| Commit message (Collapse) | Author | Age |
| |
|
|
|
|
| |
(cherry picked from commit ff30ea354fa8fb46db2c03282c086110bff16689)
|
| |
|
|\
| |
| | |
New profile for CoyIM
|
| | |
|
|\ \
| | |
| | | |
Add profile for kdiff3
|
| | | |
|
| | | |
|
|/ / |
|
| | |
|
|\ \
| | |
| | | |
Add $PATH expansion to private-lib
|
| | | |
|
|\ \ \
| | | |
| | | | |
private-lib: add new timetrace
|
| |/ / |
|
| | | |
|
|/ /
| |
| |
| |
| |
| |
| |
| | |
as modern-day Debian only keeps a single symbolic link in
/lib64, going through both directories systematically adds
virtually no overhead (as indicated by the timetrace). At
the same time it is simpler and more robust in producing a correct
representation of the filesystem.
|
| | |
|
| | |
|
| | |
|
| | |
|
|\ \
| | |
| | | |
return to non-dumpable plugins
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
(hopefully) fixes the issues that led to reverting
commits 6abb65d328af61d67361890743190bd4c57f8e3c and 98e42dc6da4e4b1e47ed2aa020012d4dedc1e80e
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* add new profile: qnapi
* add new profile: qnapi
* Create qnapi.profile
* add qnapi configs
* Update README.md
* Update README.md
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* new profile: shotwell
* Create shotwell.profile
* new profile: shotwell
* add shotwell blacklists
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
closes #3237
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
avoids creating holes in the basic read-only filesystem
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* don't mess with umask of root, it could be more strict
than user umask and relaxing it may catch root by surprise
* join needs execveat syscall, need to drop it post-exec
* make things more explicit
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| | |
* new profile: tutanota-desktop
* add tutanota-desktop to firecfg
* blacklist tutanota-desktop files
* Create tutanota-desktop.profile
|
|\ \
| | |
| | | |
join: add fexecve fallback for shells
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Allows users to join a sandbox and get a shell even
if there is none in the sandbox mount namespace.
There are few limitations:
1. This will fail with scripted shells (see man 3 fexecve for an explanation)
2. Shell process names are not user friendly
|
|\ \ \
| | | |
| | | | |
Implement netns in profiles, closes #3846
|
| | | | |
|
|\ \ \ \ |
|
| | | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We do not start /bin/bash in the sandbox, we use $SHELL (which is
usually /bin/bash). See #3434 and #3844. This commit updates the
manpage accordingly until #3434 is resolved with a final solution like
using /bin/bash or /bin/sh as hardcoded default. Close #3844.
The descriptions of --join* are not updated as there is currenly some
work, see #2934 and #3850.
|
| | |_|/
| |/| |
| | | | |
case is handled in guess_shell()
|
| | | | |
|
|/ / / |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
issue #3604
follow-up to a7607e423f3336f67daf2ec296414d55c6740f84
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If firejail is the login shell, the SHELL environment variable
is set to the path of the firejail executable. This leads to execution of a
'firejail -l' command, but firejail inside the sandbox does
not know what to do with the -l option and just starts bash without
forwarding this option.
Fix this by not checking $SHELL when guessing which shell should be used.
run_no_sandbox(), which relies on reading the environment, runs before
setting the login_shell variable, and is not affected.
|
| | |
| | |
| | |
| | |
| | | |
issue #3784
related commit 4bc92b8fd0a5c22c7d4c6f9323378501c60ff149
|
|/ / |
|
|\ \
| | |
| | | |
x11=none: don't fail on abstract socket if netns …
|