path: root/etc
Commit message    Author    Age
...
| * Update firejail-default    slowpeek    2022-04-02
      Allow access to avahi-daemon socket in the apparmor profile.
* | Fix chromium browsers in firejail 0.9.68    rusty-snake    2022-04-14
      closes #4965
* | fix --writable-etc    netblue30    2022-04-12
* | small fixes    netblue30    2022-04-10
* | Merge pull request #5092 from smitsohu/vlc    smitsohu    2022-04-10
      harden vlc
| * | harden vlc    smitsohu    2022-04-10
      apparmor doesn't disable D-Bus anymore, so add it back
      remove memory-deny-write-execute comment, as this also breaks JIT compiled QtQuick nowadays
* | libvirt dnsmasq: more fixes (#5089)    smitsohu    2022-04-10
      following up ce6f792efd0af09b95050864b71f79c46359fa49
      /var/lib/libvirt is blacklisted in disable-common.inc so merely whitelisting the directory is not enough
* | harden dnsmasq    smitsohu    2022-04-10
      private option implies private-cache, so it is safe to remove
* | libvirt dnsmasq fix (#5089)    smitsohu    2022-04-10
* | unbound: fixes, blacklist all of ${RUNUSER}    smitsohu    2022-04-10
* | steam: add HotLine Miami (#5097)    Kelvin M. Klann    2022-04-08
      https://store.steampowered.com/app/219150/Hotline_Miami/
* | more snap blacklisting (#5093)    smitsohu    2022-04-04
* teams: drop doubled option (#5087)    glitsj16    2022-04-01
* Merge pull request #5077 from kmk3/dc-add-pkcs11    netblue30    2022-03-29
      disable-common.inc: make ~/.config/pkcs11 read-only
| * disable-common.inc: make ~/.config/pkcs11 read-only    Kelvin M. Klann    2022-03-27
      It looks like it allows arbitrary command execution.

      From pkcs11.conf(5):

      > remote:
      > Instead of loading the PKCS#11 module locally, run the module
      > remotely.
      >
      > Specify a command to run, prefixed with | a pipe. The command
      > must speak the p11-kit remoting protocol on its standard in
      > and standard out. For example:
      >
      > remote: |ssh user@remote p11-kit remote /path/to/module.so
      >
      > Other forms of remoting will appear in later p11-kit releases.

      Environment: p11-kit 0.24.1-1 on Artix Linux.

      Currently this entry only exists on whitelist-common.inc, added on commit f74cfd07c ("add p11-kit support - #1646").

      With this commit applied, all read-only entries on whitelist-common.inc are also part of disable-common.inc.

      See also the discussion on #5069.
* | Merge pull request #5071 from kmk3/add-appimage-dir    netblue30    2022-03-29
      appimage: blacklist and make ~/Applications dir read-only
| * disable-programs.inc: blacklist ~/Applications dir    Kelvin M. Klann    2022-03-24
      It is used for storing AppImages.

      Note that even when blacklisting a directory, it is possible to execute an AppImage from it. For example, the following works:

          firejail --noprofile --blacklist='${HOME}/Applications' --appimage \
              ~/Applications/foo.AppImage

      While the resulting process does not appear to have access to the blacklisted directory.
| * disable-common.inc: make ~/Applications dir read-only    Kelvin M. Klann    2022-03-24
      This directory is monitored by both appimaged[1] and AppImageLauncher[2].

      Also, when opening an AppImage with AppImageLauncher, it may prompt the user to move the AppImage to ~/Applications.

