4637 commits

Author SHA1 Message Date
Kelvin M. Klann
0060b5105b
profiles: rename disable-X11.inc to disable-x11.inc (#6294)
That is, make "X11" lowercase so that the order of the includes in the
disable- section remains the same when sorted with `LC_ALL=C`, as is the
case for most of the other sections.  That is also likely to be the
default in text editors (such as in vim on Arch), so this should make
the disable- section more consistent and easier to sort when editing the
profile.

Also, keep the old include as a redirect to the new one for now to avoid
breakage.

Commands used to search and replace:

    git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
    git grep -Ilz 'disable-X11' -- etc | xargs -0 \
      perl -pi -e 's/disable-X11/disable-x11/'

Relates to #4462 #4854 #6070 #6289.

This is a follow-up to #6286.
2024-03-27 12:13:47 +00:00
Kelvin M. Klann
0d8fb3d1b4
profiles: sort blacklist sections (#6289)
See etc/templates/profile.template.

This is a follow-up to #6286.
2024-03-27 12:13:21 +00:00
Kelvin M. Klann
7047e1a689
New profile: qemu-common.profile (#6287)
Add a common profile to deduplicate entries and make qemu-related
profiles redirect to it.

Relates to #6255.
2024-03-25 06:42:07 +00:00
RundownRhino
009212b832
firefox: Add org.kde.kdeconnect to plasma integration comment (#6285)
I recently set up KDE connect and plasma-browser-integration for firefox
(Linux Mint 21.2) and needed this line in addition to the ones mentioned
in the profile. Found it via running `firejail
--profile=/etc/firejail/firefox.profile --dbus-user.log firefox`, trying
to send links to device, and seeing what events get logged.
2024-03-24 11:28:31 +00:00
Kelvin M. Klann
eaee3367d2
Merge pull request #6286 from kmk3/x11-none-improvements
profiles: replace x11 socket blacklist with disable-X11.inc
2024-03-24 06:50:30 +00:00
Kelvin M. Klann
945ad858ed
profiles: deny access to ~/.config/autostart (#6257)
The files in this directory are intended to be automatically executed
when the user logs in.

In which case, granting write access to this directory allows the
program to easily escape the sandbox (by autostarting itself outside of
firejail, for example).

Misc: This was noticed on #6244.
2024-03-24 06:44:22 +00:00
Kelvin M. Klann
04efbb2763
profiles: replace x11 socket blacklist with disable-X11.inc
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.

Commands used to search and replace:

    $ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
      etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
        s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
        s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
        s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'

Note: The following files were also edited manually:

* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile

Relates to #4462 #4854.
2024-03-24 03:42:59 -03:00
Kelvin M. Klann
5ec7c2292c
sstmp.profile: sort disable includes
Move disable-X11.inc before disable-xdg.inc for consistency with other
profiles.

Added on commit 73a6fced2 ("New profile: ssmtp (#5544)", 2022-12-21).
2024-03-23 09:09:00 -03:00
Kelvin M. Klann
781b57dea8
gconf-editor: remove X11 socket blacklist
It is a GUI program.

It was apparently added by accident on commit 73321c597 ("Fixes
(#2816)", 2019-07-01).

Reported by @glitsj16 at
https://github.com/netblue30/firejail/pull/6286#discussion_r1536618241
2024-03-23 09:08:20 -03:00
glitsj16
96d66fa624
New profile: tqemu.profile (#6255)
Description: QEMU frontend without libvirt.

https://github.com/thanoulis/tqemu
2024-03-23 06:10:41 +00:00
Kelvin M. Klann
37724d6b21
k3b.profile: fix dvd drive detection (private-dev) (#6280)
@hedgehog29 commented[1]:

> It prevents k3b from detecting all dvd drives, including USB ones, and
> it seems that also SATA.

Fixes #6279.

[1] https://github.com/netblue30/firejail/issues/6279#issue-2191392448
2024-03-23 06:07:18 +00:00
glitsj16
3f4d6df041
New profile: metadata-cleaner.profile (#6246)
Description: Python GTK3 application to view and clean metadata in
files, using mat2.

https://gitlab.com/rmnvgr/metadata-cleaner
2024-03-20 11:42:44 +00:00
pirate486743186
ae1e5e3e9c
remove porn-cli.profile (#6284)
Co-authored-by: exponential <echo ZXhwb25lbnRpYWxtYXRyaXhAcHJvdG9ubWFpbC5jb20K | base64 -d>
2024-03-20 08:29:53 +00:00
glitsj16
2d6d4c59e6
Rename etc/session-desktop.profile to etc/profile-m-z/session-desktop.profile
2024-03-19 12:14:28 +00:00
glitsj16
3c6016e6b3
New profile: session-desktop.profile (#6259)
Description: Encrypted messenger.

https://github.com/oxen-io/session-desktop/
https://aur.archlinux.org/packages/session-desktop
https://aur.archlinux.org/packages/session-desktop-bin
https://aur.archlinux.org/packages/session-desktop-appimage

