Łukasz Mariański
49494e919b
Fix glob pattern and update other profiles/includes
2022-04-23 18:55:50 +02:00
m00nwtchr
5840c707bd
Update electron.profile
2022-04-23 14:20:41 +00:00
m00nwtchr
9ef5693319
Update electron.profile
...
Add electron-flags.conf for all versions of electron
2022-04-23 14:12:04 +00:00
Reiner Herrmann
acced522dd
CI: run apt-get update before install to get updated package lists
2022-04-22 22:16:07 +00:00
netblue30
d4106f7aaa
fix firecfg --guide
2022-04-21 22:02:12 -04:00
rusty-snake
c8c69ca2f6
firejail-welcome.sh fixes
...
- fix shellcheck
- break long lines
- remove useless $? check
- remove needless \\
2022-04-21 21:24:44 +02:00
netblue30
62e33cfc37
more on firecfg --guide
2022-04-21 11:41:40 -04:00
netblue30
0cfb641395
firecfg --guide
2022-04-19 08:49:24 -04:00
netblue30
37032636d4
resurrecting welcome.sh
2022-04-19 08:09:51 -04:00
dependabot[bot]
16bc93ca27
build(deps): bump actions/checkout from 3.0.0 to 3.0.1
...
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a12a3943b4...dcd71f6466)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-04-18 17:58:50 +00:00
netblue30
27ab5b3654
Merge branch 'master' of ssh://github.com/netblue30/firejail
2022-04-17 12:04:58 -04:00
netblue30
0aff61d8d9
documentation (#5107)
2022-04-17 12:04:29 -04:00
netblue30
ce0ca294f6
Merge pull request #5088 from slowpeek/master
...
Allow resolution of .local names with avahi-daemon in the apparmor profile.
2022-04-17 11:13:33 -04:00
rusty-snake
56ebc8ac98
Fix chromium browsers in firejail 0.9.68
...
closes #4965
2022-04-14 22:15:54 +02:00
netblue30
81e12a45b7
fix --writable-etc
2022-04-12 08:15:52 -04:00
netblue30
a1921293d3
Merge branch 'master' of ssh://github.com/netblue30/firejail
2022-04-12 08:15:04 -04:00
dependabot[bot]
0e934bdcba
build(deps): bump github/codeql-action from 2.1.6 to 2.1.8
...
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.6 to 2.1.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](28eead2408...1ed1437484)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 17:40:38 +00:00
netblue30
f29f815c00
small fixes
2022-04-10 20:25:28 -04:00
smitsohu
142ab7ea29
Merge pull request #5092 from smitsohu/vlc
...
harden vlc
2022-04-10 20:36:14 +02:00
smitsohu
bfab0a6789
harden vlc
...
apparmor doesn't disable D-Bus anymore, so add it back
remove memory-deny-write-execute comment, as this also breaks JIT compiled QtQuick nowadays
2022-04-10 20:19:42 +02:00
smitsohu
f3de2e37fd
libvirt dnsmasq: more fixes (#5089)
...
following up ce6f792efd
/var/lib/libvirt is blacklisted in disable-common.inc
so merely whitelisting the directory is not enough
2022-04-10 18:32:17 +02:00
smitsohu
d334449480
harden dnsmasq
...
private option implies private-cache,
so it is safe to remove
2022-04-10 18:15:16 +02:00
smitsohu
ce6f792efd
libvirt dnsmasq fix (#5089)
2022-04-10 18:03:35 +02:00
smitsohu
af2b81b612
unbound: fixes, blacklist all of ${RUNUSER}
2022-04-10 17:50:28 +02:00
Kelvin M. Klann
024e62f31d
steam: add HotLine Miami (#5097)
...
https://store.steampowered.com/app/219150/Hotline_Miami/
2022-04-08 15:59:04 +00:00
netblue30
0674295d0c
compile fix
2022-04-08 11:46:19 -04:00
netblue30
68a2d01b6b
nettrace
2022-04-08 11:15:51 -04:00
netblue30
f861764dfa
nettrace dns and sni
2022-04-08 08:49:51 -04:00
netblue30
852f703a87
Merge branch 'master' of ssh://github.com/netblue30/firejail
2022-04-07 07:02:53 -04:00
netblue30
54b7c31a78
nettrace fixes
2022-04-05 06:55:06 -04:00
smitsohu
2252985dd4
more snap blacklisting (#5093)
2022-04-04 22:36:37 +00:00
dependabot[bot]
5cbdfadb47
build(deps): bump github/codeql-action from 1.1.5 to 2.1.6
...
