netblue30
a63643a5b6
fix: allow tilde (home directory) in --netfilter file name
2021-11-29 17:11:25 -05:00
netblue30
1ad4d8f618
disable shell tab completion for --whitelist and --private commands
2021-11-29 15:42:14 -05:00
netblue30
483fe0622b
disable by default several network tools
2021-11-24 16:46:36 -05:00
netblue30
be66948797
readme update
2021-11-23 11:30:43 -05:00
netblue30
5239eb32a2
Merge pull request #4688 from Bundy01/master
...
Update firejail-local for Brave + ipfs
2021-11-23 16:29:56 +00:00
netblue30
f976375fa5
cleanup
2021-11-23 08:57:18 -05:00
netblue30
f55e51e482
Merge pull request #4438 from caydey/master
...
Added `quiet` to some CLI profiles
2021-11-23 13:43:21 +00:00
smitsohu
6acd0d3d9f
Merge pull request #4632 from kmk3/consider-nosound-novideo-groups
...
Consider nosound and novideo when keeping groups & misc refactors
2021-11-20 15:06:27 +01:00
smitsohu
c477e00ddd
testing
2021-11-20 14:06:06 +01:00
Kelvin M. Klann
9abb0a89ae
build: Stop linking pthread (#4695)
...
Added on commit 137985136 ("Baseline firejail 0.9.28", 2015-08-08). See
also commit ad6bb83fa ("consolidate makefiles", 2018-03-31).
It is not used anywhere. And it looks like it has never been used
anywhere:
$ git log --oneline -Gpthread.h 137985136..master
$
Issue mentioned by @rusty-snake:
https://github.com/netblue30/firejail/issues/4642#issuecomment-955795463
2021-11-17 18:24:32 +01:00
Kelvin M. Klann
11f3c39970
zsh-comp: update description of machine-id to match --help
...
This amends commit b5de1d0f9 ("Fix inconsistent descriptions of
machine-id option").
Relates to #4689.
2021-11-15 17:25:16 -03:00
netblue30
9fc5f0cdd6
Merge pull request #4690 from kmk3/docs-fix-machine-id
...
Fix inconsistent descriptions of machine-id option
2021-11-15 15:17:25 +00:00
Kelvin M. Klann
c374c0c5e7
RELNOTES: mention move of firecfg.config to /etc/firejail/
...
Relates to #4669.
2021-11-15 03:06:18 -03:00
Kelvin M. Klann
b5de1d0f91
Fix inconsistent descriptions of machine-id option
...
Some places say that it "preserves" the file and other places say that
it "spoofs" the file. Based on the fs_machineid function on
src/firejail/fs_etc.c, the latter one is correct.
This amends commit d0cc960c9 ("spoof machine-id", 2016-12-05).
Fixes #4689.
Reported-by: @svc88
2021-11-15 01:19:32 -03:00
Bundy01
fc06f34bc9
Update firejail-local for Brave + ipfs
2021-11-14 22:05:03 +00:00
rusty-snake
e2299b2a41
Profile fixes
...
- Update RELNOTES and README.md
- disable-common.inc
- blacklist ${HOME}/.local/share/ibus-typing-booster
- blacklist /run/timeshift (closes #4660)
- fix audacity.profile (closes #4659)
2021-11-14 16:11:29 +01:00
netblue30
1f6767c906
--ids-check/--ids-init documentation
2021-11-13 09:01:18 -05:00
netblue30
27ae036182
merges
2021-11-13 07:48:36 -05:00
netblue30
499a91ea00
merges
2021-11-13 07:47:06 -05:00
netblue30
02b9b93edb
Merge pull request #4635 from smitsohu/noorphans
...
deterministic-shutdown option
2021-11-13 12:34:29 +00:00
netblue30
92307735bd
Merge pull request #4681 from jmetrius/openstego-profile
...
Add OpenStego profile
2021-11-13 12:19:09 +00:00
netblue30
0a9330d5df
Merge pull request #4679 from pirate486743186/patch-3
...
update yt-dlp.profile
2021-11-13 12:15:00 +00:00
netblue30
044da98a02
Merge pull request #4680 from kmk3/dc-fix-slock-path
...
disable-common.inc: fix paths of slock and physlock
2021-11-13 12:13:38 +00:00
netblue30
bd49232be8
telnet and ftp
2021-11-12 16:55:18 -05:00
Jan Sonntag
0b08f8b741
implement review suggestions
2021-11-12 17:36:00 +01:00
Jan Sonntag
1ada6bd859
sort.py cleanup
2021-11-12 16:23:37 +01:00
Jan Sonntag
b645afec54
Add OpenStego profile
2021-11-12 16:14:25 +01:00
Kelvin M. Klann
b60545d3ee
disable-common.inc: fix paths of slock and physlock
...
Added on commit f0adf06c3 ("disable-common.inc: more SUID", 2021-11-09).
Relates to #4668.
