Fidel Ramos
c45e83e609
profiles: firecfg: enable anki
2024-11-19 14:45:02 -03:00
Fidel Ramos
024f421e30
profiles: anki: allow sound
Anki needs sound access for recording and playing media.
2024-11-19 14:44:59 -03:00
Fidel Ramos
3ec523f110
profiles: anki: allow lua
Anki uses mpv to play media, which requires the lua interpreter.
Without this, anki displays this error in the console and falls back to
mplayer:
    mpv: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied
    Traceback (most recent call last):
      File "/usr/lib/python3.12/site-packages/aqt/sound.py", line 854, in setup_audio
        mpvManager = MpvManager(base_folder, media_folder)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.12/site-packages/aqt/sound.py", line 408, in __init__
        super().__init__(window_id=None, debug=False)
      File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 442, in __init__
        super().__init__(*args, **kwargs)
      File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 104, in __init__
        self._start_socket()
      File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 194, in _start_socket
        raise MPVProcessError("unable to start process")
    aqt.mpv.MPVProcessError: unable to start process
    mpv too old or failed to open, reverting to mplayer
2024-11-19 14:44:40 -03:00
Kelvin M. Klann
3a03bcd513
profiles: anki: allow mpv/mplayer
Anki relies on mpv/mplayer for playing audio and video files.
2024-11-19 14:44:33 -03:00
Fidel Ramos
c974e17361
profiles: anki: add mpv/mplayer to private-bin
Without this change, Anki fails to start.
Fixes #6544.
2024-11-19 13:31:54 -03:00
Kelvin M. Klann
d01e1779d6
RELNOTES: improve modif item
Format and add missing PR reference.
Relates to #5378 #5957.
2024-11-08 07:40:55 -03:00
Kelvin M. Klann
a11d1536a6
RELNOTES: add profile items
Relates to #6533 #6534.
2024-11-08 07:36:54 -03:00
Kelvin M. Klann
26be7180fa
profiles: game-launchers: disable nou2f (#6534)
While gamepads apparently work fine in the Steam client itself, `nou2f`
appears to make gamepads unresponsive inside certain games while using
"Steam Input" (possibly due to `nou2f` blocking access to `/dev/hidraw*`
devices).
This issue reportedly affects at least the following games on Steam:
"Undertale", "Persona 4 Golden" and "Persona 5 Royal".
Disable nou2f to ensure that gamepads can be used.
Relates to #6523.
Reported-by: @opqriu
2024-11-08 10:34:00 +00:00
Kelvin M. Klann
096d5a2a2d
profiles: firecfg.config: disable dnsmasq (#6533)
There are multiple reports in #6121 that dnsmasq does not work when
called by libvirt:
$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq [...]) unexpected exit status 1: Error: PATH environment variable not set
Also, note that this is a server program, so it might be better to
disable it by default anyway.
Reported-by: @marek22k
2024-11-08 10:33:26 +00:00
Kelvin M. Klann
9f1d2c7ed5
RELNOTES: add docs and profile items
Relates to #3314 #6524 #6526 #6531.
2024-11-06 23:36:21 -03:00
Kelvin M. Klann
9a3dc2c0c3
keepassxc: allow access to ssh-agent socket (#6531)
Fixes #3314.
Relates to #6529.
2024-11-07 02:30:28 +00:00
Ted Robertson
d763fb73ca
docs: clarify intro and build section in README (#6524)
Make the introduction friendlier for non-kernel geeks and clarify the
build section.
Relates to #4049.
2024-11-04 18:58:24 +00:00
dependabot[bot]
4ded6b7774
build(deps): bump github/codeql-action from 3.26.10 to 3.27.0
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.10 to 3.27.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](e2b3eafc8d...662472033e)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-11-01 16:41:26 +00:00
dependabot[bot]
d1ffe4532a
build(deps): bump actions/checkout from 4.2.0 to 4.2.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](d632683dd7...11bd71901b)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-11-01 16:41:18 +00:00
Ted Robertson
cf02e8dd4f
docs: fix typos of --enable-selinux configure option (#6526)
2024-10-31 18:48:37 +00:00
Kelvin M. Klann
b2be4870d1
RELNOTES: add feature items
Relates to #6435 #6514 #6515.
