| Commit message (Collapse) | Author | Age |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Also fixed a typo for new profiles: nicontine --> nicotine
* add plv to firecfg
* add plv to disable-programs.inc
* Create plv.profile
* Update plv.profile
|
|
|
|
| |
Done to match whats stated in etc/firejail/firejail.config
|
| |
|
|
|
|
|
|
| |
Some applications like Byobu, tmux and screen like to use environment
and then 100 environment variables may be too few.
Closes: #3350
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
32bit ARM syscall table
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The profile generated by --build are quite outdated. There are still a
lot of things left to do.
- fix #2150 (whitelist-common.inc is still opened from /etc/firejail)
- include wusc and wvc (todo: remove whitelists in wusc/wvc from the
generated profile.)
- fix parsing wc / use ${HOME} macro instead of ~
- update profile headers
- include all disable includes (mustly commented) in the output
- reorder the filesystem section
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
More liberal use of an already existing fall back path in pulseaudio.c
removes issues caused by symlinks in ~/.config/pulse (issue #3351 and
some others)
Don't die, but print warnings during /home directory masking,
so that users with a symbolic link in their home directory path can
at least make it to a shell prompt (only in combination with pulseaudio fix).
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Profile for Jitsi Meet desktop app (electron)
* Update description.
* Correctly include global definitions.
* Add jitsi-meet-desktop to firecfg.
* blacklist Jitsi-meet config directory in disable-programs.inc
* Disable more things.
disable-exec.inc not included, as the application shows some error if I
include it.
* Disable more stuff.
* No need to whitelist Downloads directory.
I don't think this application has any file sharing / downloading
feature.
* Use private-bin
I needed to allow the bash executable as well for this to work.
* Add some whitelist rules.
* Use private-cache option
* include disable-exec.inc
Apparently one needs to allow execution in /tmp for the program to work.
* Redirect to electron.profile.
* Use private-etc.
* Do not whitelist Downloads directory.
electron.profile does this, but I do not think this program needs it.
* Rearrange whitelisted files to alphabetical order.
* Move nonwhitelist to appropriate section.
* Newlines as section separators.
|
|\ \
| |/
|/| |
Add new profile: nicotine
|
| | |
|
| |
| |
| |
| | |
…g.config (#3333).
|
|/ |
|
|
|
|
|
|
| |
firejail can blacklist (and now also whitelist) files based on glob
pattern. This pattern is evaluated at firejail start, and not updated
at run time. This patch documents this behavior.
|
| |
|
|
|
|
| |
Delete two unused variables.
|
| |
|
|
|
| |
See discussion in https://github.com/netblue30/firejail/pull/3326.
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
This patch also allows setting the DBus policies to filter even if
xdg-dbus-proxy is not installed. In that case, unrestricted access to the bus is
allowed, but a warning is emitted.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are
bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root.
Instead of relying on the default locations of the DBus sockets, the environment
variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set
accordingly.
User sockets are tried in the following order when starting the proxy:
* DBUS_SESSION_BUS_ADDRES
* /run/user/<pid>/bus
* /run/user/<pid>/dbus/user_bus_socket
These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a
socket in the filesystem) when the filtering or blocking policy is active.
System sockets are tried in the following order:
* DBUS_SYSTEM_BUS_ADDRESS
* /run/dbus/system_bus_socket
These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a
socket in the filesystem) when the filtering or blocking policy is active.
|
| |
|
| |
|
|
|
|
|
|
| |
The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and
--dbus-system.own control which names can be accessed and owned on the user and
system buses.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* The proxy is forked off outside the sandbox namespace to protect the
fds of the original buses from the sandboxed process.
* The /run/firejail/dbus directory (with the sticky bit set) holds the proxy
sockets. The sockets are <parent pid>-user and <parent pid>-system for the
user and system buses, respectively. Each socket is owned by the sandbox user.
* The sockets are bind-mounted over their expected locations and the
/run/firejail/dbus directory is subsequently hidden from the sandbox.
* Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets
are cleaned up.
* Filter rules will be added in a future commit.
|
|
|
|
|
|
|
|
|
| |
To contain processes forked for long time, such as the xdg-dbus-proxy,
sbox_exec_v can be used, which is the non-forking version of sbox_run_v.
Additionally, the SBOX_KEEPS_FDS flag avoid closing any open fds,
so fds needed by the subordinate process can be left open before calling
sbox_exec_v.
This flag does not makes sense for sbox_run_v, and causes an assertion failure.
|
|
|
|
|
|
| |
Allow setting a separate policy for the user and system buses.
For now, the filter policy is equivalent to the none (block) policy.
Future commits will add more configuration options and filters.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If `less` is sandboxed, then we get a similar message to below
when calling `man <anything>`
Error clone: main.c:2743 main: Operation not permitted
man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$-R MAN_PN=grep(1) less
See also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899143
https://github.com/netblue30/firejail/issues/1856
Noticed on Debian 10, firejail 0.9.63
|
|\
| |
| | |
Simple sanity checks for arguments and environment
|
| |
| |
| |
| |
| | |
Restrict number of program arguments and their length as well as
number of environment variables and their length.
|
| | |
|
|/ |
|
| |
|
|
|
|
|
|
|
| |
- fix description
- add gnome-klotski, five-or-more, swell-foop
[skip ci]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- blobwars
- gravity-beams-and-evaporating-stars
- hyperrogue
- jumpnbump-menu (alias)
- jumpnbump
- magicor
- mindless
- mirrormagic
- mrrescue
- scorched3d-wrapper (alias)
- scorchwentbonkers
- seahorse-adventures
- wordwarvi
- xbill
|