aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAge
* manpage: remove overlayfs from non-overlayfs buildsLibravatar startx20172020-09-02
|
* manpage: remove apparmor from non-apparor buildsLibravatar startx20172020-09-02
|
* New profile for man,psi,smuxi; fix pidgin (#3590)Libravatar kortewegdevries2020-09-02
| | | | | | | | | | | | | | | | | | | * Profile for Psi * Fix pidgin buddy icon * Profile for man * Add profile for smuxi * Comment man in firecfg * Add pinentry programs * Update etc/profile-m-z/psi.profile Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Various profiles # 2 (#3566)Libravatar kortewegdevries2020-09-02
| | | | | | | | | * Matrix clients Initial * Add profile for fractal, # 1139 * Fixes
* Various profiles (#3561)Libravatar kortewegdevries2020-09-02
| | | | | | | | | * Various profiles Initial * Various fixes # 1 Removed blacklist,no3d; added icon flatpak paths;sorting;added space
* Merge branch 'master' of https://github.com/netblue30/firejailLibravatar netblue302020-09-01
|\
| * Merge branch 'master' of https://github.com/netblue30/firejailLibravatar startx20172020-09-01
| |\
| | * #3106-1, include @mount in @default insted of all the syscallsLibravatar rusty-snake2020-09-01
| | |
| * | preprocessor for man pagesLibravatar startx20172020-09-01
| | |
| * | removed --disable-seccomp from ./configureLibravatar startx20172020-09-01
| |/
* / fshaper.sh fix (#3620)Libravatar netblue302020-09-01
|/
* shell none: avoid syscalls after seccomp_install_filtersLibravatar smitsohu2020-09-01
| | | fixes e.g. --shell=none --seccomp.drop=write --seccomp-error-action=kill
* join: move to mmapped sandbox status indicatorLibravatar smitsohu2020-08-31
| | | | | | | | | | 1) close #3612 2) remove an implicit limitation on rlimit-fsize option (could not set limit to smaller than 6 bytes without affecting the ability to join a sandbox) 3) rename 'join-or-start' file to just 'join' 4) when waiting for a sandbox that is not fully configured yet, increase polling frequency from 10 per second to 100 per second
* chroot: unify path name handlingLibravatar smitsohu2020-08-30
|
* don't attempt to set window title if stdout is not a terminalLibravatar smitsohu2020-08-28
| | | closes #3356
* private-dev: blacklist stashed syslog socket when it is not needed anymoreLibravatar smitsohu2020-08-28
| | | closes #3584
* expose pulseaudio in chroot if FIREJAIL_CHROOT_PULSE is setLibravatar smitsohu2020-08-27
| | | | issue #3568
* chroot: little tweaksLibravatar smitsohu2020-08-27
|
* mask writable pulseaudio runtime dirLibravatar smitsohu2020-08-27
| | | | ... and don't fail hard without need if there is a FUSE mount
* improve copy_fileLibravatar smitsohu2020-08-27
| | | | don't report success if read failed
* cat fixesLibravatar smitsohu2020-08-25
|
* fix --join for sandboxes with xdg-dbuss-proxyLibravatar netblue302020-08-22
|
* firemon fix for xdg-bus-proxyLibravatar netblue302020-08-22
|
* minor cleanup: move pid functions from main.c to util.cLibravatar netblue302020-08-22
|
* Merge branch 'master' of https://github.com/netblue30/firejailLibravatar netblue302020-08-22
|\
| * Merge pull request #3572 from smitsohu/dumpableLibravatar netblue302020-08-22
| |\ | | | | | | hardening: run plugins with dumpable flag cleared
| | * cleanupLibravatar smitsohu2020-08-17
| | |
| | * add dumpable warningsLibravatar smitsohu2020-08-17
| | |
| | * various x11 xorg enhancementsLibravatar smitsohu2020-08-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1) copy xauth binary into the sandbox and set mode to 0711, so it runs with cleared dumpable flag for unprivileged users 2) run xauth in an sbox sandbox 3) generate Xauthority file in runtime directory instead of /tmp; this way xauth is able to connect to the X11 socket even if the abstract socket doesn't exist, for example because a new network namespace was instantiated
