aboutsummaryrefslogtreecommitdiffstats
path: root/etc
Commit message (Collapse)AuthorAge
* fixes; close #3775Libravatar rusty-snake2020-11-26
|
* make ${HOME}/.local/lib read-onlyLibravatar rusty-snake2020-11-24
|
* disable dbus in QMediathekView (#3771)Libravatar glitsj162020-11-24
|
* add gnome-shell search-provider file to firefox.profile (#3768)Libravatar glitsj162020-11-24
| | | | | | | | | * allow access to gnome-shell search-provider in firefox.profile Firefox has gnome-shell search-provider support since version 78: - https://bugzilla.mozilla.org/show_bug.cgi?id=1239694 - https://mastransky.wordpress.com/2020/09/25/firefox-gnome-shell-search-provider/ * add dbus filter for gnome-shell search-provider
* Add a profile for LutrisLibravatar Tad2020-11-23
| | | | | | | | - Lutris isn't added to firecfg just yet, needs more testing - aria2c profile has a comment regarding Lutris/Winetricks, but it shouldn't matter since it can't be nested - Add commented wusc to wine.profile - Add vulkan and zenity to wusc.inc
* reorder disable-write-mnt.incLibravatar glitsj162020-11-23
|
* drop newline after mdwe in gnome-system-log.profileLibravatar glitsj162020-11-23
|
* drop newline after mdwe in geekbench.profileLibravatar glitsj162020-11-23
|
* drop newline after mdwe in devilspie.profileLibravatar glitsj162020-11-23
|
* drop newline after mdwe in devhelp.profileLibravatar glitsj162020-11-23
|
* ordering wruc correctly in default.profileLibravatar glitsj162020-11-23
|
* Update default.profileLibravatar glitsj162020-11-23
| | | Nitpick wording + added a commented disable-shell.inc
* drop newline in cower.profileLibravatar glitsj162020-11-23
|
* disable mdweLibravatar glitsj162020-11-23
|
* harden xfce4-mixer.profileLibravatar glitsj162020-11-23
|
* Merge pull request #3766 from kris7t/runuser-fixesLibravatar netblue302020-11-22
|\ | | | | Miscellaneous whitelist-runuser-common fixes
| * Whitelist wayland-1 socketLibravatar Kristóf Marussy2020-11-22
| | | | | | | | | | | | If the GDM display manager runs with Wayland support, and it starts a desktop environment other than (?) GNOME, the desktop environment will use the `wayland-1` socket instead of the `wayland-0` socket.
| * Fix typo in thunderbird.profileLibravatar Kristóf Marussy2020-11-22
| | | | | | | | | | We must ignore include `whitelist-runuser-common.profile`, because it breaks Enigmail (TB 68) and GnuPG smartcard (TB 78) support.
* | drop deprecated pathLibravatar glitsj162020-11-22
|/ | | Cfr. https://github.com/netblue30/firejail/pull/3517#issuecomment-664715880: element-desktop no longer uses ${HOME}/.config/Element (Riot).
* minetest: Enable rm (#3764)Libravatar Liorst42020-11-21
| | | rm is needed to uninstall mods and delete game saves (worlds).
* various profilesLibravatar rusty-snake2020-11-20
| | | | | | - disable-common: read-only ${HOME}/.zfunc - fix #3761 -- w3m with w3m-img installed does not display images when on virtual console/framebuffer - yelp can be used to display manpages
* Add profile for straw-viewer (#3742)Libravatar kortewegdevries2020-11-18
| | | | | * Add profile for straw-viewer * Remove blacklist, fixes
* Merge pull request #3757 from rusty-snake/overrides2upstreamLibravatar rusty-snake2020-11-17
|\ | | | | from my overrides
| * from my overridesLibravatar rusty-snake2020-11-16
| | | | | | | | | | | | | | | | - add seccomp.block-secondary to a lot profiles - add wruc to firefox-common and ignore it in TB and firefox-common-addons - harden dia, gnome-keyring, libreoffice, megaglest, pngquant, ghostwriter, rhythmbox, sqlitebrowser
* | add read-only items for ksh and mkshLibravatar glitsj162020-11-14
| | | | | | Follow-up from discussion in https://github.com/netblue30/firejail/pull/3751.
* | disable-shell.inc: add mksh shellLibravatar Ypnose2020-11-14
| |
* | Dbus fixes (#3750)Libravatar glitsj162020-11-13
|/ | | | | * add dbus comment * disable dbus
* Add XAUTHORITY file of sddm from openSUSE Tumblew…Libravatar rusty-snake2020-11-13
| | | | …eed to wruc
* add gvfs-metadata to disable-common.incLibravatar Tad2020-11-13
| | | | - this might need to be looked into
* fix dbusLibravatar glitsj162020-11-12
| | | At least on Ubuntu 16.04 LTS we need an additional own.
