path: root/etc/inc/disable-common.inc
Commit message (author, date)
...
* telnet and ftp (netblue30, 2021-11-12)
* change Fedora ssh fix (glitsj16, 2021-11-10)
  Suggested in https://github.com/netblue30/firejail/pull/4675#discussion_r746510840. Makes sense!
* add Fedora fix (glitsj16, 2021-11-10)
  Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767. NOTE: there are several other profiles touching /usr/libexec, so until someone on Fedora can shed some light on what files are installed under /usr/libexec, I only blacklisted ssh-keysign. I'll pick this up tomorrow, a bit pressed for time in the non-digital worlds...
* fixes for ssh (glitsj16, 2021-11-10)
  Counterpart fix for changes in allow-ssh.inc.
* disable-common.inc: more SUID (netblue30, 2021-11-09)
* disable-common.inc: vmware SUID binaries (netblue30, 2021-11-09)
* disable-common.inc: disable chrome-sandbox (netblue30, 2021-11-09)
* disable-common.inc: blacklist ssh (netblue30, 2021-11-09)
* adding more SUID executables to disable-common.inc (netblue30, 2021-11-04)
* Blacklist ~/.minisign in disable-common (rusty-snake, 2021-09-07)
* Move disable-passwordmgr.inc into disable-common.inc/disable-programs.inc (#4461) (rusty-snake, 2021-08-12)
  See #4454
* Added ~/Private blacklist (#4434) (caydey, 2021-08-03)
* drop trailing slashes from openrc items (glitsj16, 2021-07-26)
  As suggested in https://github.com/netblue30/firejail/pull/4420#discussion_r676929867.
* ordering and additions (glitsj16, 2021-07-26)
* Revert "move whitelist/blacklist to allow/deny" (Kelvin M. Klann, 2021-07-18)
  This reverts commit fe0f975f447d59977d90c3226cc8c623b31b20b3.

  Note: This only reverts the changes from etc.

  The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases. That is, they fail to address the different usability problems discussed on [#3447][3447] and in fact only make things more confusing (as has already been mentioned on [this][4379] and later comments).

  The main reason is that the aliases do not meaningfully map to the original commands. For example, the commands from each pair below seem like they would do the exact same thing:

  * `allow` and `nodeny`
  * `deny` and `noallow`

  Additionally, if these aliases are not the final commands, but only a test/work-in-progress, then keeping the wide-scale search/replace changes made on commit fe0f975f4 would only serve to cause confusion, as users of firejail-git, contributors and downstream projects might start changing the commands used on their profiles, only to later have to change them again, potentially to completely different commands.

  The sooner this is undone the better, as (besides the above reasons) the more profile changes there are between the original commit and the revert, the harder it is to e.g.: `git diff` versions of files across the following revision ranges: before the commit, after the commit but before the revert and after the revert. Note: This is still the case even if a commit is [ignored by `git blame`][4390].

  So let us revert fe0f975f4 and only reapply similar large-scale changes once we have discussed and settled on better commands.

  How the revert was applied:

  Despite using the auto-generated message from `git revert`, to ensure correctness and to avoid conflicts the changes were reverted in different steps:

  Firstly, revert the files which can be safely reverted directly ("filestorevert"):

      # Find out which files have been changed on fe0f975f44, but have not
      # been changed afterwards and list them on "filestorevert"
      git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles
      git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore
      comm -2 -3 allfiles filestoignore >filestorevert

      # Note: There are 3 extra files on filestoignore because they were
      # added after commit fe0f975f44
      wc -l allfiles filestoignore filestorevert | head -n 3
      # 797 allfiles
      # 8 filestoignore
      # 792 filestorevert

      # Automatically revert files in "filestorevert"
      # See https://stackoverflow.com/a/23401018/10095231
      tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- | git apply --reverse

      printf 'Total files reverted:\n'
      git diff --name-only | wc -l
      # 792

  Secondly, do some search/replace on the rest:

      tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \
        -e 's/allow /whitelist /' -e 's/noallow /nowhitelist /' \
        -e 's/deny /blacklist /' -e 's/nodeny /noblacklist /' \
        -e 's/deny-nolog /blacklist-nolog /'
      find etc -name '*.bak' -print0 | xargs -0 rm

  Thirdly, verify the result. The following command shows the difference between all the changes in etc from before fe0f975f44 and this commit (inclusive):

      git diff fe0f975f44~1 -- etc

  From the output, it looks like all alias changes are fully reverted and that the other changes to etc (from after fe0f975f44) remain, so the revert seems to be done correctly.

