path: root/etc
Commit message | Author | Age
* profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#6479) | Kelvin M. Klann | 9 days

    Based on the report by @Saren-Arterius[1]:

    Since GNOME gvfs 1.53+, the ssh client options `ControlMaster=auto` and
    `ControlPath=/run/user/$UID/gvfsd-sftp/%C` are used to mount sftp.
    Since `/run/user/$UID/gvfsd-sftp` is not whitelisted, gvfs sftp mount
    with nautilus will fail with a meaningless error message shown in the
    UI.

    Steps to reproduce[1]:

    Prepare ssh server or localhost, then run:

        ssh -o"ForwardX11 no" -o"ForwardAgent no" \
            -o"PermitLocalCommand no" -o"ClearAllForwardings yes" \
            -o"NoHostAuthenticationForLocalhost yes" \
            -o"ControlMaster auto" \
            -o"ControlPath=/run/user/${UID}/gvfsd-sftp/test" \
            -s {SSH_HOST} sftp

    stderr shows:

        unix_listener: cannot bind to path /run/user/$UID/gvfsd-sftp/test.{RANDOM_STRING}: No such file or directory

    And ssh exits with error code 255.

    Fixes #5816.

    [1] https://github.com/netblue30/firejail/issues/5816#issue-1695295931

    Reported-by: @Saren-Arterius
    Suggested-by: @Saren-Arterius
    Reported-by: @Alex-Farol
    Reported-by: @mirko
* profiles: ssh: sort entries | Kelvin M. Klann | 12 days

    Related commits:

    * 4747e0ed7 ("Whitelist runuser common (#3286)", 2020-03-31)
    * ebd4b3eea ("profiles: ssh: allow gpgagent socket for custom homedir (#6419)", 2024-08-07)
* profiles: nextcloud: fix access to ~/Nextcloud (#6478) | Kelvin M. Klann | 12 days

    Related commits:

    * 7c481eb43 ("Add QOwnNotes profile", 2018-10-20)
    * 49a381c70 ("Add nextcloud-desktop", 2021-02-20) / PR #3997

    Fixes #5877.

    Reported-by: @Sadoon-AlBader
* profiles: nextcloud: sort entries | Kelvin M. Klann | 14 days

    Relates to #3997.
* profiles: wesnoth: allow lua (#6476) | Kelvin M. Klann | 14 days

    Fixes the following error:

        $ LC_ALL=C firejail /usr/bin/wesnoth
        [...]
        /usr/bin/wesnoth: error while loading shared libraries: liblua++.so.5.4: cannot open shared object file: Permission denied

    Environment: lua 5.4.7-1, wesnoth 1:1.18.2-2 on Arch Linux.

    Fixes #6475.

    Reported-by: @marek22k
* profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6473) | Kelvin M. Klann | 2024-09-13

    It appears that LibreWolf 129 uses `io.gitlab.firefox.*` as the dbus
    name.

    Commands used to check the dbus name:

        $ busctl --user --no-legend | grep -v '^:' | grep librewolf | sed -E 's/(^[^ ]+\.)[^. ]+ .*/\1/'
        io.gitlab.firefox.

    Commands used to test dbus communication:

        # Open a new browser instance:
        $ firejail --name=lwtest --ignore=name --ignore='dbus-user none' \
            --dbus-user=filter --dbus-user.own='io.gitlab.firefox.*' \
            --private --net=none --ignore=net /usr/bin/librewolf
        # In another shell, try to open a new tab:
        $ firejail --join=lwtest /usr/bin/librewolf --new-tab about:blank
        # Check that the new tab was opened

    Related commits:

    * c3f299620 ("Let programs outside librewolf sandbox open new tabs in librewolf (#4546)", 2021-09-19)
    * a8ad9cad1 ("Update librewolf.profile: use new message bus", 2022-02-03) / PR #4897
    * 4211ee323 ("merges", 2022-02-04)

    Fixes #6413.

    Misc: This was noticed on #6444.

    Reported-by: @Lonniebiz
* profiles: evolution: add /tmp/evolution-* & disable private-tmp (#6469) | Kelvin M. Klann | 2024-09-13

    These paths are apparently used for attachments.

    Disable private-tmp to make it easier to open attachments with external
    programs.

    Relates to #5101.

    Reported-by: @githlp
    Suggested-by: @rusty-snake
* profiles: video: add ~/.dvdcss (#6468) | Kelvin M. Klann | 2024-09-13

    It's used by libdvdcss (which is used to play copy-restricted dvds).