2024-10-25 11:23:24 -03:00
Kelvin M. Klann
040c42c54c
profiles: firefox-esr: allow /etc/firefox-esr (#6515)
This path is apparently used on Debian.
Relates to #5518 #6400 #6435.
Reported-by: @Boruch-Baum
2024-10-25 14:20:27 +00:00
celenityy
bfa00e385e
profiles: thunderbird: allow /etc/thunderbird (#6514)
This fixes access to Thunderbird system policies, which can be set
system-wide via `/etc/thunderbird/policies/policies.json`.
Users can also use this directory to set different default preferences.
Relates to #6400 #6435.
2024-10-23 21:05:58 +00:00
Foxreef
07ff98385f
profiles: steam: add ~/.config/UNDERTALE (#6503)
Whitelist ~/.config/UNDERTALE to allow the game to save.
2024-10-11 06:55:13 +00:00
Kelvin M. Klann
116f7bf833
RELNOTES: add private-etc rework feature item
And move the #6104 item into it.
Relates to #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643 #5650 #5655.
Relates to #5681 #5737 #5844 #5989 #6016 #6104 #6400.
2024-10-04 21:07:15 -03:00
Kelvin M. Klann
f2b0d91ae9
RELNOTES: add profile items
Relates to #6444 #6498 #6499.
2024-10-04 18:12:17 -03:00
Kelvin M. Klann
aa6b08ffd0
profiles: firefox-common: allow org.freedesktop.portal.Documents (#6499)
This fixes drag and drop for at least Dolphin.
Fixes #6444.
Reported-by: @Utini2000
Suggested-by: @rusty-snake
2024-10-04 21:11:04 +00:00
Kelvin M. Klann
ff2c7bd10d
profiles: kube: sort dbus entries
This amends commit 7df28c1ed ("New profiles for balsa,trojita,kube
(#3603)", 2020-09-03).
2024-10-01 12:06:48 -03:00
Kelvin M. Klann
3470a3721e
profiles: signal-desktop: sort dbus entries
This amends commit 047d86f46 ("Add access to D-Bus freedesktop.org
secret API", 2024-10-01) / PR #6498.
2024-10-01 11:54:42 -03:00
netblue30
c926850b5b
Merge pull request #6494 from netblue30/dependabot/github_actions/github/codeql-action-3.26.10
build(deps): bump github/codeql-action from 3.26.6 to 3.26.10
2024-10-01 10:47:32 -04:00
netblue30
0c470aa6c5
Merge pull request #6495 from netblue30/dependabot/github_actions/actions/checkout-4.2.0
build(deps): bump actions/checkout from 4.1.7 to 4.2.0
2024-10-01 10:47:14 -04:00
netblue30
3be06e1bcf
Merge pull request #6496 from netblue30/dependabot/github_actions/step-security/harden-runner-2.10.1
build(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1
2024-10-01 10:46:56 -04:00
netblue30
80aaa8c806
Merge pull request #6498 from corsac-s/patch-1
profiles: signal-desktop - Add access to D-Bus freedesktop.org secret API
2024-10-01 10:46:22 -04:00
Yves-Alexis Perez
047d86f46e
Add access to D-Bus freedesktop.org secret API
Signal recently started storing a local key in the freedesktop.org secret API so allow access in the profile
2024-10-01 12:08:06 +02:00
dependabot[bot]
a7918b0575
build(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.9.1 to 2.10.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](5c7944e73c...91182cccc0)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-10-01 06:51:41 +00:00
dependabot[bot]
65fd5bbaaa
build(deps): bump actions/checkout from 4.1.7 to 4.2.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](692973e3d9...d632683dd7)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-10-01 06:51:37 +00:00
dependabot[bot]
6a6d493260
build(deps): bump github/codeql-action from 3.26.6 to 3.26.10
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.6 to 3.26.10.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](4dd16135b6...e2b3eafc8d)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-10-01 06:51:33 +00:00
Kelvin M. Klann
0e7296bef3
RELNOTES: add build item
Added on commit ba00d135f ("fix for old compilers", 2023-04-06).
Relates to #5778.
2024-09-28 10:15:35 -03:00
Kelvin M. Klann
fd915d6c8f
RELNOTES: add profile items
Relates to #5337 #5447 #5902 #6391 #6486.
