firejail - Mirror of https://github.com/netblue30/firejail

	Commit message (Collapse)	Author	Age
...
\| * \|	x11=none: don't fail on abstract socket if netns …	rusty-snake	2020-12-19
\| \|/ \| \| \| \| \| \| \| \| \| \|	…is used. fix #3838 -- --x11=none --netns=isolated invalidly errors on the abstract X11 socket being accessible
* \|	increase verbosity if masking ~/.config/pulse fails	smitsohu	2020-12-21
\| \| \| \| \| \| \| \|	plus very minor cosmetic improvements
* \|	noroot option: don't drop firejail supplementary group	smitsohu	2020-12-21
\| \| \| \| \| \| \| \| \| \|	see suggested setup in man 5 firejail-users also related to issue #3604
* \|	declare seccomp_debug function static	smitsohu	2020-12-21
\| \|
* \|	simplify private option code	smitsohu	2020-12-21
\|/
*	New profiles for alacarte,tootle,photoflare (#3816)	kortewegdevries	2020-12-16
\| \| \| \| \| \| \|	* New profiles for alacarte,tootle,photoflare * Fix dbus Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
*	drill profile	netblue30	2020-12-12
\|
*	check --mac= for multicast addresses (#3784)	netblue30	2020-12-07
\|
*	Merge pull request #3772 from smitsohu/smitsohu-openat2	netblue30	2020-12-07
\|\ \| \| \| \|	use openat2 syscall when available
\| *	use openat2 syscall when available	smitsohu	2020-11-23
\| \|
* \|	profile fixes from issues	rusty-snake	2020-12-07
\| \| \| \| \| \| \| \|	closes #3786; closes #3776
* \|	Add profile for authenticator-rs, improve falkon (#3747)	kortewegdevries	2020-12-07
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* Add profile for authenticator-rs, improve falkon, balsa * Fix * Add private-tmp to falkon * Revert balsa
* \|	fix #3782 -- Man pages have #ifdefs in them	rusty-snake	2020-12-01
\| \|
* \|	a more portable implementation for time measurements	netblue30	2020-12-01
\| \|
* \|	Add a profile for dolphin-emu	Tad	2020-11-29
\| \| \| \| \| \| \| \| \| \|	Games folder must be whitelisted in a dolphin-emu.local Its private-etc can likely be shortened
* \|	Small fixes	Tad	2020-11-29
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	- gimp: allow mbind syscall. no start on Fedora 33 without - minetest: disable private-cache. without persistent cache connecting to servers can take many minutes - supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers - supertuxkart: comment private-dev to allow controller use - profiles: unify controller support comments - firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
* \|	revisit join-or-start hidepid fix	smitsohu	2020-11-25
\| \| \| \| \| \| \| \| \| \| \| \|	cf. 9eb9e8d4c1b8995f0e7af4d604f3becd5dc91f62 No need to expect pid's in profile files.
* \|	join-or-start hidepid fix	smitsohu	2020-11-24
\| \|
* \|	fix hidepid mount detection	smitsohu	2020-11-24
\| \| \| \| \| \| \| \|	kernel >= 5.8 now translates mode "1" to "noaccess" and mode "2" to "invisible", which breaks Firejail's hidepid detection
* \|	Merge pull request #3762 from smitsohu/smitsohu-private-cache	netblue30	2020-11-22
\|\ \ \| \| \| \| \| \|	reimplement --private-cache using --tmpfs
\| * \|	reimplement --private-cache using --tmpfs	smitsohu	2020-11-20
\| \| \|
* \| \|	Merge pull request #3752 from smitsohu/smitsohu-get-to-cat	netblue30	2020-11-22
\|\ \ \ \| \|/ / \|/\| \|	reimplement --get using --cat
\| * \|	reimplement --get using --cat	smitsohu	2020-11-18
\| \| \|
* \| \|	add macro, globbing support to --tmpfs option	smitsohu	2020-11-19
\| \| \|
* \| \|	Merge pull request #3746 from netblue30/private-lib-fcopy	Reiner Herrmann	2020-11-18
\|\ \ \ \| \| \| \| \| \| \| \|	install libraries needed by fcopy when using private-lib
\| * \| \|	install libraries needed by fcopy when using private-lib	Reiner Herrmann	2020-11-12
\| \| \|/ \| \|/\| \| \| \| \| \| \|	Fixes #3741
* \| \|	Add profile for straw-viewer (#3742)	kortewegdevries	2020-11-18
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* Add profile for straw-viewer * Remove blacklist, fixes
* \| \|	document protocol=bluetooth	rusty-snake	2020-11-16
\|/ /
* \|	rework chromium (#3688)	rusty-snake	2020-11-09