    It seems to be just a cache directory, so just allow without mkdir.

    Relates to #5391.

    Suggested-by: @reinerh
* profiles: bitwarden: improvements and new bitwarden-desktop redirect (#6443) | glitsj16 | 2024-08-27

    Changes:

    - Allow shell access (bitwarden-desktop may be a shell script)
    - Enable whitelist-usr-share-common.inc
    - Introduce a new redirect for bitwarden-desktop
    - Add the new redirect to firecfg

    Relates to #6442.
* profiles: zoom: allow ~/Documents/Zoom (#4290) | Caleb McCombs | 2024-08-25

    By default, Zoom records meetings to ~/Documents/Zoom. Add that folder
    to the whitelist so that future users don't lose their meeting
    recordings upon shutting Zoom down.

    Fixes #4006.
* profiles: firefox-common: fix private-etc in includers (#6435) | Kelvin M. Klann | 2024-08-19

    It was enabled in firefox-common.inc on commit 34d004892 ("private-etc:
    corss-distro test for curl, gimp, inkscape, firefox, warzone2100",
    2023-01-28), but not in the profiles that include it.

    Enable it in the including profiles as well.

    Note: This was already done for firefox.profile on commit 76249284f
    ("firefox: fix private-etc firefox", 2023-06-02) / PR #5844.

    Relates to #6400.
* profiles: ssh: allow gpgagent socket for custom homedir (#6419) | ayham | 2024-08-07

    If a custom GPG homedir is used, a hash of its path is used in the path
    of the gpg agent socket[1].

    For example, when running:

        gpgconf --list-dirs agent-ssh-socket

    With a custom homedir it returns:

        /run/user/1000/gnupg/<hashed homedir>/S.gpg-agent.ssh

    Environment: gnupg 2.4.5-4 on Arch Linux.

    [1] https://github.com/gpg/gnupg/blob/91532dc3f40599b74fff489cb021c0cd3344ae60/common/homedir.c#L1342
* profiles: blacklist sway IPC socket (#6429) | Felix Pehla | 2024-08-07

    Much like the i3 IPC socket (#6361), the sway IPC socket also allows
    arbitrary code execution via the `exec` subcommand. Access should only
    be permitted to sway itself by default.

    The location of the IPC socket is set in sway/ipc-server.c:
    https://github.com/swaywm/sway/blob/7e74a4914261cf32c45017521960adf7ff6dac8f/sway/ipc-server.c#L126
* profiles: element-desktop: allow /usr/share/element (#6424) | Kelvin M. Klann | 2024-07-29

    This path is apparently needed on openSUSE Tumbleweed[1]:

        $ LC_ALL=C firejail /usr/bin/element-desktop
        [...]
        Error launching app
        Unable to find Electron app at /usr/share/element/app
        Cannot find module '/usr/share/element/app'
        Parent is shutting down, bye...

    Fixes #6421.

    [1] https://software.opensuse.org/package/element-desktop

    Reported-by: @leukimi
* New profile: dtui (#6422) | glitsj16 | 2024-07-28

    Description: TUI for introspecting the state of the system/session dbus.

    https://github.com/Troels51/dtui
    https://aur.archlinux.org/packages/dtui

    Relates to #6420.
* profiles: refactor dbus debugger profiles (#6420) | glitsj16 | 2024-07-27

    There are a lot of common options in the `d-feet` and `d-spy` profiles.
    Create a new common include file and refactor the existing profiles as
    redirects.

    Relates to #2492 #6328.
* profiles: bijiben: update webkit var and disable in firecfg (#6418) | glitsj16 | 2024-07-27

    The current `bijiben.profile` sets an environment variable to disable
    its internal webkit/bubblewrap sandbox but now a different variable
    needs to be set[1]:

        WEBKIT_FORCE_SANDBOX no longer allows disabling the sandbox.
        Use WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 instead.

    This may be needed to make the profile work, but disabling the sandbox
    affects the security in webkit[2], so update the variable and disable
    bijiben by default in firecfg.config.

    Note: Upstream replaced bijiben by gnome-notes[3] [4].

    Relates to #2995.

    [1] https://github.com/WebKit/WebKit/blob/0678a98c864ee36f0114ea4e7d303fd07788a822/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp#L117
    [2] https://github.com/netblue30/firejail/issues/2995
    [3] https://archlinux.org/packages/extra/x86_64/gnome-notes/
    [4] https://wiki.gnome.org/Apps/Notes
* profiles: okular: fix "Print to PDF" (#6408) | Gabriel | 2024-07-20

    Add `ps2pdf` to private-bin.

