path: root/etc
Commit message [Author, Age]
* Add 'ignore nodbus', remove 'private-tmp' [Fred Barclay, 2020-04-01]
|
|     Without 'ignore nodbus', Teams will not close properly. It looks like, by design, Teams ignores the close signal from window managers (i.e. clicking the X in the top corner) - this occurs even without firejail. Instead, there are two ways to close: by right-clicking the tray icon and selecting "Close" or by running `teams --quit`.
|
|     'nodbus' hides/prevents the tray icon, and also ignores `teams --quit` if firecfg has been run (so that `teams` and `teams --quit` will both be sandboxed). The only way to stop Teams is then to manually either kill the process (via `kill -9`) or run something like `/usr/bin/teams --quit` so that the unsandboxed app is run.
|
|     'private-tmp' blocks the tray icon so, again, there's no good way to kill Teams.
|
|     Observed on Debian 10 and Teams 1.3.00.5153
|
* Whitelist runuser common (#3286) [rusty-snake, 2020-03-31]
|
|     * introduce whitelist-runuser-common.inc
|     * If an application does not need a whitelist it can/should be nowhitelisted. Example:
|         nowhitelist ${RUNUSER}/pulse
|         include whitelist-runuser-common.inc
|     * ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should)
|     * strange wayland setups with a second wayland-compositor need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
|     * some display-managers store their Xauthority file in ${RUNUSER}. test results with fedora 31:
|         - sddm: ~/.Xauthority is used
|         - lightdm: /run/lightdm/USER/Xauthority
|         - gdm: /run/user/UID/gdm/Xauthority
|     * IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOME's window-manager) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start.
|     * wru update 1
|         - add wru to more profiles.
|         - blacklist ${RUNUSER} works for most cli programs too.
|     * add wruc to more profiles
|     * fixes
|     * fixes
|     * wruc: hide pulse pid
|     * update
|     * remove wruc from all the x11 profiles
|     * fixes
|     * fix ordering
|     * read-only
|     * revert read-only
|     * update
|     *
|
* abiword and more gnome-games [rusty-snake, 2020-03-29]
|
|     - four-in-a-row
|     - gnome-mahjongg
|     - gnome-robots
|     - gnome-sudoku
|     - gnome-taquin
|     - gnome-tetravex
|
|     harden gnome-chess
|
* Merge pull request #3296 from 0x7969/master [rusty-snake, 2020-03-29]
|\
| |     Create ferdi.profile
| |
| * Added paths for ferdi [0x7969, 2020-03-29]
| |
| * Create ferdi.profile [0x7969, 2020-03-25]
| |
| |     Exact copy of franz.profile, simply renamed franz to ferdi.
| |
* | blacklist libvirt and flatpak [skip ci] [rusty-snake, 2020-03-29]
| |
* | more game profiles [rusty-snake, 2020-03-29]
| |
| |     - frogatto
| |     - gnome_games-common.profile
| |     - gnome-2048 (make redirect)
| |     - gnome-mines
| |     - gnome-nibbles
| |     - lightsoff
| |     - ts3client_runscript.sh (fix #3279)
| |     - warmux (don't get confused with the warmux/wormux thing)
| |
* | support GTK2 apps in wusc [glitsj16, 2020-03-28]
| |
* | Added compatibility with BetterDiscord (#3300) [Atrate, 2020-03-27]
|/
|     Signed-off-by: Atrate <Atrate@protonmail.com>
|
* Add a profile for X2GoClient [Tad, 2020-03-23]
|
* penguin-command [netblue30, 2020-03-23]
|
* Merge branch 'master' of https://github.com/netblue30/firejail [netblue30, 2020-03-23]
|\
| * fixup 255697b [rusty-snake, 2020-03-23]
| |
* | penguin-commad [netblue30, 2020-03-23]
|/
* apparmor [netblue30, 2020-03-23]
|
* Merge pull request #3293 from 0x7969/master [rusty-snake, 2020-03-23]
|\
| |     Update wire-desktop.profile
| |
| * Update etc/wire-desktop.profile [0x7969, 2020-03-23]
| |
| |     Co-Authored-By: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| |
| * Update wire-desktop.profile [0x7969, 2020-03-23]
| |
* | replace tabs with spaces [rusty-snake, 2020-03-23]
|/
* kmplayer etc [netblue30, 2020-03-22]
|
* fixes [rusty-snake, 2020-03-22]
|
* new profiles: agenda, gnome-pomodoro, gnome-todo [rusty-snake, 2020-03-22]
|
|     rules for xdg-dbus-proxy:
|
|     dbus-user filter
|     dbus-user.own org.gnome.Pomodoro
|     dbus-user.talk ca.desrt.dconf
|     dbus-user.talk org.gnome.Shell
|     dbus-system none
|
|     dbus-user filter
|     dbus-user.own org.gnome.Todo
|     dbus-user.talk ca.desrt.dconf
|     dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
|     dbus-user.talk org.gnome.evolution.dataserver.Calendar8
|     dbus-user.talk org.gnome.evolution.dataserver.Sources5
|     dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
|     dbus-user.talk org.gnome.OnlineAccounts
|     dbus-user.talk org.gnome.SettingsDaemon.Color
|     dbus-system filter
|     dbus-system.talk org.freedesktop.login1
|
|     dbus-user filter
|     dbus.own com.github.dahenson.agenda
|     dbus.talk ca.desrt.dconf
|     dbus-system block
|
* iagno profile [netblue30, 2020-03-21]
|
* Merge branch 'master' of https://github.com/netblue30/firejail [netblue30, 2020-03-19]
|\
| * extend default.profile [rusty-snake, 2020-03-19]
| |
| * harden baobab and gitg [rusty-snake, 2020-03-19]
| |
* | new profiles: ripperx, sound-juicer [netblue30, 2020-03-19]
|/
* various profile fixes [netblue30, 2020-03-19]
|
* apparmor support for bind, nslookup, host [netblue30, 2020-03-19]
|
* misc fixes [rusty-snake, 2020-03-19]
|
|     remove netfilter from profiles with net none
|
|     allow Viber to use dig, dig is in its private-bin, so I assume that it needs it.
|
|     blacklist resolvectl which can also be used for dns lookups
|
* fix nslookup.profile header [glitsj16, 2020-03-19]
|
* fix host.profile header [glitsj16, 2020-03-19]
|
* nslookup, host profiles [netblue30, 2020-03-18]
|
* profile fixes [netblue30, 2020-03-18]
|
* fix mplayer profile [netblue30, 2020-03-17]
|
* profile fixes [netblue30, 2020-03-16]
|
* some profile hardening [netblue30, 2020-03-15]
|
* fix freeoffice [netblue30, 2020-03-15]
|
* steam fixes; #841, #3267 [rusty-snake, 2020-03-15]
|
* add gnome-screenshot.profile [rusty-snake, 2020-03-15]
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | patch for xdg-dbus-proxy ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -45,3 +45,8 @@ private-bin gnome-screenshot private-dev private-etc dconf,fonts,gtk-3.0,localtime,machine-id private-tmp + +dbus-user filter +dbus-user.own org.gnome.Screenshot +dbus-user.talk org.gnome.Shell.Screenshot +dbus-system block ``` patch for whitelist-runuser-common.inc ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -17,11 +17,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist ${RUNUSER}/bus -whitelist ${RUNUSER}/pulse -whitelist ${RUNUSER}/gdm/Xauthority -whitelist ${RUNUSER}/wayland-0 include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor ```
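Review bot: `dbus-system block` on the last added line of the first hunk uses a different keyword from the `dbus-system none` written in the gnome-pomodoro rules elsewhere in this log, for what reads as the same deny-all policy on the system bus. Settle on one keyword before these lines go into the profile, and put a one-line comment above `dbus-user filter` noting that the four rules depend on xdg-dbus-proxy support, since the hunk appends them after `private-tmp` with no explanation.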
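Review bot: the second hunk removes the explicit `whitelist ${RUNUSER}/gdm/Xauthority` line, together with the bus, pulse and wayland-0 lines, and relies on `include whitelist-runuser-common.inc` instead, but nothing visible in the hunk shows that the include covers the gdm Xauthority path. Confirm that all four removed paths are whitelisted by the include, or keep the ones it lacks as explicit `whitelist` lines in the profile. As a style point, the new include is placed after `include whitelist-usr-share-common.inc`; placing it before would keep the whitelist includes in alphabetical order.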
* Update file.profile [rusty-snake, 2020-03-15]
|
|     * fix private-lib, closes #3233
|     * make private-etc and private-lib opt-in
|       see https://github.com/netblue30/firejail/issues/3233#issuecomment-589871765
|
|     disable-devel.inc: remove duplicated line
|
* allow ro access to .local/share/flatpak/exports [rusty-snake, 2020-03-15]
|
|     $PATH and $XDG_DATA_DIRS can contain subdirs of flatpak/exports, some applications crash if they can't access these files.
|
|     Layout on my system:
|
|     ~/.local/share/flatpak/exports
|     |-bin
|     |-share
|       |-applications
|       |-icons
|
* Fix "Extraction not performed" on Debian 10 [Fred Barclay, 2020-03-13]
|
|     file-roller fails to extract archives without access to bash
|
|     Noticed on LMDE 4 (Debian 10 base) with Cinnamon desktop
|
* discord 0.10 | fix #3247 (#3259) [rusty-snake, 2020-03-13]
|
|     * discord 0.10 | fix #3247
|     * revert private-bin move & use disable-exec
|     * fix slack, see https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
|
* zoom.profile: fix zoom SSO workflow [Peter Sanford, 2020-03-10]
|
|     The zoom SSO workflow launches an embedded sandboxed browser (QtWebEngineProcess) which requires chroot and netlink to work.
|
|     Fixes #3272
|
* profiles: firefox-esr has default configs somewhere else [Reiner Herrmann, 2020-03-08]
|
* profiles: whitelist firefox/thunderbird default directories (#3271) [Reiner Herrmann, 2020-03-08]
|
|     See also: https://bugs.debian.org/948656
|
* Update conky.profile [curiosityseeker, 2020-02-29]
|
|     Place `include allow-lua.inc` above the other includes
|
* Update conky.profile [curiosityseeker, 2020-02-29]
|
|     Replace `noblacklist /usr/lib/liblua*` by including `allow-lua.inc`