| Commit message (Collapse) | Author | Age |
... | |
| |
| |
| | |
The final profile in the include chain - torbrowser-launcher.profile - already includes globals.local. Unless there's some kind of potential race condition that needs to be avoided by changing this 'logic' we should avoid doubled includes.
|
| |
| |
| | |
The final profile in the include chain - torbrowser-launcher.profile - already includes globals.local. Unless there's some kind of potential race condition that needs to be avoided by changing this 'logic' we should avoid doubled includes.
|
|/
|
| |
Follow up for https://github.com/netblue30/firejail/pull/3988. We need to allow access to torbrowser-launcher executables installed under ${HOME}. Thanks @rusty-snake and @Vincent43 for motivational input.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit bd1819a8641e0eeae016846b28a41e625bcc215b, reversing
changes made to 807af3dce05786f10747cc0938cc98af484c8e97.
The hole PR looks like a single crap, it is not even syntactically
correct. Has anyone at least started kmail with this profile before it
was merged? See #3979, thanks @creideiki for reporting.
> First, there are syntax errors. Several mkdir lines have file names containing asterisks.
> This gives the following error:
>
> Error: "${HOME}/.cache/akonadi*" is an invalid filename: rejected character: "*"
>
> I am not sure what they intend to do, but whatever it is it's not working.
> Especially confusing is the line
>
> mkdir /tmp/akonadi-*
>
> Yes, Akonadi creates a directory in /tmp, but its name is random and seems to have been created
> using mkstemp(3) or similar. I'm not sure how Firejail is supposed to be able to pre-create it.
>
> Removing the asterisks makes Firejail at least accept the profile syntactically and try to run
> the program.
It is rejected by syntax. Has anyone tested?
> At startup, Firejail now prints the following warning:
>
> ***
> *** Warning: cannot whitelist ${DOCUMENTS} directory
> *** Any file saved in this directory will be lost when the sandbox is closed.
> ***
Why was 'include disable-xdg.inc' added together with 'whitelist ${DOCUMENTS}', but
no 'nobalcklist ${DOCUMENTS}'? It can not work.
> The actual error is that PostgreSQL needs access to /usr/lib64/postgresql-13/ in order to run.
> Adding the following line to kmail.profile fixes that:
>
> whitelist /usr/share/postgresql*
Again, has anyone thested this?
> The next problem is this message on the console:
>
> kf.config.core: Couldn't write "/home/creideiki/.config/kmail2rc" . Disk full?
>
> Which may have something to do with the profile creating a directory with that name:
>
> mkdir ${HOME}/.config/kmail2rc
>
> when it's supposed to be a file:
>
> $ stat ~/.config/kmail2rc
> File: /home/creideiki/.config/kmail2rc
> Size: 24660 Blocks: 56 IO Block: 4096 regular file
Has anyone tested this or is this just a blind copy of the noblacklist
from above with noblacklist replaced by mkdir?
> However, the error message
>
> kf.config.core: Couldn't write "/home/creideiki/.config/kmail2rc" . Disk full?
>
> still appears.
Looks like #1793. HAS ANYONE TESTED THIS PROFILE??!
> Finally, when exiting KMail, it crashes with a SIGSEGV:
>
> *** KMail got signal 11 (Exiting)
> *** Dead letters dumped.
> KCrash: crashing... crashRecursionCounter = 2
> KCrash: Application Name = kmail path = /usr/bin pid = 20
> KCrash: Arguments: /usr/bin/kmail
Has any...
> I tried restoring an older kmail.profile, from commit 319f2dc, and it has none of the above problems.
... I give up asking if anyone tested this.
> Given the multitude of problems with commit 5532fbd, I'd suggest reverting it until it can be fixed.
Yes, definitely.
|
| |
|
| |
|
|
|
| |
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
|
|
| |
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
|
|
|
|
|
|
|
|
| |
This configuration is to be applied in order to get screen sharing
working under Wayland (via pipewire and a xdg-desktop-portal backend).
Note that {chrome|chromium} does not need the dbus filters (at least
as of today) because dbus filtering is not enabled (dbus-user not set
to none).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 5df1f27c638c487dfd664ea3a0f756565e1e57bd.
