path: root/etc
Commit message (author, date); indented entries are the commits of the branch merged by the preceding merge commit

* electron-cash: use new private-etc syntax (glitsj16, 2024-02-19)

* Merge pull request #6211 from glitsj16/nextcloud-fix (glitsj16, 2024-02-19)
    nextcloud: D-Bus filtering changes
  * nextcloud: fix the comment link to the wiki FAQ (glitsj16, 2024-02-16)
  * nextcloud: edit dbus comment as requested in review (glitsj16, 2024-02-16)
  * nextcloud: harden D-Bus filtering (glitsj16, 2024-02-16)

* Merge pull request #6181 from haplo/electron-cash (glitsj16, 2024-02-19)
    Profile for Electron Cash
  * Blacklist ~/.electron-cash in disable-programs.inc (Fidel Ramos, 2024-01-31)
  * electron-cash.profile (Fidel Ramos, 2024-01-30)

* Merge pull request #6180 from haplo/rawtherapee (glitsj16, 2024-02-19)
    Profile for RawTherapee
  * rawtherapee.profile (Fidel Ramos, 2024-01-31)

* Merge pull request #6201 from glitsj16/gnome-keyring-fixes (glitsj16, 2024-02-08)
    gnome-keyring: harden and add gnome-keyring-daemon.profile
  * Create gnome-keyring-daemon.profile (glitsj16, 2024-02-08)
      And use it as the base for the existing gnome-keyring.profile.
  * gnome-keyring: harden and remove quiet (glitsj16, 2024-02-08)

* enchant-lsmod-2: redirect to enchant-2 (#6202) (glitsj16, 2024-02-08)

* Merge pull request #6187 from kmk3/landlock-add-dev (Kelvin M. Klann, 2024-02-05)
    landlock: split .special into .makeipc and .makedev
  * landlock: split .special into .makeipc and .makedev (Kelvin M. Klann, 2024-02-02)
      As discussed with @topimiettinen[1], it is unlikely that an unprivileged
      process would need to directly create block or character devices.
      Also, `landlock.special` is not very descriptive of what it allows.

      So split `landlock.special` into:

      * `landlock.makeipc`: allow creating named pipes and sockets (which are
        usually used for inter-process communication)
      * `landlock.makedev`: allow creating block and character devices

      Misc: The `makedev` name is based on `nodev` from mount(8), which makes
      mount not interpret block and character devices. `ipc` was suggested by
      @rusty-snake[2].

      Relates to #6078.

      [1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
      [2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294

* geeqie.profile: allow Lua interpreter (#6183) (Fidel Ramos, 2024-02-03)
    Recent versions of geeqie[1] use a Lua interpreter, like the one currently
    in Arch Linux (2.2). Without this fix it fails with:

    /usr/bin/geeqie: error while loading shared libraries: liblua.so.5.4: [...]

    [1] https://www.geeqie.org/

* crawl.profile: allow lua (#6182) (luca0N!, 2024-02-02)
    Add common Lua include to crawl.profile (Dungeon Crawl Stone Soup) to allow
    Lua libraries, as both the ncurses and tiles executables are dynamically
    linked to Lua.

* tesseract.profile: add quiet (#6173) (Kelvin M. Klann, 2024-01-31)
    Tesseract is a CLI program and its output may be parsed by other programs
    (such as `ocrmypdf`). Including messages from firejail in the output may
    break the parsing, so remove them.

    Fixes #6171.

    Reported-by: @kmille

* profiles: add profiles for gtk youtube viewers symlinks (#6154) (pirate486743186, 2024-01-19)
    Committer note: For each profile there is both XXX-gtk and gtk-XXX (such
    as lbry-viewer-gtk and gtk-lbry-viewer).

    XXX-gtk is the symlink
    gtk-XXX is the actual file

    Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>

* lobster.profile: allow basename (#6155) (pirate486743186, 2024-01-19)
    Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>

* profiles: use only /usr/share/lua* (#6150) (Kelvin M. Klann, 2024-01-08)
    To ensure that it includes luajit paths as well:

    * /usr/share/lua
    * /usr/share/luajit-2.1

    And remove all entries of the same path without the wildcard, to avoid
    redundancy.

