aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAge
* seccomp man page updateLibravatar smitsohu2021-06-26
| | | | | | | | * move everything related to modification of the default seccomp filter from --seccomp to --seccomp= entry * update errno descriptions
* augment seccomp lists in firejail.configLibravatar smitsohu2021-06-20
|
* simplify X11 socket whitelistingLibravatar smitsohu2021-06-03
|
* Update manpage for whitelist2Libravatar rusty-snake2021-06-03
|
* version 0.9.66rc1 released0.9.66rc1Libravatar netblue302021-06-02
|
* reorganizing links browsers (#4320)Libravatar pirate4867431862021-05-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Create links-common.profile * Update links.profile * Create links2.profile * Update links.profile * Update links2.profile * Update elinks.profile * Update elinks.profile * links2 * Update firecfg.config * Update xlinks.profile * .xlinks * add dbus and whitelist-usr-share-common * .xlinks doesn't exist * revert * Create xlinks2 * xlinks2 * Update xlinks2 * Update xlinks.profile * no wayland * no wayland * doesn't use /tmp/.X11-unix * doesn't use /tmp/.X11-unix * noblacklist /tmp/.X11-unix * noblacklist /tmp/.X11-unix
* --debug takes precedence over --quiet (#2743)Libravatar netblue302021-05-30
|
* fix fcoy error message (#2743)Libravatar netblue302021-05-30
|
* allow --debug if quite-by-default is set (#3125, #4168)Libravatar netblue302021-05-30
|
* fix crash during --shutdonwLibravatar netblue302021-05-29
|
* disable home dir whitelists when --private is presentLibravatar netblue302021-05-29
|
* reorganizing youtube-viewers (#4128)Libravatar pirate4867431862021-05-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Create youtube-viewers-common.profile * reorganising youtube viewers * rm globals * reorganise youtube viewers * adding pipe-viewer * adding gtk-pipe-viewer * xterm and youtube-dl cache * sort * Update youtube-viewers-common.profile * quiet * quiet * quiet * Update firecfg.config * rm vlc * rm invalid binary * noinput * rm whitelist-runuser-common.inc * rm whitelist-runuser-common.inc * rm whitelist-runuser-common.inc * whitelist-runuser-common.inc
* Merge pull request #4307 from slowpeek/masterLibravatar Reiner Herrmann2021-05-28
|\ | | | | Refine appimage example in docs
| * Refine appimage example in docsLibravatar slowpeek2021-05-26
| |
* | default gw fix - #4306Libravatar netblue302021-05-27
| |
* | remove dophin from firecfg.configLibravatar netblue302021-05-26
|/
* deprecated follow-symlink-as-user from firejail.configLibravatar netblue302021-05-26
|
* fix firejail startup raceLibravatar smitsohu2021-05-24
| | | | | | | | sandboxes can race to create RUN_RO_FILE in shared memory similiar to #1013 regression from 825ac9cdc38c4285584e69d6f29102b149914dfe
* Merge pull request #4302 from smitsohu/whitelist2Libravatar smitsohu2021-05-23
|\ | | | | Whitelist2 follow-up
| * whitelist: following up #4229Libravatar smitsohu2021-05-23
| | | | | | | | | | | | | | | | | | | | | | | | besides some cosmetic tweaks, fixes --whitelist=/a/b where /a/b is a symbolic link to /a/c/d and c is the user home directory: create path as user and not as root. (going forward, a better and more comprehensive fix would be to prevent all mount point traversals in whitelist_mkpath, but it will take a bit of time to implement)
* | support trailing comments on profile linesLibravatar netblue302021-05-21
| |
