aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAge
* update manpages and RELNOTESLibravatar rusty-snake2021-01-08
|
* fbuilder: check Yama permissionsLibravatar smitsohu2021-01-08
| | | | closes #3237
* fbuilder: whitelist-common.inc processingLibravatar smitsohu2021-01-08
|
* simplify clean_pathname functionLibravatar smitsohu2021-01-08
|
* mount private-lib directories read-onlyLibravatar smitsohu2021-01-06
| | | | avoids creating holes in the basic read-only filesystem
* join: misc improvementsLibravatar smitsohu2021-01-06
| | | | | | | | | * don't mess with umask of root, it could be more strict than user umask and relaxing it may catch root by surprise * join needs execveat syscall, need to drop it post-exec * make things more explicit
* new profile: tutanota-desktop (#3870)Libravatar glitsj162021-01-05
| | | | | | | | | * new profile: tutanota-desktop * add tutanota-desktop to firecfg * blacklist tutanota-desktop files * Create tutanota-desktop.profile
* Merge pull request #3850 from smitsohu/smitsohu-shellLibravatar netblue302020-12-30
|\ | | | | join: add fexecve fallback for shells
| * join: add fexecve fallback for shellsLibravatar smitsohu2020-12-29
| | | | | | | | | | | | | | | | Allows users to join a sandbox and get a shell even if there is none in the sandbox mount namespace. There are few limitations: 1. This will fail with scripted shells (see man 3 fexecve for an explanation) 2. Shell process names are not user friendly
* | Merge pull request #3852 from rusty-snake/fix-3846Libravatar netblue302020-12-30
|\ \ | | | | | | Implement netns in profiles, closes #3846
| * | Implement netns in profiles, closes #3846Libravatar rusty-snake2020-12-29
| | |
* | | Merge branch 'master' into browsersLibravatar Reiner Herrmann2020-12-29
|\ \ \
| * | | profiles: add redirect from matrix-mirage to mirage (#3854)Libravatar Reiner Herrmann2020-12-29
| | | |
| * | | manpage: /bin/bash -> user's perferred shellLibravatar rusty-snake2020-12-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We do not start /bin/bash in the sandbox, we use $SHELL (which is usually /bin/bash). See #3434 and #3844. This commit updates the manpage accordingly until #3434 is resolved with a final solution like using /bin/bash or /bin/sh as hardcoded default. Close #3844. The descriptions of --join* are not updated as there is currenly some work, see #2934 and #3850.
| * | | cleanupLibravatar smitsohu2020-12-28
| | | | | | | | | | | | case is handled in guess_shell()
* | | | On Debian/Ubunbtu microsoft-edge redirects to dev-channel right nowLibravatar bbhtt2020-12-29
| | | |
* | | | Add profiles for MS Edge dev build for Linux and LibrewolfLibravatar bbhtt2020-12-28
|/ / /
* | | shell autoselection fixupLibravatar smitsohu2020-12-22
| | |
* | | rework previous commit 45c28b808df9529aca32fdd755ac14e8101af3c1Libravatar smitsohu2020-12-22
| | |
* | | noroot option: create mapping of firejail groupLibravatar smitsohu2020-12-21
| | | | | | | | | | | | | | | issue #3604 follow-up to a7607e423f3336f67daf2ec296414d55c6740f84
* | | fix forwarding of login option to restricted shellLibravatar smitsohu2020-12-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If firejail is the login shell, the SHELL environment variable is set to the path of the firejail executable. This leads to execution of a 'firejail -l' command, but firejail inside the sandbox does not know what to do with the -l option and just starts bash without forwarding this option. Fix this by not checking $SHELL when guessing which shell should be used. run_no_sandbox(), which relies on reading the environment, runs before setting the login_shell variable, and is not affected.