* minetest.profile: whitelist /usr/share/games/minetest (#3740)Libravatar Davide Beatrici2020-11-11
| | | It's the path to the game's data in the official Debian package.
* update konsole/plasma blacklistLibravatar smitsohu2020-11-11
|
* adding /dev/mqueue to disable-exec.incLibravatar smitsohu2020-11-11
|
* add alsa/group to private-etcLibravatar glitsj162020-11-10
| | | fix for #3737.
* fix #3736Libravatar glitsj162020-11-10
| | | Added ${HOME}/.alsaequal.bin to fix #3736
* fixes, closes, enhances, improvements, and so onLibravatar rusty-snake2020-11-09
| | | | | | | | | | | | | | | | | | | - .github/ISSUE_TEMPLATE/bug_report.md: get ride off spanish, french, ... error messages - etc/inc/firefox-common-addons.inc: support ff2mpv - etc/profile-a-l/gimp.profile: note about xsane - etc/profile-m-z/min.profile: prettify - etc/profile-m-z/mpsyt.profile: fix, add lua - etc/profile-m-z/qbittorrent.profile: add note for tray-icons; this will get a better note once I investigated and audited all the D-Bus tray stuff. - etc/profile-m-z/transmission-daemon.profile: fix, add protocol packet close #3686 - mps-youtube needs lua close #3701 - Firefox native messaging regression in 0.9.62.4 -> 0.9.64rc1 close #3636 - transmission-daemon fills log with error close #3640 - Gimp - add note how to enable scanning (xsane) close #3707 - qBittorrent tray icon missing from notification panel when running it with firejail
* disable private-etc in zoom, close #3726Libravatar rusty-snake2020-11-09
|
* fix min.profileLibravatar glitsj162020-11-09
| | | As per https://github.com/netblue30/firejail/pull/3688#discussion_r511290714 min needs wusc. Runs fine with wruc too so let's fix min for users.
* rework chromium (#3688)Libravatar rusty-snake2020-11-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * rework chromium + 516d0811 has removed fundamental security features. (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep) Though this is only necessary if running under a kernel which disallow unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctk (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'. This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs. + chromium-common.profile: add private-cache + chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome. - [ ] bnox, dnox, enox, inox, snox - [ ] brave - [ ] flashpeak-slimjet - [ ] google-chrome, google-chrome-beta, google-chrome-unstable - [ ] iridium - [ ] min - [ ] opera, opera-beta + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot? + create chromium-browser-privacy.profile (closes #3633) * update 1 + add missing 'ignore whitelist /usr/share/chromium' + revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such as AAC too. In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues. * update 2 * update 3 fixes #3709
* Update linphone profile (#3734)Libravatar Dara Adib2020-11-08
| | | | linphone 4.0 changed the location of config and database files to respect freedesktop standards.
* second #3728 [skip ci]Libravatar rusty-snake2020-11-06
|
* profile fixesLibravatar rusty-snake2020-11-06
| | | | | | | | - update README.md and RELNOTES - add 'blacklist ${RUNUSER}/.flatpak-cache' to disable-common.inc - fix #3728, fonts in openSUSE KDE with wc / wusc - fix gnome-todo - fix xournalpp MathTeX whitelist
* Allow lua in minetest.profileLibravatar glitsj162020-11-03
| | | | | Closes #3723 Introduced in 388826683c3b90926e73c83ddb91d5c84a7fa1fa
* fix ${HOME}/.ssh access in filezilla.profileLibravatar glitsj162020-11-03
| | | This fixes #3722.
* Add spectacle's profile (#3717)Libravatar Neo000012020-11-02
| | | | | | | * Update firecfg.config * Update disable-programs.inc * Create spectacle.profile
* Remove nou2f in ssh profileLibravatar David Hyrule2020-11-01
|
* Allow webcam access in zoom.profileLibravatar glitsj162020-10-31
| | | This fixes #3711.
* keepassxc dbus, closes #3713 [skip ci]Libravatar rusty-snake2020-10-31
|
* firefox d-bus (#2953) & fix xournalppLibravatar rusty-snake2020-10-29
|
* added bluetooth to the list of protocols allowed by seccompLibravatar netblue302020-10-28
|
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-20 20:29:41 +0000