[PR #1837] [MERGED] WIP: Blacklist common programming interpreters. #4085

Closed
opened 2026-05-05 10:13:28 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/1837
Author: @Fred-Barclay
Created: 3/26/2018
Status: Merged
Merged: 4/2/2018
Merged by: @Fred-Barclay

Base: master ← Head: disable-interpreters


📝 Commits (10+)

  • b78e2d0 more restrictive private-lib
  • 8fbbb5a Use path variable instead of full path when blacklisting devel tools.
  • c4384a7 Part 1: blacklist python, perl, ruby, etc in disable-interpreters.inc
  • 9e238e0 Part 2: allow access to java as needed
  • cfa25b1 Typo: missing blacklist
  • 60836f9 Part 3: allow perl access as needed
  • be80d53 typo
  • 6f3cb65 Merge pull request #1831 from glitsj16/eog
  • 3c2f0c8 Add xreader thumbnailer and previewer profiles
  • 2e0730c Add xplayer audio-preview and thumbnailer profiles

📊 Changes

380 files changed (+1301 additions, -758 deletions)


📝 .gitignore (+2 -0)
📝 Makefile.in (+3 -1)
📝 README.md (+18 -4)
📝 RELNOTES (+4 -4)
📝 configure (+21 -4)
📝 configure.ac (+13 -3)
📝 etc/0ad.profile (+2 -0)
📝 etc/2048-qt.profile (+1 -0)
📝 etc/7z.profile (+1 -1)
📝 etc/Cryptocat.profile (+1 -0)
📝 etc/Fritzing.profile (+1 -0)
📝 etc/Mathematica.profile (+1 -0)
📝 etc/Thunar.profile (+1 -0)
📝 etc/Viber.profile (+1 -0)
📝 etc/akonadi_control.profile (+9 -4)
📝 etc/akregator.profile (+1 -0)
📝 etc/amarok.profile (+1 -0)
📝 etc/amule.profile (+1 -0)
📝 etc/apktool.profile (+1 -2)
📝 etc/arch-audit.profile (+1 -0)

...and 80 more files

📄 Description

See discussion in #1823
This is like disable-devel, but for python, perl, etc.

These profiles still need python access:
nautilus
pithos
qutebrowser
sdat2img
deluge
meld
catfish
gajim --- Python 2.7
xpra
display
gnome-music
macrofusion
caja
xchat
nemo
torbrowser-launcher
filezilla
hexchat
arm
xed uses python plugins, but private-bin already excludes python.

These still need java access:
pdfsam
dex2jar
imagej

These still need perl access:
playonlinux
exiftool

xchat needs perl and python (at least), so I didn't add disable-interpreters.

I haven't tested all of the new profiles, so there might be some (a lot?) of breaks, most likely from python blacklisting. I suspect there may still be some issues in mate, cinnamon, and gnome profiles. I also relied a lot on the pre-existing private-bin filters to tell if a program needed python or not, so if a profile doesn't have a private-bin filter and needs python, this will break it.

I'm most confident about the profiles that already had private-bin without python, or memory-deny-write-executable, since I seem to recall this line breaking a lot of python-based programs. dnscrypt-proxy may be an exception.

If we're close to releasing 0.9.54 it might be better to wait until after the release to merge so we can have more testing time. @netblue30 thoughts?
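As an added example, not code from the PR or from the firejail project: a small checker that applies the heuristic the description relies on (a profile whose private-bin list keeps an interpreter must not include disable-interpreters.inc, and a profile without private-bin gives no evidence either way). The interpreter prefix list and the sample profiles are constructed assumptions; it accepts both the full /etc/firejail/ include path and the short form.

```python
import re

# Assumed interpreter binary prefixes covered by disable-interpreters.inc;
# prefix matching catches python2.7, python3, perl5.26 and similar names.
INTERPRETERS = ("python", "perl", "ruby", "java", "lua", "node", "php")

DISABLE_INC = re.compile(r"^include\s+\S*disable-interpreters\.inc$")


def interpreters_in_private_bin(profile_text):
    """Return interpreter binaries a profile keeps via private-bin lines."""
    found = set()
    for line in profile_text.splitlines():
        line = line.strip()
        if line.startswith("private-bin "):
            # private-bin takes a comma-separated list of binaries to keep
            for binary in line[len("private-bin "):].split(","):
                binary = binary.strip()
                if binary.startswith(INTERPRETERS):
                    found.add(binary)
    return sorted(found)


def check_profile(profile_text):
    """Classify a profile: conflict / needs-interpreter / ok / candidate / unknown."""
    lines = [l.strip() for l in profile_text.splitlines()]
    needed = interpreters_in_private_bin(profile_text)
    blocked = any(DISABLE_INC.match(l) for l in lines)
    has_private_bin = any(l.startswith("private-bin ") for l in lines)
    if needed and blocked:
        return "conflict", needed          # the include would break this program
    if needed:
        return "needs-interpreter", needed  # leave disable-interpreters.inc out
    if blocked:
        return "ok", []                    # already restricted, no interpreter kept
    if has_private_bin:
        return "candidate", []             # private-bin without interpreters: safe to add
    return "unknown", []                   # no private-bin filter: no evidence either way


# Constructed sample profiles (not the project's real profile contents).
SAMPLE_PROFILES = {
    "deluge.profile": "include /etc/firejail/disable-common.inc\nprivate-bin deluge,python3\n",
    "broken.profile": "include disable-interpreters.inc\nprivate-bin foo,perl\n",
    "7z.profile": "private-bin 7z,7za,7zr\ninclude /etc/firejail/disable-interpreters.inc\n",
    "nopb.profile": "include /etc/firejail/disable-common.inc\nnoroot\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_PROFILES.items():
        status, interps = check_profile(text)
        print(f"{name}: {status} {','.join(interps)}")
```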


