Merge branch 'master' of ssh://github.com/netblue30/firejail

author: netblue30 <netblue30@protonmail.com> 2021-07-28 08:30:43 -0400
committer: netblue30 <netblue30@protonmail.com> 2021-07-28 08:30:43 -0400
commit: e7f3c2acde1b4a0f2f99426d57a50c1928ae2c77 (patch)
tree: d192dd8a45efceea6e543bab70ab00c9867ce6ed /etc
parent: intrusion detection system (diff)
parent: kodi.profile: Add Lutris Kodi Addon note (diff)
download: firejail-e7f3c2acde1b4a0f2f99426d57a50c1928ae2c77.tar.gz
firejail-e7f3c2acde1b4a0f2f99426d57a50c1928ae2c77.tar.zst
firejail-e7f3c2acde1b4a0f2f99426d57a50c1928ae2c77.zip
5 files changed, 44 insertions, 36 deletions
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index 87a0a0994..19addd285 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -6,5 +6,4 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-# kcmp is required for ozone-platform=wayland, see #3783.
+seccomp !chroot
-seccomp !chroot,!kcmp
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index e19b78908..fdf94ec41 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -5,6 +5,21 @@ include code.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore dbus-user none
+ignore dbus-system none
 noblacklist ${HOME}/.config/Code
 noblacklist ${HOME}/.config/Code - OSS
 noblacklist ${HOME}/.vscode
@@ -13,31 +28,13 @@ noblacklist ${HOME}/.vscode-oss
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-private-cache
-private-dev
-private-tmp
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
 # noexec ${HOME}
 noexec /tmp
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b7091f1fc..f909728a5 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -12,6 +12,12 @@ ignore noexec ${HOME}
 #ignore nogroups
 #ignore noroot
 #ignore private-dev
+# Add the following to your kodi.local if you use the Lutris Kodi Addon
+#noblacklist /sbin
+#noblacklist /usr/sbin
+#noblacklist ${HOME}/.cache/lutris
+#noblacklist ${HOME}/.config/lutris
+#noblacklist ${HOME}/.local/share/lutris
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 3fe3428d0..b8a551b6c 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp !kcmp
+seccomp
 shell none
 tracelog
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 3992c984a..38f789923 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -89,18 +89,24 @@ Inheritance of groups
 What to do if seccomp breaks a program
 --------------------------------------
+Start `journalctl --grep=SECCOMP --follow` in a terminal and run
+`firejail --seccomp-error-action=log /path/to/program` in a second terminal.
+Now switch back to the first terminal (where `journalctl` is running) and look
+for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
+have found them, you can stop `journalctl` (^C) and execute
+`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
+In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`.
+Now you can add a seccomp exception using `seccomp !NAME`.
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
 ```
-$ journalctl --grep=syscall --follow
+term1$ journalctl --grep=SECCOMP --follow
-<...> audit[…]: SECCOMP <...> syscall=161 <...>
+term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop
-$ firejail --debug-syscalls | grep 161
+term1$ (journalctl --grep=SECCOMP --follow)
-161 - chroot
+audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ...
+^C
+term1$ firejail --debug-syscalls | grep "^161[[:space:]]"
+161     - chroot
 ```
 Profile: `seccomp -> seccomp !chroot`
-Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
-program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
-Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
-will see something like `NUMBER  - NAME`, because you now know the name of the
-syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
-If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
author	netblue30 <netblue30@protonmail.com>	2021-07-28 08:30:43 -0400
committer	netblue30 <netblue30@protonmail.com>	2021-07-28 08:30:43 -0400
commit	e7f3c2acde1b4a0f2f99426d57a50c1928ae2c77 (patch)
tree	d192dd8a45efceea6e543bab70ab00c9867ce6ed /etc
parent	intrusion detection system (diff)
parent	kodi.profile: Add Lutris Kodi Addon note (diff)
download	firejail-e7f3c2acde1b4a0f2f99426d57a50c1928ae2c77.tar.gz firejail-e7f3c2acde1b4a0f2f99426d57a50c1928ae2c77.tar.zst firejail-e7f3c2acde1b4a0f2f99426d57a50c1928ae2c77.zip