| Commit message (Collapse) | Author | Age |
|
|
|
|
|
| |
Fractal 7 (and possibly earlier) stores messages and key material in
${XDG_DATA_DIR}/fractal which defaults to ~/.local/share/fractal.
Lack of access causes it to be unable to load messages offline and
de- or encrypt messages even when online without sharing keys again.
|
|
|
|
|
|
|
|
|
|
| |
It is apparently used by the (widely used) "Fancy" plugin, which
"Renders HTML e-mail using the WebKit library".
https://www.claws-mail.org/plugins.php
Relates to #6377.
Note: etc/profile-a-l/email-common.profile contains `private-cache`.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has been reported in #6372 that after upgrading the nvidia
proprietary driver from version 550.78 to 550.90.07, programs using
hardware acceleration fail unless paths in `/sys/module/nvidia*` are
accessible. Example:
$ firejail --noprofile prime-run /bin/glxdemo
[...]
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 150 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0
Serial number of failed request: 22
Current serial number in output stream: 23
[...]
Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
`/sys/module/amdgpu` for OpenCL (though it is unclear how to detect that
driver). See commit 95c8e284d ("Allow accessing /sys/module directory",
2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by Blender",
2018-05-08) from PR #1932.
So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
driver is detected and `no3d` is not used.
Note: The driver check is copied from src/firejail/util.c (see #841).
To keep the current behavior (that is, block all modules), add
`blacklist /sys/module` to globals.local.
Fixes #6372.
Reported-by: @GreatBigWhiteWorld
Reported-by: @orzogc
Reported-by: @krop
Reported-by: @michelesr
Suggested-by: @glitsj16
Tested-by: @flyxyz123
|
|
|
| |
Fixes #6377.
|
|
|
|
|
| |
Added on commit 2453f0ecf ("email-common.profile: allow clamav plugin
for claws-mail", 2023-03-07) / PR #5719.
|
|
|
| |
Relates to #6364.
|
|
|
|
|
|
|
|
|
| |
This closes the escape route discussed in #6357.
It's left open for i3's own profile, so that people who run i3 itself
sandboxed still have the option to use IPC with it at all.
Reference for file paths:
https://i3wm.org/docs/userguide.html#_interprocess_communication
|
|
|
|
|
|
|
|
| |
Description: Standalone Discord client.
https://armcord.app/
https://github.com/NextWork123/ArmCord
Requested in https://github.com/netblue30/firejail/issues/1139#issuecomment-2140174880.
|
|
|
|
|
| |
Based on the entries in etc/profile-m-z/makepkg.profile.
This fixes #6352.
|
|
|
|
|
|
|
|
| |
Changes:
* Improve Firefox D-Bus comment
* Add missing/standardize related comments
* Include allow-bin-sh.inc in relevant profiles
* Use Firefox URL open section in relevant profiles
|
| |
|
|
|
|
|
|
| |
Description: Tauri-based IRC client inspired by HexChat.
https://nhexirc.com/
https://github.com/nhexirc/nhex
|
| |
|
|
|
|
|
|
| |
Update comment to account for camera-based motion trackers.
Fixes an issue with https://github.com/markx86/opentrack-launcher, where
video input devices won't show up unless novideo is removed.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The profile currently does not include disable-common nor makes
`${HOME}` read-only, so the program can simply write to ~/.bashrc
directly[1].
disable-common.inc was commented due to it apparently breaking bwrap.
As discovered by @glitsj16, it seems that allowing the bwrap binary is
enough to make it work (and that apparmor breaks loupe)[2].
So disable apparmor, allow bwrap and include disable-common.inc, plus
other hardening by @glitsj16.
This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) /
PR #6327.
[1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865
[2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* profiles: hexchat: hardenings
* profiles: hexchat: allow lua/downloads and harden
Allow more paths and add some extra options to harden the profile.
We allow Perl but keep it out of private-bin. Do the same for Lua and
clarify in the private-bin comment how to enable these interpreters.
Consulted resources:
- https://github.com/hexchat/hexchat/
- https://hexchat.readthedocs.io/
|
|
|
|
|
|
|
|
|
|
|
| |
Description: D-Bus debugger for GNOME
https://gitlab.gnome.org/GNOME/d-spy
From [1]:
> D-Feet is no longer maintained. Please use d-spy
[1] https://wiki.gnome.org/Apps/DFeet
|
|
|
|
| |
Signed-off-by: Tavi <tavi@divested.dev>
|
|
|
|
|
|
|
|
| |
Fix sorting and improve comments.
See etc/templates/profile.template.
This amends commit 4c5f55899 ("several kids programs", 2024-04-29).
|
| |
|
| |
|
|
|
|
| |
(#6322)
|
|
|
|
|
|
|
| |
Newly-released audacity 3.5 supports cloud-saving and remote backup
features:
- https://www.audacityteam.org/blog/audacity-3-5/
- https://support.audacityteam.org/additional-resources/changelog/audacity-3.5#cloud-project-saving
|
|
|
|
|
| |
The path is used in the Gentoo net-misc/openssh package (9.6_p1-r3).
