Commit graph

600 commits

Author SHA1 Message Date
glitsj16
ad12d90369
add element-desktop redirect profile (#3517)
* Create element-desktop.profile

* add element-desktop dirs to disable-programs.inc

* add element-desktop to firecfg.config

* Update RELNOTES
2020-07-16 22:32:00 +00:00
rusty-snake
deb6c12454
hardening some profiles (#3505)
* hardening some profiles

 - harden and fix flameshot
 - wruc: frogatto, ghostwriter
 - harden gnome-latex
 - add whitelist opt-in note to keepassxc
 - add comment to minetest
 - harden openarena, tremulous, xonotic
 - add profile for xonotic-sdl-wrapper

* followup
2020-07-09 10:49:17 +00:00
rusty-snake
fcf14758b1 new profile: gapplication 2020-07-03 17:10:15 +02:00
rusty-snake
37e4d74dff new profiles 2020-06-25 15:06:02 +02:00
Amin Vakil
e633d3f895
Add strawberry profile to README{,.md} & RELNOTES (#3467) 2020-06-15 05:55:40 +00:00
rusty-snake
91a2bedaf4 New profiles: apostrophe & quadrapassel 2020-06-11 22:11:35 +02:00
glitsj16
b67e9a9f5c
new profile: mocp (#3437)
* Create mocp.profile

* add mocp support to disable-programs.inc

* add mocp support in firecfg.config

* update RELNOTES for mocp

* fix configuration access for mocp

Thanks to @rusty-snake for spotting this.
2020-05-27 17:42:23 +00:00
glitsj16
f59639d94c
add new profile: plv (#3410)
Also fixed a typo for new profiles: nicontine --> nicotine

* add plv to firecfg

* add plv to disable-programs.inc

* Create plv.profile

* Update plv.profile
2020-05-11 15:04:10 +00:00
rusty-snake
944049c4df install vim contrib files 2020-05-02 20:07:55 +02:00
netblue30
370b9db392 gitlab pipeline fixes 2020-04-21 10:12:27 -04:00
netblue30
4911e36ca5 support mkdir and mkfile for /run/user/<PID> directory (#3346) 2020-04-13 10:07:13 -04:00
netblue30
7373cf31d4 fdns profile 2020-04-07 19:52:56 -04:00
Topi Miettinen
3f27e84831 Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as in previous versions

The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
2020-04-06 16:30:20 +00:00
rusty-snake
645ca21b54 gnome games: more + fixes
- fix description
- add gnome-klotski, five-or-more, swell-foop

[skip ci]
2020-04-04 19:59:34 +02:00
rusty-snake
972e4a6b17 more games
- blobwars
- gravity-beams-and-evaporating-stars
- hyperrogue
- jumpnbump-menu (alias)
- jumpnbump
- magicor
- mindless
- mirrormagic
- mrrescue
- scorched3d-wrapper (alias)
- scorchwentbonkers
- seahorse-adventures
- wordwarvi
- xbill
2020-04-04 19:53:38 +02:00
rusty-snake
a954cb2162 allow using wruc on any program
@glitsj16 thanks for the pointer that we now have whitelist globbing
2020-04-03 17:51:17 +02:00
rusty-snake
4747e0ed7f
Whitelist runuser common (#3286)
* introduce whitelist-runuser-common.inc

 * If an application does not need a whitelist it can/should be
   nowhitelisted. Example:

     nowhitelist ${RUNUSER}/pulse
     include whitelist-runuser-common.inc

 * ${RUNUSER}/bus is inaccessible with nodbus regardless of the
   whitelist. (as it should)

 * strange wayland setups with a second wayland-compositor need to
   whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.

 * some display managers store their Xauthority file in ${RUNUSER}.
   test results with fedora 31:
   - sddm: ~/.Xauthority is used
   - lightdm: /run/lightdm/USER/Xauthority
   - gdm: /run/user/UID/gdm/Xauthority

 * IMPORTANT: ATM we can only enable this for non-graphical and GTK3
   programs because mutter (GNOME's window manager) stores the Xauthority
   file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
   where XXXXXX is random. Until we have whitelist globbing we can't
   whitelist this file. QT/KDE and other toolkits without full wayland
   support won't be able to start.

* wru update 1

- add wru to more profiles.
- blacklist ${RUNUSER} works for most CLI programs too.

* add wruc to more profiles

* fixes

* fixes

* wruc: hide pulse pid

* update

* remove wruc from all the x11 profiles

* fixes

* fix ordering

* read-only

* revert read-only

* update

*
2020-03-31 16:51:02 +00:00
rusty-snake
54d817c8a0 abiword and more gnome-games
- four-in-a-row
- gnome-mahjongg
- gnome-robots
- gnome-sudoku
- gnome-taquin
- gnome-tetravex

harden gnome-chess
2020-03-29 16:47:21 +02:00
rusty-snake
6309857565 more game profiles
- frogatto
- gnome_games-common.profile
  - gnome-2048 (make redirect)
  - gnome-mines
  - gnome-nibbles
  - lightsoff
- ts3client_runscript.sh (fix #3279)
- warmux (don't get confused with the warmux/wormux thing)
2020-03-29 13:01:05 +02:00
Tad
e4cb6b4274 Add a profile for X2GoClient 2020-03-23 17:01:31 -04:00
rusty-snake
05819c0584 new profiles: agenda, gnome-pomodoro, gnome-todo
rules for xdg-dbus-proxy:

dbus-user filter
dbus-user.own org.gnome.Pomodoro
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.Shell
dbus-system none

dbus-user filter
dbus-user.own org.gnome.Todo
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
dbus-user.talk org.gnome.evolution.dataserver.Calendar8
dbus-user.talk org.gnome.evolution.dataserver.Sources5
dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
dbus-user.talk org.gnome.OnlineAccounts
dbus-user.talk org.gnome.SettingsDaemon.Color
dbus-system filter
dbus-system.talk org.freedesktop.login1

dbus-user filter
dbus.own com.github.dahenson.agenda
dbus.talk ca.desrt.dconf
dbus-system block
2020-03-22 13:20:55 +01:00
smitsohu
ace47d9394
Merge pull request #3278 from rusty-snake/has-nosound-condition
new condition: HAS_NOSOUND
2020-03-15 13:39:24 +01:00
rusty-snake
35443058b6 add gnome-screenshot.profile
patch for xdg-dbus-proxy
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -45,3 +45,8 @@ private-bin gnome-screenshot
 private-dev
 private-etc dconf,fonts,gtk-3.0,localtime,machine-id
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system block
```
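Review bot: the last added line, `dbus-system block`, uses a different keyword from the `dbus-system none` rule listed for gnome-pomodoro in the 05819c0584 message on this page; confirm which spelling the profile parser accepts and use the same one in every profile. The context line `private-etc dconf,...` also suggests the program reads dconf settings, while the new rules grant no `dbus-user.talk ca.desrt.dconf` as the other GNOME profiles in that message do, so check whether `dbus-user filter` leaves gnome-screenshot unable to reach dconf.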

patch for whitelist-runuser-common.inc
```
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 apparmor
```
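Review bot: dropping the four explicit `whitelist ${RUNUSER}/...` lines is only safe if whitelist-runuser-common.inc covers every one of them, and `${RUNUSER}/gdm/Xauthority` is the one to verify, because the include's contents are not visible in this patch; if it is not covered, keep that whitelist line above the include. As a style point, `include whitelist-runuser-common.inc` would sit better before `include whitelist-usr-share-common.inc` so the whitelist includes stay in alphabetical order.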
2020-03-15 12:55:09 +01:00
rusty-snake
18ee4e1555 new condition: HAS_NOSOUND 2020-03-15 10:34:51 +01:00
Hans-Christoph Steiner
72f5e97327
add xournal.profile 2020-02-27 14:13:24 +01:00
rusty-snake
6c4de95c40 merges & RELNOTES 2020-02-23 11:17:06 +01:00
rusty-snake
df1c73a00f Add a lot of profiles 2020-02-10 09:24:06 +01:00
rusty-snake
4ad0b26c03 Add gnome-hexgl.profile 2020-02-03 14:58:49 +01:00
rusty-snake
cc57e0ceec Add profiles for the WPS-Office 2020-01-29 20:38:24 +01:00
glitsj16
44bf295c1a
Update RELNOTES 2020-01-29 13:48:03 +00:00
rusty-snake
baf72cb8f8 new profile: gnome-passwordsafe 2020-01-25 19:38:00 +01:00
rusty-snake
0bccffc97e Add a profile for clipgrab
Thanks @DurtyDev for testing (netblue30/firetools#47)
2020-01-25 11:39:48 +01:00
rusty-snake
512ed2882e create rtv.profile 2020-01-19 10:25:50 +01:00
rusty-snake
eba10ae24f add tvbrowser.profile
Thanks @Micha-Btz for all the testing.
2020-01-18 14:03:53 +01:00
rusty-snake
41887172d6 Update RELNOTES, README.md|Add firefox-x11.profile 2020-01-13 15:51:58 +01:00
glitsj16
ac725e78cc
Update RELNOTES 2019-11-25 17:13:30 +00:00
glitsj16
f46f2a89d2
Add new profile: gist (#3061)
* Create gist.profile

* Add gist config to disable-programs.inc

* Add gist to firecfg.config

* Update RELNOTES

* Update README.md
2019-11-25 17:05:58 +00:00
rusty-snake
90b7dd85be various fixups 2019-11-25 14:24:22 +01:00
Tad
aecee8b4b8 merges 2019-11-24 12:31:16 -05:00
netblue30
4c2fb4e1b3 readme/relnotes updates 2019-11-13 14:29:42 -05:00
smitsohu
63ed58354e add kfind profile 2019-11-09 15:14:32 +01:00
Fred Barclay
2444854927 Add amuled profile (redirect from amule)
See https://github.com/netblue30/firejail/issues/1139#issuecomment-546683127
2019-10-27 10:08:41 -05:00
netblue30
e1a40cf6ab readme/relnotes update 2019-10-24 09:58:03 -04:00
rusty-snake
79a3aefdbc kalgebra.profile, kalgebramobile.profile 2019-10-12 17:48:24 +02:00
rusty-snake
875193d03f Create pngquant.profile 2019-09-21 11:19:52 +02:00
rusty-snake
5c7f993216 Create gnome-latex.profile 2019-09-20 18:43:53 +02:00
netblue30
f8f08eeea7 readme/relnotes 2019-08-29 16:57:12 -04:00
rusty-snake
282bab5ced misc fixes
- fix for #2038
- update RELNOTES
- fix #2925
2019-08-26 09:23:04 +02:00
Tad
8194f8fb2f profiles: add kiwix-desktop 2019-08-18 04:53:47 -04:00
smitsohu
7b37c90240 add bzcat profile 2019-08-12 17:24:55 +02:00