That commit breaks things, as pointed out by @rusty-snake[1]:
> @kmk3 @glitsj16 The xdg macros are treated literally if they have sub
> components (#2359):
>
> ```
> Error: "${DOCUMENTS}/KeePassXC" is an invalid filename: rejected character: "{"
> ```
[1]: https://github.com/netblue30/firejail/commit/3fa2927c3c1c5cf583864746538ea791c1ba2dc4#commitcomment-46913219
|
|\
| |
| | |
Email part (2)
|
| | |
|
| |
| |
| |
| | |
mutt,neomuut; some sorting
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
to both geary and evolution; add dbus permissions fromflatpak
|
| | |
|
| |
| |
| |
| |
| | |
Just `find . -not \( -name .git -prune -o -name *.AppImage -prune \) -type f -print0 | xargs -0 perl -pi -e 's/ +$//'`
and filter to avoid unwanted changes (especially .md files)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently, some paths are hard-coded:
$ grep -Fnr '${HOME}/Documents' etc etc-fixes
etc/profile-m-z/Mathematica.profile:19:mkdir ${HOME}/Documents/Wolfram Mathematica
etc/profile-m-z/Mathematica.profile:22:whitelist ${HOME}/Documents/Wolfram Mathematica
etc/profile-a-l/keepassxc.profile:34:# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
etc/profile-a-l/keepassxc.profile:35:#mkdir ${HOME}/Documents/KeePassXC
etc/profile-a-l/keepassxc.profile:36:#whitelist ${HOME}/Documents/KeePassXC
Commands used to search and replace:
$ find etc etc-fixes/ -type f -exec \
sed -i.bak -e 's|\${HOME}/Documents|${DOCUMENTS}|' '{}' +
Related to that, the (lack of) usage of ${DOWNLOADS} has been recently
fixed on commit deae31301 ("use ${DOWNLOADS} in lutris.profile
(#3955)").
With the above change, all macros other than ${DOCUMENTS} seem to be
already used appropriately:
$ grep -Fnr '${HOME}/Desktop' etc etc-fixes
$ grep -Fnr '${HOME}/Downloads' etc etc-fixes
$ grep -Fnr '${HOME}/Music' etc etc-fixes
$ grep -Fnr '${HOME}/Pictures' etc etc-fixes
$ grep -Fnr '${HOME}/Videos' etc etc-fixes
See src/firejail/macros.c for details.
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
And mark it as a redirect profile.
This is done so when including other *-common.inc profiles, such as
firefox-common.profile.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Create calligragemini.profile
* Update calligra.profile
* Update calligra.profile
* Update firecfg.config
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
And sort the paths on allow-gjs.inc.
$ pacman -Q js78
js78 78.6.0-1
$ pacman -Qlq js78 | grep -v /usr/include/
/usr/
/usr/bin/
/usr/bin/js78
/usr/bin/js78-config
/usr/lib/
/usr/lib/libmozjs-78.so
/usr/lib/pkgconfig/
/usr/lib/pkgconfig/mozjs-78.pc
This appears to be the only counterpart path missing when looking at the
current lib64 entries with:
$ grep -Fnr lib64 etc
|
| | |
|
| |
| |
| | |
uim is a multilingual input method framework, so any program that takes user input potentially needs it to work.
|
| |
| |
| |
| | |
damn, forgotten to add
|
| | |
|
| |
| |
| |
| |
| |
| | |
blacklist ${HOME}/.vwmare is already in disable-programs.inc
I did not add it to firecfg.config because it has many extra features
such as usb-redirection that I could not test.
|
| |
| |
| |
| | |
ungoogled-chromium won't work with keepassxc (#3941)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Update disable-programs.inc
* Update firecfg.config
* Create avidemux.profile
* Update avidemux.profile
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
webkit2gtk uses a bwrap based sandbox by default since 4.0, see #3647.
This is good as it means more security by default on for linux system.
