| Commit message (Collapse) | Author | Age |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Create links-common.profile
* Update links.profile
* Create links2.profile
* Update links.profile
* Update links2.profile
* Update elinks.profile
* Update elinks.profile
* links2
* Update firecfg.config
* Update xlinks.profile
* .xlinks
* add dbus and whitelist-usr-share-common
* .xlinks doesn't exist
* revert
* Create xlinks2
* xlinks2
* Update xlinks2
* Update xlinks.profile
* no wayland
* no wayland
* doesn't use /tmp/.X11-unix
* doesn't use /tmp/.X11-unix
* noblacklist /tmp/.X11-unix
* noblacklist /tmp/.X11-unix
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Create youtube-viewers-common.profile
* reorganising youtube viewers
* rm globals
* reorganise youtube viewers
* adding pipe-viewer
* adding gtk-pipe-viewer
* xterm and youtube-dl cache
* sort
* Update youtube-viewers-common.profile
* quiet
* quiet
* quiet
* Update firecfg.config
* rm vlc
* rm invalid binary
* noinput
* rm whitelist-runuser-common.inc
* rm whitelist-runuser-common.inc
* rm whitelist-runuser-common.inc
* whitelist-runuser-common.inc
|
|\
| |
| | |
Refine appimage example in docs
|
| | |
|
| | |
|
|/ |
|
| |
|
|
|
|
|
|
|
|
| |
sandboxes can race to create RUN_RO_FILE in shared memory
similiar to #1013
regression from 825ac9cdc38c4285584e69d6f29102b149914dfe
|
|\
| |
| | |
Whitelist2 follow-up
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
besides some cosmetic tweaks, fixes --whitelist=/a/b
where /a/b is a symbolic link to /a/c/d
and c is the user home directory: create
path as user and not as root.
(going forward, a better and more comprehensive fix
would be to prevent all mount point traversals in
whitelist_mkpath, but it will take a bit of time
to implement)
|
| | |
|
| | |
|
| | |
|
| | |
|
|\ \
| | |
| | | |
Try to fix #2310 -- Can't create run directory without suid-root
|
| | | |
|
|\ \ \
| | |/
| |/| |
Whitelist2
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
|\ \ \
| | | |
| | | | |
rename noautopulse to keep-config-pulse
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Changes:
* add the keep-config-pulse option
* make noautopulse an alias for keep-config-pulse
* deprecate the noautopulse option
* misc: fix indentation of --keep-dev-shm on src/firejail/usage.c
Even though noautopulse is not intended for hardening, it looks like it
is, because it starts with "no", just like no3d, noroot, etc). In fact,
it is the only "no" option that differs in such a way.
And it has been accidentally misused as such before; see PR #4269 and
commit e4beaeaa8 ("drop noautopulse from agetpkg").
So effectively rename it to keep-config-pulse in order to avoid
confusion. This is similar to the keep-var-tmp and keep-dev-shm
options, which are used to "leave a path alone", just like noautopulse.
Note: The changes on this patch are based on the ones from commit
617ff40c9 ("add --noautopulse arg for complex pulse setups") / PR #1854.
See #4269 for the discussion.
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Cosmetics, align RUN_UTMP_FILE open flags
with others in 825ac9cdc38c4285584e69d6f29102b149914dfe
Fix fslogger
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Dumb patch that adds O_CLOEXEC to all open/fopen
calls, even where it is obviously pointless.
While at it, also add O_EXCL where it might be
considered useful, for example to clear Coverity
warnings, or on files that subsequently are used
to configure a join sandbox.
Pure defense in depth, this patch should have no
observable effects.
|
|/ / / |
|
| | |
| | |
| | |
| | | |
See #4274
|
| | |
| | |
| | |
| | | |
Subdirs for private-etc has been implemented since 6ebe8925.
|
| | |
| | |
| | |
| | | |
~/.config/pulse directory unchanged
|
| |/
|/| |
|
| | |
|
| | |
|
|\ \
| | |
| | |
| | |
| | | |
davidebeatrici/private-dev-input-support-and-noinput-option
Map /dev/input with "--private-dev", add "--no-input" option to disable it
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
By default only joystick devices ("/dev/input/js*") can be accessed.
