path: root/src
Commit message [Author, Age]
...
* | don't run with closed standard streams [smitsohu, 2020-08-03]
| |     Ensure that all standard streams are open and we don't inadvertently print to files opened for a different reason; in general we can expect glibc to take care of this, but it doesn't cover the case where a sandbox is started by root. The added code also serves as a fallback. Unrelated: For what it's worth, shift umask call closer to main start, so it runs before lowering privileges and before anything can really go wrong.
* | Added git-cola profile (#3560) [kortewegdevries, 2020-07-30]
| |     * Added git-cola profile Initial
| |     * Edit private-etc Add alternatives,pki
| |     * Add disable-xdg
* | Add vmware profile #3526 [Neo00001, 2020-07-30]
| |
* | new profile: gnome-calendar [rusty-snake, 2020-07-30]
| |
* | add profile for sushi (#3558) [rusty-snake, 2020-07-30]
| |
* | Added lyx profile (#3556) [kortewegdevries, 2020-07-30]
| |     * Added lyx profile Initial
| |     * Removed whitelists Make home directory more accessible
* | Added minitube profile (#3555) [kortewegdevries, 2020-07-30]
| |     * Added minitube profile Initial
| |     * Second Removed no3d,added novideo
* | Added Nuclear profile (#3553) [kortewegdevries, 2020-07-30]
| |     Initial
* | Added mtpaint profile (#3550) [kortewegdevries, 2020-07-30]
| |     * Added mtpaint profile Initial
| |     * Second Remove IPC-namespace,netfilter
* | initial /home cleaning: fail gently if home directory is a FUSE mount [smitsohu, 2020-07-29]
| |
* | Merge pull request #3521 from smitsohu/join2 [smitsohu, 2020-07-29]
|\ \
| | |     integrate join(-or-start) with dbus options (partial fix)
| * | integrate join(-or-start) with dbus options [smitsohu, 2020-07-18]
| | |     update D-Bus environment variables during join, so that a joining process is able to use D-Bus, too
* | | Added minecraft-launcher profile (#3538) [kortewegdevries, 2020-07-27]
| | |     * Added minecraft-launcher-profile Initial
| | |     * Changed minecraft-launcher profile Added space,tracelog,nodvd
| | |     * Third Fixed private-etc,added notes about path,java
| | |     * Sorting
* | | Merge pull request #3547 from kortewegdevries/mtpaint [rusty-snake, 2020-07-26]
|\ \ \
| | | |     Added xfce4-screenshooter profile
| * | | Added xfce4-screenshooter profile [kortewegdevries, 2020-07-25]
| | | |     Initial,removed common blacklist,add netfilter,private-etc
* | | | Merge pull request #3502 from awelzel/ignore-sigttou-during-stdin-flush [smitsohu, 2020-07-25]
|\ \ \ \
| |/ / /
|/| | |     Ignore SIGTTOU during flush_stdin()
| * | | Ignore SIGTTOU during flush_stdin() [Arne Welzel, 2020-07-08]
| | | |     fixes #3500
* | | | add newsflash profile [rusty-snake, 2020-07-25]
| | | |
* | | | Added freetube profile (#3535) [kortewegdevries, 2020-07-23]
| | | |     * Added freetube profile Initial
| | | |     * Added freetube profile Second:drop ignore seccomp,add disable-shell See https://github.com/netblue30/firejail/pull/3535
* | | | Added cawbird profile (#3533) [kortewegdevries, 2020-07-23]
| | | |     * Added cawbird profile See https://github.com/netblue30/firejail/pull/3533 Squash commits for merging
* | | | Merge pull request #3520 from onovy/mattermost-profile [rusty-snake, 2020-07-21]
|\ \ \ \
| | | | |     Add Mattermost desktop profile
| * | | | Add Mattermost desktop profile [Ondřej Nový, 2020-07-20]
| | |/ /
| |/| |
* | | | New profile for homebank (#3525) [kortewegdevries, 2020-07-21]
| | | |     * Add files via upload New profile for homebank
| | | |     * Update etc/profile-a-l/homebank.profile Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| | | |     * Update etc/profile-a-l/homebank.profile Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| | | |     * Update homebank.profile
| | | |     * Update firecfg.config homebank added
| | | |     * Update disable-programs.inc Added blacklist.
| | | |     * Update homebank.profile Added disable-shell,removed whitelisted docs
| | | |     * Update disable-programs.inc Changed sorting
| | | |     * Update homebank.profile Changed sorting
| | | |     * Added cawbird profile Initial
| | | |     * Revert "Added cawbird profile" This reverts commit 6b045976adf62a91882236600c55926af34b6a52. Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* | | | remove pandoc from firecfg [rusty-snake, 2020-07-19]
|/ / /
| | |     I too saw some breakages with programs using it. It can still be used like this: firejail pandoc -t foo bar.tex closes #3524
* | | add element-desktop redirect profile (#3517) [glitsj16, 2020-07-16]
| | |     * Create element-desktop.profile
| | |     * add element-desktop dirs to disable-programs.inc
| | |     * add element-desktop to firecfg.config
| | |     * Update RELNOTES
* | | hardening some profiles (#3505) [rusty-snake, 2020-07-09]
|/ /
| |     * hardening some profiles
| |       - harden and fix flameshot
| |       - wruc: frogatto, ghostwriter
| |       - harden gnome-latex
| |       - add whitelist opt-in note to keepassxc
| |       - add comment to minetest
| |       - harden openarena, tremulous, xonotic
| |       - add profile for xonotic-sdl-wrapper
| |     * followup
* | Fix seccomp error action [Topi Miettinen, 2020-07-04]
| |     2345cc4 broke environment variable passing for seccomp error action for fseccomp. Closes #3488.
