| Commit message (Collapse) | Author | Age |
| |
|
| |
|
| |
|
|\
| |
| | |
lbry-viewer.profile create
|
| | |
|
| |
| |
| | |
Co-authored-by: pirate486743186 <>
|
| |
| |
| |
| |
| | |
This amends commit e2631b40d ("steam.profile: fix breakage with newer
Proton-GE (process_vm_readv)", 2022-08-20).
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As reported by @rsramkis on #5185, upgrading from Proton-7.2-GE-2[1]
(released on 2022-02-14) to GE-Proton7-18[2] (released on 2022-05-19)
breaks logging in on World of Tanks Blitz unless the `process_vm_ready`
32-bit syscall is allowed[3], so allow it.
Fixes #5185.
[1] https://github.com/GloriousEggroll/proton-ge-custom/releases/tag/7.2-GE-2
[2] https://github.com/GloriousEggroll/proton-ge-custom/releases/tag/GE-Proton7-18
[3] https://github.com/netblue30/firejail/issues/5185#issuecomment-1152350336
|
| | |
|
| | |
|
|\ \
| | |
| | | |
makedeb profile creation
|
| |/ |
|
|\ \
| | |
| | | |
microsoft-edge.profile rewritten for stable channel and moved microsoft-edge{,-beta,-dev} from private-opt to whitelist
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
* replaced private-opt by whitelist #5307
* added stable channel config dirs to disable-programs.inc
|
|\ \ \
| | | |
| | | | |
vmware.profile: snapshot requires /etc/mtab
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | | |
This patch avoid the following error:
Error: One of the parameters supplied is invalid
Tested with VMware Workstation 16.2.4
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
neomutt won't write to these locations. Processes it spawns might read
to some of them, but creating an empty file doesn't help. This just
pollutes user's $HOME with empty files and directories.
I've kept a few paths that MAY be written to by neomutt; it's not ideal,
but I want to minimise the risk of potential data loss, even if it is
corener cases.
See: https://github.com/netblue30/firejail/discussions/5276
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* fix(audacity): !5281 sharedlib bug on Arch/Fedora
removed `private-bin` line from audacity profile as it appears to block
access to shared libraries needed to start audacity on some
distributions.
Relates to github issue #5281
* fix(audacity): Disabling apparmor and reenabling private-bin
|
|\ \
| | |
| | | |
makepkg: add description
|
| |/ |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add gdu to 'new profiles' section
* Create gdu.profile
* add gdu to firecfg
* harden gdu sandbox
* fix protocol
* simulate empty protocol in gdu
* more user-friendly gdu sandboxing
|
|\
| |
| | |
introduce new option restrict-namespaces
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
This directory contains the MAC address for connections available
Tested working with torbrowser-launcher and onionshare
Signed-off-by: Tad <tad@spotco.us>
|
|/ |
|
|
|
|
|
|
|
|
|
| |
* remmina.profile: allow python
* Update etc/profile-m-z/remmina.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
now covers syscalls up to including process_madvise (440)
group assignment was blindly copied from systemd:
https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305
the only exception is close_range, which was added to both @basic-io and @file-system
this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
|
|
|
|
|
|
|
|
| |
As a reminder to create a profile for winetricks instead of allowing
access to its paths to programs used by winetricks (see #5238).
Added on commit 0ec1c66b5 ("aria2c.profile: allow access to
~/.cache/winetricks") / PR #5238.
|
|
|
|
| |
Otherwise winetricks fails to download packages.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
* drop private-lib
* drop private-lib
* drop private-lib
|
|
|
|
|
|
|
| |
Logging is now default disabled in c7e4c8ed592fee7f1644152a23c3e1343b01b922
See https://github.com/netblue30/firejail/issues/5207
This reverts commit c0d314f945b405f1e90a1a43719059cd22f55de7.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Command: sed -i "/^shell none/d" etc/*/*
TODO:
```
etc/profile-a-l/beaker.profile:ignore shell none
etc/profile-a-l/default.profile:# shell none
etc/profile-a-l/fdns.profile:#shell none
etc/profile-a-l/gnome-nettool.profile:#shell none
etc/profile-a-l/jitsi-meet-desktop.profile:ignore shell none
etc/profile-m-z/pidgin.profile:# shell none
etc/profile-m-z/rocketchat.profile:ignore shell none
etc/profile-m-z/server.profile:# shell none
etc/templates/profile.template:# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
etc/templates/profile.template:#shell none
```
- manpage
- RELNOTES
- fbuilder
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
transmission-{gtk,qt} (#5175)
* add comment for enabling desktop notifications
* add comment for enabling desktop notifications
|
|
|
|
|
|
|
|
|
|
|
| |
Since /etc/profile is present, add the other shell-related paths in /etc
that are listed on ids.config.
Suggestion by @rusty-snake[1].
Relates to #5167 #5170.
[1] https://github.com/netblue30/firejail/pull/5167#pullrequestreview-989621852
|
| |
|
|\
| |
| | |
ids.config: add missing global shell paths
|
| |
| |
| |
| |
| |
| | |
Add missing paths for bash, ksh and zsh.
Environment: Artix Linux
|
| |
| |
| |
| | |
Since /etc/profile.d is already being blacklisted.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To disable-shell.inc.
Interactive shells can be executed from certain development-related
programs (such as IDEs) and the shells themselves are not blocked by
default, but this shell startup directory currently is. To avoid
running a shell without access to potentially needed startup files, only
blacklist /etc/profile.d when interactive shells are also blocked.
Note that /etc/profile.d should only be of concern to interactive
shells, so a profile that includes both disable-shell.inc and
allow-bin-sh.inc (which likely means that it needs access to only
non-interactive shells) should not be affected by the blacklisting.
Relates to #3411 #5159.
|