2024-09-28 10:00:50 -03:00
qdii
c2cd8b72c6
profiles: keepassxc: add new socket location (#6391)
The KeePassXC browser extension looks for the KeePassXC socket at
`${RUNUSER}/app/org.keepassxc.KeePassXC`[1].
But `${RUNUSER}/app` seems to be blacklisted in disable-common.inc under the
flatpak section[2], so the KeePassXC extension cannot connect to it.
Fixes #5447.
Relates to #3984.
[1] 6b1ab1a5ed/src/browser/BrowserShared.cpp (L41)
[2] b89ec81892/etc/inc/disable-common.inc (L667)
2024-09-28 12:54:24 +00:00
Kelvin M. Klann
92f4820256
Merge pull request #6486 from kmk3/browsers-improve-comments
profiles: browsers: centralize/sync/improve comments
2024-09-28 12:26:43 +00:00
Kelvin M. Klann
49d21b0740
profiles: browsers: format and improve comments
2024-09-28 05:34:28 -03:00
Kelvin M. Klann
21a5775b30
profiles: firefox-common: centralize dbus comments
Relates to #3326 #6285 #6444.
2024-09-28 05:34:20 -03:00
Kelvin M. Klann
4fb5189a0d
profiles: firefox-common: centralize migration wizard comment
Relates to #3014.
2024-09-24 21:05:25 -03:00
Kelvin M. Klann
b787548b1d
profiles: browsers: centralize/sync keepassxc extension comment
Centralize it on firefox-common and copy it to chromium-common.
Relates to #3984 #6391.
2024-09-24 21:05:14 -03:00
Kelvin M. Klann
98e81eab8f
profiles: browsers: sort blacklist entries
See etc/templates/profile.template.
Added on commit f3d126bf1 ("disable curl and wget in browsers based on
firefox and chromium", 2021-12-18).
Relates to #4852.
2024-09-24 20:59:07 -03:00
Kelvin M. Klann
1b2d18e7f4
RELNOTES: add profile items
Relates to #5816 #5877 #6002 #6477 #6478 #6479.
2024-09-19 11:40:16 -03:00
Kelvin M. Klann
bd8ed0b4ea
profiles: firecfg: disable text editors (#6477)
Disable common general-purpose text editors.
They are likely to be the default OS text editor and users may want to
use them for editing most/all files, which could include common
sensitive files such as ~/.bashrc and profiles in ~/.config/firejail.
Fixes #6002.
Relates to #924 #941 #1154.
Reported-by: @ilikenwf
2024-09-19 14:37:11 +00:00
Kelvin M. Klann
f833a492cd
tests: partially disable private-home.exp to fix ci
This test started failing today with "TESTING ERROR 3".
Log from a CI re-run of test-fs on commit 897f12dd8 ("build(deps): bump
step-security/harden-runner from 2.9.0 to 2.9.1", 2024-09-01) /
PR #6455[1]:
2024-09-19T13:39:04.5681290Z TESTING: private home (test/fs/private-home.exp)
2024-09-19T13:39:04.5713434Z spawn /bin/bash
2024-09-19T13:39:05.2772248Z touch ~/_firejail_test_file1
2024-09-19T13:39:05.2773779Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
2024-09-19T13:39:05.2774475Z <jail/firejail/test/fs$ touch ~/_firejail_test_file1
2024-09-19T13:39:05.2775175Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
2024-09-19T13:39:05.2776506Z <jail/firejail/test/fs$ touch ~/_firejail_test_file2
2024-09-19T13:39:05.2777841Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
2024-09-19T13:39:05.2778918Z <ejail/firejail/test/fs$ mkdir ~/_firejail_test_dir1
2024-09-19T13:39:05.2780080Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
2024-09-19T13:39:05.2780903Z <fs$ mkdir ~/_firejail_test_dir1/_firejail_test_dir2
2024-09-19T13:39:05.2781613Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
2024-09-19T13:39:05.2782461Z <_test_dir1/_firejail_test_dir2/_firejail_test_file3
2024-09-19T13:39:05.2783224Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
2024-09-19T13:39:05.2784047Z <firejail/test/fs$ ln -s /etc ~/_firejail_test_link1
2024-09-19T13:39:05.2784851Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
2024-09-19T13:39:05.2785861Z < ln -s ~/_firejail_test_dir1 ~/_firejail_test_link2
2024-09-19T13:39:05.2787008Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
2024-09-19T13:39:05.2788303Z <test_file1,_firejail_test_file2,_firejail_test_dir1
[...]
