This is currently only present in `private-etc` in mutt.profile, though
it may also be used by other programs that use GNU TLS.
This was added to mutt.profile on commit a8a8e33bc ("Add whitelisting to
mutt; improve geary, new profile for neomutt", 2020-12-28) / PR #3849.
Relates to #6400.

mpv crashes if luajit is blocked:
$ firejail --quiet --noprofile \
--include=/etc/firejail/disable-interpreters.inc /usr/bin/mpv
/usr/bin/mpv: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied
So make sure that allow-lua.inc is always included when mpv paths (such
as ~/.config/mpv) are allowed.
Environment: luajit 2.1.1727870382-1, mpv 1:0.39.0-3 on Artix Linux.
Related commits:
* db2bdaadd ("add lua support for mpv (#3243)", 2020-02-24) /
PR #3243
* d6a6fb905 ("Allow Lua for mpv in dolphin.profile", 2020-04-18) /
issue #3363
* f3585e539 ("fixes, closes, enhances, improvements, and so on",
2020-11-09) /
issue #3686
* 3ec523f11 ("profiles: anki: allow lua", 2024-11-14) /
PR #6545

As reported by @kmille[1]:
The current `tesseract` profile breaks `ocrmypdf`:
kmille@linbox:scans ocrmypdf C.pdf del.pdf
Scanning contents ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1/1 0:00:00
1 Error, could not create hOCR output file: No such file or directory tesseract.py:253
1 Error, could not create TXT output file: No such file or directory tesseract.py:253
OCR ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0% 0/1 -:--:--
An exception occurred while executing the pipeline _common.py:294
Traceback (most recent call last):
File "/usr/lib/python3.12/site-packages/ocrmypdf/_pipelines/_common.py", line 259, in
cli_exception_handler
return fn(options, plugin_manager)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
File "/usr/lib/python3.12/pathlib.py", line 840, in stat
return os.stat(self, follow_symlinks=follow_symlinks)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ocrmypdf.io.0od81kk5/000001_ocr_hocr.hocr'
These are some of the commands that run in background:
[...]
2024/11/23 22:13:53 PID=403915 UID=0 CMD=/usr/bin/firejail /usr/bin/tesseract --list-langs
2024/11/23 22:13:53 PID=403917 UID=0 CMD=/run/firejail/lib/fcopy /usr/bin/text2image /run/firejail/mnt/bin
2024/11/23 22:13:53 PID=403939 UID=1000 CMD=gs -dQUIET [...] -f /tmp/ocrmypdf.io.0od81kk5/origin.pdf
[...]
2024/11/23 22:14:03 PID=403953 UID=0 CMD=tesseract -l eng /tmp/ocrmypdf.io.0od81kk5/000001_ocr.png [...]
Fixes #6550.
[1] https://github.com/netblue30/firejail/issues/6550#issue-2686607038
Reported-by: @kmille
Suggested-by: @kmille

According to @rusty-snake[1]:
> Distributions started to replace wget with wget2 (i.e. `wget` and
> `wget2` are the same binary where one of them is a symlink to the
> other).
So move all custom entries (other than `private-bin`) from wget2.profile
into wget.profile and turn wget2.profile into more of a redirect to
wget.profile.
[1] https://github.com/netblue30/firejail/pull/6542#pullrequestreview-2426287045

wget appears to require access to this directory for HSTS & HPKP.
Without access to this directory, I get the following error when running
wget:
Failed to read HSTS data
Failed to read HPKP data
Failed to write HSTS file
This fixes it.

Make them match the comments in profile.template.
Command used to search for potential issues:
$ git grep -E '# Allow [A-Z][A-Za-z]+ .* \(blacklisted'

Added on commit 3af6c4068 ("Add Chatterino profile", 2022-12-24) /
PR #5556.

Anki uses mpv to play media, which requires the lua interpreter.
Without this, anki displays this error in the console and falls back to
mplayer:
mpv: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied
Traceback (most recent call last):
File "/usr/lib/python3.12/site-packages/aqt/sound.py", line 854, in setup_audio
mpvManager = MpvManager(base_folder, media_folder)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/aqt/sound.py", line 408, in __init__
super().__init__(window_id=None, debug=False)
File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 442, in __init__
super().__init__(*args, **kwargs)
File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 104, in __init__
self._start_socket()
File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 194, in _start_socket
raise MPVProcessError("unable to start process")
aqt.mpv.MPVProcessError: unable to start process
mpv too old or failed to open, reverting to mplayer

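The rule stated in the mpv and anki commits above (allow-lua.inc must be included whenever mpv paths are allowed, otherwise disable-interpreters.inc blocks libluajit and mpv fails to start) can be checked mechanically over profile text. The following lint is an added example, not code from the firejail project: the sample profiles are constructed, and the ordering check (allow-lua.inc's `noblacklist` lines must precede the `include disable-interpreters.inc` line they are meant to exempt) is assumed from firejail's documented profile semantics.

```python
"""Lint firejail profile text for the mpv/Lua pitfall (added example)."""
import re

# Lines that grant access to an mpv path, e.g. "whitelist ${HOME}/.config/mpv".
MPV_PATH_RE = re.compile(r"^\s*(?:whitelist|noblacklist|mkdir|mkfile)\s+\S*/mpv(?:/|\s|$)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def lint_mpv_lua(profile_text: str) -> list[str]:
    """Return a list of findings; an empty list means the profile is fine."""
    mpv_line = None
    allow_lua_at = None
    disable_interp_at = None
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        if mpv_line is None and MPV_PATH_RE.match(line):
            mpv_line = lineno
        m = INCLUDE_RE.match(line)
        if m:
            name = m.group(1)
            if name == "allow-lua.inc" and allow_lua_at is None:
                allow_lua_at = lineno
            elif name == "disable-interpreters.inc" and disable_interp_at is None:
                disable_interp_at = lineno
    findings = []
    if mpv_line is None or disable_interp_at is None:
        # Nothing to check: no mpv paths, or Lua is not blocked by this profile anyway.
        return findings
    if allow_lua_at is None:
        findings.append(
            f"line {mpv_line}: mpv path allowed but allow-lua.inc is not included "
            f"(disable-interpreters.inc at line {disable_interp_at} blocks libluajit)"
        )
    elif allow_lua_at > disable_interp_at:
        # Assumption: noblacklist entries only exempt blacklist lines that come after them.
        findings.append(
            f"line {allow_lua_at}: allow-lua.inc is included after "
            f"disable-interpreters.inc (line {disable_interp_at}); move it before"
        )
    return findings


# Constructed sample profiles, not firejail's real ones.
GOOD_PROFILE = """\
# mpv-like profile: allow-lua.inc comes before the interpreter blacklist
include allow-lua.inc
mkdir ${HOME}/.config/mpv
whitelist ${HOME}/.config/mpv
include disable-interpreters.inc
"""

MISSING_PROFILE = """\
whitelist ${HOME}/.config/mpv
include disable-interpreters.inc
"""

OUT_OF_ORDER_PROFILE = """\
whitelist ${HOME}/.config/mpv
include disable-interpreters.inc
include allow-lua.inc
"""

if __name__ == "__main__":
    samples = [("good", GOOD_PROFILE), ("missing", MISSING_PROFILE),
               ("out-of-order", OUT_OF_ORDER_PROFILE)]
    for name, text in samples:
        print(name + ":", lint_mpv_lua(text) or "ok")
```

Run it over `etc/profile-*/*.profile` by reading each file into `lint_mpv_lua` to catch the next profile that whitelists `~/.config/mpv` without the Lua exemption.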
While gamepads apparently work fine in the Steam client itself, `nou2f`
appears to make gamepads unresponsive inside certain games while using
"Steam Input" (possibly due to `nou2f` blocking access to `/dev/hidraw*`
devices).
This issue reportedly affects at least the following games on Steam:
"Undertale", "Persona 4 Golden" and "Persona 5 Royal".
Disable nou2f to ensure that gamepads can be used.
Relates to #6523.
Reported-by: @opqriu

This fixes access to Thunderbird system policies, which can be set
system-wide via `/etc/thunderbird/policies/policies.json`.
Users can also use this directory to set different default preferences.
Relates to #6400 #6435.

See etc/templates/profile.template.
Added on commit f3d126bf1 ("disable curl and wget in browsers based on
firefox and chromium", 2021-12-18).
Relates to #4852.

Based on the report by @Saren-Arterius[1]:
Since GNOME gvfs 1.53+, the ssh client options `ControlMaster=auto` and
`ControlPath=/run/user/$UID/gvfsd-sftp/%C` are used to mount sftp.
Since `/run/user/$UID/gvfsd-sftp` is not whitelisted, gvfs sftp mount
with nautilus will fail with a meaningless error message shown in the
UI.
Steps to reproduce[1]:
Prepare ssh server or localhost, then run:
ssh -o"ForwardX11 no" -o"ForwardAgent no" \
-o"PermitLocalCommand no" -o"ClearAllForwardings yes" \
-o"NoHostAuthenticationForLocalhost yes" \
-o"ControlMaster auto" \
-o"ControlPath=/run/user/${UID}/gvfsd-sftp/test" \
-s {SSH_HOST} sftp
stderr shows:
unix_listener: cannot bind to path /run/user/$UID/gvfsd-sftp/test.{RANDOM_STRING}: No such file or directory
And ssh exits with error code 255.
Fixes #5816.
[1] https://github.com/netblue30/firejail/issues/5816#issue-1695295931
Reported-by: @Saren-Arterius
Suggested-by: @Saren-Arterius
Reported-by: @Alex-Farol
Reported-by: @mirko

It appears that LibreWolf 129 uses `io.gitlab.firefox.*` as the dbus
name.
Commands used to check the dbus name:
$ busctl --user --no-legend | grep -v '^:' | grep librewolf |
sed -E 's/(^[^ ]+\.)[^. ]+ .*/\1/'
io.gitlab.firefox.
Commands used to test dbus communication:
# Open a new browser instance:
$ firejail --name=lwtest --ignore=name --ignore='dbus-user none' \
--dbus-user=filter --dbus-user.own='io.gitlab.firefox.*' \
--private --net=none --ignore=net /usr/bin/librewolf
# In another shell, try to open a new tab:
$ firejail --join=lwtest /usr/bin/librewolf --new-tab about:blank
# Check that the new tab was opened
Related commits:
* c3f299620 ("Let programs outside librewolf sandbox open new tabs in
librewolf (#4546)", 2021-09-19)
* a8ad9cad1 ("Update librewolf.profile: use new message bus",
2022-02-03) / PR #4897
* 4211ee323 ("merges", 2022-02-04)
Fixes #6413.
Misc: This was noticed on #6444.
Reported-by: @Lonniebiz

These paths are apparently used for attachments.
Disable private-tmp to make it easier to open attachments with external
programs.
Relates to #5101.
Reported-by: @githlp
Suggested-by: @rusty-snake

It's used by libdvdcss (which is used to play copy-restricted dvds).
It seems to be just a cache directory, so just allow without mkdir.
Relates to #5391.
Suggested-by: @reinerh

Changes:
- Allow shell access (bitwarden-desktop may be a shell script)
- Enable whitelist-usr-share-common.inc
- Introduce a new redirect for bitwarden-desktop
- Add the new redirect to firecfg
Relates to #6442.

By default, Zoom records meetings to ~/Documents/Zoom. Add that folder
to the whitelist so that future users don't lose their meeting
recordings upon shutting Zoom down.
Fixes #4006.

It was enabled in firefox-common.inc on commit 34d004892 ("private-etc:
corss-distro test for curl, gimp, inkscape, firefox, warzone2100",
2023-01-28), but not in the profiles that include it.
Enable it in the including profiles as well.
Note: This was already done for firefox.profile on commit 76249284f
("firefox: fix private-etc firefox", 2023-06-02) / PR #5844.
Relates to #6400.

If a custom GPG homedir is used, a hash of its path is used in the path
of the gpg agent socket[1].
For example, when running:
gpgconf --list-dirs agent-ssh-socket
With a custom homedir it returns:
/run/user/1000/gnupg/<hashed homedir>/S.gpg-agent.ssh
Environment: gnupg 2.4.5-4 on Arch Linux.
[1] 91532dc3f4/common/homedir.c (L1342)

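To whitelist the agent socket of a custom GPG homedir in a profile, one needs the hashed directory name the commit above refers to. The script below is an added example, not gnupg's or firejail's code; its derivation (SHA-1 of the absolute homedir path, first 15 bytes z-base-32 encoded into 24 characters, placed under `$XDG_RUNTIME_DIR/gnupg/d.`, with the default homedir mapping to `$XDG_RUNTIME_DIR/gnupg` itself) is my reading of the linked homedir.c and is an assumption here, so compare its output with `gpgconf --list-dirs agent-ssh-socket` before relying on it. The paths in the usage section are constructed.

```python
"""Derive the gpg-agent socket directory for a custom homedir (added example)."""
import hashlib

# z-base-32 alphabet (RFC 6189 / Zooko); GnuPG's zb32_encode uses the same table.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zb32_encode(data: bytes) -> str:
    """z-base-32 encode; any leftover bits are zero-padded on the right."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32_ALPHABET[(acc >> nbits) & 31])
    if nbits:
        out.append(ZB32_ALPHABET[(acc << (5 - nbits)) & 31])
    return "".join(out)


def gpg_socketdir(homedir: str, runtime_dir: str, default_homedir: str) -> str:
    """Directory holding the S.gpg-agent* sockets for `homedir`.

    Assumption (my reading of gnupg common/homedir.c): the default homedir
    uses $XDG_RUNTIME_DIR/gnupg directly; any other homedir gets a
    subdirectory named "d." + zb32(sha1(homedir)[:15]).
    """
    if homedir.rstrip("/") == default_homedir.rstrip("/"):
        return f"{runtime_dir}/gnupg"
    digest = hashlib.sha1(homedir.rstrip("/").encode()).digest()
    return f"{runtime_dir}/gnupg/d.{zb32_encode(digest[:15])}"


def firejail_whitelist_line(homedir: str, runtime_dir: str, default_homedir: str) -> str:
    """Profile line granting the sandbox access to that socket directory.

    /run/user/<uid> is spelled with firejail's ${RUNUSER} macro so the
    line works for any uid.
    """
    sockdir = gpg_socketdir(homedir, runtime_dir, default_homedir)
    if sockdir.startswith(runtime_dir + "/"):
        sockdir = "${RUNUSER}" + sockdir[len(runtime_dir):]
    return f"whitelist {sockdir}"


if __name__ == "__main__":
    # Constructed sample values; substitute your own homedir and uid.
    print(gpg_socketdir("/home/alice/keys", "/run/user/1000", "/home/alice/.gnupg"))
    print(firejail_whitelist_line("/home/alice/keys", "/run/user/1000", "/home/alice/.gnupg"))
```

Because the hash depends on the exact path string, a profile cannot cover arbitrary custom homedirs with one fixed entry; either whitelist the computed `d.<hash>` directory per user, or keep the whole `${RUNUSER}/gnupg` directory accessible as the commit does.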
Much like the i3 IPC socket (#6361), the sway IPC socket also allows
arbitrary code execution via the `exec` subcommand. Access should only
be permitted to sway itself by default.
The location of the IPC socket is set in sway/ipc-server.c:
7e74a49142/sway/ipc-server.c (L126)

There are a lot of common options in the `d-feet` and `d-spy` profiles.
Create a new common include file and refactor the existing profiles as
redirects.
Relates to #2492 #6328.

An ssh private key may be stored in a Trusted Platform Module (TPM)
device and `private-dev` in ssh.profile currently breaks this use-case,
as it does not keep tpm devices (see #6379).
So add a new `notpm` command and keep tpm devices in /dev by default
with `private-dev` unless `notpm` is used.

Fractal 7 (and possibly earlier) stores messages and key material in
${XDG_DATA_DIR}/fractal which defaults to ~/.local/share/fractal.
Lack of access causes it to be unable to load messages offline and
de- or encrypt messages even when online without sharing keys again.

It is apparently used by the (widely used) "Fancy" plugin, which
"Renders HTML e-mail using the WebKit library".
https://www.claws-mail.org/plugins.php
Relates to #6377.
Note: etc/profile-a-l/email-common.profile contains `private-cache`.