author | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2020-04-04 12:20:01 -0500 |
---|---|---|
committer | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2020-04-04 12:20:01 -0500 |
commit | 516d08114f73133f8f3d8330b361f79843a06254 (patch) | |
tree | 8be7ed515ef69fb1a4bb38b78cb6c1e5ee19f4a1 /etc | |
parent | Harden signal-desktop.profile and add rules for Firefox (diff) | |
download | firejail-516d08114f73133f8f3d8330b361f79843a06254.tar.gz firejail-516d08114f73133f8f3d8330b361f79843a06254.tar.zst firejail-516d08114f73133f8f3d8330b361f79843a06254.zip |
Fixes for slack 4.4

I'd like to tighten this up more esp. for seccomp

1. caps.drop all replaced with caps.keep
   - caps.keep sys_chroot needed or fails with
     Cannot chroot into /proc/ directory: Operation not permitted
   - caps.keep sys_admin needed or fails with
     Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
2. nonewprivs dropped to avoid failure:
   The setuid sandbox is not running as root. Common causes:
   * An unprivileged process using ptrace on it, like a debugger.
   * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
   Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
3. noroot dropped to avoid failure:
   [22:0404/121643.400578:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/slack/chrome-sandbox is owned by root and has mode 4755.
4. Removed protocol filter to avoid:
   The setuid sandbox is not running as root. Common causes:
   * An unprivileged process using ptrace on it, like a debugger.
   * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
   Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
5. Unable to get a working seccomp filter
   See https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
   seccomp !chroot seems to have worked for earlier versions of slack
6. private-tmp means no tray icon

Observed on Debian 10, Slack 4.4.0
Diffstat (limited to 'etc')
-rw-r--r-- | etc/slack.profile | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/etc/slack.profile b/etc/slack.profile index 9a10e38fe..79e427dce 100644 --- a/etc/slack.profile +++ b/etc/slack.profile | |||
@@ -19,16 +19,12 @@ whitelist ${DOWNLOADS} | |||
19 | include whitelist-common.inc | 19 | include whitelist-common.inc |
20 | include whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
21 | 21 | ||
22 | caps.drop all | 22 | caps.keep sys_chroot,sys_admin |
23 | netfilter | 23 | netfilter |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | nonewprivs | ||
27 | noroot | ||
28 | notv | 26 | notv |
29 | nou2f | 27 | nou2f |
30 | protocol unix,inet,inet6,netlink | ||
31 | seccomp !chroot | ||
32 | shell none | 28 | shell none |
33 | 29 | ||
34 | disable-mnt | 30 | disable-mnt |
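Review bot: The replacement of `caps.drop all` with `caps.keep sys_chroot,sys_admin` together with the removal of `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp !chroot` in this hunk strips nearly every kernel-level restriction from the profile, yet none of the rationale from the commit message (the SUID chrome-sandbox helper failing to create namespaces, the seccomp filter not yet working) is recorded in etc/slack.profile itself. Please add a short comment above the `caps.keep` line stating why these options are absent and which Slack/Debian versions this was observed on, and a TODO noting that seccomp is meant to be re-enabled, so a later maintainer does not silently re-add the dropped lines or, conversely, assume the loosened profile is intentional long-term.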
@@ -36,4 +32,3 @@ private-bin locale,slack | |||
36 | private-cache | 32 | private-cache |
37 | private-dev | 33 | private-dev |
38 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe | 34 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe |
39 | private-tmp | ||
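Review bot: Dropping `private-tmp` here gives Slack the host's shared /tmp for the sake of the tray icon, which is a noticeable loss of isolation for a single UI feature; the reason should be stated next to the removal rather than only in the commit message, for example a comment such as `# private-tmp disabled: breaks the tray icon (Slack 4.4.0, Debian 10)` in place of the deleted line, so the trade-off can be revisited once the tray issue is understood.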