At least, that's the case on Debian: the other entries have more restrictive permissions.
The original owner and group are "root" and "input", respectively.
However, until we have granular input control options, allowing access to joysticks only is better than nothing.
$ ls -l /dev
total 0
lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 cdrom -> /dev/sr0
lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 cdrw -> /dev/sr0
drwxr-xr-x 3 nobody nogroup 100 22 apr 19.18 dri
lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 dvd -> /dev/sr0
lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 dvdrw -> /dev/sr0
lrwxrwxrwx 1 nobody nogroup 13 23 apr 07.22 fd -> /proc/self/fd
crw-rw-rw- 1 nobody nogroup 1, 7 23 apr 07.22 full
crw-rw----+ 1 nobody nogroup 244, 0 22 apr 19.18 hidraw0
crw-rw----+ 1 nobody nogroup 244, 1 22 apr 19.18 hidraw1
crw-rw----+ 1 nobody nogroup 244, 2 22 apr 19.18 hidraw2
crw-rw----+ 1 nobody nogroup 244, 3 22 apr 19.18 hidraw3
crw-rw----+ 1 nobody nogroup 244, 4 22 apr 19.18 hidraw4
crw-rw----+ 1 nobody nogroup 244, 5 22 apr 19.18 hidraw5
drwxr-xr-x 4 nobody nogroup 760 23 apr 07.22 input
srw-rw-rw- 1 nobody nogroup 0 22 apr 19.18 log
crw-rw-rw- 1 nobody nogroup 1, 3 23 apr 07.22 null
lrwxrwxrwx 1 nobody nogroup 13 23 apr 07.22 ptmx -> /dev/pts/ptmx
drwxr-xr-x 2 nobody nogroup 0 23 apr 07.22 pts
crw-rw-rw- 1 nobody nogroup 1, 8 23 apr 07.22 random
drwxrwxrwt 2 nobody nogroup 40 23 apr 07.22 shm
drwxr-xr-x 4 nobody nogroup 500 22 apr 19.18 snd
brw-rw----+ 1 nobody nogroup 11, 0 23 apr 00.24 sr0
lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stdout -> /proc/self/fd/1
crw-rw-rw- 1 nobody nogroup 5, 0 23 apr 07.22 tty
crw-rw-rw- 1 nobody nogroup 1, 9 23 apr 07.22 urandom
drwxr-xr-x 2 nobody nogroup 120 22 apr 19.18 usb
crw-rw----+ 1 nobody video 81, 0 22 apr 19.18 video0
crw-rw----+ 1 nobody video 81, 1 22 apr 19.18 video1
crw-rw----+ 1 nobody video 81, 2 22 apr 19.18 video2
crw-rw----+ 1 nobody video 81, 3 22 apr 19.18 video3
crw-rw-rw- 1 nobody nogroup 1, 5 23 apr 07.22 zero
$ ls -l /dev/input
total 0
drwxr-xr-x 2 nobody nogroup 280 23 apr 07.22 by-id
drwxr-xr-x 2 nobody nogroup 300 23 apr 07.22 by-path
crw-rw---- 1 nobody nogroup 13, 64 22 apr 19.18 event0
crw-rw---- 1 nobody nogroup 13, 65 22 apr 19.18 event1
crw-rw---- 1 nobody nogroup 13, 74 22 apr 19.18 event10
crw-rw---- 1 nobody nogroup 13, 75 22 apr 19.18 event11
crw-rw---- 1 nobody nogroup 13, 76 22 apr 19.18 event12
crw-rw---- 1 nobody nogroup 13, 77 22 apr 19.18 event13
crw-rw---- 1 nobody nogroup 13, 78 22 apr 19.18 event14
crw-rw---- 1 nobody nogroup 13, 79 22 apr 19.18 event15
crw-rw---- 1 nobody nogroup 13, 80 22 apr 19.18 event16
crw-rw---- 1 nobody nogroup 13, 81 22 apr 19.18 event17
crw-rw---- 1 nobody nogroup 13, 82 22 apr 19.18 event18
crw-rw---- 1 nobody nogroup 13, 83 22 apr 19.18 event19
crw-rw---- 1 nobody nogroup 13, 66 22 apr 19.18 event2
crw-rw---- 1 nobody nogroup 13, 84 22 apr 19.18 event20
crw-rw---- 1 nobody nogroup 13, 85 22 apr 19.18 event21
crw-rw---- 1 nobody nogroup 13, 86 22 apr 19.18 event22
crw-rw---- 1 nobody nogroup 13, 87 22 apr 19.18 event23
crw-rw---- 1 nobody nogroup 13, 88 22 apr 19.18 event24
crw-rw---- 1 nobody nogroup 13, 89 22 apr 19.18 event25
