aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAge
...
* | Allow changing error action in seccomp filtersLibravatar Topi Miettinen2020-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call.
* | cleanup, fixes, more profstatsLibravatar netblue302020-04-06
| |
* | Fix `man` break - remove less from firecfg by defaultLibravatar Fred Barclay2020-04-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | If `less` is sandboxed, then we get a similar message to below when calling `man <anything>` Error clone: main.c:2743 main: Operation not permitted man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$-R MAN_PN=grep(1) less See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899143 https://github.com/netblue30/firejail/issues/1856 Noticed on Debian 10, firejail 0.9.63
* | Merge pull request #3319 from topimiettinen/sanity-check-for-args-envsLibravatar netblue302020-04-05
|\ \ | | | | | | Simple sanity checks for arguments and environment
| * | Simple sanity checks for arguments and environmentLibravatar Topi Miettinen2020-04-05
| | | | | | | | | | | | | | | Restrict number of program arguments and their length as well as number of environment variables and their length.
* | | compile cleanupLibravatar netblue302020-04-05
| | |
* | | fixing my previous commitLibravatar netblue302020-04-05
|/ /
* | profile fixesLibravatar netblue302020-04-04
| |
* | gnome games: more + fixesLibravatar rusty-snake2020-04-04
| | | | | | | | | | | | | | - fix description - add gnome-klotski, five-or-more, swell-foop [skip ci]
* | more gamesLibravatar rusty-snake2020-04-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - blobwars - gravity-beams-and-evaporating-stars - hyperrogue - jumpnbump-menu (alias) - jumpnbump - magicor - mindless - mirrormagic - mrrescue - scorched3d-wrapper (alias) - scorchwentbonkers - seahorse-adventures - wordwarvi - xbill
* | misc fixes & hardeningLibravatar rusty-snake2020-04-03
| |
* | seccomp/join fixLibravatar netblue302020-04-03
| |
* | Merge branch 'master' of https://github.com/netblue30/firejailLibravatar netblue302020-04-02
|\ \
| * \ Merge pull request #3310 from Liorst4/ac-preserve-cflagsLibravatar netblue302020-04-02
| |\ \ | | | | | | | | Preserve CFLAGS given to configure in common.mk.in
| | * | Preserve CFLAGS given to configure in common.mk.inLibravatar Lior Stern2020-03-31
| | | |
* | | | fixed firecfg man page, update READMELibravatar netblue302020-04-02
|/ / /
* | | whitelist globing man pageLibravatar netblue302020-04-01
| | |
* | | globbing support for whitelistsLibravatar netblue302020-04-01
| | |
* | | profstatsLibravatar netblue302020-04-01
| | |
* | | Mention --seccomp.32 etc in usageLibravatar Topi Miettinen2020-03-31
| | |
* | | extra x11 hardeningLibravatar smitsohu2020-03-31
|/ /
* | abiword and more gnome-gamesLibravatar rusty-snake2020-03-29
| | | | | | | | | | | | | | | | | | | | | | - four-in-a-row - gnome-mahjongg - gnome-robots - gnome-sudoku - gnome-taquin - gnome-tetravex harden gnome-chess
* | Merge pull request #3296 from 0x7969/masterLibravatar rusty-snake2020-03-29
|\ \ | | | | | | Create ferdi.profile
| * | Added ferdi to firecfg.configLibravatar 0x79692020-03-29
| | |
* | | seccomp: allow defining separate filters for 32-bit archLibravatar Topi Miettinen2020-03-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine. Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed. Lists of supported system calls are also updated. Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries. Closes #3267. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* | | fsec-print: print address of BPF_JA jump in hexLibravatar Topi Miettinen2020-03-26
|/ / | | | | | | | | Since target addresses for other (conditional) jumps are in hex, it's very confusing to have one jump address in decimal.
