Commit message (Author, Age)
* Update support/EOL information (Fred Barclay, 2020-04-07)
|
* Merge pull request #3327 from netblue30/bugreports_template (Fred Barclay, 2020-04-07)
|\
| |   Add bug report template
| * Add bug report template (Fred Barclay, 2020-04-07)
| |   (Mostly) auto-generated with GitHub, will need tweaking over time
* | Ignore `caps.drop all` import from transmission-common.profile (Fred Barclay, 2020-04-07)
|/    caps are already handled by caps.keep ... in this profile
* Replace `nodbus` with dbus-* filters (Fred Barclay, 2020-04-07)
|   See
|   - 07fac581f6b9b5ed068f4c54a9521b51826375c5 for new dbus filters
|   - https://github.com/netblue30/firejail/pull/3326#issuecomment-610423183
|
|   Except for ocenaudio, access/restrictions on dbus options should be unchanged
|
|   Ocenaudio profile: dbus filters were sandboxed (initially `nodbus` was enabled)
|   since comments indicated blocking dbus meant preferences were broken
* dbus-proxy (gnome_games) (rusty-snake, 2020-04-07)
|
* Alphabetically order firejail.config (#3324) (glitsj16, 2020-04-07)
|
* Merge pull request #3265 from kris7t/dbus-proxy (Kristóf Marussy, 2020-04-07)
|\
| |   Fine-grained DBus sandboxing
| * Deprecate --nodbus option (Kristóf Marussy, 2020-04-07)
| |
| * Turn DBus profile errors into warnings (Kristóf Marussy, 2020-04-06)
| |   This patch also allows setting the DBus policies to filter even if
| |   xdg-dbus-proxy is not installed. In that case, unrestricted access to
| |   the bus is allowed, but a warning is emitted.
| * xdg-dbus-proxy socket finding and mount hardening (Kristóf Marussy, 2020-04-06)
| |   To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are
| |   bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root.
| |
| |   Instead of relying on the default locations of the DBus sockets, the
| |   environment variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS
| |   are set accordingly.
| |
| |   User sockets are tried in the following order when starting the proxy:
| |   * DBUS_SESSION_BUS_ADDRESS
| |   * /run/user/<pid>/bus
| |   * /run/user/<pid>/dbus/user_bus_socket
| |   These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at
| |   a socket in the filesystem) when the filtering or blocking policy is active.
| |
| |   System sockets are tried in the following order:
| |   * DBUS_SYSTEM_BUS_ADDRESS
| |   * /run/dbus/system_bus_socket
| |   These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at
| |   a socket in the filesystem) when the filtering or blocking policy is active.
| * xdg-dbus-proxy hardening (Kristóf Marussy, 2020-04-06)
| |
| * Add documentation for DBus filtering (Kristóf Marussy, 2020-04-06)
| |
| * Add dbus filter options (Kristóf Marussy, 2020-04-06)
| |   The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and
| |   --dbus-system.own control which names can be accessed and owned on the
| |   user and system buses.
| * Add xdg-dbus-proxy support (Kristóf Marussy, 2020-04-06)
| |   * The proxy is forked off outside the sandbox namespace to protect the fds
| |     of the original buses from the sandboxed process.
| |   * The /run/firejail/dbus directory (with the sticky bit set) holds the proxy
| |     sockets. The sockets are <parent pid>-user and <parent pid>-system for the
| |     user and system buses, respectively. Each socket is owned by the sandbox user.
| |   * The sockets are bind-mounted over their expected locations and the
| |     /run/firejail/dbus directory is subsequently hidden from the sandbox.
| |   * Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the
| |     sockets are cleaned up.
| |   * Filter rules will be added in a future commit.
| * Add sbox_exec_v and SBOX_KEEP_FDS (Kristóf Marussy, 2020-04-06)
| |   To contain processes forked for a long time, such as the xdg-dbus-proxy,
| |   sbox_exec_v can be used, which is the non-forking version of sbox_run_v.
| |
| |   Additionally, the SBOX_KEEP_FDS flag avoids closing any open fds, so fds
| |   needed by the subordinate process can be left open before calling
| |   sbox_exec_v. This flag does not make sense for sbox_run_v, and causes an
| |   assertion failure.
| * Add --dbus-user and --dbus-system options (Kristóf Marussy, 2020-04-06)
|/    Allow setting a separate policy for the user and system buses.
|     For now, the filter policy is equivalent to the none (block) policy.
|     Future commits will add more configuration options and filters.
* Allow changing error action in seccomp filters (Topi Miettinen, 2020-04-06)
|   Let user specify the action when seccomp filters trigger:
|   - errno name like EPERM (default) or ENOSYS: return errno and let the
|     process continue.
|   - 'kill': kill the process as previous versions
|
|   The default action is EPERM, but killing can still be specified with
|   syscall:kill syntax or globally with seccomp-error-action=kill. The action
|   can also be overridden in the /etc/firejail/firejail.config file.
|
|   Not killing the process weakens Firejail slightly when trying to contain
|   intrusion, but it may also allow tighter filters if the only alternative
|   is to allow a system call.
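The two series above (the kris7t/dbus-proxy merge and the seccomp error-action commit) only describe their new options; an editor's note with a profile fragment showing how they combine follows. This is an added example, not a file from the firejail repository: it assumes firejail's usual convention that a `--option=value` command-line flag is written `option value` in a profile, the per-syscall `syscall:kill` form is taken from the commit message, and the bus names and the `example-app` name are illustrative.

```text
# example-app.profile (added illustration, not a project profile)

# Old, all-or-nothing approach, now deprecated by the dbus-proxy series:
# nodbus

# Fine-grained policy instead. The session bus goes through xdg-dbus-proxy
# and only the listed names are reachable/ownable; the system bus is blocked.
# Without xdg-dbus-proxy installed, "filter" degrades to open access with
# a warning, so check `which xdg-dbus-proxy` on the host.
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-user.own org.example.SampleApp
dbus-system none

# seccomp: since the error-action change a blocked syscall returns EPERM
# by default and the process continues. Keep the old kill behaviour for a
# syscall this program must never reach, while the rest of the default
# blacklist fails softly (assumed syntax, per the commit's "syscall:kill").
seccomp chroot:kill

# To restore the pre-change behaviour for every filtered syscall instead,
# set it globally (here or in /etc/firejail/firejail.config):
# seccomp-error-action kill
```

The trade-off is the one the commit states: returning an errno lets a program survive a call it did not really need, so filters can be tighter, at the cost of not killing an intruder that trips them; reserve `kill` for syscalls that should never legitimately occur.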
* cleanup, fixes, more profstats (netblue30, 2020-04-06)
|
* Update bitwarden.profile (rusty-snake, 2020-04-06)
|   fix #3321
* Fix `man` break - remove less from firecfg by default (Fred Barclay, 2020-04-05)
|   If `less` is sandboxed, then we get a similar message to below when calling
|   `man <anything>`
|
|       Error clone: main.c:2743 main: Operation not permitted
|       man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page grep(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$-R MAN_PN=grep(1) less
|
|   See also
|   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899143
|   https://github.com/netblue30/firejail/issues/1856
|
|   Noticed on Debian 10, firejail 0.9.63
* Merge pull request #3319 from topimiettinen/sanity-check-for-args-envs (netblue30, 2020-04-05)
|\
| |   Simple sanity checks for arguments and environment
| * Simple sanity checks for arguments and environment (Topi Miettinen, 2020-04-05)
| |   Restrict number of program arguments and their length as well as number of
| |   environment variables and their length.
* | travis make install test (netblue30, 2020-04-05)
| |
* | fix make install (netblue30, 2020-04-05)
| |
* | compile cleanup (netblue30, 2020-04-05)
| |
* | fixing my previous commit (netblue30, 2020-04-05)
| |
* | Merge pull request #3317 from rusty-snake/speedup-build (rusty-snake, 2020-04-05)
|\ \
| |/
|/|   Speedup the buildsystem
| * Speedup the buildsystem (rusty-snake, 2020-04-04)
| |   - replacing 'include /etc/firejail/foobar.inc' with
| |     'include $(sysconfdir)/firejail/foobar.inc' is useless since 0.9.58
| |   - one-time calling install with globbing is faster than a loop calling
| |     install nearly 1000 times
* | profile fixes (netblue30, 2020-04-04)
| |
* | fix alphabetical ordering of caps.keep in slack.profile (glitsj16, 2020-04-04)
| |
* | noblacklist ncat in ssh profile (Tad, 2020-04-04)
| |   nc is a symlink to ncat on some distros
* | steam profile fixes (Tad, 2020-04-04)
| |   see https://github.com/netblue30/firejail/pull/3292#issuecomment-603467884
* | Add netlink to mumble profile (SkewedZeppelin, 2020-04-04)
| |   Syslog is spammed with the following message otherwise:
| |   Could not create AF_NETLINK socket
* | gnome games: more + fixes (rusty-snake, 2020-04-04)
| |   - fix description
| |   - add gnome-klotski, five-or-more, swell-foop
| |
| |   [skip ci]
* | more games (rusty-snake, 2020-04-04)
| |   - blobwars
| |   - gravity-beams-and-evaporating-stars
| |   - hyperrogue
| |   - jumpnbump-menu (alias)
| |   - jumpnbump
| |   - magicor
| |   - mindless
| |   - mirrormagic
| |   - mrrescue
| |   - scorched3d-wrapper (alias)
| |   - scorchwentbonkers
| |   - seahorse-adventures
| |   - wordwarvi
| |   - xbill
* | Fixes for slack 4.4 (Fred Barclay, 2020-04-04)
|/    I'd like to tighten this up more esp. for seccomp
|
|     - caps.keep sys_chroot needed or fails with
|       Cannot chroot into /proc/ directory: Operation not permitted
|     1. caps.drop all replaced with caps.keep
|     - caps.keep sys_admin needed or fails with
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|     2. nonewprivs dropped to avoid failure:
|       The setuid sandbox is not running as root. Common causes:
|       * An unprivileged process using ptrace on it, like a debugger.
|       * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|     3. noroot dropped to avoid failure:
|       [22:0404/121643.400578:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/slack/chrome-sandbox is owned by root and has mode 4755.
|     4. Removed protocol filter to avoid:
|       The setuid sandbox is not running as root. Common causes:
|       * An unprivileged process using ptrace on it, like a debugger.
|       * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
|       Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
|     5. Unable to get a working seccomp filter
|       See https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
|       seccomp !chroot seems to have worked for earlier versions of slack
|     6. private-tmp means no tray icon
|
|     Observed on Debian 10, Slack 4.4.0
* Harden signal-desktop.profile and add rules for Firefox (curiosityseeker, 2020-04-04)
|
* Harden thunderbird.profile (curiosityseeker, 2020-04-04)
|   Access to ${HOME}/.cache/mozilla actually not necessary to let Firefox open links
* misc fixes & hardening (rusty-snake, 2020-04-03)
|
* allow using wruc on any program (rusty-snake, 2020-04-03)
|   @glitsj16 thanks for the pointer that we now have whitelist globbing
* seccomp/join fix (netblue30, 2020-04-03)
|
* Merge branch 'master' of https://github.com/netblue30/firejail (netblue30, 2020-04-02)
|\
| * Merge pull request #3292 from davidebeatrici/steam-home-directory-privacy (netblue30, 2020-04-02)
| |\
| | |   steam.profile: correctly blacklist unneeded directories in user's home
| | * steam.profile: correctly blacklist unneeded directories in user's home (Davide Beatrici, 2020-03-24)
| | |   "noblacklist" directives prevent following ones from blacklisting the
| | |   specified directory/file.
| | |
| | |   The profile currently has a "noblacklist" directive for each directory used
| | |   by Steam and/or its games, which is fine. However, there are no directives
| | |   blacklisting the user's home, thus all directories and files inside it are
| | |   accessible by Steam.
| | |
| | |   This commit fixes the issue by adding "whitelist" directives, which
| | |   automatically blacklist the parent directory (in this case the user's home).
| | |
| | |   "mkdir" and "mkfile" directives are added so that the directories/files are
| | |   created if they don't exist.
| | |
| | |   Thanks to @SkewedZeppelin for suggesting to keep "noblacklist" and use
| | |   "mkdir" and "mkfile".
| * | Merge pull request #3294 from curiosityseeker/master (netblue30, 2020-04-02)
| |\ \
| | | |   thunderbird.profile: harden and enable the rules necessary to make Firefox open links
| | * | thunderbird.profile: harden and enable the rules necessary to make Firefox open links (curiosityseeker, 2020-03-23)
| | | |   See issue #3291
| * | | Merge pull request #3310 from Liorst4/ac-preserve-cflags (netblue30, 2020-04-02)
| |\ \ \
| | | | |   Preserve CFLAGS given to configure in common.mk.in
| | * | | Preserve CFLAGS given to configure in common.mk.in (Lior Stern, 2020-03-31)
| | | | |
* | | | | fixed firecfg man page, update README (netblue30, 2020-04-02)
|/ / / /