* | --buid fixesLibravatar netblue302021-05-20
| |
* | new profilesLibravatar netblue302021-05-20
| |
* | jailtest -> jailcheck (#4268)Libravatar netblue302021-05-18
| |
* | Merge pull request #4273 from rusty-snake/fix-2310Libravatar netblue302021-05-18
|\ \ | | | | | | Try to fix #2310 -- Can't create run directory without suid-root
| * | Try to fix #2310 -- Can't create run directory without suid-rootLibravatar rusty-snake2021-05-14
| | |
* | | Merge pull request #4229 from smitsohu/whitelist2Libravatar netblue302021-05-18
|\ \ \ | | |/ | |/| Whitelist2
| * | add /run whitelist supportLibravatar smitsohu2021-05-08
| | |
| * | tweakLibravatar smitsohu2021-05-08
| | |
| * | add support for arbitrary whitelist directoriesLibravatar smitsohu2021-05-03
| | |
| * | introduce safer_openat functionLibravatar smitsohu2021-05-03
| | |
| * | enhance clean_pathname functionLibravatar smitsohu2021-05-03
| | |
* | | Merge pull request #4278 from kmk3/rename-noautopulseLibravatar Kelvin M. Klann2021-05-16
|\ \ \ | | | | | | | | rename noautopulse to keep-config-pulse
| * | | rename arg_noautopulse var to arg_keep_config_pulseLibravatar Kelvin M. Klann2021-05-14
| | | |
| * | | rename noautopulse to keep-config-pulseLibravatar Kelvin M. Klann2021-05-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes: * add the keep-config-pulse option * make noautopulse an alias for keep-config-pulse * deprecate the noautopulse option * misc: fix indentation of --keep-dev-shm on src/firejail/usage.c Even though noautopulse is not intended for hardening, it looks like it is, because it starts with "no", just like no3d, noroot, etc). In fact, it is the only "no" option that differs in such a way. And it has been accidentally misused as such before; see PR #4269 and commit e4beaeaa8 ("drop noautopulse from agetpkg"). So effectively rename it to keep-config-pulse in order to avoid confusion. This is similar to the keep-var-tmp and keep-dev-shm options, which are used to "leave a path alone", just like noautopulse. Note: The changes on this patch are based on the ones from commit 617ff40c9 ("add --noautopulse arg for complex pulse setups") / PR #1854. See #4269 for the discussion.
* | | | O_CLOEXEC follow-upLibravatar smitsohu2021-05-16
| | | |
* | | | utmp follow-upLibravatar smitsohu2021-05-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Cosmetics, align RUN_UTMP_FILE open flags with others in 825ac9cdc38c4285584e69d6f29102b149914dfe Fix fslogger
* | | | fix firemon signal handler - #4274Libravatar smitsohu2021-05-16
| | | |
* | | | fix utmp error messageLibravatar smitsohu2021-05-16
| | | |
* | | | open files O_CLOEXEC|O_EXCLLibravatar smitsohu2021-05-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Dumb patch that adds O_CLOEXEC to all open/fopen calls, even where it is obviously pointless. While at it, also add O_EXCL where it might be considered useful, for example to clear Coverity warnings, or on files that subsequently are used to configure a join sandbox. Pure defense in depth, this patch should have no observable effects.
* | | | Add noinput to usage.c and _firejail.inLibravatar rusty-snake2021-05-16
|/ / /
* | | check if allocation was successfulLibravatar Reiner Herrmann2021-05-13
| | | | | | | | | | | | See #4274
* | | Manpage fixesLibravatar rusty-snake2021-05-13
| | | | | | | | | | | | Subdirs for private-etc has been implemented since 6ebe8925.