  [3447]: https://github.com/netblue30/firejail/issues/3447
  [4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222
  [4390]: https://github.com/netblue30/firejail/issues/4390
* disable-common.inc update (netblue30, 2021-07-13)
* move whitelist/blacklist to allow/deny (netblue30, 2021-07-05)
* Update disable-common.inc (rusty-snake, 2021-05-16)
  Make ${HOME}/.rustup read-only and blacklist ${HOME}/.cargo/credentials.toml
* Node.js stack refactoring (#4255) (glitsj16, 2021-05-08)
  * Create node.profile
  * Create node-gyp.profile
  * refactor npm as redirect
  * Create npx.profile
  * Create nvm.profile
  * Create semver.profile
  * refactor yarn as redirect
  * collect node.js stack configuration in common profile
  * add ~/.nvm to node section
  * account for node-gyp python dependency
  * read-only ~/.nvm for node.js stack
  * blacklist ~/.nvm for node.js stack
  * move env var comment cfr. profile.template
  * Delete node-gyp.profile
    node-gyp is a shell script with a node shebang. We've got that covered via node.profile.
  * Delete npx.profile
    npx is a shell script with a node shebang. We've got that covered via node.profile.
  * Delete semver.profile
    semver is a shell script that calls node. We've got that covered via node.profile.
  * add node and nvm to new profiles section
* Update Librewolf profile and Add Sway profile (#4164) (Vladislav Nepogodin, 2021-04-19)
  * Add Sway profile
  * Fix issue
    Not working then including firefox-common-addons.profile
  * Allow sway's fallback config
  * So I agree with @glitsj16 and @BL4CKH47H4CK3R so..
    `No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
  * well.. Revert `include whitelist-usr-share-common.inc`
    Sync with Firefox profile
  * 😄 What just happened
  * 🔄 Sync with upstream
  * Merge tested from PR
  * 🔄 Sync with upstream
  * Merge tested from PR
  * Revert changes
  * Add Sway profile
  * Fix issue
    Not working then including firefox-common-addons.profile
  * Allow sway's fallback config
  * So I agree with @glitsj16 and @BL4CKH47H4CK3R so..
    `No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
  * 🔄 Rebase
  * 😄 What just happened
  * Merge tested from PR
  * 🔄 Sync with upstream
  * Merge tested from PR
  * Revert changes
  * Update
  * Update librewolf.profile

  Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
  Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* more jailtest (netblue30, 2021-03-08)
* disable-common.inc: add missing openssh paths (Kelvin M. Klann, 2021-01-27)
  The paths are taken from ssh(1) and sshd(8).

      $ pacman -Q openssh
      openssh 8.4p1-2

  These are only used by sshd(8), so always blacklist them:

  * ~/.rhosts: controls remote access to the local machine
  * ~/.shosts: same as above
  * ~/.ssh/authorized_keys: same as above
  * ~/.ssh/authorized_keys2: same as above
  * ~/.ssh/environment: potentially allows arbitrary command execution on the local machine
  * ~/.ssh/rc: allows arbitrary command execution on the local machine
  * /etc/hosts.equiv: system-wide equivalent of ~/.rhosts

  Note: There are files in /etc/ssh that are equivalent to some of the above ones, but they are already blocked by `blacklist /etc/ssh/*`.

  Note2: From sshd(8):

  > If the file ~/.ssh/rc exists, sh(1) runs it after reading the
  > environment files but before starting the user's shell or command.

  So even if the user shell is set to /usr/bin/firejail and disable-common.inc is loaded, this patch shouldn't interfere with sshd.

  This file is actually used by ssh(1), so just mark it read-only:

  * ~/.ssh/config: allows arbitrary command execution on the remote machine (with e.g.: RemoteCommand) and also defines the connection strength

  Since version 7.3p1 (released on 2016-08-01), openssh supports including other config files on ssh_config(5)[1][2]. This is the conventional path for storing them[3], so mark it read-only:

  * ~/.ssh/config.d: same as above

  P.S. See also the explanation on the commit b5542fc94 ("disable-common.inc: read-only access to ~/.ssh/authorized_keys"), which last touched/added the "Remote access" section.

  [1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
  [2]: https://www.openssh.com/txt/release-7.3
  [3]: https://superuser.com/a/1142813
* allow-ssh.inc: allow /etc/ssh/ssh_config (Kelvin M. Klann, 2021-01-27)
  This is the system-wide equivalent of ~/.ssh/config.

      $ pacman -Q openssh
      openssh 8.4p1-2

  Reasons for blacklisting both /etc/ssh and /etc/ssh/* on disable-common.inc:

  Leave /etc/ssh that way so that profiles without allow-ssh.inc remain unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that profiles with allow-ssh.inc are able to access only nonblacklisted files inside of /etc/ssh.
* ssh: move auth socket blacklist to disable-common.inc (Kelvin M. Klann, 2021-01-22)
  That was added on the commit e93fbf3bd ("disable ssh-agent sockets in disable-programs.inc"). Currently, it's the only ssh-related entry on disable-programs.inc. Further, it seems that all the other socket blacklists live on disable-common.inc.

