github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

Fixes for slack 4.4

Browse source 
I'd like to tighten this up more esp. for seccomp

- caps.keep sys_chroot needed or fails with
Cannot chroot into /proc/ directory: Operation not permitted
1. caps.drop all replaced with caps.keep
- caps.keep sys_admin needed or fails with
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

2. nonewprivs dropped to avoid failure:
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

3. noroot dropped to avoid failure:
[22:0404/121643.400578:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/slack/chrome-sandbox is owned by root and has mode 4755.

4. Removed protocol filter
to avoid:
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

5. Unable to get a working seccomp filter
See
https://github.com/netblue30/firejail/issues/2946#issuecomment-598612520
seccomp !chroot seems to have worked for earlier versions of slack

6. private-tmp means no tray icon

Observed on Debian 10, Slack 4.4.0
This commit is contained in:
Fred Barclay 2020-04-04 12:20:01 -05:00
parent 6d308b36d5
commit 516d08114f
No known key found for this signature in database
GPG key ID: 0B5AA1337E516DE1
1 changed files with 1 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

7
etc/slack.profile
View file

@ -19,16 +19,12 @@ whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-var-common.inc
caps.drop all
caps.keep sys_chroot,sys_admin
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
protocol unix,inet,inet6,netlink
seccomp !chroot
shell none
disable-mnt
@ -36,4 +32,3 @@ private-bin locale,slack
private-cache
private-dev
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
private-tmp