2021-11-11 20:59:18 -03:00
pirate486743186
85a9f7f313
update yt-dlp.profile
...
ffprobe used for embedding images in difficult cases.
2021-11-11 15:05:37 +01:00
netblue30
34605b3cc1
readme update
2021-11-10 21:55:13 -05:00
netblue30
98b8172946
Merge pull request #4676 from hlein/firejail_envchecks
...
Make env/arg sanity check failure messages more useful
2021-11-11 02:39:41 +00:00
netblue30
3c68903c68
Merge pull request #4652 from kmk3/fix-toctou-easy
...
Fix TOCTOU/CodeQL CWE-367 warnings (easy ones + fs.c)
2021-11-11 02:38:21 +00:00
netblue30
ba78abd252
Merge pull request #4669 from hlein/firecfg_location
...
Relocate firecfg.config to /etc/firejail/
2021-11-11 02:23:59 +00:00
netblue30
fbad5a533b
Merge pull request #4675 from glitsj16/ssh-fixes
...
more ssh fixes
2021-11-11 02:22:02 +00:00
Hank Leininger
0d06369a80
Make env/arg sanity check failure messages more useful
...
This change doesn't alter any checks, but it gives more specific
errors when a sanity check of env vars or argv does not pass, which
can point to limits to raise or at least give us better detailed bug
reports.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Bug: https://github.com/netblue30/firejail/issues/3678
Bug: https://github.com/netblue30/firejail/issues/3851
Bug: https://github.com/netblue30/firejail/issues/4633
2021-11-10 15:58:29 -07:00
glitsj16
4e3145fb57
change Fedora ssh fix
...
Suggested in https://github.com/netblue30/firejail/pull/4675#discussion_r746510840. Makes sense!
2021-11-10 11:55:49 +00:00
glitsj16
6ec4028c11
add Fedora fix
...
Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
NOTE: there are several other profiles touching /usr/libexec, so until someone on Fedora can shed some light on what files are installed under /usr/libexec, I only blacklisted ssh-keysign. I'll pick this up tomorrow, a bit pressed for time in the non-digital worlds...
2021-11-10 11:26:31 +00:00
glitsj16
4240274169
add Fedora fixes
...
Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
2021-11-10 11:19:48 +00:00
glitsj16
a3836acad5
fixes for ssh
...
Counterpart fix for changes in allow-ssh.inc.
2021-11-10 10:27:23 +00:00
glitsj16
437043c9dd
fixes for ssh
...
After seeing 9a81078ddb it dawned on me that Arch Linux doesn't have /usr/lib/openssh, but uses /usr/lib/ssh instead. That's a different path than what's referenced in our current {allow-ssh,disable-common}.inc files. Some very superficial checks revealed that OpenSSH seems to be packaged quite differently, at least on Debian/Ubuntu and Arch Linux. And then there are version differences on non-rolling distros to consider. All in all IMO it makes more sense to (no)blacklist /usr/lib/openssh and /usr/lib/ssh instead of referencing all the possible individual files that live under those paths.
2021-11-10 10:24:15 +00:00
netblue30
9a81078ddb
disable-common.inc: fix ssh
2021-11-09 13:00:07 -05:00
netblue30
f0adf06c31
disable-common.inc: more SUID
2021-11-09 12:54:57 -05:00
netblue30
2352920cb0
disable-common.inc: vmware SUID binaries
2021-11-09 12:50:52 -05:00
netblue30
2652beb091
disable-common.inc: disable chrome-sandbox
2021-11-09 07:25:49 -05:00
netblue30
e479ac0000
disable-common.inc: blacklist ssh
2021-11-09 07:18:31 -05:00
Hank Leininger
cbbe9ab40f
Relocate firecfg.config to /etc/firejail/
...
This should make it easier for users, and distributions, to customize
which programs they want firejail to wrap. Also fixed some
firecfg.cfg -> firecfg.config references.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: https://github.com/netblue30/firejail/issues/408
Bug: https://github.com/netblue30/firejail/issues/2097
Bug: https://github.com/netblue30/firejail/issues/2829
Bug: https://github.com/netblue30/firejail/issues/3665
2021-11-05 23:46:21 -06:00
Kelvin M. Klann
a75645f068
Merge pull request #4574 from a1346054/shellcheck-fix
...
Fix shellcheck warnings
2021-11-05 06:14:39 +00:00
a1346054
efcd54c0db
Fix some shellcheck warnings
...
Note: This does not modify the configure script, which is a source of a
lot of the remaining shellcheck warnings, because it comes from autoconf
and so it makes little sense to try to fix it here.
Also, it does not modify the scripts in contrib, because they possibly
are maintained at some other place. Similarly with the other scripts
that don't appear to be called from any of the makefiles.
2021-11-05 02:59:23 -03:00
netblue30
d681e0e2d9
adding more SUID executables to disable-common.inc
2021-11-04 14:35:08 -04:00
Reiner Herrmann
d739f2d3d0
README: bump debian stable codename
2021-11-03 23:48:48 +01:00