Fixes #6308.
|
|
|
| |
https://github.com/axel-download-accelerator/axel
|
|
|
|
|
|
|
|
|
|
| |
Changes:
* Remove ffmpeg from private-bin
* Allow download folder
* It needs an editor to allow editing the config, so I put in nano; sh
and uname are used for launching nano
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To make it consistent with the other include profiles.
See etc/templates/profile.template.
With this, all `etc/inc/allow-*` files are listed in profile.template.
The explanation is based on a comment by @rusty-snake[1].
Relates to #4071.
This is a follow-up to #6299.
[1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473
|
|
|
|
|
|
|
|
|
|
|
| |
To make it consistent with the other include profiles.
See etc/templates/profile.template.
Note: It is not currently included in any profile.
Added on commit 89f30f1f2 ("Create allow-php.inc", 2020-01-25).
This is a follow-up to #6298.
|
|
|
|
|
|
|
| |
To make it consistent with the other include profiles.
See etc/templates/profile.template.
Relates to #3866 #5881.
|
| |
|
|
|
|
|
| |
Description: GitHub's official command-line tool.
https://github.com/cli/cli
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
That is, make "X11" lowercase so that the order of the includes in the
disable- section remain the same when sorted with `LC_ALL=C`, as is the
case for most of the other sections. That is also likely to be the
default in text editors (such as in vim on Arch), so this should make
the disable- section more consistent and easier to sort when editing the
profile.
Also, keep the old include as a redirect to the new one for now to avoid
breakage.
Commands used to search and replace:
git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
git grep -Ilz 'disable-X11' -- etc | xargs -0 \
perl -pi -e 's/disable-X11/disable-x11/'
Relates to #4462 #4854 #6070 #6289.
This is a follow-up to #6286.
|
|
|
|
|
| |
See etc/templates/profile.template.
This is a follow-up to #6286.
|
|
|
|
|
|
| |
Add a common profile to deduplicate entries and make qemu-related
profiles redirect to it.
Relates to #6255.
|
|
|
|
|
|
|
| |
I recently set up KDE connect and plasma-browser-integration for firefox
(Linux Mint 21.2) and needed this line in addition to the ones mentioned
in the profile. Found it via running `firejail
--profile=/etc/firejail/firefox.profile --dbus-user.log firefox`, trying
to send links to device, and seeing what events get logged.
|
|\
| |
| | |
profiles: replace x11 socket blacklist with disable-X11.inc
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.
Commands used to search and replace:
$ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'
Note: The following files were also edited manually:
* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile
Relates to #4462 #4854.
|
| |
| |
| |
| |
| |
| |
| | |
Move disable-X11.inc before disable-xdg.inc for consistency with other
profiles.
Added on commit 73a6fced2 ("New profile: ssmtp (#5544)", 2022-12-21).
|
|/
|
|
|
|
|
|
|
|
| |
The files in this directory are intended to be automatically executed
when the user logs in.
In which case, granting write access to this directory allows the
program to easily escape the sandbox (by autostarting itself outside of
firejail, for example).
Misc: This was noticed on #6244.
|
|
|
|
|
|
|
|
|
|
| |
It is a GUI program.
It was apparently added by accident on commit 73321c597 ("Fixes
(#2816)", 2019-07-01).
Reported by @glitsj16 at
https://github.com/netblue30/firejail/pull/6286#discussion_r1536618241
|
|
|
|
|
| |
Description: QEMU frontend without libvirt.
https://github.com/thanoulis/tqemu
|
|
|
|
|
|
|
|
|
|
| |
@hedgehog29 commented[1]:
> It prevents k3b from detecting all dvd drives, incudling USB ones, and
> it seems that also SATA.
Fixes #6279.
[1] https://github.com/netblue30/firejail/issues/6279#issue-2191392448
|
|
|
|
|
|
| |
Description: Python GTK3 application to view and clean metadata in
files, using mat2.
https://gitlab.com/rmnvgr/metadata-cleaner
|
|
|
| |
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Description: Encrypted messenger.
https://github.com/oxen-io/session-desktop/
https://aur.archlinux.org/packages/session-desktop
https://aur.archlinux.org/packages/session-desktop-bin
https://aur.archlinux.org/packages/session-desktop-appimage
Note: The AUR packages all work with the profiles.
|
|
|
|
|
|
| |
Description: Determines the file type.
https://metacpan.org/release/File-MimeInfo
https://archlinux.org/packages/extra/any/perl-file-mimeinfo/
|
|
|
|
|
| |
Description: Automatic TV episode file renamer.
https://github.com/dbr/tvnamer
|
|
|
|
|
|
|
| |
Description: Full Screen text editor heavily inspired by Q10 and
JDarkRoom.
https://code.google.com/p/textroom/
https://aur.archlinux.org/packages/textroom
|
|
|
|
|
|
| |
Description: Encrypted sharing of files, folders, and text between
devices.
https://github.com/Jacalz/rymdport
|