      [1] https://github.com/AppImage/appimaged/blob/2323f1825ed6abe19f2d3791d81307449692be03/README.md#monitored-directories
      [2] https://github.com/TheAssassin/AppImageLauncher/wiki/Configuration
* | megaglest.profile: Add allow-lua.inc (#5066)    NetSysFire    2022-03-25
      * megaglest.profile: Add allow-lua.inc
      * Move comment to line above
* | Fix Hugin profile. (#5072)    Jose Riha    2022-03-25
      Fixes #5068.
* Merge pull request #5061 from glitsj16/ping-fixes    netblue30    2022-03-24
      ping: (extra) hardening
| * ping: fix hardening comment    glitsj16    2022-03-21
| * Create ping-hardened.inc.profile    glitsj16    2022-03-21
| * ping: extra hardening    glitsj16    2022-03-21
* | nodejs-common: fix note    glitsj16    2022-03-21
* | Create semver.profile    glitsj16    2022-03-20
* | Create npx.profile    glitsj16    2022-03-20
* | Create node-gyp.profile    glitsj16    2022-03-20
* | nodejs-common: add comment & minor hardening    glitsj16    2022-03-20
* | wget: add nvm support comment    glitsj16    2022-03-20
* | webui-aria2: add nvm support    glitsj16    2022-03-20
* | webstorm: fix ordering    glitsj16    2022-03-20
* | tar: add nvm support comment    glitsj16    2022-03-20
* | sha256sum: add nvm support comment    glitsj16    2022-03-20
* | nvm: remove profile    glitsj16    2022-03-20
      [nvm](https://github.com/nvm-sh/nvm) is implemented as a sourced shell function, not an executable binary. Regular sandboxing doesn't work but we can add nvm support to the applications used by it internally (curl, sha256sum, tar & wget).
* | curl: add nvm support comment    glitsj16    2022-03-20
* | allow-nodejs.inc: add nvm support    glitsj16    2022-03-20
* ocenaudio hardening (#5056)    glitsj16    2022-03-18
      * ocenaudio: blacklist cache dir
      * ocenaudio: hardenings
      * ocenaudio: fix protocol comment
* cmake: fix local override & wusc (#5054)    glitsj16    2022-03-16
      * cmake: fix local override & wusc
      * cmake: another wusc fix
* pip: fixes (#5053)    glitsj16    2022-03-15
      * pip: fix including local override
      * pip: allow access to cache

        The shared build-systems-common.profile (to which pip.profile redirects) blacklists ${HOME}/.cache/pip. Override that here.

      * pip: add cache support in commented whitelist
* allow-common-devel.inc: add missing java/scala paths    Kelvin M. Klann    2022-03-14
      This amends commit f32cb8393 ("Blacklist scala devel stuff", 2022-03-05) / PR #5013.

      See the following review:
      https://github.com/netblue30/firejail/pull/5013#pullrequestreview-903794958
* opera fixes (#5041)    glitsj16    2022-03-14
      * opera fixes
      * disable-common.inc: add blacklist /usr/lib/opera/opera_sandbox
* mupdf refactoring cfr. https://github.com/netblue30/firejail/discussions/4993 (#5042)    glitsj16    2022-03-14
      * refactor mupdf
      * refactor mupdf
      * refactor mupdf
      * refactor mupdf
      * add mupdf-gl blacklist
      * move history file back to mupdf-gl
      * refactor mupdf-gl
      * add no3d to mupdf.profile
      * add suggestions from review
      * drop unix from protocol [accumulates]
      * fix protocol
* minor cleanups, no functional changes (#5040)    glitsj16    2022-03-13
      * drop redundant noblacklist

        noblacklist ${HOME}/.vscode-oss already exists in included code.profile

      * remove newline

        Nitpick for persistency with other profiles that have the comment about #2624.
* hardening onionshare-gui.profile (#4959)    glitsj16    2022-03-13
      * hardening onionshare-gui.profile
      * add another dbus-user filter to onionshare-gui.profile
      * harden onionshare
* disable-programs.inc: add ~/.prey    Kelvin M. Klann    2022-03-11
      This amends commit af8f681c0 ("steam.profile: allow "${HOME}/.prey"", 2022-03-11) / PR #5029.
* Merge branch 'master' of https://github.com/netblue30/firejail    smitsohu    2022-03-11
| * Merge pull request #5013 from rusty-snake/scala    netblue30    2022-03-11
      Blacklist scala devel stuff
| | * Blacklist scala devel stuff    rusty-snake    2022-03-05
| * | Merge pull request #5017 from TheOneric/fix_steam+proton    netblue30    2022-03-11
      Fix newest Steam client and Proton ≥ 5.13