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.1.5 to 2.1.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](8834766498...28eead2408)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 17:26:15 +00:00
slowpeek
2d10e60342
Update firejail-default
...
Allow access to avahi-daemon socket in the apparmor profile.
2022-04-02 23:52:44 +03:00
glitsj16
7a2078ee08
teams: drop doubled option (#5087)
2022-04-01 06:58:22 +00:00
glitsj16
bff74b6d37
man: typo fixes (#5084)
2022-03-31 19:49:22 +00:00
netblue30
5b4b1ce916
merges
2022-03-29 11:46:13 -04:00
netblue30
06c70b4b25
Merge pull request #5078 from kmk3/docs-mention-caps-man
...
docs: mention capabilities(7) on --caps
2022-03-29 11:42:33 -04:00
netblue30
e5e12ca522
Merge pull request #5077 from kmk3/dc-add-pkcs11
...
disable-common.inc: make ~/.config/pkcs11 read-only
2022-03-29 11:41:59 -04:00
netblue30
108b7e3a2d
Merge pull request #5071 from kmk3/add-appimage-dir
...
appimage: blacklist and make ~/Applications dir read-only
2022-03-29 11:41:30 -04:00
Kelvin M. Klann
2183e4d296
docs: mention capabilities(7) on --caps
...
As hinted by @rusty-snake[1].
[1] https://github.com/netblue30/firejail/discussions/5064#discussioncomment-2417395
2022-03-27 18:01:16 -03:00
Kelvin M. Klann
14428e6904
disable-common.inc: make ~/.config/pkcs11 read-only
...
It looks like it allows arbitrary command execution. From
pkcs11.conf(5):
> remote:
> Instead of loading the PKCS#11 module locally, run the module
> remotely.
>
> Specify a command to run, prefixed with | a pipe. The command
> must speak the p11-kit remoting protocol on its standard in
> and standard out. For example:
>
> remote: |ssh user@remote p11-kit remote /path/to/module.so
>
> Other forms of remoting will appear in later p11-kit releases.
Environment: p11-kit 0.24.1-1 on Artix Linux.
Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").
With this commit applied, all read-only entries on whitelist-common.inc
are also part of disable-common.inc.
See also the discussion on #5069.
2022-03-27 17:16:31 -03:00
NetSysFire
73756b41b9
megaglest.profile: Add allow-lua.inc (#5066)
...
* megaglest.profile: Add allow-lua.inc
* Move comment to line above
2022-03-25 06:33:14 +00:00
Jose Riha
f63e84cd95
Fix Hugin profile. (#5072)
...
Fixes #5068.
2022-03-25 06:30:31 +00:00
Kelvin M. Klann
d1336c9927
disable-programs.inc: blacklist ~/Applications dir
...
It is used for storing AppImages.
Note that even when blacklisting a directory, it is possible to execute
an AppImage from it. For example, the following works:
    firejail --noprofile --blacklist='${HOME}/Applications' --appimage \
        ~/Applications/foo.AppImage
While the resulting process does not appear to have access to the
blacklisted directory.
2022-03-24 20:10:06 -03:00
Kelvin M. Klann
2dc957d1c5
disable-common.inc: make ~/Applications dir read-only
...
This directory is monitored by both appimaged[1] and
AppImageLauncher[2]. Also, when opening an AppImage with
AppImageLauncher, it may prompt the user to move the AppImage to
~/Applications.
[1] 2323f1825e/README.md (monitored-directories)
[2] https://github.com/TheAssassin/AppImageLauncher/wiki/Configuration
2022-03-24 14:47:12 -03:00
Kelvin M. Klann
edbecfb676
RELNOTES: add gcov dummy functions bugfix and docs
...
Relates to #5028 #5043 #5052.
2022-03-24 12:18:11 -03:00
netblue30
63591c975b
adding ping in firecfg list (#1912)
2022-03-24 08:58:24 -04:00
netblue30
b8c41ea8fd
Merge branch 'master' of ssh://github.com/netblue30/firejail
2022-03-24 08:36:09 -04:00
netblue30
c254873bbe
merges
2022-03-24 08:35:53 -04:00
netblue30
70184cbf86
Merge pull request #5061 from glitsj16/ping-fixes
...
ping: (extra) hardening
2022-03-24 08:32:24 -04:00