Starting with version 5.13 Proton internally uses bubblewrap to create a
container for the game. To make this work with firejail we need to allow
these 4 additional syscalls.
fixes: https://github.com/netblue30/firejail/issues/4366
fixes: https://github.com/netblue30/firejail/issues/4686
|
steam.profile: allow "${HOME}/.prey"
The directory is used by the Linux binary for Prey (2006), available at https://icculus.org/prey.
Not whitelisting the directory results in the game failing to launch:
found DLL in pak file: /home/user/.steam/steamapps/common/Prey 2006/base/game01.pk4/gamex86.so
copy gamex86.so to /home/user/.prey/base/gamex86.so
dlopen '/home/user/.prey/base/gamex86.so' failed: /home/user/.prey/base/gamex86.so: failed to map segment from shared object
|
as suggested by @rusty-snake
in addition blacklist/noblacklist/whitelist songrec application files
|
Add songrec
It is a Rust application using Cargo, so harden based on common supply
chain attacks seen.
https://github.com/marin-m/SongRec
|
* add opera-developer to firecfg
* add opera-developer
* fix typo
* add configs for opera-developer
* Create opera-developer.profile
* fixes for opera-developer
* fix for opera-developer
|
* harden opera-beta
* harden opera
|
* geary fixes
* comment ipc-namespace
|
* Add support for changing appearance of the Qt6 apps with qt6ct
* Remove qt5ct artifact from zeal.profile
* Remove qt5ct artifact from bibletime.profile
|
qbittorrent.profile: fix data directory location
|
wireshark.profile: Add dac_read_search to caps.keep
On Gentoo Linux, /usr/bin/dumpcap requires dac_read_search
instead of dac_override.
|
firejail.config: add warning about allow-tray
According to #4053, there is currently no safe (in the sense of not
allowing to escape the sandbox) implementation of
`org.kde.StatusNotifierWatcher`, but it is required by multiple programs
for tray functionality. Users may not be aware of this (for example,
see #4508), so add a warning about it.
Note: allow-tray was added on commit c86cae2d0 ("Add new condition
ALLOW_TRAY", 2021-09-04) / PR #4510.
|
Improve dino.profile.
|
* drop private-dev from wireshark.profile
* add comment about private-dev in wireshark.profile
Add a comment as suggested in https://github.com/netblue30/firejail/pull/4958#issuecomment-1044732769.
|
* Create onionshare.profile
* Create onionshare-cli.profile
* add onionshare redirects to firecfg.config
|
Having `read-only /tmp` yields the following:
$ man ls
[...]
man: /usr/share/man/man1/ls.1.gz: SYSERR: mkstemp: /tmp/man.XXXXxxxxxx: Read-only file system
[...]
It also causes the pager (e.g.: less(1)) to not be called, which means
that the entire man page is just printed all at once on the terminal.
Environment: mandoc 1.14.6-1 on Artix Linux.
Fixes #4927.
Reported-by: @hyder365
|
0319fbd enabled whitelisting in /usr/share for iridium but wusc
was still ignored, causing iridium to crash.
Fixes #4917
|
keepassx: restore nou2f
I could not find anything to confirm that keepassx supports hardware
keys. And as mentioned by @rusty-snake[1]:
> The yubikey support in kpxc seems to be based on
> https://github.com/kylemanna/keepassx /
> https://github.com/keepassx/keepassx/pull/52
> which was never merged. For me it looks like kpx never got official
> support for it.
>
> keepass seems to support hw keys (via plugin).
Also of note is the PR that added yubikey support to keepassxc:
https://github.com/keepassxreboot/keepassxc/pull/127
This partially reverts commit 09ac1a73e ("keepass*: remove nou2f",
2022-02-05) / PR #4903. See also commit 91b04172b ("keepass*: fix typo
in private-dev note", 2022-02-06).
Closes #4883.
[1] https://github.com/netblue30/firejail/issues/4883#issuecomment-1031172309
|
s/nou2f/private-dev/
This amends commit 8a718ff4a ("keepass*: note that private-dev blocks
access to new hardware keys", 2022-02-05).
|
Which may be surprising to some users (see #4883).
Fixes #4883.
|