* | | force --noautopulse when running --noprofile in order to leave ↵Libravatar netblue302021-05-12
| | | | | | | | | | | | ~/.config/pulse directory unchanged
* | | more --buildLibravatar netblue302021-05-12
| |/ |/|
* | more --buildLibravatar netblue302021-05-06
| |
* | --build fixesLibravatar netblue302021-05-04
| |
* | Merge pull request #4209 from ↵Libravatar netblue302021-05-04
|\ \ | | | | | | | | | | | | davidebeatrici/private-dev-input-support-and-noinput-option Map /dev/input with "--private-dev", add "--no-input" option to disable it
| * | Map /dev/input with "--private-dev", add "--no-input" option to disable itLibravatar Davide Beatrici2021-04-23
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | By default only joystick devices ("/dev/input/js*") can be accessed. At least, that's the case on Debian: the other entries have more restrictive permissions. The original owner and group are "root" and "input", respectively. However, until we have granular input control options, allowing access to joysticks only is better than nothing. $ ls -l /dev total 0 lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 cdrom -> /dev/sr0 lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 cdrw -> /dev/sr0 drwxr-xr-x 3 nobody nogroup 100 22 apr 19.18 dri lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 dvd -> /dev/sr0 lrwxrwxrwx 1 nobody nogroup 8 23 apr 07.22 dvdrw -> /dev/sr0 lrwxrwxrwx 1 nobody nogroup 13 23 apr 07.22 fd -> /proc/self/fd crw-rw-rw- 1 nobody nogroup 1, 7 23 apr 07.22 full crw-rw----+ 1 nobody nogroup 244, 0 22 apr 19.18 hidraw0 crw-rw----+ 1 nobody nogroup 244, 1 22 apr 19.18 hidraw1 crw-rw----+ 1 nobody nogroup 244, 2 22 apr 19.18 hidraw2 crw-rw----+ 1 nobody nogroup 244, 3 22 apr 19.18 hidraw3 crw-rw----+ 1 nobody nogroup 244, 4 22 apr 19.18 hidraw4 crw-rw----+ 1 nobody nogroup 244, 5 22 apr 19.18 hidraw5 drwxr-xr-x 4 nobody nogroup 760 23 apr 07.22 input srw-rw-rw- 1 nobody nogroup 0 22 apr 19.18 log crw-rw-rw- 1 nobody nogroup 1, 3 23 apr 07.22 null lrwxrwxrwx 1 nobody nogroup 13 23 apr 07.22 ptmx -> /dev/pts/ptmx drwxr-xr-x 2 nobody nogroup 0 23 apr 07.22 pts crw-rw-rw- 1 nobody nogroup 1, 8 23 apr 07.22 random drwxrwxrwt 2 nobody nogroup 40 23 apr 07.22 shm drwxr-xr-x 4 nobody nogroup 500 22 apr 19.18 snd brw-rw----+ 1 nobody nogroup 11, 0 23 apr 00.24 sr0 lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stderr -> /proc/self/fd/2 lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stdin -> /proc/self/fd/0 lrwxrwxrwx 1 nobody nogroup 15 23 apr 07.22 stdout -> /proc/self/fd/1 crw-rw-rw- 1 nobody nogroup 5, 0 23 apr 07.22 tty crw-rw-rw- 1 nobody nogroup 1, 9 23 apr 07.22 urandom drwxr-xr-x 2 nobody nogroup 120 22 apr 19.18 usb crw-rw----+ 1 nobody video 81, 0 22 apr 19.18 video0 crw-rw----+ 1 nobody video 81, 1 22 apr 19.18 video1 crw-rw----+ 1 nobody video 81, 2 22 apr 19.18 video2 crw-rw----+ 1 nobody video 81, 3 22 apr 19.18 video3 crw-rw-rw- 1 nobody nogroup 1, 5 23 apr 07.22 zero $ ls -l /dev/input total 0 drwxr-xr-x 2 nobody nogroup 280 23 apr 07.22 by-id drwxr-xr-x 2 nobody nogroup 300 23 apr 07.22 by-path crw-rw---- 1 nobody nogroup 13, 64 22 apr 19.18 event0 crw-rw---- 1 nobody nogroup 13, 65 22 apr 19.18 event1 crw-rw---- 1 nobody nogroup 13, 74 22 apr 19.18 event10 crw-rw---- 1 nobody nogroup 13, 75 22 apr 19.18 event11 crw-rw---- 1 nobody nogroup 13, 76 22 apr 19.18 event12 crw-rw---- 1 nobody nogroup 13, 77 22 apr 19.18 event13 crw-rw---- 1 nobody nogroup 13, 78 22 apr 19.18 event14 crw-rw---- 1 nobody nogroup 13, 79 22 apr 19.18 event15 crw-rw---- 1 nobody nogroup 13, 80 22 apr 19.18 event16 crw-rw---- 1 nobody nogroup 13, 81 22 apr 19.18 event17 crw-rw---- 1 nobody nogroup 13, 82 22 apr 19.18 event18 crw-rw---- 1 nobody nogroup 13, 83 