* | new profile: gapplication [rusty-snake, 2020-07-03]
| |
* | minor makefile fixes [netblue30, 2020-06-29]
| |
* | new profiles [rusty-snake, 2020-06-25]
| |
* | New profiles: apostrophe & quadrapassel [rusty-snake, 2020-06-11]
| |
* | Add strawberry profile (#3459) [Amin Vakil, 2020-06-11]
| |     * Add strawberry profile
| |     * Fix comment
| |     * Add to disable-programs.inc & firecfg.config
| |     * Add /home/amin/.local/share/strawberry to profile and disable-programs
| |     * Various hardening for strawberry profile Signed-off-by: Amin Vakil <info@aminvakil.com>
| |     * Change nodbus to dbus-system none in strawberry profile
| |     * Add dbus-user none to strawberry profile
| |     * Add whitelist-var-common, sort private-etc
| |     * Sort, Add wruc, Add netlink to protocol in strawberry profile
| |     * Remove dbus-user none to allow using gnome functions for various usage in strawberry profile
* | Remove double sys/prctl.h include [Fred Barclay, 2020-06-06]
| |
* | Man pages: were missing info about .profile .local resolution (#3440) [OndrejMalek, 2020-06-04]
| |     * Man pages: link to .profile resolution, urls
| |     * Man pages: firejail-profile add link to wiki profile creation
| |     * Man pages: line break, slash in path
| |     * Man pages remove space before dots
* | man: minor clarifications to man pages (#3445) [Jeff Squyres, 2020-06-04]
| |     Add verbiage to the man pages clarifying that the files/directories in the lists given to options such as --private-bin must be relative to the directory that is being limited (e.g., --private-opt requires a list of files/directories that are relative to /opt).
| |     Signed-off-by: Jeff Squyres <jeff@squyres.com>
* | firecfg: Only use fix_desktop_files automatically when run through sudo (#3382) [backspac, 2020-06-04]
| |     * firecfg: Only use fix_desktop_files when --fix is specified
| |     * firecfg: Only use fix_desktop_files automatically when run through sudo
* | Merge pull request #3406 from kris7t/dbus-proxy [Kristóf Marussy, 2020-06-01]
|\ \
| | |     DBus filtering enhancements
| * | Turn attempted DBus policy downgrade into warning (fixes #3408) [Kristóf Marussy, 2020-05-09]
| | |
| * | Documentation for new DBus options [Kristóf Marussy, 2020-05-07]
| | |
| * | Update D-Bus audit [Kristóf Marussy, 2020-05-07]
| | |     D-Bus audit is now more in line with D-Bus filtering settings:
| | |     * Checks both the DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS environment variables.
| | |     * Also checks common paths for fallback sockets in /run.
| | |     * Will report GOOD when D-Bus filtering is enabled.
| * | Add options for D-Bus logging [Kristóf Marussy, 2020-05-07]
| | |     --dbus-user.log and --dbus-system.log instruct xdg-dbus-proxy to log interactions with the session and system buses, respectively. --dbus-log= can specify the location of the log file. If no location is specified, log output is written to stdout.
| * | Add dbus-*.call and dbus-*.broadcast commands [Kristóf Marussy, 2020-05-07]
| | |     This allows setting per-member and per-object path policies for xdg-dbus-proxy.
| * | Add --dbus-*.see options [Kristóf Marussy, 2020-05-07]
| | |     The SEE policy of xdg-dbus-proxy allows clients to see objects and bus names, but not interact with them. The --call and --broadcast can allow interactions with objects that have the SEE policy set. Profile support for these proxy options will be added in a future commit.
* | | new profile: mocp (#3437) [glitsj16, 2020-05-27]
| | |     * Create mocp.profile
| | |     * add mocp support to disable-programs.inc
| | |     * add mocp support in firecfg.config
| | |     * update RELNOTES for mocp
| | |     * fix configuration access for mocp Thanks to @rusty-snake for spotting this.
* | | Add Ubuntu specific name for dino [Karoshi42, 2020-05-22]
| | |     Ubuntu packages dino as dino-im
* | | fix firejail-in-firejail test [netblue30, 2020-05-18]
| | |
* | | add new profile: plv (#3410) [glitsj16, 2020-05-11]
|/ /
| |     Also fixed a typo for new profiles: nicontine --> nicotine
| |     * add plv to firecfg
| |     * add plv to disable-programs.inc
| |     * Create plv.profile
| |     * Update plv.profile
* | Disable browser drm by default. [Lior Stern, 2020-05-01]
| |     Done to match what's stated in etc/firejail/firejail.config
* | Print status of SELinux support with --version [Topi Miettinen, 2020-04-29]
| |
* | Increase MAX_ENVS to 256 (#3386) [Topi Miettinen, 2020-04-26]
| |     Some applications like Byobu, tmux and screen like to use environment and then 100 environment variables may be too few. Closes: #3350