path: root/src
Commit message (Author, Age)
* document protocol=bluetooth (rusty-snake, 2020-11-16)
* rework chromium (#3688) (rusty-snake, 2020-11-09)
    * rework chromium
    + 516d0811 has removed fundamental security features (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep). Though this is only necessary if running under a kernel which disallows unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctl (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'. This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs.
    + chromium-common.profile: add private-cache
    + chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. Tests welcome.
      - [ ] bnox, dnox, enox, inox, snox
      - [ ] brave
      - [ ] flashpeak-slimjet
      - [ ] google-chrome, google-chrome-beta, google-chrome-unstable
      - [ ] iridium
      - [ ] min
      - [ ] opera, opera-beta
    + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile also missed some features from vivaldi.profile; solve this by making it redirect to vivaldi.profile. TODO: do new paths such as .local/lib/vivaldi also exist for vivaldi-snapshot?
    + create chromium-browser-privacy.profile (closes #3633)
    * update 1
    + add missing 'ignore whitelist /usr/share/chromium'
    + revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it breaks things such as AAC too. In addition vivaldi shows a 'something is broken' pop-up; we would have a lot of 'does not work with firejail' issues.
    * update 2
    * update 3
    fixes #3709
* Add spectacle's profile (#3717) (Neo00001, 2020-11-02)
    * Update firecfg.config
    * Update disable-programs.inc
    * Create spectacle.profile
* added bluetooth to the list of protocols allowed by seccomp (netblue30, 2020-10-28)
* reverted --bind as root - some security problems (netblue30, 2020-10-27)
* compile time option to disable --private-cache and --tmpfs for regular user (netblue30, 2020-10-27)
* Merge pull request #3676 from rusty-snake/tmpfs-inside-home (netblue30, 2020-10-25)
    Allow --tmpfs and --bind inside $HOME for unprivileged users
    * Likewise allow --bind inside $HOME for users (rusty-snake, 2020-10-23)
    * Allow --tmpfs inside $HOME for unprivileged users (rusty-snake, 2020-10-23)
        --tmpfs was added in 0.9.14 and restricted to root only in 0.9.38 due to priv-esc CVE-2016-10117 (e.g. --tmpfs=/etc and modify /etc/sudoers). This commit reintroduces it for normal users, if its realpath is inside the user's home.
* harden peek; update README.md; add gnome-sound-recorder to firecfg.config (rusty-snake, 2020-10-23)
* fix #3478 (netblue30, 2020-10-19)
* fix manpage warnings (#3563) (netblue30, 2020-10-19)
* Apply --rmenv immediately to help to avoid the env var length check (Topi Miettinen, 2020-10-16)
    Remove environment variables with --rmenv immediately. This fixes removing long environment variables (LS_COLORS generated by vivid); previously the length filter would trip before the command was processed. This changes user-visible behavior slightly, for example --rmenv=LANG now applies also to Firejail, while earlier it would only apply to the sandboxed program. Partially fixes #3673, but not handling `rmenv` in profiles. Also suggest --rmenv when there are problems with environment variables.
    Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* Remove unused variables (Reiner Herrmann, 2020-10-14)
    Fixes clang-analyzer warnings: "Although the value stored to 'xxxxx' is used in the enclosing expression, the value is never actually read from 'xxxxx'"
* merges, fix for #3662 etc. (netblue30, 2020-10-13)
* allowing links in netns (dpellegr, 2020-10-12)
* man: call preproc.awk via Makefile, as the shebang hardcodes the path (Reiner Herrmann, 2020-10-10)
* build: add -fPIE to LDFLAGS (Reiner Herrmann, 2020-10-08)
    According to GCC documentation (https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html): "For predictable results, you must also specify the same set of options used for compilation (-fpie, -fPIE, or model suboptions) when you specify this linker option."
* selinux: exit when selinux is enabled but opening handle fails (Reiner Herrmann, 2020-10-06)
* selinux: don't try to relabel path when selinux is not enabled (Reiner Herrmann, 2020-10-06)
    Fixes: #3654
* fix indentation (Reiner Herrmann, 2020-10-06)
* DHCP fixes (netblue30, 2020-10-06)
* Fix typo (Reiner Herrmann, 2020-10-05)
* Fix spelling (Reiner Herrmann, 2020-10-05)
* testing 0.9.64rc1 - disable dumpable working for this release, problems on Debian8; we will bring it back in the next release [tag: 0.9.64rc1] (netblue, 2020-10-04)
* move to addgroup --system (#3632) (netblue30, 2020-10-03)
* New profile: equalx (rusty-snake, 2020-10-03)
* chromium-freeworld profile (#3633) (rusty-snake, 2020-10-03)
* more nvidia (#3644) (netblue30, 2020-10-03)
* temporary fix for nvidia/nogroups/noroot issue (#3644, #841) (netblue30, 2020-10-02)
* profstats - add count for whitelisted home dir, dbus-user none (netblue30, 2020-10-02)
* fix build with clang (Reiner Herrmann, 2020-10-01)
    error: adding 'int' to a string does not append to the string [-Werror,-Wstring-plus-int]
* build: remove -pie from CFLAGS, as it is a linker option (Reiner Herrmann, 2020-10-01)
    building with clang printed a warning
* some cleanup for the previous commit (#3530) (netblue30, 2020-10-01)
* don't execute include disable-shell.inc for appimages (#3530) (netblue30, 2020-10-01)
* document private-bin and private-lib disabled by default when running appimages (#3530) (netblue30, 2020-10-01)
* disable /pulse for --nosound (#3263) (netblue30, 2020-10-01)
* replaced --nowrap with --wrap in firemon (#2992) (netblue30, 2020-10-01)
* print error for /home/netblue in profile files (#3071) (netblue30, 2020-10-01)
* fix shell=none for --audit (#3116) (netblue30, 2020-10-01)
* removing fork from ls.c in order to get firetools running the file manager (netblue30, 2020-09-30)
* manpages: file transfer (startx2017, 2020-09-30)
* manpages: network configuration (startx2017, 2020-09-30)
* manpages: configuration for dbus (startx2017, 2020-09-30)
* clean gcc analyzer warnings - #3377 (netblue30, 2020-09-28)
* free some memory; get rid of false positive from gcc static analyzer (netblue30, 2020-09-28)
* new profile: xournalpp (rusty-snake, 2020-09-25)
* print errors to stderr and prefix them consistently (Reiner Herrmann, 2020-09-12)
* add --include (#3571) (rusty-snake, 2020-09-11)
    * add --include, closes #2923
    * Prioritize searching in cwd
* disable dbus proxy at compile time (default enabled) - part 1 (netblue30, 2020-09-09)