| Commit message | Author | Age |
|
Will need to support allow-debuggers in profiles before it can be enabled in firecfg
|
- At least gnome-music 3.28.2 requires 'env'
- Add 'gio-launch-desktop' and 'yelp' so launching the "Help" menu
doesn't crash the application
- Enabling the disabled private-etc tested to be working
|
hardware acceleration on Radeon cards, see issue #2106
|
hardening evince, dbus not needed
|
* created jdownloader profile
* fixed some issues
* few more changes
|
Executing from /home was supposed to be disabled by default
|
* Make clear distinction for read, write and execute.
* Don't allow write and execute at the same time.
* Simplify and improve syntax to catch more exceptions with fewer rules
|
tested on fedora-28 with pybitmessage 0.6.3.2
|
Fixes https://github.com/netblue30/firejail/issues/2087
|
This reverts commit 949a221a1b92e422e6dcb7ea6089ed5c8d5cc22a.
The 'firejail-default' is the name of 'unattached' profile not path
to it. Moreover names starting with '/' are changing profile type
back to 'standard' which in this case means we literally create
profile for the profile file itself '/etc/apparmor.d/firejail-default'.
That means firejail would never load this profile to contain any
app thus we have to revert this. For more info, see
https://www.suse.com/documentation/sles-15/singlehtml/book_security/book_security.html#sec.apparmor.profiles.types.unattached
|
Those are already covered with https://github.com/netblue30/firejail/blob/0.9.56-rc1/etc/firejail-default#L33
|
/usr/lib64 was missing from execution whitelist and it's used in openSUSE, see https://github.com/netblue30/firejail/issues/2078
|
Add descriptions to profiles
|
Blacklisting whole /sys is too restrictive, it may break various graphics stacks, see https://github.com/netblue30/firejail/issues/2080
|
- The next version of TBB is based on Firefox 60 and will need the same changes to prevent breakage
|
+ minor nitpicks to beaker.profile
|
Command: grep "private-etc none," -Ril .
|
Command: grep "crypto-policies" -iL $(grep "private-etc" -il $(grep "inet,inet6" . -Rl))
+ fixes for #2077
|
+ a fix for Totem
+ and a bit missed from 3c2a7e4c91aa030218b5ad7fa6291d16f1d51b53
|
- Adds machine-id to all profiles with 'private-etc *pulse*'
- This fixes sound under many profiles
- This is related to #2037, except this adds etc machine-id not spoofed machine-id
- Spoofed machine-id seems to break pulseaudio on some systems
- We already do this in profiles like firefox-common (see the note in it)
- pulseaudio's enable-shm set to yes or no doesn't fix this issue on systems where it occurs
- We can revert this in the future if we find a fix
- Command used:
grep -e music -e videos -e audio -e pulse -e asound -il $(grep "machine-id" -iL $(grep "private-etc" . -Rl))
|