    Fixes #6402.
* feature: add notpm command & keep tpm devices in private-dev (#6390) | qdii | 2024-07-09

    An ssh private key may be stored in a Trusted Platform Module (TPM)
    device and `private-dev` in ssh.profile currently breaks this use-case,
    as it does not keep tpm devices (see #6379).

    So add a new `notpm` command and keep tpm devices in /dev by default
    with `private-dev` unless `notpm` is used.
* profiles: fractal: add ~/.local/share/fractal (#6392) | Felix Pehla | 2024-06-29

    Fractal 7 (and possibly earlier) stores messages and key material in
    ${XDG_DATA_DIR}/fractal which defaults to ~/.local/share/fractal.

    Lack of access causes it to be unable to load messages offline and
    de- or encrypt messages even when online without sharing keys again.
* profiles: claws-mail: add ~/.cache/claws-mail (#6378) | glitsj16 | 2024-06-27

    It is apparently used by the (widely used) "Fancy" plugin, which
    "Renders HTML e-mail using the WebKit library".

    https://www.claws-mail.org/plugins.php

    Relates to #6377.

    Note: etc/profile-a-l/email-common.profile contains `private-cache`.
* modif: keep /sys/module/nvidia* if prop driver and no no3d (#6387) | Kelvin M. Klann | 2024-06-25

    It has been reported in #6372 that after upgrading the nvidia
    proprietary driver from version 550.78 to 550.90.07, programs using
    hardware acceleration fail unless paths in `/sys/module/nvidia*` are
    accessible.

    Example:

        $ firejail --noprofile prime-run /bin/glxdemo
        [...]
        X Error of failed request: BadValue (integer parameter out of range for operation)
          Major opcode of failed request: 150 (GLX)
          Minor opcode of failed request: 3 (X_GLXCreateContext)
          Value in failed request: 0x0
          Serial number of failed request: 22
          Current serial number in output stream: 23
        [...]

    Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
    `/sys/module/amdgpu` for OpenCL (though it is unclear how to detect
    that driver). See commit 95c8e284d ("Allow accessing /sys/module
    directory", 2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by
    Blender", 2018-05-08) from PR #1932.

    So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
    driver is detected and `no3d` is not used.

    Note: The driver check is copied from src/firejail/util.c (see #841).

    To keep the current behavior (that is, block all modules), add
    `blacklist /sys/module` to globals.local.

    Fixes #6372.

    Reported-by: @GreatBigWhiteWorld
    Reported-by: @orzogc
    Reported-by: @krop
    Reported-by: @michelesr
    Suggested-by: @glitsj16
    Tested-by: @flyxyz123
* profiles: claws-mail: note no3d issue with "fancy" plugin (#6383) | Dieter Plaetinck | 2024-06-14

    Fixes #6377.
* profiles: email-common: fix trailing whitespace | Dieter Plaetinck | 2024-06-14

    Added on commit 2453f0ecf ("email-common.profile: allow clamav plugin
    for claws-mail", 2023-03-07) / PR #5719.
* profiles: hashcat: support newer configuration paths (#6376) | glitsj16 | 2024-06-11

    Relates to #6364.
* profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361) | Shahriar Heidrich | 2024-06-08

    This closes the escape route discussed in #6357. It's left open for
    i3's own profile, so that people who run i3 itself sandboxed still have
    the option to use IPC with it at all.

    Reference for file paths:
    https://i3wm.org/docs/userguide.html#_interprocess_communication
* New profile: armcord (#6365) | glitsj16 | 2024-06-06

    Description: Standalone Discord client.

    https://armcord.app/
    https://github.com/NextWork123/ArmCord

    Requested in https://github.com/netblue30/firejail/issues/1139#issuecomment-2140174880.
* profiles: libreoffice: support signing documents with GPG (#6353) | glitsj16 | 2024-05-24

    Based on the entries in etc/profile-m-z/makepkg.profile.

    This fixes #6352.
* profiles: streamline Firefox URL opening support (#6348) | glitsj16 | 2024-05-20

    Changes:

    * Improve Firefox D-Bus comment
    * Add missing/standardize related comments
    * Include allow-bin-sh.inc in relevant profiles
    * Use Firefox URL open section in relevant profiles
* profiles: yelp: add Firefox URL open support (#6349) | glitsj16 | 2024-05-20
* New profile: nhex (#6341) | glitsj16 | 2024-05-17

    Description: Tauri-based IRC client inspired by HexChat.

    https://nhexirc.com/
    https://github.com/nhexirc/nhex
* profiles: hexchat: add noprinters (#6340) | glitsj16 | 2024-05-14
* profiles: steam: update novideo comment for webcam motion trackers (#6334) | duevo | 2024-05-12

    Update comment to account for camera-based motion trackers.

