From 900db66204a9786696213e7803f0f6bb50b53987 Mon Sep 17 00:00:00 2001 From: KOLANICH Date: Tue, 15 Nov 2022 20:26:33 +0300 Subject: A temporary fix to the bug caused by apparmor profiles stacking. --- src/firejail/firejail.h | 1 + src/firejail/main.c | 5 +++++ src/firejail/profile.c | 16 ++++++++++++++++ src/firejail/sandbox.c | 9 ++++++++- 4 files changed, 30 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 65907e8ee..65f93d9d1 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log extern int arg_appimage; // appimage extern int arg_apparmor; // apparmor extern char *apparmor_profile; // apparmor profile +extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior) extern int arg_allow_debuggers; // allow debuggers extern int arg_x11_block; // block X11 extern int arg_x11_xorg; // use X11 security extension diff --git a/src/firejail/main.c b/src/firejail/main.c index 1eda26f99..54479dc0c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -134,6 +134,7 @@ int arg_writable_var_log = 0; // writable /var/log int arg_appimage = 0; // appimage int arg_apparmor = 0; // apparmor char *apparmor_profile = NULL; // apparmor profile +bool apparmor_replace = false; // apparmor profile int arg_allow_debuggers = 0; // allow debuggers int arg_x11_block = 0; // block X11 int arg_x11_xorg = 0; // use X11 security extension @@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) { arg_apparmor = 1; apparmor_profile = argv[i] + 11; } + else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) { + arg_apparmor = 1; + apparmor_replace = true; + } #endif else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 24964d40d..15e833288 100644 --- a/src/firejail/profile.c 
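Review bot: `extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)` breaks the convention every neighbouring declaration follows: the flags are `int arg_*` with a short trailing comment, and `bool` only compiles if firejail.h already pulls in <stdbool.h>, which is not visible in this hunk. Declaring it `extern int arg_apparmor_replace; // replace the AppArmor profile instead of stacking it (legacy behavior)` matches the adjacent `arg_apparmor`/`arg_allow_debuggers` lines and removes the header-dependency question. The same rename would have to be carried through the definition in main.c and the uses in profile.c and sandbox.c.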
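Review bot: The trailing comment on the new definition, `bool apparmor_replace = false; // apparmor profile`, is copied from the `apparmor_profile` line above it and describes the wrong variable. Since every `arg_*` definition in this file carries a one-line comment that readers treat as authoritative, it should say what the flag does, e.g. `bool apparmor_replace = false; // replace the AppArmor profile instead of stacking it (legacy behavior)`, matching the wording the header hunk already uses.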
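Review bot: `strncmp(argv[i], "--apparmor-replace", 18) == 0` is a prefix match whose length is exactly the option's length, so `--apparmor-replacefoo` or `--apparmor-replace=1` is accepted silently instead of being rejected as an unknown option; a flag that takes no value should be matched exactly, `else if (strcmp(argv[i], "--apparmor-replace") == 0) {`. The `strncmp(..., 11)` on `--apparmor=` just above is correct because that option carries a value. Note also that the new branch leaves `apparmor_profile` untouched, so it relies on whatever default is applied elsewhere for the bare `--apparmor` case — presumably the same path, but worth a short comment. The enclosing argument loop starts and ends outside the hunk.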
+++ b/src/firejail/profile.c @@ -956,6 +956,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strcmp(ptr, "apparmor-replace") == 0) { +#ifdef HAVE_APPARMOR + arg_apparmor = 1; + apparmor_replace = true; +#endif + return 0; + } + + if (strcmp(ptr, "apparmor-stack") == 0) { +#ifdef HAVE_APPARMOR + arg_apparmor = 1; + apparmor_replace = false; +#endif + return 0; + } + if (strncmp(ptr, "protocol ", 9) == 0) { if (checkcfg(CFG_SECCOMP)) { const char *add = ptr + 9; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9299268a3..3295362e1 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -130,7 +130,14 @@ static void set_caps(void) { static void set_apparmor(void) { EUID_ASSERT(); if (checkcfg(CFG_APPARMOR) && arg_apparmor) { - if (aa_stack_onexec(apparmor_profile)) { + int res = 0; + if(apparmor_replace){ + fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n"); + res = aa_change_onexec(apparmor_profile); + } else { + res = aa_stack_onexec(apparmor_profile); + } + if (res) { fwarning("Cannot confine the application using AppArmor.\n" "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" "As root, run \"aa-enforce firejail-default\" to load it.\n"); -- cgit v1.2.3-70-g09d2 From 3af6c406834d5f18d1422ce95ebd02646862ce74 Mon Sep 17 00:00:00 2001 From: Dpeta Date: Sat, 24 Dec 2022 23:21:43 +0100 Subject: Add Chatterino profile --- etc/inc/disable-programs.inc | 1 + etc/profile-a-l/chatterino.profile | 116 +++++++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 1 + 3 files changed, 118 insertions(+) create mode 100644 etc/profile-a-l/chatterino.profile (limited to 'src') diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index b52bcaa11..698ee7eca 100644 
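Review bot: `apparmor-replace` is accepted from any profile line, including `.local` includes processed later, and the last keyword seen wins, so an included file can silently downgrade a profile that asked for `apparmor-stack` or plain `apparmor` to the weaker replace behaviour with no diagnostic at parse time — the warning added in sandbox.c only appears once the sandbox is actually started. If replace mode is meant as a temporary escape hatch, as the commit message says, consider limiting it to the `--apparmor-replace` command-line option, or at least warn here where `fname` and `lineno` are available, so the user learns which profile weakened confinement. Both new keywords also `return 0` when `HAVE_APPARMOR` is undefined, which presumably mirrors the existing `apparmor` keyword but means they are accepted and ignored rather than rejected. profile_check_line starts and ends outside the hunk.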
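Review bot: Both branches still fall through to the same warning when confinement fails, so after a failed `aa_change_onexec()` or `aa_stack_onexec()` the sandbox starts with no AppArmor profile at all, and the unchanged message blames an unloaded firejail-default profile although the new replace path can fail for other reasons (for instance the kernel refusing the transition from the caller's current profile). The commit does not change that fail-open behaviour, but it should at least surface the cause: both libapparmor calls return -1 with errno set, so printing `strerror(errno)` in the `if (res)` message — `fwarning("Cannot confine the application using AppArmor: %s\n", strerror(errno));`, assuming fwarning is printf-style as its other uses in firejail suggest — would make the legacy path diagnosable. Two style points on the new lines: `if(apparmor_replace){` drops the spaces every other condition in the function uses, `if (apparmor_replace) {`, and the long single-string fwarning should be split into adjacent string literals like the existing three-line message below it. set_apparmor's body continues outside the hunk.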
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -876,6 +876,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/calligragemini
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
+blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.local/share/contacts
diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
new file mode 100644
index 000000000..bbb536827
--- /dev/null
+++ b/etc/profile-a-l/chatterino.profile
@@ -0,0 +1,116 @@
+# Firejail profile for Chatterino
+# Description: Chat client for https://twitch.tv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chatterino.local
+# Persistent global definitions
+include globals.local
+
+# Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.cache/vlc
+noblacklist ${HOME}/.config/aacs
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/pulse
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/chatterino
+noblacklist ${HOME}/.local/share/vlc
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#noblacklist ${HOME}/Pictures/
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#noblacklist ${HOME}/Music/
+
+# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Allow Lua for mpv (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# disable-*.inc includes
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Also allow access to mpv/vlc, they're usable via streamlink.
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/aacs
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/pulse
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/chatterino
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/aacs
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/pulse
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/chatterino
+whitelist ${HOME}/.local/share/vlc
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${HOME}/Pictures/
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${HOME}/Music/
+# whitelist-*.inc includes
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Streamlink+VLC doesn't seem to close properly with apparmor enabled.
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+# Netlink is required for streamlink integration.
+protocol unix,inet,inet6,netlink
+# Seccomp may break browser integration.
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# Add more private-bin lines for browsers or video players to chatterino.local if wanted.
+private-bin chatterino,pgrep
+private-bin ffmpeg,python*,streamlink
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
+private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
+# private-cache may cause issues with mpv (see #2838)
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user filter
+dbus-user.own com.chatterino.*
+# Session Bus Policy from flatpak
+dbus-user.talk com.canonical.AppMenu.Registrar
+dbus-user.talk org.kde.kconfig.notify
+dbus-user.talk org.kde.KGlobalSettings
+dbus-user.talk org.freedesktop.Flatpak
+# Allow notifications.
+dbus-user.talk org.freedesktop.Notifications
+# For media player integration.
+dbus-user.talk org.freedesktop.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
+
+# Prevents browsers/players from lingering after Chatterino is closed.
+#deterministic-shutdown
+# Add to chatterino.local to force Qt to use its wayland QPA plugin.
+#env QT_QPA_PLATFORM=wayland
+# memory-deny-write-execute may break streamlink and browser integration.
+#memory-deny-write-execute
+restrict-namespaces
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 152263f04..15169f983 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -130,6 +130,7 @@ catfish
 cawbird
 celluloid
 chafa
+chatterino
 checkbashisms
 cheese
 cherrytree
-- cgit v1.2.3-70-g09d2
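Review bot: `dbus-user.talk org.freedesktop.Flatpak` gives the sandboxed process talk access to the Flatpak session helper, whose `org.freedesktop.Flatpak.Development.HostCommand` method exists precisely to run commands outside a sandbox (it is what `flatpak-spawn --host` uses), so on a host where that service is on the session bus this single line turns the otherwise tight `dbus-user filter` policy into a sandbox escape. The name was evidently copied from Chatterino's Flatpak manifest along with the "Session Bus Policy from flatpak" block, but under firejail the application is not running inside Flatpak and has no use for it; drop the line, or if a concrete need is known leave it opt-in as `#dbus-user.talk org.freedesktop.Flatpak` with a comment saying why. The other copied names (`com.canonical.AppMenu.Registrar`, `org.kde.kconfig.notify`, `org.kde.KGlobalSettings`) look harmless, but since the comment presents the block as pasted verbatim, each is worth a one-line justification so the next editor does not extend it the same way.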