/opt/ledger-live installation currently sits at 345 MiB, so I decided to
whitelist it instead of using private-opt ledger-live, in case future
installations grow in size.
Not using private-dev was the only way I managed to get my USB wallet to
work.
Drop paths present in etc/inc/whitelist-usr-share-common.inc from
profiles that include it.
nextcloud: D-Bus filtering changes
Profile for Electron Cash
Profile for RawTherapee
gnome-keyring: harden and add gnome-keyring-daemon.profile
And use it as the base for the existing gnome-keyring.profile.
landlock: split .special into .makeipc and .makedev
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
Recent versions of geeqie[1] use a Lua interpreter, like the one
currently in Arch Linux (2.2).
Without this fix it fails with:
/usr/bin/geeqie: error while loading shared libraries: liblua.so.5.4: [...]
[1] https://www.geeqie.org/
Add common Lua include to crawl.profile (Dungeon Crawl Stone Soup) to
allow Lua libraries, as both the ncurses and tiles executables are
dynamically linked to Lua.
Tesseract is a CLI program and its output may be parsed by other
programs (such as `ocrmypdf`). Including messages from firejail in the
output may break the parsing, so remove them.
Fixes #6171.
Reported-by: @kmille
Committer note: For each profile there is both XXX-gtk and gtk-XXX (such
as lbry-viewer-gtk and gtk-lbry-viewer).
XXX-gtk is the symlink
gtk-XXX is the actual file
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
To ensure that it includes luajit paths as well:
* /usr/share/lua
* /usr/share/luajit-2.1
And remove all entries of the same path without the wildcard, to avoid
redundancy.
Misc: The wildcard entries were added on commit 56b60dfd0 ("additional
Lua blacklisting (#3246)", 2020-02-24) and the entries without the
wildcard were partially removed on commit 721a984a5 ("Fix Lua in
disable-interpreters.inc", 2020-02-24).
This is a follow-up to #6128.
Reported-by: @pirate486743186
Added on commit 2d8ff695a ("WIP: Blacklist common programming
interpreters. (#1837)", 2018-04-02).
gropdf (`man -Tpdf`) needs Perl (see #6142).
mpv: whitelist /usr/share/mpv
Use case: You install scripts in `/usr/share/mpv` but they remain
inactive. You then symlink them to `/etc/mpv` to activate them if you
want.
landlock: move commands into profile and add landlock.enforce
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
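
The two Landlock commits above (the `landlock.special` split into `landlock.makeipc` / `landlock.makedev`, and the opt-in `landlock.enforce` gate) describe a policy model that is easier to see in code. The block below is an added example, not firejail's implementation: the `LANDLOCK_ACCESS_FS_*` bit values are the kernel UAPI constants from `include/uapi/linux/landlock.h`, but the mapping from profile commands to those bits, the modelled profile syntax (`landlock.<cmd> PATH`, bare `landlock.enforce`, `ignore <command>`) and the sample profile are all assumptions made for illustration.

```python
"""Collecting and gating Landlock profile commands.

Added example, not firejail's implementation.  The LANDLOCK_ACCESS_FS_* bit
values are the UAPI constants from include/uapi/linux/landlock.h; the mapping
from profile commands to those bits is an assumption that follows the commit
messages above (makeipc = fifo + sock, makedev = block + char).
"""
from dataclasses import dataclass, field

# include/uapi/linux/landlock.h
LANDLOCK_ACCESS_FS_EXECUTE = 1 << 0
LANDLOCK_ACCESS_FS_WRITE_FILE = 1 << 1
LANDLOCK_ACCESS_FS_READ_FILE = 1 << 2
LANDLOCK_ACCESS_FS_READ_DIR = 1 << 3
LANDLOCK_ACCESS_FS_REMOVE_DIR = 1 << 4
LANDLOCK_ACCESS_FS_REMOVE_FILE = 1 << 5
LANDLOCK_ACCESS_FS_MAKE_CHAR = 1 << 6
LANDLOCK_ACCESS_FS_MAKE_DIR = 1 << 7
LANDLOCK_ACCESS_FS_MAKE_REG = 1 << 8
LANDLOCK_ACCESS_FS_MAKE_SOCK = 1 << 9
LANDLOCK_ACCESS_FS_MAKE_FIFO = 1 << 10
LANDLOCK_ACCESS_FS_MAKE_BLOCK = 1 << 11
LANDLOCK_ACCESS_FS_MAKE_SYM = 1 << 12
LANDLOCK_ACCESS_FS_TRUNCATE = 1 << 14

# Assumed command -> access-right mapping (illustrative, not firejail's table).
COMMAND_RIGHTS = {
    "landlock.read": LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
    "landlock.write": (
        LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE
        | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE
        | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG
        | LANDLOCK_ACCESS_FS_MAKE_SYM
    ),
    "landlock.execute": LANDLOCK_ACCESS_FS_EXECUTE,
    # The two halves of the former landlock.special:
    "landlock.makeipc": LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_SOCK,
    "landlock.makedev": LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_CHAR,
}


@dataclass
class LandlockPolicy:
    enforce: bool = False
    rules: dict = field(default_factory=dict)  # path -> OR of allowed bits


def parse_profile(lines, cli_ignore=()):
    """Parse landlock.* commands from profile lines.

    `ignore <command>` lines and --ignore=<command> from the command line drop
    every occurrence of that command, so `ignore landlock.enforce` keeps the
    rules in the profile but leaves them unenforced.  Modelled as two passes.
    """
    commands = []
    ignored = set(cli_ignore)
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "ignore":
            ignored.add(arg)
        else:
            commands.append((cmd, arg))

    policy = LandlockPolicy()
    for cmd, arg in commands:
        if cmd in ignored:
            continue
        if cmd == "landlock.enforce":
            policy.enforce = True
        elif cmd in COMMAND_RIGHTS:
            if not arg:
                raise ValueError(f"{cmd} needs a path")
            # Several commands on one path accumulate rights.
            policy.rules[arg] = policy.rules.get(arg, 0) | COMMAND_RIGHTS[cmd]
    return policy


def effective_rules(policy):
    """Rules that would actually be loaded: none unless landlock.enforce survived."""
    return dict(policy.rules) if policy.enforce else {}


def rights_names(bits):
    """Human-readable constant names for a bit mask, for dumping a policy."""
    return sorted(n for n, v in globals().items()
                  if n.startswith("LANDLOCK_ACCESS_FS_") and bits & v)


# Constructed sample profile (not an upstream profile).
SAMPLE_PROFILE = """
include landlock-common.inc   # stand-in for the upstream include
landlock.read /usr
landlock.execute /usr/bin
landlock.makeipc /run/user/1000   # sockets and fifos, e.g. for D-Bus
landlock.makedev /dev
landlock.enforce
""".splitlines()

if __name__ == "__main__":
    for tag, extra in (("enforced", ()), ("ignored", ("landlock.enforce",))):
        policy = parse_profile(SAMPLE_PROFILE, cli_ignore=extra)
        print(tag, {p: rights_names(b) for p, b in effective_rules(policy).items()})
```

Running it with and without `--ignore=landlock.enforce` (the `cli_ignore` argument here) shows the point of the gate: the same rule set is parsed in both cases, but it is only loaded when `landlock.enforce` survives, which is what lets upstream profiles carry Landlock lines without turning them on for everyone.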
minecraft-launcher.profile: allow keyring access
Some plugins may require it[1]:
error: os_dlopen([...]): libluajit-5.1.so.2: [...]: Permission denied
warning: Module '/usr//lib/obs-plugins/frontend-tools.so' not loaded
[1] https://github.com/netblue30/firejail/issues/6130#issue-2040800338
curl supports several locations for the rc file according to its man
page:
[...]
When curl is invoked, it (unless -q, --disable is used) checks for a
default config file and uses it if found, even when -K, --config is
used. The default config file is checked for in the following places in
this order:
1) "$CURL_HOME/.curlrc"
2) "$XDG_CONFIG_HOME/curlrc" (Added in 7.73.0)
3) "$HOME/.curlrc"
[...]
This fixes Fractal 5 not opening on Void Linux due to it failing to
access "/usr/share/fractal/resources.gresource".
Fixes #6119.
Reported-by: @mhmdana
Suggested-by: @rusty-snake
Similarly to steam.profile (see #4864).
Fixes #6106.
I accidentally removed the `!` when sorting the arguments in #6067.
This amends commit fbba03790 ("lutris.profile: allow more syscalls",
2023-10-24) / PR #6067.
build: sort.py: use case-sensitive sorting
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To match how things are sorted elsewhere, such as with `noblacklist` /
`whitelist` lines (vertically) in profiles and in
ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.
This makes the order in `private-etc` always be groups (`@group`), then
uppercase paths, then lowercase paths. Example from
etc/profile-m-z/softmaker-common.profile:
private-etc @tls-ca,SoftMaker,fstab
Note that this does not affect a significant amount of profiles; most
changes are in `private-bin` / `private-lib` lines and in `private-etc`
lines for newer profiles that do not use groups. This is partly due to
commit 5d0822c52 ("private-etc: big profile changes", 2023-02-05)
replacing `X11` with `@x11` in `private-etc` lines and then commit
0f996ea4d ("private-etc: groups modified", 2023-02-05) removing
`Trolltech.conf` from `private-etc` lines and using case-sensitive
sorting in them.
Relates to #5610.
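
The ordering rule in the commit message above (groups, then uppercase, then lowercase) falls out of plain code-point comparison, since `@` sorts before `A` and every uppercase letter sorts before every lowercase one. The block below is an added example, not the project's `ci/check/profiles/sort.py`; it applies that rule to comma-separated arguments and contrasts it with case-insensitive sorting. The set of commands whose arguments get sorted and the sample profile lines are assumptions made for the example.

```python
"""Case-sensitive sorting of comma-separated profile arguments.

Added example; it is not the project's ci sort.py.  It implements the rule
the commit message describes: code-point (case-sensitive) ordering, which
puts `@group` entries first ('@' sorts before 'A'), then uppercase names,
then lowercase names.  Which commands get sorted is an assumption.
"""

# Assumed set of commands whose comma-separated arguments are sorted.
SORTED_COMMANDS = ("private-bin", "private-etc", "private-lib")


def sort_arguments(args, case_sensitive=True):
    """Sort a comma-separated argument list; empty items (stray commas) are dropped."""
    items = [a for a in args.split(",") if a]
    key = None if case_sensitive else str.lower
    return ",".join(sorted(items, key=key))


def sort_profile_line(line, case_sensitive=True):
    """Return the line with its arguments sorted, or unchanged for other commands."""
    cmd, _, rest = line.partition(" ")
    if cmd not in SORTED_COMMANDS or not rest.strip():
        return line
    return f"{cmd} {sort_arguments(rest.strip(), case_sensitive)}"


def unsorted_lines(text, case_sensitive=True):
    """1-based numbers of the lines a CI check would flag as unsorted."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if sort_profile_line(line, case_sensitive) != line]


def bucket(entry):
    """Which of the three groups an entry lands in under case-sensitive order."""
    if entry.startswith("@"):
        return "group"
    return "upper" if entry[0].isupper() else "lower"


# Constructed sample; the private-etc line is the commit message's own example.
SAMPLE = """\
include disable-common.inc
private-bin textmaker,planmaker,presentations
private-etc fstab,SoftMaker,@tls-ca
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(f"{line!r:50} -> {sort_profile_line(line)!r}")
    print("case-insensitive would give:",
          sort_profile_line("private-etc fstab,SoftMaker,@tls-ca", case_sensitive=False))
    print("unsorted lines:", unsorted_lines(SAMPLE))
```

With `case_sensitive=False` the same `private-etc` line comes out as `@tls-ca,fstab,SoftMaker`, which is the inconsistency with the `noblacklist` / `whitelist` ordering that the commit removes.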
lutris.profile: allow more syscalls
Need to whitelist `ptrace` and `clone3` for Ubisoft Connect to work.
journalctl did list `process_vm_readv` when a game was running, but it
didn't crash the game.
Fixes #6035.
steam.profile: allow process_vm_readv syscall
|
| |/ /
| | |
| | |
| | |
| | |
| | | |
EA Origin (game launcher) won't launch without this.
See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159
On Debian the data is in /usr/share/tesseract-ocr/
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* disable-programs.inc: add support for tiny-rdm
* Create tiny-rdm.profile
* firecfg.config: add support for tiny-rdm
|
| | | |
|
| | | |
|
| |/
|/|
| |
| |
| |
| |
| | |
discord_arch_electron[1] stores its files in /usr/share/discord, rather than
the usual /opt/discord.
[1] https://aur.archlinux.org/packages/discord_arch_electron