[GH-ISSUE #1553] private-dev disables access for U2F #1034

Closed
opened 2026-05-05 07:20:02 -06:00 by gitea-mirror · 9 comments

Originally created by @hlieberman on GitHub (Sep 15, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1553

Because private-dev doesn't allow access to raw USB HID devices, it's currently not possible to use a firejailed version of a browser.

I think it makes a lot of sense for private-dev to restrict access to these devices in the general case, but perhaps a way to allow you to white-list additional devices would be a way to work around this issue? That way, browsers could opt-in to slightly increase their attack surface by just allowing usb HID access (/dev/usb/hiddev*), as opposed to disabling private-dev altogether.


@SkewedZeppelin commented on GitHub (Sep 15, 2017):

See #1176 and #1381
Duplicate of #1446


@hlieberman commented on GitHub (Sep 15, 2017):

@SpotComms, forgive me, but... #1446 doesn't seem to indicate you're able to mix whitelisting with private-dev.

When I try the simple thing of

```
# raw USB HID node for the key, plus private-dev
whitelist /dev/usb/hiddev0
private-dev
```

It launches Firefox in a way that it can't write to the screen, and quickly crashes. I don't think you can whitelist devices inside of private-dev?


@SkewedZeppelin commented on GitHub (Sep 15, 2017):

Yes, #1446 was closed but the idea (fine-grained control of /dev) has still not been implemented. private-dev doesn't take into account whitelist. For now the only option is just commenting private-dev.


@smitsohu commented on GitHub (Sep 15, 2017):

> I don't think you can whitelist devices inside of private-dev?

It is actually possible to run _without_ private-dev

```
# the nodes private-dev keeps
whitelist /dev/dri
whitelist /dev/full
whitelist /dev/log
whitelist /dev/null
whitelist /dev/ptmx
whitelist /dev/pts
whitelist /dev/random
whitelist /dev/shm
whitelist /dev/snd
whitelist /dev/tty
whitelist /dev/urandom
whitelist /dev/zero
# plus the raw USB HID node
whitelist /dev/usb/hiddev0
```

and it will replicate what private-dev does, plus whitelisting the HID. It is possible you need to take out `whitelist /dev/log`.
Maybe it can serve as a workaround for you until we have something better.


@netblue30 commented on GitHub (Sep 18, 2017):

I think we should do it. What entries in /dev are these devices bringing in?


@hlieberman commented on GitHub (Sep 21, 2017):

/dev/usb/hiddev[0-9]+.

Both FF (nightly) and Chrome will need it.


@hlieberman commented on GitHub (Sep 21, 2017):

For the record, the whitelisting trick doesn't work. I'm not sure exactly why; I can see the device when I navigate to /dev/usb through the browser, but it doesn't work even on u2f demo pages. (https://demo.yubico.com/u2f).


@chiraag-nataraj commented on GitHub (Jun 11, 2018):

@hlieberman I had the same issue until I tried plugging in the Yubikey before starting firefox. That works perfectly fine. My guess is that the Yubikey gets confused for some reason and switches into OTP mode, thus not allowing U2F authentication. I'm opening a separate bug for that.

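The workaround that the thread converges on (smitsohu's whitelist list in place of `private-dev`, plus chiraag-nataraj's observation that the key has to be plugged in before the sandbox starts) fits in a small launcher. The script below is an added example, not code from the firejail project or from anyone in this thread. It assumes the device list posted above, a hypothetical `DEV_ROOT` argument so the check can be exercised against a constructed `/dev` tree, and that the emitted lines are meant to replace the `private-dev` line in the browser's profile; `firejail --profile=FILE` is the real option name.

```shell
#!/bin/sh
# Added example (not firejail's own code, not from this thread's participants).
# Builds a profile that lists the device nodes private-dev would keep, plus the
# /dev/usb/hiddev* nodes a browser needs for U2F, and refuses to start until the
# key is already plugged in, because a key inserted after launch is not picked up.
# Assumption: DEV_ROOT is a hypothetical parameter for testing against a
# constructed /dev tree; the real launcher always uses /dev.

# Nodes private-dev keeps, as listed in the thread. /dev/log may need dropping.
PRIVATE_DEV_LIST="/dev/dri /dev/full /dev/log /dev/null /dev/ptmx /dev/pts /dev/random /dev/shm /dev/snd /dev/tty /dev/urandom /dev/zero"

# find_hid_nodes [DEV_ROOT]: print each /dev/usb/hiddev* node present under
# DEV_ROOT (default /dev), as the path the sandbox will see it.
find_hid_nodes() {
    root="${1:-/dev}"
    for n in "$root"/usb/hiddev*; do
        [ -e "$n" ] || continue   # an unmatched glob stays literal; skip it
        echo "/dev/usb/${n##*/}"
    done
}

# make_profile [DEV_ROOT]: emit whitelist lines for the private-dev set plus
# every HID node found. Returns 1 with no output when no HID node exists yet.
make_profile() {
    root="${1:-/dev}"
    hid=$(find_hid_nodes "$root")
    if [ -z "$hid" ]; then
        echo "no /dev/usb/hiddev* node under $root; plug the key in before launching" >&2
        return 1
    fi
    # Deliberately no private-dev line: private-dev ignores whitelist.
    for d in $PRIVATE_DEV_LIST $hid; do
        echo "whitelist $d"
    done
}

# launch_sandboxed PROGRAM [ARGS...]: write the profile to a temp file and start
# PROGRAM under it (firejail must be on PATH; --profile=FILE is a real option).
launch_sandboxed() {
    prof=$(mktemp) || return 1
    if ! make_profile /dev > "$prof"; then
        rm -f "$prof"
        return 1
    fi
    firejail --profile="$prof" "$@"
}
```

Usage is `launch_sandboxed firefox` after the key is inserted; if it is not, the script exits with a message instead of starting a browser that will silently fail on U2F pages. Merge the generated lines into the browser's own profile (or a `.local` override) rather than running with only these lines, since the whitelist here covers `/dev` only.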

@chiraag-nataraj commented on GitHub (Jun 12, 2018):

Solved with 197bcc86c1a1f4c75d6a42a850e0619b3268db1e (read the comments at #1990 if you're curious as to why the Yubikey doesn't work if you remove it and plug it back in while the `firejail`'d program is running).

Reference: github-starred/firejail#1034