Unfortunately is it not possible to run bwrap inside firejail if bwrap
is started with --unshare-pid --proc /proc at all. In general we should
exclude a program from firecfg until a final solution is found. But
bijiben is special, while epiphany or evolution display random stuff
from the internet is webkit2gtk in bijiben used to display local files
create by the user. Bijiben has a thight profile (net none, whitelist,
private-bin, ...) therefore my decision here was to disable the
webkit2gtk sandbox rather then firejail.
|
| |
| |
| |
| |
| | |
* add quiet to lzdiff
* add quiet to lzmadec
|
|\ \
| | |
| | | |
follow-up fixes for #3914
|
| | |
| | |
| | |
| | | |
https://github.com/netblue30/firejail/commit/43aa71f8c608ec5bd92fd2c7323c603fa37f6d30
|
|\ \ \
| | | |
| | | | |
ssh: Refactor, fix bugs & harden
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The paths are taken from ssh(1) and sshd(8).
$ pacman -Q openssh
openssh 8.4p1-2
These are only used by sshd(8), so always blacklist them:
* ~/.rhosts: controls remote access to the local machine
* ~/.shosts: same as above
* ~/.ssh/authorized_keys: same as above
* ~/.ssh/authorized_keys2: same as above
* ~/.ssh/environment: potentially allows arbitrary command execution on
the local machine
* ~/.ssh/rc: allows arbitrary command execution on the local machine
* /etc/hosts.equiv: system-wide equivalent of ~/.rhosts
Note: There are files in /etc/ssh that are equivalent to some of the
above ones, but they are already blocked by `blacklist /etc/ssh/*`.
Note2: From sshd(8):
> If the file ~/.ssh/rc exists, sh(1) runs it after reading the
> environment files but before starting the user's shell or command.
So even if the user shell is set to /usr/bin/firejail and
disable-common.inc is loaded, this patch shouldn't interfere with sshd.
This file is actually used by ssh(1), so just mark it read-only:
* ~/.ssh/config: allows arbitrary command execution on the remote
machine (with e.g.: RemoteCommand) and also defines the connection
strength
Since version 7.3p1 (released on 2016-08-01), openssh supports including
other config files on ssh_config(5)[1][2]. This is the conventional
path for storing them[3], so mark it read-only:
* ~/.ssh/config.d: same as above
P.S. See also the explanation on the commit b5542fc94
("disable-common.inc: read-only access to ~/.ssh/authorized_keys"),
which last touched/added the "Remote access" section.
[1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
[2]: https://www.openssh.com/txt/release-7.3
[3]: https://superuser.com/a/1142813
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Leaving it limited to only ssh, ssh-agent and seahorse by default seems
unnecessarily restrictive.
From ssh(1):
> The most convenient way to use public key or certificate
> authentication may be with an authentication agent. See ssh-agent(1)
> and (optionally) the AddKeysToAgent directive in ssh_config(5) for
> more information.
$ pacman -Q openssh
openssh 8.4p1-2
With ssh-agent(1) running in the background (and with the private key(s)
loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
actual key pair(s), so you could probably get away with this on
allow-ssh.local:
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
And then this on the profiles of ssh key pair managers, such as
seahorse.local:
noblacklist ${HOME}/.ssh
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that
is used by ssh(1). The other paths are only used by sshd(8), so stop
allowing them on ssh.profile and ssh-agent.profile. Path examples from
sshd(8):
* /etc/ssh/moduli
* /etc/ssh/ssh_host_ecdsa_key
* /etc/ssh/ssh_host_ecdsa_key.pub
* /etc/ssh/ssh_known_hosts
* /etc/ssh/sshd_config
* /etc/ssh/sshrc
$ pacman -Q openssh
openssh 8.4p1-2
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This is the system-wide equivalent of ~/.ssh/config.
$ pacman -Q openssh
openssh 8.4p1-2
Reasons for blacklisting both /etc/ssh and /etc/ssh/* on
disable-common.inc:
Leave /etc/ssh that way so that profiles without allow-ssh.inc remain
unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that
profiles with allow-ssh.inc are able to access only nonblacklisted files
inside of /etc/ssh.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
Command used to find the relevant files:
$ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
Also, add it to profile.template, as reminded by @rusty-snake at
https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
|