.inc: remove duplicated line
$PATH and $XDG_DATA_DIRS can contain subdirs of flatpak/exports,
some applications crash if they can't access these files.
Layout on my system:
~/.local/share/flatpak/exports
|-bin
|-share
|-applications
|-icons
file-roller fails to extract archives without access to bash
Noticed on LMDE 4 (Debian 10 base) with Cinnamon desktop
* discord 0.10 | fix #3247
* revert private-bin move & use disable-exec
* fix slack, see https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
The zoom SSO workflow launches an embedded sandboxed browser
(QtWebEngineProcess) which requires chroot and netlink to work.
Fixes #3272
See also: https://bugs.debian.org/948656
Place `include allow-lua.inc` above the other includes
Replace `noblacklist /usr/lib/liblua*` by including `allow-lua.inc`