path: root/etc
Commit message [Author, Age]
...
* Follow-up for #3326 (#3397) [glitsj16, 2020-05-04]
|   * use the new dbus format in chromium-common.profile
|   * use new dbus format in firejail.config
|     Now that #3326 landed I think it might be less confusing to keep using the --nodbus wording. Couldn't come up with a better alternative (yet), so this might need future improvements.
|   * block dbus system bus
|     Blocking the system bus shouldn't affect password functionality etc, as that uses the session bus.
* fix makefile and dbus [rusty-snake, 2020-05-04]
|   - create vim directories (#3396)
|   - fix #3400 (Eye of GNOME won't open)
|   - fix feedreader, it is broken without org.freedesktop.secrets access
* fix #3399 [rusty-snake, 2020-05-04]
|
* dbus filter profiles (1) (#3326) [rusty-snake, 2020-05-02]
|   * dbus filter (1)
|   * dbus-filter: firefox
|   * drop org.gtk.vfs and com.canonical.AppMenu.Registrar
* various hardening (#3394) [rusty-snake, 2020-05-02]
|
* fixes for zeal.profile [glitsj16, 2020-04-30]
|   Preliminary fixes tested/confirmed on Arch regarding #3389 (in-progress).
* drop no3d from gnome-contacts.profile [glitsj16, 2020-04-26]
|   Fix for #3385.
* Add steam-runtime alias [backspac, 2020-04-24]
|
* cleanup private-etc in steam.profile [glitsj16, 2020-04-22]
|
* add disable-exec to file-manager-common profile [smitsohu, 2020-04-22]
|
* small fixes [netblue30, 2020-04-21]
|
* file managers refactoring (#3375) [glitsj16, 2020-04-21]
|   * refactor caja.profile
|   * refactor dolphin.profile
|   * Create file-manager-common.profile
|   * refactor nautilus.profile
|   * refactor nemo.profile
|   * refactor pcmanfm.profile
|   * refactor ranger.profile
|   * refactor Thunar.profile
* update issue template + add ICEauthority to wruc [rusty-snake, 2020-04-21]
|
* reorganize github etc directory [netblue30, 2020-04-21]
|
* small fixes [netblue30, 2020-04-21]
|
* Profile for jitsi-meet-desktop (#3362) [Kishore96in, 2020-04-19]
|   * Profile for Jitsi Meet desktop app (electron)
|   * Update description.
|   * Correctly include global definitions.
|   * Add jitsi-meet-desktop to firecfg.
|   * blacklist Jitsi-meet config directory in disable-programs.inc
|   * Disable more things.
|     disable-exec.inc not included, as the application shows some error if I include it.
|   * Disable more stuff.
|   * No need to whitelist Downloads directory.
|     I don't think this application has any file sharing / downloading feature.
|   * Use private-bin
|     I needed to allow the bash executable as well for this to work.
|   * Add some whitelist rules.
|   * Use private-cache option
|   * include disable-exec.inc
|     Apparently one needs to allow execution in /tmp for the program to work.
|   * Redirect to electron.profile.
|   * Use private-etc.
|   * Do not whitelist Downloads directory.
|     electron.profile does this, but I do not think this program needs it.
|   * Rearrange whitelisted files to alphabetical order.
|   * Move nonwhitelist to appropriate section.
|   * Newlines as section separators.
* Allow Lua for mpv in dolphin.profile [glitsj16, 2020-04-18]
|   Fixes #3363.
* Merge pull request #3348 from chrpinedo/profile-nicotine [rusty-snake, 2020-04-17]
|\
| |   Add new profile: nicotine
| * Add nicotine to disable-programs.inc [Christian Pinedo, 2020-04-17]
| |
| * Create nicotine profile [Christian Pinedo, 2020-04-17]
| |
* | Revert https://github.com/netblue30/firejail/commit/ca6eec7dcf388c3d0bf52f54c56f7c957b8b777b [glitsj16, 2020-04-15]
| |   As per discussion in #3333, thanks to @rusty-snake for coming up with an alternative.
* | add shortwave (#1139) and remove gjs from firecfg.config (#3333). [rusty-snake, 2020-04-13]
| |
* | misc fixes [rusty-snake, 2020-04-13]
|/
|   - Makefile.in: loops are slow
|   - Makefile.in: firecfg.config wasn't installed
|   - allow-gjs.inc: gjs uses libmozjs, forgotten to commit
* Fix shell in firefox-common.profile [glitsj16, 2020-04-12]
|   This fixes #3333.
