firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
*	hardening some profiles (#3505)	rusty-snake	2020-07-09
\| \| \| \| \| \| \| \| \| \| \| \| \|	* hardening some profiles - harden and fix flameshot - wruc: frogatto, ghostwriter - harden gnome-latex - add whitelist opt-in note to keepassxc - add comment to minetest - harden openarena, tremulous, xonotic - add profile for xonotic-sdl-wrapper * followup
*	Fix seccomp error action	Topi Miettinen	2020-07-04
\| \| \| \| \| \| \|	2345cc4 broke environment variable passing for seccomp error action for fseccomp. Closes #3488.
*	new profile: gapplication	rusty-snake	2020-07-03
\|
*	minor makefile fixes	netblue30	2020-06-29
\|
*	new profiles	rusty-snake	2020-06-25
\|
*	New profiles: apostrophe & quadrapassel	rusty-snake	2020-06-11
\|
*	Add strawberry profile (#3459)	Amin Vakil	2020-06-11
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* Add strawberry profile * Fix comment * Add to disable-programs.inc & firecfg.config * Add /home/amin/.local/share/strawberry to profile and disable-programs * Various hardening for strawberry profile Signed-off-by: Amin Vakil <info@aminvakil.com> * Change nodbus to dbus-system none in strawberry profile * Add dbus-user none to strawberry profile * Add whitelist-var-common, sort private-etc * Sort, Add wruc, Add netlink to protocol in strawberry profile * Remove dbus-user none to allow using gnome functions for various usage in strawberry profile
*	Remove double sys/prctl.h include	Fred Barclay	2020-06-06
\|
*	Man pages: were missing info about .profile .local resolution (#3440)	OndrejMalek	2020-06-04
\| \| \| \| \| \| \| \| \|	* Man pages: link to .profile resolution, urls * Man pages: firejail-profile add link to wiki profile creation * Man pages: line break, slash in path * Man pages remove space before dots
*	man: minor clarifications to man pages (#3445)	Jeff Squyres	2020-06-04
\| \| \| \| \| \| \| \|	Add verbiage to the man pages clarifying that the files/directories in the lists given to options such as --private-bin must be relative to the directory that is being limited (e.g., --private-opt requires a list of files/directories that are relative to /opt). Signed-off-by: Jeff Squyres <jeff@squyres.com>
*	firecfg: Only use fix_desktop_files automatically when run through sudo (#3382)	backspac	2020-06-04
\| \| \| \| \|	* firecfg: Only use fix_desktop_files when --fix is specified * firecfg: Only use fix_desktop_files automatically when run through sudo
*	Merge pull request #3406 from kris7t/dbus-proxy	Kristóf Marussy	2020-06-01
\|\ \| \| \| \|	DBus filtering enhancements
\| *	Turn attempted DBus policy downgrade into warning (fixes #3408)	Kristóf Marussy	2020-05-09
\| \|
\| *	Documentation for new DBus options	Kristóf Marussy	2020-05-07
\| \|
\| *	Update D-Bus audit	Kristóf Marussy	2020-05-07
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	D-Bus audit is now more in line with D-Bus filtering settings: * Checks both the DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS environment variables. * Also checks common paths for fallback sockets in /run. * Will report GOOD when D-Bus filtering is enabled.
\| *	Add options for D-Bus logging	Kristóf Marussy	2020-05-07
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	--dbus-user.log and --dbus-system.log instruct xdg-dbus-proxy to log interactions with the session and system buses, respectively. --dbus-log= can specify the location of the log file. If no location is specified, log output is written to stdout.
\| *	Add dbus-.call and dbus-.broadcast commands	Kristóf Marussy	2020-05-07
\| \| \| \| \| \| \| \| \| \|	This allows setting per-member and per-object path policies for xdg-dbus-proxy.
\| *	Add --dbus-*.see options	Kristóf Marussy	2020-05-07
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	The SEE policy of xdg-dbus-proxy allows clients to see objects and bus names, but not interact with them. The --call and --broadcast can allow interactions with objects that have the SEE policy set. Profile support for these proxy options will be added in a future commit.
* \|	new profile: mocp (#3437)	glitsj16	2020-05-27
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* Create mocp.profile * add mocp support to disable-programs.inc * add mocp support in firecfg.config * update RELNOTES for mocp * fix configuration access for mocp Thanks to @rusty-snake for spotting this.