    Fixes an issue with https://github.com/markx86/opentrack-launcher,
    where video input devices won't show up unless novideo is removed.
* profiles: loupe: harden and disable apparmor (#6333) | Kelvin M. Klann | 2024-05-12

    The profile currently does not include disable-common nor makes
    `${HOME}` read-only, so the program can simply write to ~/.bashrc
    directly[1].

    disable-common.inc was commented due to it apparently breaking bwrap.
    As discovered by @glitsj16, it seems that allowing the bwrap binary is
    enough to make it work (and that apparmor breaks loupe)[2].

    So disable apparmor, allow bwrap and include disable-common.inc, plus
    other hardening by @glitsj16.

    This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) /
    PR #6327.

    [1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865
    [2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480
* profiles: hexchat: allow lua/downloads and harden (#6331) | glitsj16 | 2024-05-07

    * profiles: hexchat: hardenings

    * profiles: hexchat: allow lua/downloads and harden

    Allow more paths and add some extra options to harden the profile.

    We allow Perl but keep it out of private-bin. Do the same for Lua and
    clarify in the private-bin comment how to enable these interpreters.

    Consulted resources:

    - https://github.com/hexchat/hexchat/
    - https://hexchat.readthedocs.io/
* New profile: d-spy (#6328) | glitsj16 | 2024-05-02

    Description: D-Bus debugger for GNOME

    https://gitlab.gnome.org/GNOME/d-spy

    From [1]:

    > D-Feet is no longer maintained. Please use d-spy

    [1] https://wiki.gnome.org/Apps/DFeet
* profiles: add loupe | Tavi | 2024-05-01

    Signed-off-by: Tavi <tavi@divested.dev>
* profiles: fix new game profiles | Kelvin M. Klann | 2024-04-29

    Fix sorting and improve comments.

    See etc/templates/profile.template.

    This amends commit 4c5f55899 ("several kids programs", 2024-04-29).
* several kids programs | netblue30 | 2024-04-29
* whitelisting /var/games by default | netblue30 | 2024-04-28
* profiles: fluffychat: remove option already present in disable-common.inc (#6322) | glitsj16 | 2024-04-25
* profiles: audacity: allow networking by default (#6321) | glitsj16 | 2024-04-25

    Newly-released audacity 3.5 supports cloud-saving and remote backup
    features:

    - https://www.audacityteam.org/blog/audacity-3-5/
    - https://support.audacityteam.org/additional-resources/changelog/audacity-3.5#cloud-project-saving
* profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6309) | tools200ms | 2024-04-20

    The path is used in the Gentoo net-misc/openssh package (9.6_p1-r3).

    Fixes #6308.
* New profile: axel (#6315) | glitsj16 | 2024-04-20

    https://github.com/axel-download-accelerator/axel
* profiles: mov-cli: remove ffmpeg & allow more paths (#6304) | pirate486743186 | 2024-04-11

    Changes:

    * Remove ffmpeg from private-bin
    * Allow download folder
    * It needs an editor to allow editing the config, so I put in nano; sh
      and uname are used for launching nano

    Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
* profiles: clarify and add opengl-game to profile.template (#6300) | Kelvin M. Klann | 2024-04-05

    To make it consistent with the other include profiles.

    See etc/templates/profile.template.

    With this, all `etc/inc/allow-*` files are listed in profile.template.

    The explanation is based on a comment by @rusty-snake[1].

    Relates to #4071.

    This is a follow-up to #6299.

    [1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473
* profiles: add allow-php.inc to profile.template (#6299) | Kelvin M. Klann | 2024-04-03

    To make it consistent with the other include profiles.

    See etc/templates/profile.template.

    Note: It is not currently included in any profile. Added on commit
    89f30f1f2 ("Create allow-php.inc", 2020-01-25).

    This is a follow-up to #6298.
* profiles: add allow-nodejs.inc to profile.template (#6298) | Kelvin M. Klann | 2024-03-30

    To make it consistent with the other include profiles.

    See etc/templates/profile.template.

    Relates to #3866 #5881.
* pkglog: hardening (x11) (#6292) | glitsj16 | 2024-03-27
* New profile: gh (GitHub CLI) (#6293) | glitsj16 | 2024-03-27

    Description: GitHub's official command-line tool.

    https://github.com/cli/cli