| * | harden cat optionLibravatar smitsohu2020-08-20
| | |
| * | Merge branch 'master' into lsLibravatar smitsohu2020-08-19
| |\ \
| * | | cat optionLibravatar smitsohu2020-08-19
| | | |
| * | | drop system(3) calls from sandbox.cLibravatar smitsohu2020-08-19
| | | |
| * | | refactor ls.c and prepare for new --cat optionLibravatar smitsohu2020-08-19
| | |/ | |/|
* | | cleaning up POSTMORTEM codeLibravatar netblue302020-08-22
| |/ |/|
* | Merge pull request #3559 from smitsohu/smitsohu-bandwidthLibravatar smitsohu2020-08-14
|\ \ | | | | | | harden bandwidth command
| * | harden bandwidth commandLibravatar smitsohu2020-07-14
| | | | | | | | | add extra checks to defend against command injection (respective strings are controlled by Firejail, so this should be redundant and only for the paranoid), run shell in a minimal sandbox
* | | print errno if char device creation failsLibravatar Reiner Herrmann2020-08-14
| | | | | | | | | | | | on Ubuntu autopkgtest runs on armhf, /dev/zero creation fails.
* | | shutdown option hidepid fixLibravatar smitsohu2020-08-13
| | |
* | | Merge pull request #3569 from topimiettinen/seccomp-logLibravatar startx20172020-08-12
|\ \ \ | | | | | | | | seccomp: logging
| * | | seccomp: loggingLibravatar Topi Miettinen2020-08-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow `log` as an alternative seccomp error action instead of killing or returning an errno code. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* | | | Added youtube-viewer profile with Gtk frontends (#3542)Libravatar kortewegdevries2020-08-11
| | | | | | | | | | | | | | | | | | | | Initial,amend: wrong dir,delete gtk-*,added new files Co-authored-by: kortewegdevries <k0rtic_dv@aol.com>
* | | | chroot: expose x11 session if FIREJAIL_CHROOT_X11 is setLibravatar smitsohu2020-08-10
| | | | | | | | | | | | | | | | add check so that environment variable FIREJAIL_CHROOT_X11 can be used to mount /tmp/.X11-unix into the chroot; issue #3568
* | | | mount sandbox lib directory ro,nosuid,nodevLibravatar smitsohu2020-08-08
| | | |
* | | | fix for older compilers (gcc 4.9.2, Debian 8)Libravatar netblue302020-08-08
| | | |
* | | | annotate some functions as non-returning (#3574)Libravatar Reiner Herrmann2020-08-08
| |_|/ |/| |
* | | firejail: don't pass command line through shell when redirecting outputLibravatar Reiner Herrmann2020-08-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When redirecting output via --output or --output-stderr, firejail was concatenating all command line arguments into a single string that was passed to a shell. As the arguments were no longer escaped, the shell was able to interpret them. Someone who has control over the command line arguments of the sandboxed application could use this to run arbitrary other commands. Instead of passing it through a shell for piping the output to ftee, the pipeline is now manually created and the processes are executed directly. Fixes: CVE-2020-17368 Reported-by: Tim Starling <tstarling@wikimedia.org>
* | | firejail: don't interpret output arguments after end-of-options tagLibravatar Reiner Herrmann2020-08-06
|/ / | | | | | | | | | | | | | | | | | | | | Firejail was parsing --output and --output-stderr options even after the end-of-options separator ("--"), which would allow someone who has control over command line options of the sandboxed application, to write data to a specified file. Fixes: CVE-2020-17367 Reported-by: Tim Starling <tstarling@wikimedia.org>
* | Support to ingore a include foobar.incLibravatar rusty-snake2020-08-04
| | | | | | | | closes #1139
* | Add profile for otter-browser (#3564)Libravatar kortewegdevries2020-08-04
| | | | | | | | | | | | | | * Add profile for otter-browser Initial * private-bin,sorting
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-01 19:54:01 +0000