    Misc: The wildcard entries were added on commit 56b60dfd0 ("additional Lua
    blacklisting (#3246)", 2020-02-24) and the entries without the wildcard
    were partially removed on commit 721a984a5 ("Fix Lua in
    disable-interpreters.inc", 2020-02-24).

    This is a follow-up to #6128.

    Reported-by: @pirate486743186

* disable-devel.inc: deduplicate g++ and gcc entries (Kelvin M. Klann, 2024-01-05)
    Added on commit 2d8ff695a ("WIP: Blacklist common programming
    interpreters. (#1837)", 2018-04-02).

* man: allow Perl (#6143) (glitsj16, 2024-01-04)
    gropdf (`man -Tpdf`) needs Perl (see #6142).

* Merge pull request #6128 from pirate486743186/master (netblue30, 2023-12-21)
    mpv: whitelist /usr/share/mpv
  * mpv: whitelist /usr/share/mpv (pirate486743186, 2023-12-13)
      Use case: You install scripts in `/usr/share/mpv` but they remain
      inactive. You then symlink them to `/etc/mpv` to activate them if you
      want.

* Merge pull request #6125 from kmk3/landlock-enforce (netblue30, 2023-12-21)
    landlock: move commands into profile and add landlock.enforce
  * landlock: move commands into profile and add landlock.enforce (Kelvin M. Klann, 2023-12-11)
      Changes:

      * Move commands from --landlock and --landlock.proc= into
        etc/inc/landlock-common.inc
      * Remove --landlock and --landlock.proc=
      * Add --landlock.enforce

      Instead of hard-coding the default commands (and having a separate
      command just for /proc), move them into a dedicated profile to make it
      easier for users to interact with the entries (view, copy, add ignore
      entries, etc).

      Only enforce the Landlock commands if --landlock.enforce is supplied.
      This allows safely adding Landlock commands to (upstream) profiles while
      keeping their enforcement opt-in. It also makes it simpler to
      effectively disable all Landlock commands, by using
      `--ignore=landlock.enforce`.

      Relates to #6078.

* Merge pull request #6118 from NetSysFire/patch-4 (netblue30, 2023-12-21)
    minecraft-launcher.profile: allow keyring access
  * Use dbus-user filter (NetSysFire, 2023-12-08)
  * Update minecraft-launcher.profile (NetSysFire, 2023-12-07)

* obs.profile: allow lua (#6131) (Kelvin M. Klann, 2023-12-14)
    Some plugins may require it[1]:

    error: os_dlopen([...]): libluajit-5.1.so.2: [...]: Permission denied
    warning: Module '/usr//lib/obs-plugins/frontend-tools.so' not loaded

    [1] https://github.com/netblue30/firejail/issues/6130#issue-2040800338

* curl: add support for ~/.config/curlrc (#6120) (glitsj16, 2023-12-11)
    curl supports several locations for the rc file according to its man page:

    [...]
    When curl is invoked, it (unless -q, --disable is used) checks for a
    default config file and uses it if found, even when -K, --config is used.
    The default config file is checked for in the following places in this
    order:

    1) "$CURL_HOME/.curlrc"
    2) "$XDG_CONFIG_HOME/curlrc" (Added in 7.73.0)
    3) "$HOME/.curlrc"
    [...]

* steam.profile: Allow Project Zomboid (#6117) (archaon616, 2023-12-11)

* fractal.profile: allow /usr/share/fractal (Kelvin M. Klann, 2023-12-11)
    This fixes Fractal 5 not opening on Void Linux due to it failing to access
    "/usr/share/fractal/resources.gresource".

    Fixes #6119.

    Reported-by: @mhmdana
    Suggested-by: @rusty-snake

* lutris.profile: allow mangohud (Kelvin M. Klann, 2023-11-27)
    Similarly to steam.profile (see #4864).

    Fixes #6106.

* lutris.profile: fix seccomp arguments (Kelvin M. Klann, 2023-11-25)
    I accidentally removed the `!` when sorting the arguments in #6067.