2024-09-19T13:39:05.4971716Z runner@fv-az1247-944:~$ find ~
2024-09-19T13:39:05.4989255Z /home/runner
2024-09-19T13:39:05.4990116Z /home/runner/_firejail_test_file1
2024-09-19T13:39:05.4990768Z /home/runner/_firejail_test_file2
2024-09-19T13:39:05.4991299Z /home/runner/_firejail_test_dir1
2024-09-19T13:39:05.4992082Z /home/runner/_firejail_test_dir1/_firejail_test_dir2
2024-09-19T13:39:05.4992760Z /home/runner/_firejail_test_dir1/_firejail_test_dir2/_firejail_test_file3
[...]
2024-09-19T13:39:15.4995765Z runner@fv-az1247-944:~$ TESTING ERROR 3
2024-09-19T13:39:15.5000367Z
Misc: This was noticed on #6477.
[1] https://github.com/netblue30/firejail/actions/runs/10655583953/job/30378507249
2024-09-19 10:54:41 -03:00
Kelvin M. Klann
271fb1bfc7
profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#6479)
Based on the report by @Saren-Arterius[1]:
Since GNOME gvfs 1.53+, the ssh client options `ControlMaster=auto` and
`ControlPath=/run/user/$UID/gvfsd-sftp/%C` are used to mount sftp.
Since `/run/user/$UID/gvfsd-sftp` is not whitelisted, gvfs sftp mount
with nautilus will fail with a meaningless error message shown in the
UI.
Steps to reproduce[1]:
Prepare ssh server or localhost, then run:
ssh -o"ForwardX11 no" -o"ForwardAgent no" \
-o"PermitLocalCommand no" -o"ClearAllForwardings yes" \
-o"NoHostAuthenticationForLocalhost yes" \
-o"ControlMaster auto" \
-o"ControlPath=/run/user/${UID}/gvfsd-sftp/test" \
-s {SSH_HOST} sftp
stderr shows:
unix_listener: cannot bind to path /run/user/$UID/gvfsd-sftp/test.{RANDOM_STRING}: No such file or directory
And ssh exits with error code 255.
Fixes #5816.
[1] https://github.com/netblue30/firejail/issues/5816#issue-1695295931
Reported-by: @Saren-Arterius
Suggested-by: @Saren-Arterius
Reported-by: @Alex-Farol
Reported-by: @mirko
2024-09-19 10:55:35 +00:00
Kelvin M. Klann
3bbc6b59e1
profiles: ssh: sort entries
Related commits:
* 4747e0ed7 ("Whitelist runuser common (#3286)", 2020-03-31)
* ebd4b3eea ("profiles: ssh: allow gpgagent socket for custom homedir
(#6419)", 2024-08-07)
2024-09-16 11:03:12 -03:00
Kelvin M. Klann
4f7cc368f8
profiles: nextcloud: fix access to ~/Nextcloud (#6478)
Related commits:
* 7c481eb43 ("Add QOwnNotes profile", 2018-10-20)
* 49a381c70 ("Add nextcloud-desktop", 2021-02-20) / PR #3997
Fixes #5877.
Reported-by: @Sadoon-AlBader
2024-09-16 13:22:57 +00:00
Kelvin M. Klann
f9ddf2f037
profiles: nextcloud: sort entries
Relates to #3997.
2024-09-14 07:38:55 -03:00
Kelvin M. Klann
eba4a1c090
profiles: wesnoth: allow lua (#6476)
Fixes the following error:
$ LC_ALL=C firejail /usr/bin/wesnoth
[...]
/usr/bin/wesnoth: error while loading shared libraries: liblua++.so.5.4: cannot open shared object file: Permission denied
Environment: lua 5.4.7-1, wesnoth 1:1.18.2-2 on Arch Linux.
Fixes #6475.
Reported-by: @marek22k
2024-09-14 09:36:12 +00:00
Kelvin M. Klann
009110a971
RELNOTES: improve removal items
Reword and add commit references.
Related commits:
* 0e48f9933 ("remove firemon --interface option - it is a duplication of
firejail --net.print", 2023-03-08)
* db09546f2 ("remove LTS and FIRETUNNEL support", 2023-12-23)
2024-09-13 07:51:00 -03:00