summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAge
* allow --interface only to root user for --enable-network=restrictedLibravatar netblue302016-02-24
|
* x11 workLibravatar netblue302016-02-24
|
* Merge branch 'master' of https://github.com/netblue30/firejailLibravatar netblue302016-02-24
|\
| * Merge pull request #319 from yumkam/network-restrictedLibravatar netblue302016-02-24
| |\ | | | | | | Add compile-time option to restrict --net= to root only
| | * Add compile-time option to restrict --net= to root onlyLibravatar Yuriy M. Kaminskiy2016-02-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ./configure --enable-network=restricted allows only --net=none to non-root users. Other variants delegate too much power to non-root users and dangerous (it completely bypasses system-wide firewall and routing, it allows introducing arbitrary-chosen MAC and IP interfaces on LAN [disregarding DHCP policy], etc). Root already had power to twiddle with anything, so no sense to restrain her, and --net=none looks safe enough (and still useful) for ordinary users.
| * | man/firejail.txt: note you don't need --ip6= with SLAACLibravatar Yuriy M. Kaminskiy2016-02-23
| |/
* / x11 workLibravatar netblue302016-02-23
|/
* x11 workLibravatar netblue302016-02-23
|
* small fixesLibravatar netblue302016-02-21
|
* fixesLibravatar netblue302016-02-20
|
* testingLibravatar netblue302016-02-20
|
* euid switchingLibravatar netblue302016-02-19
|
* euid switchingLibravatar netblue302016-02-19
|
* moved sandbox name to /run/firejail/name/<PID>Libravatar netblue302016-02-19
|
* euid switchingLibravatar netblue302016-02-18
|
* added mkdir in all whitelisted profilesLibravatar netblue302016-02-18
|
* mkdir support in profile filesLibravatar netblue302016-02-17
|
* centos7 fixes; support for building rpm packagesLibravatar netblue302016-02-16
|
* fix pathLibravatar netblue302016-02-15
|
* centos6 fixLibravatar netblue302016-02-15
|
* manpage fixLibravatar netblue302016-02-14
|
* Merge pull request #293 from reinerh/masterLibravatar netblue302016-02-14
|\ | | | | Fix memory leak
| * Fix memory leakLibravatar Reiner Herrmann2016-02-13
| |
* | small fixesLibravatar netblue302016-02-14
| |
* | --trace fixLibravatar netblue302016-02-13
| |
* | --trace fixLibravatar netblue302016-02-13
|/
* seccomp fixesLibravatar netblue302016-02-12
|
* set sandbox nice valueLibravatar netblue302016-02-11
|
* Merge pull request #289 from manevich/patch-2Libravatar netblue302016-02-10
|\ | | | | Fix problem with relative path in storage_find function
| * Fix problem with relative path in storage_find functionLibravatar Aleksey Manevich2016-02-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | storage_find function fails on relative path, so nothing reported to log when blacklisted file accessed by relative path. This is because CWD is NULL when realpath function called. How to reproduce: touch /home/user/somefile firejail --blacklist=somefile --tracelog cat somefile Solution: keep CWD value and set it before calling realpath. In order to do this: * new wrapper for chdir call, and variable to keep CWD added. * storage_find modified to chdir before calling realpath function. * order of storage_find and orig_* calls in syscall wrappers changed, to prevent error set by calls in storage_find leak outside. * condition for calling realpath changed to include double-slash and path without initial slash.
* | STUN/WebRTC disabled in default netfilter configurationLibravatar netblue302016-02-10
|/
* fixed man firejail-profileLibravatar netblue302016-02-09
|
* isolate command name problemLibravatar netblue302016-02-08
|
* whitelist fixLibravatar netblue302016-02-08
|
* fixed whitelist problemLibravatar netblue302016-02-08
|
* set window titleLibravatar netblue302016-02-08
|
* default seccomp filter updateLibravatar netblue302016-02-08
|
* 0.9.38 testingLibravatar netblue302016-02-02
|
* 0.9.38 testingLibravatar netblue302016-02-01
|
* deprecated --private-home featureLibravatar netblue302016-02-01
|
* various fixesLibravatar netblue302016-01-31
|
* various fixesLibravatar netblue302016-01-31
|
* fixed ssh login in firejail shellLibravatar netblue302016-01-31
|
* TyposLibravatar Martin Carpenter2016-01-30
|
* 0.9.38-rc1 testingLibravatar netblue302016-01-29
|
* Merge pull request #269 from mcarpenter/sa_family_tLibravatar netblue302016-01-29
|\ | | | | Include <sys/socket.h> for sa_family_t (RHEL 6.6)
| * Include <sys/socket.h> for sa_family_t (RHEL 6.6)Libravatar Martin Carpenter2016-01-29
| |
* | Fix for systems that don't have CAP_SYSLOGLibravatar Martin Carpenter2016-01-29
|/ | | | | | | CAP_SYSLOG was retroactively split from CAP_SYSADMIN (Linux kernel commit ce6ada35bdf710d16582cc4869c26722547e6f11). Existing supported systems might not yet have this commit (eg RHEL 6.6) in which case compilation fails.
* the first protocol list requested takes precedenceLibravatar netblue302016-01-28
|
* don't allow --chroot as user without seccomp supportLibravatar netblue302016-01-26
|
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-09-06 07:42:06 +0000