path: root/etc
Commit message / Author / Age
...
* allow using wruc on any program (rusty-snake, 2020-04-03)
    @glitsj16 thanks for the pointer that we now have whitelist globbing
* Merge pull request #3292 from davidebeatrici/steam-home-directory-privacy (netblue30, 2020-04-02)
    steam.profile: correctly blacklist unneeded directories in user's home
  * steam.profile: correctly blacklist unneeded directories in user's home (Davide Beatrici, 2020-03-24)
    "noblacklist" directives prevent following ones from blacklisting the specified directory/file. The profile currently has a "noblacklist" directive for each directory used by Steam and/or its games, which is fine. However, there are no directives blacklisting the user's home, thus all directories and files inside it are accessible by Steam.

    This commit fixes the issue by adding "whitelist" directives, which automatically blacklist the parent directory (in this case the user's home). "mkdir" and "mkfile" directives are added so that the directories/files are created if they don't exist.

    Thanks to @SkewedZeppelin for suggesting to keep "noblacklist" and use "mkdir" and "mkfile".
* Merge pull request #3294 from curiosityseeker/master (netblue30, 2020-04-02)
    thunderbird.profile: harden and enable the rules necessary to make Firefox open links
  * thunderbird.profile: harden and enable the rules necessary to make Firefox open links (curiosityseeker, 2020-03-23)
    See issue #3291
* Add 'ignore nodbus', remove 'private-tmp' (Fred Barclay, 2020-04-01)
    Without 'ignore nodbus', Teams will not close properly. It looks like, by design, Teams ignores the close signal from window managers (i.e. clicking the X in the top corner) - this occurs even without firejail. Instead, there are two ways to close: by right-clicking the tray icon and selecting "Close" or by running `teams --quit`. 'nodbus' hides/prevents the tray icon, and also ignores `teams --quit` if firecfg has been run (so that `teams` and `teams --quit` will both be sandboxed). The only way to stop Teams is then to manually either kill the process (via `kill -9`) or run something like `/usr/bin/teams --quit` so that the unsandboxed app is run.

    'private-tmp' blocks the tray icon so, again, there's no good way to kill Teams.

    Observed on Debian 10 and Teams 1.3.00.5153
* Whitelist runuser common (#3286) (rusty-snake, 2020-03-31)
    * introduce whitelist-runuser-common.inc
    * If an application does not need a whitelist it can/should be nowhitelisted. Example:
        nowhitelist ${RUNUSER}/pulse
        include whitelist-runuser-common.inc
    * ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should)
    * strange wayland setups with a second wayland-compositor need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
    * some display-managers store their Xauthority file in ${RUNUSER}. test results with fedora 31:
        - sddm: ~/.Xauthority is used
        - lightdm: /run/lightdm/USER/Xauthority
        - gdm: /run/user/UID/gdm/Xauthority
    * IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOME's window-manager) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start.
    * wru update 1
        - add wru to more profiles.
        - blacklist ${RUNUSER} works for most cli programs too.
    * add wruc to more profiles
    * fixes
    * fixes
    * wruc: hide pulse pid
    * update
    * remove wruc from all the x11 profiles
    * fixes
    * fix ordering
    * read-only
    * revert read-only
    * update
* abiword and more gnome-games (rusty-snake, 2020-03-29)
    - four-in-a-row
    - gnome-mahjongg
    - gnome-robots
    - gnome-sudoku
    - gnome-taquin
    - gnome-tetravex

    harden gnome-chess
* Merge pull request #3296 from 0x7969/master (rusty-snake, 2020-03-29)
    Create ferdi.profile
  * Added paths for ferdi (0x7969, 2020-03-29)
  * Create ferdi.profile (0x7969, 2020-03-25)
    Exact copy of franz.profile, simply renamed franz to ferdi.
* blacklist libvirt and flatpak [skip ci] (rusty-snake, 2020-03-29)
* more game profiles (rusty-snake, 2020-03-29)
    - frogatto
    - gnome_games-common.profile
    - gnome-2048 (make redirect)
    - gnome-mines
    - gnome-nibbles
    - lightsoff
    - ts3client_runscript.sh (fix #3279)
    - warmux (don't get confused with the warmux/wormux thing)
* support GTK2 apps in wusc (glitsj16, 2020-03-28)
* Added compatibility with BetterDiscord (#3300) (Atrate, 2020-03-27)
    Signed-off-by: Atrate <Atrate@protonmail.com>
* Add a profile for X2GoClient (Tad, 2020-03-23)
* penguin-command (netblue30, 2020-03-23)
* Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2020-03-23)
  * fixup 255697b (rusty-snake, 2020-03-23)
* penguin-command (netblue30, 2020-03-23)
* apparmor (netblue30, 2020-03-23)
* Merge pull request #3293 from 0x7969/master (rusty-snake, 2020-03-23)
    Update wire-desktop.profile
  * Update etc/wire-desktop.profile (0x7969, 2020-03-23)
    Co-Authored-By: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
  * Update wire-desktop.profile (0x7969, 2020-03-23)
* replace tabs with spaces (rusty-snake, 2020-03-23)
* kmplayer etc (netblue30, 2020-03-22)
* fixes (rusty-snake, 2020-03-22)
* new profiles: agenda, gnome-pomodoro, gnome-todo (rusty-snake, 2020-03-22)
    rules for xdg-dbus-proxy:

    dbus-user filter
    dbus-user.own org.gnome.Pomodoro
    dbus-user.talk ca.desrt.dconf
    dbus-user.talk org.gnome.Shell
    dbus-system none

    dbus-user filter
    dbus-user.own org.gnome.Todo
    dbus-user.talk ca.desrt.dconf
    dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
    dbus-user.talk org.gnome.evolution.dataserver.Calendar8
    dbus-user.talk org.gnome.evolution.dataserver.Sources5
    dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
    dbus-user.talk org.gnome.OnlineAccounts
    dbus-user.talk org.gnome.SettingsDaemon.Color
    dbus-system filter
    dbus-system.talk org.freedesktop.login1

    dbus-user filter
    dbus.own com.github.dahenson.agenda
    dbus.talk ca.desrt.dconf
    dbus-system block
* iagno profile (netblue30, 2020-03-21)
* Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2020-03-19)
  * extend default.profile (rusty-snake, 2020-03-19)
  * harden baobab and gitg (rusty-snake, 2020-03-19)
* new profiles: ripperx, sound-juicer (netblue30, 2020-03-19)
* various profile fixes (netblue30, 2020-03-19)
* apparmor support for bind, nslookup, host (netblue30, 2020-03-19)
* misc fixes (rusty-snake, 2020-03-19)
    remove netfilter from profiles with net none

    allow Viber to use dig, dig is in its private-bin, so I assume that it needs it.

    blacklist resolvectl which can also be used for dns lookups
* fix nslookup.profile header (glitsj16, 2020-03-19)
* fix host.profile header (glitsj16, 2020-03-19)
* nslookup, host profiles (netblue30, 2020-03-18)
* profile fixes (netblue30, 2020-03-18)
* fix mplayer profile (netblue30, 2020-03-17)
* profile fixes (netblue30, 2020-03-16)
* some profile hardening (netblue30, 2020-03-15)
* fix freeoffice (netblue30, 2020-03-15)
* steam fixes; #841, #3267 (rusty-snake, 2020-03-15)
* add gnome-screenshot.profile (rusty-snake, 2020-03-15)
    patch for xdg-dbus-proxy ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -45,3 +45,8 @@ private-bin gnome-screenshot private-dev private-etc dconf,fonts,gtk-3.0,localtime,machine-id private-tmp + +dbus-user filter +dbus-user.own org.gnome.Screenshot +dbus-user.talk org.gnome.Shell.Screenshot +dbus-system block ``` patch for whitelist-runuser-common.inc ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -17,11 +17,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist ${RUNUSER}/bus -whitelist ${RUNUSER}/pulse -whitelist ${RUNUSER}/gdm/Xauthority -whitelist ${RUNUSER}/wayland-0 include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor ```
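Review bot: the xdg-dbus-proxy hunk (`@@ -45,3 +45,8 @@`) allows exactly one session-bus peer, `dbus-user.talk org.gnome.Shell.Screenshot`, while the unchanged `private-etc dconf,fonts,gtk-3.0,localtime,machine-id` context line ships the dconf profile into the sandbox, which suggests the program reads its settings over dconf; the other filtered profiles in this log (gnome-pomodoro, gnome-todo, agenda) all pair their filter with `dbus-user.talk ca.desrt.dconf`. Either add that rule here or state in the commit message that gnome-screenshot was verified to work without it under `dbus-user filter`.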
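Review bot: the whitelist-runuser-common hunk (`@@ -17,11 +17,8 @@`) removes the four explicit `whitelist ${RUNUSER}/...` lines (bus, pulse, gdm/Xauthority, wayland-0) and relies on `include whitelist-runuser-common.inc` to re-add them; the 'Whitelist runuser common' commit earlier in this log says that include is only safe for non-graphical and GTK3 programs, because mutter's `.mutter-Xwaylandauth.XXXXXX` file cannot be whitelisted without globbing. The `gtk-3.0` entry in the first patch's `private-etc` line supports that gnome-screenshot qualifies, but the commit message should say so explicitly and confirm that the include still covers all four removed paths, so that the session bus and the display socket remain reachable after the swap.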
* Update file.profile (rusty-snake, 2020-03-15)
    * fix private-lib, closes #3233
    * make private-etc and private-lib opt-in
      see https://github.com/netblue30/firejail/issues/3233#issuecomment-589871765

    disable-devel.inc: remove duplicated line
* allow ro access to .local/share/flatpak/exports (rusty-snake, 2020-03-15)
    $PATH and $XDG_DATA_DIRS can contain subdirs of flatpak/exports, some applications crash if they can't access these files.

    Layout on my system:
    ~/.local/share/flatpak/exports
    |-bin
    |-share
      |-applications
      |-icons
* Fix "Extraction not performed" on Debian 10 (Fred Barclay, 2020-03-13)
    file-roller fails to extract archives without access to bash

    Noticed on LMDE 4 (Debian 10 base) with Cinnamon desktop
* discord 0.10 | fix #3247 (#3259) (rusty-snake, 2020-03-13)
    * discord 0.10 | fix #3247
    * revert private-bin move & use disable-exec
    * fix slack, see https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520