* \|	Add Ubuntu specific name for dino	Karoshi42	2020-05-22
\| \| \| \| \| \|	Ubuntu packages dino as dino-im
* \|	fix firejail-in-firejail test	netblue30	2020-05-18
\| \|
* \|	add new profile: plv (#3410)	glitsj16	2020-05-11
\|/ \| \| \| \| \| \| \| \| \| \|	Also fixed a typo for new profiles: nicontine --> nicotine * add plv to firecfg * add plv to disable-programs.inc * Create plv.profile * Update plv.profile
*	Disable browser drm by default.	Lior Stern	2020-05-01
\| \| \| \|	Done to match whats stated in etc/firejail/firejail.config
*	Print status of SELinux support with --version	Topi Miettinen	2020-04-29
\|
*	Increase MAX_ENVS to 256 (#3386)	Topi Miettinen	2020-04-26
\| \| \| \| \| \|	Some applications like Byobu, tmux and screen like to use environment and then 100 environment variables may be too few. Closes: #3350
*	Add steam-runtime alias	backspac	2020-04-24
\|
*	fix gcc10 static analysis warning	Reiner Herrmann	2020-04-22
\|
*	fix gcc10 static analysis warning	Reiner Herrmann	2020-04-22
\|
*	selinux relabeling, little things	smitsohu	2020-04-22
\|
*	Merge pull request #3359 from abranson/arm	netblue30	2020-04-21
\|\ \| \| \| \|	32bit ARM syscall table
\| *	Add 32bit ARM syscalls	Andrew Branson	2020-04-15
\| \|
* \|	update --build	rusty-snake	2020-04-21
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The profile generated by --build are quite outdated. There are still a lot of things left to do. - fix #2150 (whitelist-common.inc is still opened from /etc/firejail) - include wusc and wvc (todo: remove whitelists in wusc/wvc from the generated profile.) - fix parsing wc / use ${HOME} macro instead of ~ - update profile headers - include all disable includes (mustly commented) in the output - reorder the filesystem section
* \|	small fixes	netblue30	2020-04-21
\| \|
* \|	resolve conflict between private and allusers options - #3185	smitsohu	2020-04-21
\| \|
* \|	relaxing symlink restrictions	smitsohu	2020-04-20
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	More liberal use of an already existing fall back path in pulseaudio.c removes issues caused by symlinks in ~/.config/pulse (issue #3351 and some others) Don't die, but print warnings during /home directory masking, so that users with a symbolic link in their home directory path can at least make it to a shell prompt (only in combination with pulseaudio fix).
* \|	private-home: create directories as the user	smitsohu	2020-04-20
\| \|
* \|	debug seccomp as the user	smitsohu	2020-04-20
\| \|
* \|	sbox: blacklist umount syscall	smitsohu	2020-04-20
\| \|
* \|	cleanup	smitsohu	2020-04-20
\| \|
* \|	Profile for jitsi-meet-desktop (#3362)	Kishore96in	2020-04-19
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* Profile for Jitsi Meet desktop app (electron) * Update description. * Correctly include global definitions. * Add jitsi-meet-desktop to firecfg. * blacklist Jitsi-meet config directory in disable-programs.inc * Disable more things. disable-exec.inc not included, as the application shows some error if I include it. * Disable more stuff. * No need to whitelist Downloads directory. I don't think this application has any file sharing / downloading feature. * Use private-bin I needed to allow the bash executable as well for this to work. * Add some whitelist rules. * Use private-cache option * include disable-exec.inc Apparently one needs to allow execution in /tmp for the program to work. * Redirect to electron.profile. * Use private-etc. * Do not whitelist Downloads directory. electron.profile does this, but I do not think this program needs it. * Rearrange whitelisted files to alphabetical order. * Move nonwhitelist to appropriate section. * Newlines as section separators.
* \|	Merge pull request #3348 from chrpinedo/profile-nicotine	rusty-snake	2020-04-17
\|\ \ \| \|/ \|/\|	Add new profile: nicotine
\| *	Add nicotine to firecfg.config	Christian Pinedo	2020-04-17
\| \|
* \|	add sthortwave (#1139) and remove gjs from firecf…	rusty-snake	2020-04-13
\| \| \| \| \| \| \| \|	…g.config (#3333).
* \|	suport mkdir and mkfile for /run/user/<PID> directory (#3346)	netblue30	2020-04-13
\|/
*	Clarify that file globbing occurs only at start	Antonio Russo	2020-04-11
\| \| \| \| \| \|	firejail can blacklist (and now also whitelist) files based on glob pattern. This pattern is evaluated at firejail start, and not updated at run time. This patch documents this behavior.
*	Fix (fatal-warnings) warning by adding braces	Topi Miettinen	2020-04-11
\|
*	Fix build with --enable-fatal-warnings	Topi Miettinen	2020-04-10
\| \| \| \|	Delete two unused variables.
*	fix example in firejail-profile.txt	glitsj16	2020-04-08
\|
*	add example for overriding individiual DBus filter to firejail-profile.txt	glitsj16	2020-04-08
\| \| \|	See discussion in https://github.com/netblue30/firejail/pull/3326.
*	fix typos in dbus-{system,user}.talk [usage.c]	glitsj16	2020-04-07
\|