| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
| |
(hopefully) fixes the issues that led to reverting
commits 6abb65d328af61d67361890743190bd4c57f8e3c and 98e42dc6da4e4b1e47ed2aa020012d4dedc1e80e
|
| |\
| |
| | |
join: add fexecve fallback for shells
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Allows users to join a sandbox and get a shell even
if there is none in the sandbox mount namespace.
There are few limitations:
1. This will fail with scripted shells (see man 3 fexecve for an explanation)
2. Shell process names are not user friendly
|
| |\ \
| | |
| | | |
Implement netns in profiles, closes #3846
|
| | | | |
|
| |\ \ \ |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
We do not start /bin/bash in the sandbox, we use $SHELL (which is
usually /bin/bash). See #3434 and #3844. This commit updates the
manpage accordingly until #3434 is resolved with a final solution like
using /bin/bash or /bin/sh as hardcoded default. Close #3844.
The descriptions of --join* are not updated as there is currenly some
work, see #2934 and #3850.
|
| | | | |
| | | |
| | | | |
case is handled in guess_shell()
|
| | | | | |
|
| |/ / / |
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
issue #3604
follow-up to a7607e423f3336f67daf2ec296414d55c6740f84
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If firejail is the login shell, the SHELL environment variable
is set to the path of the firejail executable. This leads to execution of a
'firejail -l' command, but firejail inside the sandbox does
not know what to do with the -l option and just starts bash without
forwarding this option.
Fix this by not checking $SHELL when guessing which shell should be used.
run_no_sandbox(), which relies on reading the environment, runs before
setting the login_shell variable, and is not affected.
|
| | | |
| | |
| | |
| | |
| | | |
issue #3784
related commit 4bc92b8fd0a5c22c7d4c6f9323378501c60ff149
|
| |/ / |
|
| |\ \
| | |
| | | |
x11=none: don't fail on abstract socket if netns …
|
| | |/
| |
| |
| |
| |
| | |
…is used.
fix #3838 -- --x11=none --netns=isolated invalidly errors on the abstract X11 socket being accessible
|
| | |
| |
| |
| | |
plus very minor cosmetic improvements
|
| | |
| |
| |
| |
| | |
see suggested setup in man 5 firejail-users
also related to issue #3604
|
| | | |
|
| |/ |
|
| |
|
|
|
|
|
| |
* New profiles for alacarte,tootle,photoflare
* Fix dbus
Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
|
| | |
|
| | |
|
| |\
| |
| | |
use openat2 syscall when available
|
| | | |
|
| | |
| |
| |
| | |
closes #3786; closes #3776
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add profile for authenticator-rs, improve falkon, balsa
* Fix
* Add private-tmp to falkon
* Revert balsa
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
Games folder must be whitelisted in a dolphin-emu.local
Its private-etc can likely be shortened
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
- gimp: allow mbind syscall. no start on Fedora 33 without
- minetest: disable private-cache. without persistent cache connecting to servers can take many minutes
- supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers
- supertuxkart: comment private-dev to allow controller use
- profiles: unify controller support comments
- firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
|
| | |
| |
| |
| |
| |
| | |
cf. 9eb9e8d4c1b8995f0e7af4d604f3becd5dc91f62
No need to expect pid's in profile files.
|
| | | |
|
| | |
| |
| |
| | |
kernel >= 5.8 now translates mode "1" to "noaccess" and mode "2" to "invisible", which breaks
Firejail's hidepid detection
|
| |\ \
| | |
| | | |
reimplement --private-cache using --tmpfs
|
| | | | |
|
| |\ \ \
| |/ /
|/| | |
reimplement --get using --cat
|
| | | | |
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
install libraries needed by fcopy when using private-lib
|
| | | |/
| |/|
| | |
| | | |
Fixes #3741
|
| | | |
| | |
| | |
| | |
| | | |
* Add profile for straw-viewer
* Remove blacklist, fixes
|
| |/ / |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* rework chromium
+ 516d0811 has removed fundamental security features.
(remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
Though this is only necessary if running under a kernel which
disallow
unprivileged userns clones. Arch's linux-hardened and debian kernel
are
patched accordingly. Arch's linux and linux-lts kernels support this
restriction via sysctk (kernel.unprivileged_userns_clone=0) as users
opt-in.
Other kernels such as mainline or fedora/redhat always support
unprivileged
userns clone and have no sysctl parameter to disable it. Debian and
Arch
users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
This commit adds a chromium-common-hardened.inc which can be included
in
chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the
following
profiles until tested. tests welcome.
- [ ] bnox, dnox, enox, inox, snox
- [ ] brave
- [ ] flashpeak-slimjet
- [ ] google-chrome, google-chrome-beta, google-chrome-unstable
- [ ] iridium
- [ ] min
- [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
/usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
missed also some features from vivaldi.profile, solve this by making
it
redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind
BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
as AAC too. In addition vivaldi shows a something is broken pop-up,
we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
|
| | |
| |
| |
| |
| |
| |
| | |
* Update firecfg.config
* Update disable-programs.inc
* Create spectacle.profile
|
| | | |
|
| | | |
|
smitsohu
netblue30
rusty-snake
Reiner Herrmann
bbhtt
kortewegdevries
netblue30
kortewegdevries
Tad
Neo00001