From 9ca0d7a75756e786db4777f27ef7395a92d74700 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 28 Jul 2021 09:03:17 +0200
Subject: kcmp is allowed by default, no need to add seccomp exceptions for it anylonger
---
 etc/profile-a-l/chromium-common-hardened.inc.profile | 3 +--
 etc/profile-m-z/minitube.profile | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index 87a0a0994..19addd285 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -6,5 +6,4 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-# kcmp is required for ozone-platform=wayland, see #3783.
-seccomp !chroot,!kcmp
+seccomp !chroot
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 3fe3428d0..b8a551b6c 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp !kcmp
+seccomp
 shell none
 tracelog
 
-- 
cgit v1.2.3-70-g09d2
From fd973654c7f541d01b76e5e6260a26defea85797 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 28 Jul 2021 09:04:34 +0200
Subject: Update RELNOTES
---
 RELNOTES | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/RELNOTES b/RELNOTES
index 49b88ac08..405888cc4 100644
--- a/RELNOTES
+++ b/RELNOTES
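Review bot: Dropping `!kcmp` here (and `seccomp !kcmp` → `seccomp` in the minitube hunk below) leaves no trace of why the exception existed, because the removed `#3783` comment was its only pointer. If kcmp is now on the default seccomp allow list of the bundled firejail, a one-line comment such as `# kcmp is in the default seccomp filter since <version>` (with the version filled in) would stop the next wayland breakage report from re-adding the exception. As this is an `.inc` file, presumably pulled in by several chromium-based profiles, the effect of the change is wider than this one file, which is another reason to record the rationale in place.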
@@ -2,7 +2,8 @@ firejail (0.9.67) baseline; urgency=low
   * work in progress
   * deprecated --disable-whitelist at compile time
   * deprecated whitelist=yes/no in /etc/firejail/firejail.config
-  * new profiles: microsoft-edge-beta
+  * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
+  * new profiles: io.github.lainsce.Notejot, rednotebook
  -- netblue30 Mon, 28 Jun 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
-- 
cgit v1.2.3-70-g09d2
From 8f867d029a6ae7b757190d9f273886d4bbc1344b Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 28 Jul 2021 09:05:32 +0200
Subject: Refactor code.profile as electron redirect
closes #4408
---
 etc/profile-a-l/code.profile | 39 ++++++++++++++++++---------------------
 1 file changed, 18 insertions(+), 21 deletions(-)
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index e19b78908..fdf94ec41 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -5,6 +5,21 @@ include code.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Code
 noblacklist ${HOME}/.config/Code - OSS
 noblacklist ${HOME}/.vscode
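Review bot: The comment `# Disabled until someone reported positive feedback` above the new `ignore` block does not say what the block costs: with `ignore apparmor`, `ignore dbus-user none` and `ignore dbus-system none` the redirect to electron.profile (added at the end of the next hunk) runs without the AppArmor and D-Bus confinement that electron.profile presumably sets, and the `ignore include whitelist-*` and `ignore include disable-exec.inc` lines widen filesystem and exec access likewise. This is roughly the previous profile's level (the lines removed in the second hunk had no apparmor or dbus entries either), so the point is documentation rather than a regression. Suggest spelling it out, e.g. `# Disabled until someone reports positive feedback: keeps AppArmor, D-Bus filtering, disable-exec and the whitelists OFF, so this profile is weaker than electron.profile alone`, and naming the tracking issue. A line on whether a `dbus-user none` placed in code.local (included above, before the ignores) is still honoured would also help, since that depends on whether `ignore` applies to lines parsed earlier.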
@@ -13,31 +28,13 @@ noblacklist ${HOME}/.vscode-oss
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-cache
-private-dev
-private-tmp
 
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
 # noexec ${HOME}
 noexec /tmp
+
+# Redirect
+include electron.profile
-- 
cgit v1.2.3-70-g09d2
From bf886377ae43022c066c68b8de36ad1608d2198f Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 28 Jul 2021 09:30:16 +0200
Subject: Update etc/templates/syscalls.txt
Rework + suggest --seccomp-error-action=log
---
 etc/templates/syscalls.txt | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 3992c984a..38f789923 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -89,18 +89,24 @@ Inheritance of groups
 What to do if seccomp breaks a program
 --------------------------------------
 
+Start `journalctl --grep=SECCOMP --follow` in a terminal and run
+`firejail --seccomp-error-action=log /path/to/program` in a second terminal.
+Now switch back to the first terminal (where `journalctl` is running) and look
+for the numbers of the blocked syscall(s) (`syscall=`). As soon as you
+have found them, you can stop `journalctl` (^C) and execute
+`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
+In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`.
+Now you can add a seccomp exception using `seccomp !NAME`.
+
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
+
 ```
-$ journalctl --grep=syscall --follow
-<...> audit[…]: SECCOMP <...> syscall=161 <...>
-$ firejail --debug-syscalls | grep 161
-161 - chroot
+term1$ journalctl --grep=SECCOMP --follow
+term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop
+term1$ (journalctl --grep=SECCOMP --follow)
+audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ...
+^C
+term1$ firejail --debug-syscalls | grep "^161[[:space:]]"
+161 - chroot
 ```
 Profile: `seccomp -> seccomp !chroot`
-
-Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
-program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
-Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
-will see something like `NUMBER - NAME`, because you now know the name of the
-syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
-
-If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
-- 
cgit v1.2.3-70-g09d2
From 48a97c265e19beed611af44c25f5671c3762ff86 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 28 Jul 2021 09:33:21 +0200
Subject: Add support for ignore to profcleaner.sh
---
 src/tools/profcleaner.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh
index 709008e08..96402aed6 100755
--- a/src/tools/profcleaner.sh
+++ b/src/tools/profcleaner.sh
@@ -38,8 +38,8 @@ else
 fi
 
 sed -i -E \
-	-e "s/^(# |#)?blacklist/\1deny/" \
-	-e "s/^(# |#)?noblacklist/\1nodeny/" \
-	-e "s/^(# |#)?whitelist/\1allow/" \
-	-e "s/^(# |#)?nowhitelist/\1noallow/" \
+	-e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \
+	-e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \
+	-e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \
+	-e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \
 	"${profiles[@]}"
-- 
cgit v1.2.3-70-g09d2
From 34b9d508b399ed8df32b74eed55b6d9def047188 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 28 Jul 2021 09:56:07 +0200
Subject: kodi.profile: Add Lutris Kodi Addon note
Closes #3785 -- Allowing calling specific apps outside the sandbox or with a different firejail profile
The idea isn't worng but should be reweiten in a seperate issue without all the kodi/lutris clutter.
---
 etc/profile-a-l/kodi.profile | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b7091f1fc..f909728a5 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -12,6 +12,12 @@ ignore noexec ${HOME}
 #ignore nogroups
 #ignore noroot
 #ignore private-dev
+# Add the following to your kodi.local if you use the Lutris Kodi Addon
+#noblacklist /sbin
+#noblacklist /usr/sbin
+#noblacklist ${HOME}/.cache/lutris
+#noblacklist ${HOME}/.config/lutris
+#noblacklist ${HOME}/.local/share/lutris
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
-- 
cgit v1.2.3-70-g09d2
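Review bot: The four `-e` expressions now repeat the `(ignore )?` group verbatim and still differ only in the `no` prefix and the target word, so the same rewrite fits in two expressions: `-e "s/^(# |#)?(ignore )?(no)?blacklist/\1\2\3deny/" \` and `-e "s/^(# |#)?(ignore )?(no)?whitelist/\1\2\3allow/" \`. Note that `(ignore )?` matches exactly one space, so a line such as `ignore  blacklist` (two spaces) or a tab-separated one is left as-is without any diagnostic; if profile syntax tolerates that spacing, a one-line comment above `sed -i -E \` saying that only single-space `ignore ` is rewritten would keep the silent skip from surprising anyone. The sed invocation begins inside the hunk, but the rest of the script is outside it.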
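Review bot: The new hint tells users to un-blacklist `/sbin` and `/usr/sbin` without saying what the Lutris Kodi Addon needs from there; those directories hold system-administration binaries that are presumably blacklisted on purpose by one of the included disable-*.inc files, so a reader copying all five lines into kodi.local gives up that restriction wholesale. Suggest naming the binaries the addon actually calls so a user can limit the exception, e.g. `# The Lutris Kodi Addon needs <tool> from /sbin and /usr/sbin; un-blacklist only what you use` with the tool filled in. The `${HOME}/...lutris` lines are self-explanatory and need no such note.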