crw-rw---- 1 nobody nogroup 13, 90 22 apr 19.18 event26
crw-rw---- 1 nobody nogroup 13, 91 22 apr 19.18 event27
crw-rw----+ 1 nobody nogroup 13, 92 23 apr 07.22 event28
crw-rw---- 1 nobody nogroup 13, 67 22 apr 19.18 event3
crw-rw---- 1 nobody nogroup 13, 68 22 apr 19.18 event4
crw-rw---- 1 nobody nogroup 13, 69 22 apr 19.18 event5
crw-rw---- 1 nobody nogroup 13, 70 22 apr 19.18 event6
crw-rw---- 1 nobody nogroup 13, 71 22 apr 19.18 event7
crw-rw---- 1 nobody nogroup 13, 72 22 apr 19.18 event8
crw-rw---- 1 nobody nogroup 13, 73 22 apr 19.18 event9
crw-rw-r-- 1 nobody nogroup 13, 0 22 apr 19.18 js0
crw-rw-r--+ 1 nobody nogroup 13, 1 23 apr 07.22 js1
crw-rw---- 1 nobody nogroup 13, 63 22 apr 19.18 mice
crw-rw---- 1 nobody nogroup 13, 32 22 apr 19.18 mouse0
crw-rw---- 1 nobody nogroup 13, 33 22 apr 19.18 mouse1
$ ls -l /dev/input/by-id
total 0
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-event-if01 -> ../event9
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-event-kbd -> ../event8
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-BY_Tech_Usb-if01-event-kbd -> ../event11
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-BY_Tech_Usb-if01-event-mouse -> ../event12
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-if01-mouse -> ../mouse1
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-event-if01 -> ../event5
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-event-mouse -> ../event2
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-if01-event-kbd -> ../event3
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-mouse -> ../mouse0
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-Sonix_Technology_Co.__Ltd._H264_USB_Camera_SN0001-event-if00 -> ../event27
lrwxrwxrwx 1 nobody nogroup 10 23 apr 07.22 usb-ZEROPLUS_Controller_3136303033313032354246323543-event-joystick -> ../event28
lrwxrwxrwx 1 nobody nogroup 6 23 apr 07.22 usb-ZEROPLUS_Controller_3136303033313032354246323543-joystick -> ../js1
$ ls -l /dev/input/by-path
total 0
lrwxrwxrwx 1 nobody nogroup 10 23 apr 07.22 pci-0000:05:00.1-usb-0:6.1:1.0-event-joystick -> ../event28
lrwxrwxrwx 1 nobody nogroup 6 23 apr 07.22 pci-0000:05:00.1-usb-0:6.1:1.0-joystick -> ../js1
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.0-event-mouse -> ../event2
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.0-mouse -> ../mouse0
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.1-event -> ../event5
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.1-event-kbd -> ../event3
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.0-event-kbd -> ../event8
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event -> ../event9
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event-kbd -> ../event11
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event-mouse -> ../event12
lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-mouse -> ../mouse1
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:0c:00.3-usb-0:4:1.0-event -> ../event27
lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 platform-pcspkr-event-spkr -> ../event13
|
|\ \
| | |
| | | |
New profile for neochat
|
| | | |
|
|\ \ \
| | | |
| | | | |
Add support for subdirs in private-etc
|
| |/ / |
|
|\ \ \
| | | |
| | | | |
man: corrections regarding --private-FOO options
|