  Also, even though this socket does not necessarily allow arbitrary command execution on the local machine (like some paths on disable-common.inc do), it could still do so for remote systems.

  Put it above the "top secret" section, like the terminal sockets are above the terminal server section.
* refactor nodejs applications (npm & yarn) (#3876) (glitsj16, 2021-01-11)
  * add yarn & reorder
  * add node-gyp & yarn files
  * Create nodejs-common.profile
  * Create yarn.profile
  * refactor npm.profile
  * add new profile: yarn
  * read-only's for npm/yarn
    Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
  * ignore read-only's for npm
    As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
  * ignore read-only for yarn
    As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
  * remove quiet from nodejs-common.profile
    quiet should go into the caller profiles instead
  * add quiet to npm.profile
    Thanks @rusty-snake for the review.
  * re-ordering some options
  * re-ordering
* disable-common.inc: add missing dns tools (#3828) (Kelvin, 2020-12-20)
  Add the missing binaries in the DNS section, as suggested by @glitsj16:

  https://github.com/netblue30/firejail/pull/3810#issuecomment-742920539

  Packages and their relevant binaries:

  * bind: dnssec-*
  * knot: khost
  * unbound: unbound-host
* disable-common.inc: blacklist ldns tools (Kelvin M. Klann, 2020-12-10)
  drill(1) from ldns is the first tool suggested on the Arch Wiki for DNS lookup:

  https://wiki.archlinux.org/index.php/Domain_name_resolution#Lookup_utilities

  Home page: https://www.nlnetlabs.nl/projects/ldns/about/

      $ pacman -Q ldns
      ldns 1.7.1-2
      $ pacman -Qlq ldns | grep bin
      /usr/bin/
      /usr/bin/drill
      /usr/bin/ldns-chaos
      /usr/bin/ldns-compare-zones
      /usr/bin/ldns-config
      /usr/bin/ldns-dane
      /usr/bin/ldns-dpa
      /usr/bin/ldns-gen-zone
      /usr/bin/ldns-key2ds
      /usr/bin/ldns-keyfetcher
      /usr/bin/ldns-keygen
      /usr/bin/ldns-mx
      /usr/bin/ldns-notify
      /usr/bin/ldns-nsec3-hash
      /usr/bin/ldns-read-zone
      /usr/bin/ldns-resolver
      /usr/bin/ldns-revoke
      /usr/bin/ldns-rrsig
      /usr/bin/ldns-signzone
      /usr/bin/ldns-test-edns
      /usr/bin/ldns-testns
      /usr/bin/ldns-update
      /usr/bin/ldns-verify-zone
      /usr/bin/ldns-version
      /usr/bin/ldns-walk
      /usr/bin/ldns-zcat
      /usr/bin/ldns-zsplit
      /usr/bin/ldnsd
* disable-common.inc: sort DNS / RUNUSER paths (Kelvin M. Klann, 2020-12-10)
* make ${HOME}/.local/lib read-only (rusty-snake, 2020-11-24)
* various profiles (rusty-snake, 2020-11-20)
  - disable-common: read-only ${HOME}/.zfunc
  - fix #3761 -- w3m with w3m-img installed does not display images when on virtual console/framebuffer
  - yelp can be used to display manpages
* add read-only items for ksh and mksh (glitsj16, 2020-11-14)
  Follow-up from discussion in https://github.com/netblue30/firejail/pull/3751.
* add gvfs-metadata to disable-common.inc (Tad, 2020-11-13)
  - this might need to be looked into
* update konsole/plasma blacklist (smitsohu, 2020-11-11)
* profile fixes (rusty-snake, 2020-11-06)
  - update README.md and RELNOTES
  - add 'blacklist ${RUNUSER}/.flatpak-cache' to disable-common.inc
  - fix #3728, fonts in openSUSE KDE with wc / wusc
  - fix gnome-todo
  - fix xournalpp MathTeX whitelist
* allow flatpak/exports also for systemd-wide location (rusty-snake, 2020-09-02)
* Update disable-common.inc (#3499) (rusty-snake, 2020-07-09)
  * Update disable-common.inc
  * Update disable-common.inc [skip ci]
* ${RUNUSER} blacklisting + typo (rusty-snake, 2020-05-27)
* better blacklist ordering (Reiner Herrmann, 2020-05-16)
* Blacklist busybox by default (Reiner Herrmann, 2020-05-16)
  It's a collection of many tools, that might not be allowed individually. When it's needed, it can easily be allowed again.
* various hardening (#3394) (rusty-snake, 2020-05-02)
* reorganize github etc directory (netblue30, 2020-04-21)