* | Add a profile for X2GoClientLibravatar Tad2020-03-23
| |
* | penguin-commadLibravatar netblue302020-03-23
| |
* | kmplayer etcLibravatar netblue302020-03-22
| |
* | fix profstats to print warning for nonexistent include filesLibravatar netblue302020-03-22
| |
* | new profiles: agenda, gnome-pomodoro, gnome-todoLibravatar rusty-snake2020-03-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | rules for xdg-dbus-proxy: dbus-user filter dbus-user.own org.gnome.Pomodoro dbus-user.talk ca.desrt.dconf dbus-user.talk org.gnome.Shell dbus-system none dbus-user filter dbus-user.own org.gnome.Todo dbus-user.talk ca.desrt.dconf dbus-user.talk org.gnome.evolution.dataserver.AddressBook9 dbus-user.talk org.gnome.evolution.dataserver.Calendar8 dbus-user.talk org.gnome.evolution.dataserver.Sources5 dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.* dbus-user.talk org.gnome.OnlineAccounts dbus-user.talk org.gnome.SettingsDaemon.Color dbus-system filter dbus-system.talk org.freedesktop.login1 dbus-user filter dbus.own com.github.dahenson.agenda dbus.talk ca.desrt.dconf dbus-system block
* | iagno profileLibravatar netblue302020-03-21
| |
* | Merge pull request #3275 from ↵Libravatar smitsohu2020-03-19
|\ \ | | | | | | | | | | | | dmfreemon/add-name-or-private-dir-to-xpra-window-title add name or private directory being used to the window title when xpra is being used
| * | handle malloc() failures; use gnu_basename() instead of basenaem()Libravatar dmfreemon@users.noreply.github.com2020-03-15
| | |
| * | add name or basename of private directory being used to the window title ↵Libravatar dmfreemon@users.noreply.github.com2020-03-10
| | | | | | | | | | | | when xpra is being used
* | | new profiles: ripperx, sound-juicerLibravatar netblue302020-03-19
| | |
* | | profile statsLibravatar netblue302020-03-19
| | |
* | | nslookup, host profilesLibravatar netblue302020-03-18
| | |
* | | remount fix - #3280Libravatar smitsohu2020-03-16
| | |
* | | Merge pull request #3278 from rusty-snake/has-nosound-conditionLibravatar smitsohu2020-03-15
|\ \ \ | | | | | | | | new condition: HAS_NOSOUND
| * | | new condition: HAS_NOSOUNDLibravatar rusty-snake2020-03-15
| | | |
* | | | add gnome-screenshot.profileLibravatar rusty-snake2020-03-15
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | patch for xdg-dbus-proxy ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -45,3 +45,8 @@ private-bin gnome-screenshot private-dev private-etc dconf,fonts,gtk-3.0,localtime,machine-id private-tmp + +dbus-user filter +dbus-user.own org.gnome.Screenshot +dbus-user.talk org.gnome.Shell.Screenshot +dbus-system block ``` patch for whitelist-runuser-common.inc ``` --- a/etc/gnome-screenshot.profile +++ b/etc/gnome-screenshot.profile @@ -17,11 +17,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist ${RUNUSER}/bus -whitelist ${RUNUSER}/pulse -whitelist ${RUNUSER}/gdm/Xauthority -whitelist ${RUNUSER}/wayland-0 include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor ```
* | | improve the previous fix: don't remount FUSE without permissionLibravatar smitsohu2020-03-14
| | | | | | | | | | | | previous commit 3d35c039074cc11fbacf8de5bc8cb1a0952ceae4 issue #3277
* | | tentative: don't remount FUSE without permissionLibravatar smitsohu2020-03-14
| | | | | | | | | issue #3277
* | | Merge pull request #3268 from smitsohu/remountLibravatar startx20172020-03-13
|\ \ \ | |/ / |/| | remount hardening: move to file descriptor based mounts
| * | fail if opening the resolved path failsLibravatar smitsohu2020-03-06
| | |
| * | remount hardening: move to file descriptor based mountsLibravatar smitsohu2020-03-06
| |/
* | integrate AppArmor with join options (#3242)Libravatar smitsohu2020-03-02
| | | | | | | | | | add AppArmor confinement to processes started with --join and, more importantly, --join-or-start
* | add xournal.profileLibravatar Hans-Christoph Steiner2020-02-27
| |
* | minor sbox hardeningLibravatar smitsohu2020-02-26
| | | | | | | | blacklist process_vm_readv and process_vm_writev while we're at it also remove duplicate iopl blacklisting
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-08 07:18:14 +0000