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* rework chromium + 516d0811 has removed fundamental security features. (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep) Though this is only necessary if running under a kernel which disallow unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctk (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'. This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs. + chromium-common.profile: add private-cache + chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome. - [ ] bnox, dnox, enox, inox, snox - [ ] brave - [ ] flashpeak-slimjet - [ ] google-chrome, google-chrome-beta, google-chrome-unstable - [ ] iridium - [ ] min - [ ] opera, opera-beta + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot? + create chromium-browser-privacy.profile (closes #3633) * update 1 + add missing 'ignore whitelist /usr/share/chromium' + revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such as AAC too. In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues. * update 2 * update 3 fixes #3709
* \|	Add spectacle's profile (#3717)	Neo00001	2020-11-02
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	* Update firecfg.config * Update disable-programs.inc * Create spectacle.profile
* \|	added bluetooth to the list of protocols allowed by seccomp	netblue30	2020-10-28
\| \|
* \|	reverted --bind as root - some security problems	netblue30	2020-10-27
\| \|
* \|	compile time option to disable --private-cache and --tmpfs for regular user	netblue30	2020-10-27
\| \|
* \|	Merge pull request #3676 from rusty-snake/tmpfs-inside-home	netblue30	2020-10-25
\|\ \ \| \| \| \| \| \|	Allow --tmpfs and --bind inside $HOME for unprivileged users
\| * \|	Likewise allow --bind inside $HOME for users	rusty-snake	2020-10-23
\| \| \|
\| * \|	Allow --tmpfs inside $HOME for unprivileged users	rusty-snake	2020-10-23
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	--tmpfs was added in 0.9.14 and restricted to root only in 0.9.38 due to priv-esc CVE-2016-10117 (e.g. --tmpfs=/etc and modify /etc/sudoers). This commit reintroduce it for normal users, if the realpath of it is inside users-home.
* \| \|	harden peek; update README.md; add gnome-sound-…	rusty-snake	2020-10-23
\|/ / \| \| \| \| \| \|	…recorder to firecfg.config
* \|	fix #3478	netblue30	2020-10-19
\| \|
* \|	fix manpage wanings (#3563)	netblue30	2020-10-19
\| \|
* \|	Apply --rmenv immediately to help to avoid the env var length check	Topi Miettinen	2020-10-16
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Remove environment variables with --rmenv immediately. This fixes removing long environment variables (LS_COLORS generated by vivid), previously the length filter would trip before the command was processed. This changes user visible behavior slightly, for example --rmenv=LANG now applies also to Firejail, while earlier it would only apply to sandboxed program. Partially fixes #3673, but not handling `rmenv` in profiles. Also suggest --rmenv when there are problems with enviroment variables. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* \|	Remove unused variables	Reiner Herrmann	2020-10-14
\| \| \| \| \| \| \| \| \| \|	Fixes clang-analyzer warnings: "Although the value stored to 'xxxxx' is used in the enclosing expression, the value is never actually read from 'xxxxx'"
* \|	merges, fix for #3662 etc.	netblue30	2020-10-13
\| \|
* \|	allowing links in netns	dpellegr	2020-10-12
\| \|
* \|	man: call preproc.awk via Makefile, as the shebang hardcodes the path	Reiner Herrmann	2020-10-10
\| \|
* \|	build: add -fPIE to LDFLAGS	Reiner Herrmann	2020-10-08
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	according to GCC documentation (https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html): "For predictable results, you must also specify the same set of options used for compilation (-fpie, -fPIE, or model suboptions) when you specify this linker option."
* \|	selinux: exit when selinux is enabled but opening handle fails	Reiner Herrmann	2020-10-06
\| \|
* \|	selinux: don't try to relabel path when selinux is not enabled	Reiner Herrmann	2020-10-06
\| \| \| \| \| \| \| \|	Fixes: #3654
* \|	fix indentation	Reiner Herrmann	2020-10-06
\| \|
* \|	DHCP fixes	netblue30	2020-10-06
\| \|
* \|	Fix typo	Reiner Herrmann	2020-10-05
\| \|