| Commit message (Collapse) | Author | Age |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If `less` is sandboxed, then we get a similar message to below
when calling `man <anything>`
Error clone: main.c:2743 main: Operation not permitted
man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$-R MAN_PN=grep(1) less
See also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899143
https://github.com/netblue30/firejail/issues/1856
Noticed on Debian 10, firejail 0.9.63
|
|\
| |
| | |
Simple sanity checks for arguments and environment
|
| |
| |
| |
| |
| | |
Restrict number of program arguments and their length as well as
number of environment variables and their length.
|
| | |
|
|/ |
|
| |
|
|
|
|
|
|
|
| |
- fix description
- add gnome-klotski, five-or-more, swell-foop
[skip ci]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- blobwars
- gravity-beams-and-evaporating-stars
- hyperrogue
- jumpnbump-menu (alias)
- jumpnbump
- magicor
- mindless
- mirrormagic
- mrrescue
- scorched3d-wrapper (alias)
- scorchwentbonkers
- seahorse-adventures
- wordwarvi
- xbill
|
| |
|
| |
|
|\ |
|
| |\
| | |
| | | |
Preserve CFLAGS given to configure in common.mk.in
|
| | | |
|
|/ / |
|
| | |
|
| | |
|
| | |
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
| |
- four-in-a-row
- gnome-mahjongg
- gnome-robots
- gnome-sudoku
- gnome-taquin
- gnome-tetravex
harden gnome-chess
|
|\
| |
| | |
Create ferdi.profile
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|/
|
|
|
| |
Since target addresses for other (conditional) jumps are in hex, it's
very confusing to have one jump address in decimal.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rules for xdg-dbus-proxy:
dbus-user filter
dbus-user.own org.gnome.Pomodoro
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.Shell
dbus-system none
dbus-user filter
dbus-user.own org.gnome.Todo
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
dbus-user.talk org.gnome.evolution.dataserver.Calendar8
dbus-user.talk org.gnome.evolution.dataserver.Sources5
dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
dbus-user.talk org.gnome.OnlineAccounts
dbus-user.talk org.gnome.SettingsDaemon.Color
dbus-system filter
dbus-system.talk org.freedesktop.login1
dbus-user filter
dbus.own com.github.dahenson.agenda
dbus.talk ca.desrt.dconf
dbus-system block
|
| |
|
|\
| |
| |
| |
| | |
dmfreemon/add-name-or-private-dir-to-xpra-window-title
add name or private directory being used to the window title when xpra is being used
|
| | |
|
| |
| |
| |
| | |
when xpra is being used
|
| | |
|
| | |
|
| | |
|
| | |
|
|\ \
| | |
| | | |
new condition: HAS_NOSOUND
|
| | | |
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
patch for xdg-dbus-proxy
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -45,3 +45,8 @@ private-bin gnome-screenshot
private-dev
private-etc dconf,fonts,gtk-3.0,localtime,machine-id
private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system block
```
patch for whitelist-runuser-common.inc
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
include whitelist-var-common.inc
apparmor
```
|
| |
| |
| |
| | |
previous commit 3d35c039074cc11fbacf8de5bc8cb1a0952ceae4
issue #3277
|
| |
| |
| | |
issue #3277
|
|\ \
| |/
|/| |
remount hardening: move to file descriptor based mounts
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
add AppArmor confinement to processes started with --join and,
more importantly, --join-or-start
|
| | |
|
| |
| |
| |
| | |
blacklist process_vm_readv and process_vm_writev
while we're at it also remove duplicate iopl blacklisting
|
|/ |
|