* misc profiles [rusty-snake, 2020-04-11]
|   - disable-interpreters: blacklist /usr/lib64/libmozjs-*
|   - fdns:
|     - fix .local name
|     - remove server.profile comment (do we need /sbin and /usr/sbin?)
|     - add wusc and wvc (commented because untested)
|     - minimize caps.keep (based on fdns.service)
|     - fix protocol position
|     - add private-etc (based on fdns.service)
* fix #3343 [glitsj16, 2020-04-10]
|
* add description to rambox.profile [glitsj16, 2020-04-10]
|
* Add /usr/share/games to whitelist [Fred Barclay, 2020-04-09]
|   Otherwise, fails with error
|     CreateDirectories: failed to mkdir /usr/share/games (mode 448)
|     file_system.cpp(158): Function call failed: return value was -110300 (Insufficient access rights to open file)
|     Function call failed: return value was -110300 (Insufficient access rights to open file)
|     Location: file_system.cpp:158 (CreateDirectories)
|   Observed on Debian 10, 0ad 0.0.23
* fix alphabetical ordering in fdns.profile (2) [glitsj16, 2020-04-08]
|
* fix alphabetical ordering in fdns.profile [glitsj16, 2020-04-08]
|
* fdns profile [netblue30, 2020-04-07]
|
* Ignore `caps.drop all` import from transmission-common.profile [Fred Barclay, 2020-04-07]
|   caps are already handled by caps.keep ... in this profile
* Replace `nodbus` with dbus-* filters [Fred Barclay, 2020-04-07]
|   See
|   - 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
|   - https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
|   Except for ocenaudio, access/restrictions on dbus options should be unchanged
|   Ocenaudio profile: dbus filters were sandboxed (initially `nodbus` was enabled) since comments indicated blocking dbus meant preferences were broken
* dbus-proxy (gnome_games) [rusty-snake, 2020-04-07]
|
* Alphabetically order firejail.config (#3324) [glitsj16, 2020-04-07]
|
* Allow changing error action in seccomp filters [Topi Miettinen, 2020-04-06]
|   Let user specify the action when seccomp filters trigger:
|   - errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
|   - 'kill': kill the process as previous versions
|   The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can also be overridden in the /etc/firejail/firejail.config file.
|   Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call.
* cleanup, fixes, more profstats [netblue30, 2020-04-06]
|
* Update bitwarden.profile [rusty-snake, 2020-04-06]
|   fix #3321
* fixing my previous commit [netblue30, 2020-04-05]
|
* profile fixes [netblue30, 2020-04-04]
|
* fix alphabetical ordering of caps.keep in slack.profile [glitsj16, 2020-04-04]
|
* noblacklist ncat in ssh profile [Tad, 2020-04-04]
|   nc is a symlink to ncat on some distros
* steam profile fixes [Tad, 2020-04-04]
|   see https://github.com/netblue30/firejail/pull/3292#issuecomment-603467884
* Add netlink to mumble profile [SkewedZeppelin, 2020-04-04]
|   Syslog is spammed with the following message otherwise:
|     Could not create AF_NETLINK socket
* gnome games: more + fixes [rusty-snake, 2020-04-04]
|   - fix description
|   - add gnome-klotski, five-or-more, swell-foop
|   [skip ci]
* more games [rusty-snake, 2020-04-04]
|   - blobwars
|   - gravity-beams-and-evaporating-stars
|   - hyperrogue
|   - jumpnbump-menu (alias)
|   - jumpnbump
|   - magicor
|   - mindless
|   - mirrormagic
|   - mrrescue
|   - scorched3d-wrapper (alias)
|   - scorchwentbonkers
|   - seahorse-adventures
|   - wordwarvi
|   - xbill
* Fixes for slack 4.4 [Fred Barclay, 2020-04-04]
|   I'd like to tighten this up more esp. for seccomp
|   - caps.keep sys_chroot needed or fails with
|       Cannot chroot into /proc/ directory: Operation not permitted
|   1. caps.drop all replaced with caps.keep
|   - caps.keep sys_admin needed or fails with
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|   2. nonewprivs dropped to avoid failure:
|       The setuid sandbox is not running as root. Common causes:
|         * An unprivileged process using ptrace on it, like a debugger.
|         * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|   3. noroot dropped to avoid failure:
|       [22:0404/121643.400578:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/slack/chrome-sandbox is owned by root and has mode 4755.
|   4. Removed protocol filter to avoid:
|       The setuid sandbox is not running as root. Common causes:
|         * An unprivileged process using ptrace on it, like a debugger.
|         * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|   5. Unable to get a working seccomp filter
|       See https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
|       seccomp !chroot seems to have worked for earlier versions of slack
|   6. private-tmp means no tray icon
|   Observed on Debian 10, Slack 4.4.0
* Harden signal-desktop.profile and add rules for Firefox [curiosityseeker, 2020-04-04]
|
* Harden thunderbird.profile [curiosityseeker, 2020-04-04]
|   Access to ${HOME}/.cache/mozilla actually not necessary to let Firefox open links
* misc fixes & hardening [rusty-snake, 2020-04-03]
|