* | | add mac multicast address check to profile_check_lineLibravatar smitsohu2020-12-21
| | | | | | | | | | | | | | | issue #3784 related commit 4bc92b8fd0a5c22c7d4c6f9323378501c60ff149
* | | minor cleanup, cosmeticsLibravatar smitsohu2020-12-21
|/ /
* | Merge pull request #3839 from rusty-snake/fix-3838Libravatar smitsohu2020-12-21
|\ \ | | | | | | x11=none: don't fail on abstract socket if netns …
| * | x11=none: don't fail on abstract socket if netns …Libravatar rusty-snake2020-12-19
| |/ | | | | | | | | | | …is used. fix #3838 -- --x11=none --netns=isolated invalidly errors on the abstract X11 socket being accessible
* | increase verbosity if masking ~/.config/pulse failsLibravatar smitsohu2020-12-21
| | | | | | | | plus very minor cosmetic improvements
* | noroot option: don't drop firejail supplementary groupLibravatar smitsohu2020-12-21
| | | | | | | | | | see suggested setup in man 5 firejail-users also related to issue #3604
* | declare seccomp_debug function staticLibravatar smitsohu2020-12-21
| |
* | simplify private option codeLibravatar smitsohu2020-12-21
|/
* New profiles for alacarte,tootle,photoflare (#3816)Libravatar kortewegdevries2020-12-16
| | | | | | | * New profiles for alacarte,tootle,photoflare * Fix dbus Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
* drill profileLibravatar netblue302020-12-12
|
* check --mac= for multicast addresses (#3784)Libravatar netblue302020-12-07
|
* Merge pull request #3772 from smitsohu/smitsohu-openat2Libravatar netblue302020-12-07
|\ | | | | use openat2 syscall when available
| * use openat2 syscall when availableLibravatar smitsohu2020-11-23
| |
* | profile fixes from issuesLibravatar rusty-snake2020-12-07
| | | | | | | | closes #3786; closes #3776
* | Add profile for authenticator-rs, improve falkon (#3747)Libravatar kortewegdevries2020-12-07
| | | | | | | | | | | | | | | | | | * Add profile for authenticator-rs, improve falkon, balsa * Fix * Add private-tmp to falkon * Revert balsa
* | fix #3782 -- Man pages have #ifdefs in themLibravatar rusty-snake2020-12-01
| |
* | a more portable implementation for time measurementsLibravatar netblue302020-12-01
| |
* | Add a profile for dolphin-emuLibravatar Tad2020-11-29
| | | | | | | | | | Games folder must be whitelisted in a dolphin-emu.local Its private-etc can likely be shortened
* | Small fixesLibravatar Tad2020-11-29
| | | | | | | | | | | | | | | | | | - gimp: allow mbind syscall. no start on Fedora 33 without - minetest: disable private-cache. without persistent cache connecting to servers can take many minutes - supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers - supertuxkart: comment private-dev to allow controller use - profiles: unify controller support comments - firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
* | revisit join-or-start hidepid fixLibravatar smitsohu2020-11-25
| | | | | | | | | | | | cf. 9eb9e8d4c1b8995f0e7af4d604f3becd5dc91f62 No need to expect pid's in profile files.
* | join-or-start hidepid fixLibravatar smitsohu2020-11-24
| |
* | fix hidepid mount detectionLibravatar smitsohu2020-11-24
| | | | | | | | kernel >= 5.8 now translates mode "1" to "noaccess" and mode "2" to "invisible", which breaks Firejail's hidepid detection
* | Merge pull request #3762 from smitsohu/smitsohu-private-cacheLibravatar netblue302020-11-22
|\ \ | | | | | | reimplement --private-cache using --tmpfs
| * | reimplement --private-cache using --tmpfsLibravatar smitsohu2020-11-20
| | |
* | | Merge pull request #3752 from smitsohu/smitsohu-get-to-catLibravatar netblue302020-11-22
|\ \ \ | |/ / |/| | reimplement --get using --cat
| * | reimplement --get using --catLibravatar smitsohu2020-11-18
| | |
* | | add macro, globbing support to --tmpfs optionLibravatar smitsohu2020-11-19
| | |
* | | Merge pull request #3746 from netblue30/private-lib-fcopyLibravatar Reiner Herrmann2020-11-18
|\ \ \ | | | | | | | | install libraries needed by fcopy when using private-lib
| * | | install libraries needed by fcopy when using private-libLibravatar Reiner Herrmann2020-11-12
| | |/ | |/| | | | | | | Fixes #3741
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-09 00:10:07 +0000