22 apr 19.18 event19 crw-rw---- 1 nobody nogroup 13, 66 22 apr 19.18 event2 crw-rw---- 1 nobody nogroup 13, 84 22 apr 19.18 event20 crw-rw---- 1 nobody nogroup 13, 85 22 apr 19.18 event21 crw-rw---- 1 nobody nogroup 13, 86 22 apr 19.18 event22 crw-rw---- 1 nobody nogroup 13, 87 22 apr 19.18 event23 crw-rw---- 1 nobody nogroup 13, 88 22 apr 19.18 event24 crw-rw---- 1 nobody nogroup 13, 89 22 apr 19.18 event25 crw-rw---- 1 nobody nogroup 13, 90 22 apr 19.18 event26 crw-rw---- 1 nobody nogroup 13, 91 22 apr 19.18 event27 crw-rw----+ 1 nobody nogroup 13, 92 23 apr 07.22 event28 crw-rw---- 1 nobody nogroup 13, 67 22 apr 19.18 event3 crw-rw---- 1 nobody nogroup 13, 68 22 apr 19.18 event4 crw-rw---- 1 nobody nogroup 13, 69 22 apr 19.18 event5 crw-rw---- 1 nobody nogroup 13, 70 22 apr 19.18 event6 crw-rw---- 1 nobody nogroup 13, 71 22 apr 19.18 event7 crw-rw---- 1 nobody nogroup 13, 72 22 apr 19.18 event8 crw-rw---- 1 nobody nogroup 13, 73 22 apr 19.18 event9 crw-rw-r-- 1 nobody nogroup 13, 0 22 apr 19.18 js0 crw-rw-r--+ 1 nobody nogroup 13, 1 23 apr 07.22 js1 crw-rw---- 1 nobody nogroup 13, 63 22 apr 19.18 mice crw-rw---- 1 nobody nogroup 13, 32 22 apr 19.18 mouse0 crw-rw---- 1 nobody nogroup 13, 33 22 apr 19.18 mouse1 $ ls -l /dev/input/by-id total 0 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-event-if01 -> ../event9 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-event-kbd -> ../event8 lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-BY_Tech_Usb-if01-event-kbd -> ../event11 lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-BY_Tech_Usb-if01-event-mouse -> ../event12 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-BY_Tech_Usb-if01-mouse -> ../mouse1 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-event-if01 -> ../event5 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-event-mouse -> ../event2 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-if01-event-kbd -> ../event3 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 usb-SOAI_USB_Gaming_Mouse-mouse -> ../mouse0 lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 usb-Sonix_Technology_Co.__Ltd._H264_USB_Camera_SN0001-event-if00 -> ../event27 lrwxrwxrwx 1 nobody nogroup 10 23 apr 07.22 usb-ZEROPLUS_Controller_3136303033313032354246323543-event-joystick -> ../event28 lrwxrwxrwx 1 nobody nogroup 6 23 apr 07.22 usb-ZEROPLUS_Controller_3136303033313032354246323543-joystick -> ../js1 $ ls -l /dev/input/by-path total 0 lrwxrwxrwx 1 nobody nogroup 10 23 apr 07.22 pci-0000:05:00.1-usb-0:6.1:1.0-event-joystick -> ../event28 lrwxrwxrwx 1 nobody nogroup 6 23 apr 07.22 pci-0000:05:00.1-usb-0:6.1:1.0-joystick -> ../js1 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.0-event-mouse -> ../event2 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.0-mouse -> ../mouse0 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.1-event -> ../event5 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.3:1.1-event-kbd -> ../event3 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.0-event-kbd -> ../event8 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event -> ../event9 lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event-kbd -> ../event11 lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-event-mouse -> ../event12 lrwxrwxrwx 1 nobody nogroup 9 22 apr 19.18 pci-0000:05:00.3-usb-0:6.4:1.1-mouse -> ../mouse1 lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 pci-0000:0c:00.3-usb-0:4:1.0-event -> ../event27 lrwxrwxrwx 1 nobody nogroup 10 22 apr 19.18 platform-pcspkr-event-spkr -> ../event13
* | Merge pull request #4230 from Kishore96in/neochat_profileLibravatar netblue302021-05-04
|\ \ | | | | | | New profile for neochat
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-04 18:53:06 +0000