    This amends commit fbba03790 ("lutris.profile: allow more syscalls",
    2023-10-24) / PR #6067.

* Merge pull request #6070 from kmk3/sort-py-csort (netblue30, 2023-11-24)
    build: sort.py: use case-sensitive sorting
  * build: sort.py: use case-sensitive sorting (Kelvin M. Klann, 2023-10-27)
      To match how things are sorted elsewhere, such as with `noblacklist` /
      `whitelist` lines (vertically) in profiles and in
      ci/check/profiles/sort-disable-programs.sh and src/etc-cleanup/main.c.

      This makes the order in `private-etc` always be groups (`@group`), then
      uppercase paths, then lowercase paths.

      Example from etc/profile-m-z/softmaker-common.profile:

      private-etc @tls-ca,SoftMaker,fstab

      Note that this does not affect a significant amount of profiles; most
      changes are in `private-bin` / `private-lib` lines and in `private-etc`
      lines for newer profiles that do not use groups.

      This is partly due to commit 5d0822c52 ("private-etc: big profile
      changes", 2023-02-05) replacing `X11` with `@x11` in `private-etc` lines
      and then commit 0f996ea4d ("private-etc: groups modified", 2023-02-05)
      removing `Trolltech.conf` from `private-etc` lines and using
      case-sensitive sorting in them.

      Relates to #5610.

* Merge pull request #6067 from nutta-git/patch-2 (netblue30, 2023-11-24)
    lutris.profile: allow more syscalls
  * lutris.profile: allow more syscalls (duevo, 2023-11-01)
      Need to whitelist `ptrace` and `clone3` for Ubisoft Connect to work.

      journalctl did list `process_vm_readv` when a game was running, but it
      didn't crash the game.

      Fixes #6035.

* Merge pull request #6066 from nutta-git/patch-1 (netblue30, 2023-11-24)
    steam.profile: allow process_vm_readv syscall
  * steam.profile: allow process_vm_readv syscall (duevo, 2023-10-31)
      EA Origin (game launcher) won't launch without this.

      See https://github.com/netblue30/firejail/issues/5185#issuecomment-1776516159

* profiles: whitelist alternative data directory for tesseract (Reiner Herrmann, 2023-11-18)
    on Debian the data is in /usr/share/tesseract-ocr/

* New profile: tiny-rdm (#6083) (glitsj16, 2023-11-11)
    * disable-programs.inc: add support for tiny-rdm
    * Create tiny-rdm.profile
    * firecfg.config: add support for tiny-rdm

* clamtk: fix scanning (#6074) (glitsj16, 2023-11-02)

* freshclam: fix .local include (#6075) (glitsj16, 2023-11-02)

* discord.profile: allow /usr/share/discord (#6072) (veloute, 2023-10-29)
    discord_arch_electron[1] stores its files in /usr/share/discord, rather
    than the usual /opt/discord.

    [1] https://aur.archlinux.org/packages/discord_arch_electron

* profiles: Extend node stack support for pnpm (#6063) (glitsj16, 2023-10-24)
    * nodejs-common: add pnpm support
    * disable-programs.inc: add pnpm support
    * Create pnpm.profile
    * Create pnpx.profile

* disable-programs.inc: remove duplicated entries (Kelvin M. Klann, 2023-10-24)
    They are already present in disable-common.inc.

    Added in the following commits:

    * 6bf6d5ed5 ("updated program files", 2016-12-02) / PR #951
    * 49280197c ("various hardening (#3394)", 2020-05-02)
    * 2e2c2327f ("profiles: support more msmtp configuration paths (#6060)", 2023-10-22)

    Misc: This was noticed on PR #6060.
| | | | | | | | | | | | | | | | | | | | | | | | | | They are already present in disable-common.inc. Added in the following commits: * 6bf6d5ed5 ("updated program files", 2016-12-02) / PR #951 * 49280197c ("various hardening (#3394)", 2020-05-02) * 2e2c2327f ("profiles: support more msmtp configuration paths (#6060)", 2023-10-22) Misc: This was noticed on PR #6060.