Note: The AUR packages all work with the profiles.
2024-03-19 11:57:10 +00:00
glitsj16
161318dc2b
New profile: mimetype.profile (#6247)
Description: Determines the file type.

https://metacpan.org/release/File-MimeInfo
https://archlinux.org/packages/extra/any/perl-file-mimeinfo/
2024-03-19 06:08:35 +00:00
glitsj16
898273ac8e
New profile: tvnamer.profile (#6256)
Description: Automatic TV episode file renamer.

https://github.com/dbr/tvnamer
2024-03-18 15:08:22 +00:00
glitsj16
d6c32c1105
New profile: textroom.profile (#6254)
Description: Full Screen text editor heavily inspired by Q10 and
JDarkRoom.

https://code.google.com/p/textroom/
https://aur.archlinux.org/packages/textroom
2024-03-18 14:32:55 +00:00
glitsj16
5aa533f9e1
New profile: rymdport.profile (#6251)
Description: Encrypted sharing of files, folders, and text between
devices.

https://github.com/Jacalz/rymdport
2024-03-18 14:31:05 +00:00
glitsj16
99e9c6abad
New profile: localsend_app.profile (#6244)
Description: An open source cross-platform alternative to AirDrop.

https://github.com/localsend/localsend
2024-03-18 14:30:26 +00:00
glitsj16
f48f55f91b
New profile: editorconfiger.profile (#6235)
Description: Plain tool to validate and compare .editorconfig files.

https://github.com/aegoroff/editorconfiger
https://aur.archlinux.org/packages/editorconfiger
https://aur.archlinux.org/packages/editorconfiger-bin
2024-03-18 10:45:50 +00:00
glitsj16
c334f62e78
New profile: koreader.profile (#6243)
Description: Ebook reader application.

https://koreader.rocks/
2024-03-16 20:26:41 +00:00
glitsj16
8636d32664
New profile: dexios.profile (#6234)
Description: CLI encryption tool

https://github.com/brxken128/dexios
https://aur.archlinux.org/packages/dexios-bin
2024-03-16 20:26:12 +00:00
glitsj16
42ef45b5db
firejail-local: be less restrictive with torbrowser-launcher
Cfr. https://github.com/netblue30/firejail/issues/6269#issuecomment-2002021790.
2024-03-16 15:49:07 +00:00
glitsj16
856890e718
New profile: deadlink.profile (#6233)
Description: Checks and fixes URLs in code and documentation.

https://github.com/nschloe/deadlink
https://aur.archlinux.org/packages/deadlink
2024-03-15 00:04:49 +00:00
glitsj16
259062d952
New profile: cloneit (#6232)
Description: A CLI tool to download specific GitHub directories or
files.

https://github.com/alok8bb/cloneit
https://aur.archlinux.org/packages/cloneit-git
2024-03-15 00:04:13 +00:00
glitsj16
a97d53383f
New profile: statusof.profile (#6253)
Description: Python script to check the status of a list of URLs.

https://github.com/Arthurdw/statusof
2024-03-14 18:48:02 +00:00
glitsj16
a03e345a86
New profile: lyriek.profile (#6245)
Description: A multi-threaded GTK application to fetch lyrics of
currently playing songs.

https://gitlab.com/bartwillems/lyriek
2024-03-14 18:47:32 +00:00
glitsj16
138a9edb8c
New profile: erd.profile (#6236)
Description: Multi-threaded file-tree visualizer and disk usage
analyzer.

https://github.com/solidiquis/erdtree
https://archlinux.org/packages/extra/x86_64/erdtree/

Note: The repo and package are called `erdtree`, but the executable is
`erd`.
2024-03-14 18:46:27 +00:00
glitsj16
9d01119c1c
New profile: bpftop.profile (#6231)
Description: Dynamic real-time view of running eBPF programs.

https://github.com/Netflix/bpftop
https://aur.archlinux.org/packages/bpftop
https://aur.archlinux.org/packages/bpftop-bin
https://aur.archlinux.org/packages/bpftop-git
2024-03-14 18:44:37 +00:00
glitsj16
2b5dfef742
qt6ct: add dbus-filtering rules (#6272)
Add support for qt6ct packages that use XDG desktop portal.

https://github.com/MikeWalrus/qt6ct#branch=colorscheme-portal
https://aur.archlinux.org/packages/qt6ct-xdg-colorscheme-git
2024-03-12 14:45:30 +00:00
glitsj16
d506bbe7e2
torbrowser-launcher fixes (#6270)
Apparently Tor Browser 13.0.11 (based on Mozilla Firefox 115.8.0esr)
changed a few things. The former versions installed under
`${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser`
and now under
`${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser`.

All of our tor-browser-foo.profile profiles redirect to
torbrowser-launcher.profile and are covered by the fixes.

torbrowser.profile was not tested. It redirects to
firefox-common.profile and seems to be Gentoo-specific.

Fixes #6269.
2024-03-09 16:44:30 +00:00
Kelvin M. Klann
c16f7a2902
Merge pull request #6261 from kmk3/sort-py-strip-commas
build: sort.py: filter empty and duplicate items
2024-03-08 13:14:22 +00:00
Kelvin M. Klann
77e7512635
landlock: use PATH macro in landlock-common.inc (#6260)
To reduce duplication.

