| Commit message | Author | Age |
|
1) copy xauth binary into the sandbox and set mode to 0711, so it runs
with cleared dumpable flag for unprivileged users
2) run xauth in an sbox sandbox
3) generate Xauthority file in runtime directory instead of /tmp;
this way xauth is able to connect to the X11 socket even if the
abstract socket doesn't exist, for example because a new network
namespace was instantiated
|
When redirecting output via --output or --output-stderr, firejail was
concatenating all command line arguments into a single string
that was passed to a shell. As the arguments were no longer escaped,
the shell was able to interpret them.
Someone who has control over the command line arguments of the
sandboxed application could use this to run arbitrary other commands.
Instead of passing it through a shell for piping the output to ftee,
the pipeline is now manually created and the processes are executed
directly.
Fixes: CVE-2020-17368
Reported-by: Tim Starling <tstarling@wikimedia.org>
|
Firejail was parsing --output and --output-stderr options even after
the end-of-options separator ("--"), which would allow someone who
has control over command line options of the sandboxed application,
to write data to a specified file.
Fixes: CVE-2020-17367
Reported-by: Tim Starling <tstarling@wikimedia.org>
|
closes #1139
|
* Add profile for otter-browser
Initial
* private-bin,sorting
|
Ensure that all standard streams are open and we don't inadvertently print to files opened for a different reason; in general we can expect glibc
to take care of this, but it doesn't cover the case where a sandbox is started by root. The added code also serves as a fallback.
Unrelated: For what it's worth, shift umask call closer to main start, so it runs before lowering privileges and before anything can really go wrong.
|
* Added git-cola profile
Initial
* Edit private-etc
Add alternatives,pki
* Add disable-xdg
|
* Added lyx profile
Initial
* Removed whitelists
Make home directory more accessible
|
* Added minitube profile
Initial
* Second
Removed no3d,added novideo
|
Initial
|
* Added mtpaint profile
Initial
* Second
Remove IPC-namespace,netfilter
|
integrate join(-or-start) with dbus options (partial fix)
|
update D-Bus environment variables during join, so that
a joining process is able to use D-Bus, too
|
* Added minecraft-launcher-profile
Initial
* Changed minecraft-launcher profile
Added space,tracelog,nodvd
* Third
Fixed private-etc,added notes about path,java
* Sorting
|
Added xfce4-screenshooter profile
|
Initial,removed common blacklist,add netfilter,private-etc
|
Ignore SIGTTOU during flush_stdin()
|
fixes #3500
|
* Added freetube profile
Initial
* Added freetube profile
Second:drop ignore seccomp,add disable-shell
See https://github.com/netblue30/firejail/pull/3535
|
* Added cawbird profile
See https://github.com/netblue30/firejail/pull/3533
Squash commits for merging
|
Add Mattermost desktop profile
|
* Add files via upload
New profile for homebank
* Update etc/profile-a-l/homebank.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Update etc/profile-a-l/homebank.profile
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Update homebank.profile
* Update firecfg.config
homebank added
* Update disable-programs.inc
Added blacklist.
* Update homebank.profile
Added disable-shell,removed whitelisted docs
* Update disable-programs.inc
Changed sorting
* Update homebank.profile
Changed sorting
* Added cawbird profile
Initial
* Revert "Added cawbird profile"
This reverts commit 6b045976adf62a91882236600c55926af34b6a52.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
I too saw some breakages with programs using it.
It can still be used like this:
firejail pandoc -t foo bar.tex
closes #3524
|
* Create element-desktop.profile
* add element-desktop dirs to disable-programs.inc
* add element-desktop to firecfg.config
* Update RELNOTES
|
* hardening some profiles
- harden and fix flameshot
- wruc: frogatto, ghostwriter
- harden gnome-latex
- add whitelist opt-in note to keepassxc
- add comment to minetest
- harden openarena, tremulous, xonotic
- add profile for xonotic-sdl-wrapper
* followup
|
2345cc4 broke environment variable passing for seccomp error action
for fseccomp.
Closes #3488.
|
* Add strawberry profile
* Fix comment
* Add to disable-programs.inc & firecfg.config
* Add /home/amin/.local/share/strawberry to profile and disable-programs
* Various hardening for strawberry profile
Signed-off-by: Amin Vakil <info@aminvakil.com>
* Change nodbus to dbus-system none in strawberry profile
* Add dbus-user none to strawberry profile
* Add whitelist-var-common, sort private-etc
* Sort, Add wruc, Add netlink to protocol in strawberry profile
* Remove dbus-user none to allow using gnome functions for various usage in strawberry profile
|
* Man pages: link to .profile resolution, urls
* Man pages: firejail-profile add link to wiki profile creation
* Man pages: line break, slash in path
* Man pages remove space before dots
|
Add verbiage to the man pages clarifying that the files/directories in
the lists given to options such as --private-bin must be relative to
the directory that is being limited (e.g., --private-opt requires a
list of files/directories that are relative to /opt).
Signed-off-by: Jeff Squyres <jeff@squyres.com>
|
* firecfg: Only use fix_desktop_files when --fix is specified
* firecfg: Only use fix_desktop_files automatically when run through sudo
|
DBus filtering enhancements
|
D-Bus audit is now more in line with D-Bus filtering settings:
* Checks both the DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS
environment variables.
* Also checks common paths for fallback sockets in /run.
* Will report GOOD when D-Bus filtering is enabled.
|
--dbus-user.log and --dbus-system.log instruct xdg-dbus-proxy to log
interactions with the session and system buses, respectively.
--dbus-log= can specify the location of the log file. If no location is
specified, log output is written to stdout.
|
This allows setting per-member and per-object path policies for
xdg-dbus-proxy.
|
The SEE policy of xdg-dbus-proxy allows clients to see objects and bus
names, but not interact with them. The --call and --broadcast can allow
interactions with objects that have the SEE policy set. Profile support
for these proxy options will be added in a future commit.
|
* Create mocp.profile
* add mocp support to disable-programs.inc
* add mocp support in firecfg.config
* update RELNOTES for mocp
* fix configuration access for mocp
Thanks to @rusty-snake for spotting this.
|
Ubuntu packages dino as dino-im
|