| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
That was added on the commit e93fbf3bd ("disable ssh-agent sockets in
disable-programs.inc").
Currently, it's the only ssh-related entry on disable-programs.inc.
Further, it seems that all the other socket blacklists live on
disable-common.inc. Also, even though this socket does not necessarily
allow arbitrary command execution on the local machine (like some paths
on disable-common.inc do), it could still do so for remote systems.
Put it above the "top secret" section, like the terminal sockets are
above the terminal server section.
|
| | | | |
| | | |
| | | |
| | | | |
…open URL (after update to 0.9.64.2)
|
| | |/ /
|/| | |
|
| |\ \ \
| | | |
| | | | |
Update telegram.profile
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | | |
Optimized "include whitelist-common.inc"
|
| | | | |
| | | |
| | | | |
Allow Telegram ONLY in .TelegramDesktop, .local/share/TelegramDesktop and Downloads
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* add comment: allow python
* add comment: allow python
* reorder allow comments
* fix perl allow comment
* add comment: allow python
* add comment: allow lua, perl & python
* reorder allow comments
* add comment: allow python
* add comment: allow python
* add comment: allow lua, perl & python
* fix allow comments
* add comment: allow python
* add comment: allow python
* fix spacing in comments
* add comment: allow python
* add comment: allow python
* fix comment
* add comment: allow perl & python
* add comment: allow lua & python
* add comment: allow lua, perl & python
* fix allow comments
* add comment: allow perl & python
* streamline allow python comments
|
| | | | | |
|
| |\ \ \ \
| | | | |
| | | | | |
New profile for CoyIM
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | |_|/
| |/| | |
|
| |\ \ \ \
| | | | |
| | | | | |
Create nolocal6.net
|
| | | |/ /
| |/| | |
|
| |\ \ \ \
| | | | |
| | | | | |
Add profile for kdiff3
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| |/ / / / |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* Update vmware.profile
`private-etc` can be uncommented.
* Update vmware.profile
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* fix comment in blackbox.profile
* fix comment in fluxbox.profile
* fix comment in i3.profile
* fix comment in krunner.profile
* fix comment in openbox.profile
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* refactor google-earth{-pro} blacklisting
* fix google-earth-pro.profile
I've included all binaries found in the Arch Linux AUR package to private-bin. But I also added a note on ignoring private-bin because I'm not sure what google-earth is doing on other distro's.
* unbreak google-earth.profile
Not sure why we need grep, ls and sed in private-bin exactly but keeping them around wouldn't hurt too much I guess.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
To solve issue#3907, doc directory of the bibletime has to be
whitelisted. Otherwise, it always fails to start.
Co-authored-by: hhnb <hhnb@nanenient.cc>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* add pkglog to new profiles
* Create pkglog.profile
* Update README.md
* fix ordering in pkglog.profile
* drop extra whitespace in pkglog.profile
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| |/ / /
| | |
| | |
| | |
| | | |
hardening: wusc + wruc
fix: settings was immutable
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
/bin/sh is usually just a symlink to bash. However this is not the case
for every distro, debian for example uses dash. bash,dash and sh have a
blacklist command in disable-shell.inc. An own allow-*.inc for it
enusres usage of all necessary nolacklists.
For private-bin sh is enough because it follows symlinks.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
* newsboat: add lynx support
* newsboat: fix using sort.py
* newsboat: remove unneeded perms
|
| | | |
| | |
| | | |
Thanks @rusty-snake for [spotting](https://github.com/netblue30/firejail/commit/662ebd214b0a7874072381f5aaf3fbd322f0e460) this!
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* add new profile: qnapi
* add new profile: qnapi
* Create qnapi.profile
* add qnapi configs
* Update README.md
* Update README.md
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* new profile: shotwell
* Create shotwell.profile
* new profile: shotwell
* add shotwell blacklists
|
| | | |
| | |
| | |
| | |
| | | |
* add new profile: mdr
* Create mdr.profile
|
| | | |
| | |
| | |
| | |
| | | |
* Create agetpkg.profile
* new profile: agetpkg
|
| | |/
|/|
| |
| |
| |
| |
| | |
* Create lsar.profile
* Create unar.profile
* new profiles lsar & unar
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* add yarn & reorder
* add node-gyp & yarn files
* Create nodejs-common.profile
* Create yarn.profile
* refactor npm.profile
* add new profile: yarn
* read-only's for npm/yarn
Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
* ignore read-only's for npm
As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
* ignore read-only for yarn
As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
* remove quiet from nodejs-common.profile
quiet should go into the caller profiles instead
* add quiet to npm.profile
Thanks @rusty-snake for the review.
* re-ordering some options
* re-ordering
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Improvements to balsa,fractal,gajim,trojita
* sort
* Add gpg plugin support to gajim,remove notifications dbus from trojita
* Add dbus policy from flatpak per @rusty-snake
* Add python* to private-bin; remove some dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
| |\ \
| | |
| | | |
Whitelist Bohemia Interactive config dir for Steam
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
At least Arma 3 stores its config directory under
~/.local/share/bohemiainteractive
|
| |/ /
| |
| | |
Discord needs PulseAudio. Without it, it's unable to play any audio.
|
| | |
| |
| |
| |
| |
| |
| | |
bookmarks are saved unter $HOME/.local/share/gvfs-metadata
since evince is the primary pdf reader, a firejailed evince can't read
or write those
this commit adds instructions to enable metadata writing and reading
|
| | | |
|
| | |
| |
| |
| |
| | |
'dbus-user none' freeze openshot when clicking on open project,
'dbus-user filter' works.
|
Kelvin M. Klann
rusty-snake
Nicola Davide Mannarelli
Nicola Davide Mannarelli
glitsj16
netblue30
Nex
rootalc
Neo00001
hhzek0014
altf_four
bbhtt
SkewedZeppelin
Aidan Gauland
Nikos Chantziaras
Samtinel