Support for it was added on commit bf5a99360 ("landlock: add support for
PATH macro", 2023-12-22).

See also commit 19e108248 ("landlock: expand simple macros in commands",
2023-11-11) / PR #6125.

Relates to #6078.
2024-03-08 13:12:30 +00:00
glitsj16
4c0dbfaf86
profiles: remove blacklisting of qt5ct/qt6ct paths (#6266)
Blacklisting qt5ct/qt6ct configuration and data paths breaks styling in all
apps that use them.

This was working as expected before #6249 and #6250, so remove the
blacklisting.
2024-03-06 08:56:36 +00:00
glitsj16
a456e5182c
New profile: green-recoder.profile (#6237)
Simple screen recorder for Linux desktop, supports Wayland & Xorg.

https://github.com/dvershinin/green-recorder
https://aur.archlinux.org/packages/green-recorder
https://aur.archlinux.org/packages/green-recorder-git
2024-03-05 17:20:34 +00:00
Kelvin M. Klann
9b0f03f1af
disable-programs.inc: blacklist /tmp/lwjgl_*
Fix `noblacklist` entry without an equivalent `blacklist` entry.

Added on commit 1a2e8ab85 ("multimc: instances not running, because of
missing permissions", 2024-02-19) / PR #6216.
2024-03-05 14:11:47 -03:00
Michele Sorcinelli
b9d11ed33c
ssh: whitelist gcr-ssh-agent unix socket (#6258)
Since gnome-keyring 1.46, the ssh-agent functionality has been removed
and gcr-ssh-agent is the recommended alternative.

Source:
  - https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67
  - https://wiki.archlinux.org/title/GNOME/Keyring#SSH_keys
2024-03-05 14:02:40 +00:00
glitsj16
06d160fc16
archiver-common: add mkinitcpio support to private-etc (#5656)
mkinitcpio (used to generate initramfs images) supports several
compression formats:
https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/blob/master/mkinitcpio.conf#L54-L64.

On Arch Linux (based distributions) at least this implies the supported
archivers to have access to mkinitcpio-related files under /etc.

This was no problem before 29da82d added `private-etc` to
`archivers-common.profile`.

This adds the now needed extra private-etc items to
archiver-common.profile, for mkinitcpio's supported compressors (which
seem to be at least cpio, gzip and zstd).

Relates to #5610.
2024-03-05 13:56:57 +00:00
glitsj16
5b1bddd652
archivers: drop private-etc now that it's in archiver-common (#5655)
Commit 29da82d added `private-etc` to `archiver-common.profile`.

To avoid doubled options this PR removes it from archiver profiles which
already had it.

Relates to #5610.
2024-03-05 09:19:42 +00:00
glitsj16
0822dd6352
iagno: ordering fixes (#5681)
2024-03-05 09:15:10 +00:00
glitsj16
41b8cba505
New profile: qt6ct (#6250)
2024-03-05 09:03:40 +00:00
glitsj16
301826a674
New profile: qt5ct (#6249)
2024-03-05 08:59:11 +00:00
glitsj16
ea62569ce6
New profiles: lz4 and redirects (#6241)
2024-03-05 08:54:34 +00:00
glitsj16
13da9b9528
gnome-boxes: deny access to /usr/libexec (#6239)
2024-03-05 08:50:50 +00:00
glitsj16
d1c6080e02
virt-manager: deny access to /usr/libexec (#6238)
2024-03-05 08:50:08 +00:00
glitsj16
8eeff292a5
makepkg: fix ordering (#6265)
2024-03-05 08:48:37 +00:00
rusty-snake
32688ce86e
Add quiet to enchant-2, it has a cli
2024-03-03 16:38:57 +01:00
Kelvin M. Klann
908e5a1a43
build: sort.py: filter empty and duplicate items
Note: This seems to already be done for `protocol` lines.

Before:

    $ ./contrib/sort.py test.profile
    sort.py: checking 1 profile(s)...
    test.profile:1:-private-etc ,,bar,,foo,,bar,,,
    test.profile:1:+private-etc ,,,,,,,bar,bar,foo
    test.profile:2:-protocol ,,unix,,bluetooth,,unix,,inet,,,
    test.profile:2:+protocol unix,inet,bluetooth
    [ Fixed ] test.profile

After:

    $ ./contrib/sort.py test.profile
    sort.py: checking 1 profile(s)...
    test.profile:1:-private-etc ,,bar,,foo,,bar,,,
    test.profile:1:+private-etc bar,foo
    test.profile:2:-protocol ,,unix,,bluetooth,,unix,,inet,,,
    test.profile:2:+protocol unix,inet,bluetooth
    [ Fixed ] test.profile
2024-03-03 10:10:39 -03:00
netblue30
071a5dabb2
Merge pull request #6219 from haplo/ledger-live-desktop
Profile for Ledger Live desktop app
2024-02-29 10:08:48 -05:00