| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
| |
closes #4965
|
| | |
|
| | |
|
| |\
| |
| | |
harden vlc
|
| | |
| |
| |
| |
| | |
apparmor doesn't disable D-Bus anymore, so add it back
remove memory-deny-write-execute comment, as this also breaks JIT compiled QtQuick nowadays
|
| | |
| |
| |
| |
| |
| |
| | |
following up ce6f792efd0af09b95050864b71f79c46359fa49
/var/lib/libvirt is blacklisted in disable-common.inc
so merely whitelisting the directory is not enough
|
| | |
| |
| |
| |
| | |
private option implies private-cache,
so it is safe to remove
|
| | | |
|
| | | |
|
| | |
| |
| | |
https://store.steampowered.com/app/219150/Hotline_Miami/
|
| |/ |
|
| | |
|
| |\
| |
| | |
disable-common.inc: make ~/.config/pkcs11 read-only
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It looks like it allows arbitrary command execution. From
pkcs11.conf(5):
> remote:
> Instead of loading the PKCS#11 module locally, run the module
> remotely.
>
> Specify a command to run, prefixed with | a pipe. The command
> must speak the p11-kit remoting protocol on its standard in
> and standard out. For example:
>
> remote: |ssh user@remote p11-kit remote /path/to/module.so
>
> Other forms of remoting will appear in later p11-kit releases.
Environment: p11-kit 0.24.1-1 on Artix Linux.
Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").
With this commit applied, all read-only entries on whitelist-commons.inc
are also part of disable-common.inc.
See also the discussion on #5069.
|
| |\ \
| |/
|/| |
appimage: blacklist and make ~/Applications dir read-only
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It is used for storing AppImages.
Note that even when blacklisting a directory, it is possible to execute
an AppImage from it. For example, the following works:
firejail --noprofile --blacklist='${HOME}/Applications' --appimage \
~/Applications/foo.AppImage
While the resulting process does not appear to have access to the
blacklisted directory.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This directory is monitored by both appimaged[1] and
AppImageLauncher[2]. Also, when opening an AppImage with
AppImageLauncher, it may prompt the user to move the AppImage to
~/Applications.
[1] https://github.com/AppImage/appimaged/blob/2323f1825ed6abe19f2d3791d81307449692be03/README.md#monitored-directories
[2] https://github.com/TheAssassin/AppImageLauncher/wiki/Configuration
|
| | |
| |
| |
| |
| | |
* megaglest.profile: Add allow-lua.inc
* Move comment to line above
|
| |/
|
| |
Fixes #5068.
|
| |\
| |
| | |
ping: (extra) hardening
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| | |
[nvm](https://github.com/nvm-sh/nvm) is implemented as a sourced shell function, not an executable binary. Regular sandboxing doesn't work but we can add nvm support to the applications used by it internally (curl, sha256sum, tar & wget).
|
| | | |
|
| |/ |
|
| |
|
|
|
|
|
| |
* ocenaudio: blacklist cache dir
* ocenaudio: hardenings
* ocenaudio: fix protocol comment
|
| |
|
|
|
| |
* cmake: fix local override & wusc
* cmake: another wusc fix
|
| |
|
|
|
|
|
|
|
| |
* pip: fix including local override
* pip: allow access to cache
The shared build-systems-common.profile (to which pip.profile redirects) blacklists ${HOME}/.cache/pip. Override that here.
* pip: add cache support in commented whitelist
|
| |
|
|
|
|
|
|
| |
This amends commit f32cb8393 ("Blacklist scala devel stuff", 2022-03-05)
/ PR #5013.
See the following review:
https://github.com/netblue30/firejail/pull/5013#pullrequestreview-903794958
|
| |
|
|
|
| |
* opera fixes
* disable-common.inc: add blacklist /usr/lib/opera/opera_sandbox
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://github.com/netblue30/firejail/discussions/4993 (#5042)
* refactor mupdf
* refactor mupdf
* refactor mupdf
* refactor mupdf
* add mupdf-gl blacklist
* move history file back to mupdf-gl
* refactor mupdf-gl
* add no3d to mupdf.profile
* add suggestions from review
* drop unix from protocol [accumulates]
* fix protocol
|
| |
|
|
|
|
|
|
|
| |
* drop redundant noblacklist
noblacklist ${HOME}/.vscode-oss already exists in included code.profile
* remove newline
Nitpick for persistency with other profiles that have the comment about #2624.
|
| |
|
|
|
|
|
| |
* hardening onionshare-gui.profile
* add another dbus-user filter to onionshare-gui.profile
* harden onionshare
|
| |
|
|
|
| |
This amends commit af8f681c0 ("steam.profile: allow "${HOME}/.prey"",
2022-03-11) / PR #5029.
|
| |\ |
|
| | |\
| | |
| | | |
Blacklist scala devel stuff
|
| | | | |
|
| | |\ \
| | | |
| | | | |
Fix newest Steam client and Proton ≥ 5.13
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
After the Steam cleint update of the 04th March 2022
the steamwebhelper process now needs to be able to do chroot
syscalls to render anything. If not all content tabs in the client will
just appear black.
fixes: https://github.com/netblue30/firejail/issues/5014
|
rusty-snake
netblue30
smitsohu
Kelvin M. Klann
glitsj16
NetSysFire
Jose Riha
Oneric