[GH-ISSUE #1734] private-etc templates

gitea-mirror commented

2026-05-05 07:35:38 -06:00

Owner

Originally created by @SkewedZeppelin on GitHub (Jan 16, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1734

I've been testing many of the profiles under Fedora 27 and quite a few are broken due to private-etc. See [0], [1], [2]. I think we should try and create some standardized templates for private-etc, test that they work across many distros, and then update all of the profiles. Optionally even create aliases (private-etc @[template]) to make it easier to maintain.

To start:

Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
Sound: alsa,asound.conf,machine-id,openal,pulse
Window Frameworks: fonts,gtk-2.0,gtk-3.0,pango,xdg

We also need to figure out when the following are necessary

group,host*,localtime,passwd,selinux,drirc

[0] - 68ccf1efee
[1] - 4efa2d8ee1
[2] - https://github.com/netblue30/firejail/issues/1724#issuecomment-356993922

Originally created by @SkewedZeppelin on GitHub (Jan 16, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1734 I've been testing many of the profiles under Fedora 27 and quite a few are broken due to private-etc. See [0], [1], [2]. I think we should try and create some standardized templates for private-etc, test that they work across many distros, and then update all of the profiles. Optionally even create aliases (`private-etc @[template]`) to make it easier to maintain. To start: - Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl - Sound: alsa,asound.conf,machine-id,openal,pulse - Window Frameworks: fonts,gtk-2.0,gtk-3.0,pango,xdg We also need to figure out when the following are necessary - group,host*,localtime,passwd,selinux,drirc [0] - 68ccf1efee030470bf3f1666429e31374f2ae3a6 [1] - 4efa2d8ee13bc2b7e802f628d8b953a4fcfd9eec [2] - https://github.com/netblue30/firejail/issues/1724#issuecomment-356993922

gitea-mirror added the

enhancement

help wanted

labels 2026-05-05 07:35:38 -06:00

gitea-mirror commented

2026-05-05 07:35:41 -06:00

Author

Owner

@d2s commented on GitHub (Jan 16, 2018):

It might make sense to have an ability to run the test suite on multiple distributions more easily.

Would it make sense to use whole virtual machines, or do Docker containers (or similar) provide enough of help for testing different platforms more frequently? Knowing that different distributions package applications in different ways (and most likely with different compiler settings), there are various ways same applications can work on different systems.

@d2s commented on GitHub (Jan 16, 2018): It might make sense to have an ability to run the test suite on multiple distributions more easily. Would it make sense to use whole virtual machines, or do Docker containers (or similar) provide enough of help for testing different platforms more frequently? Knowing that different distributions package applications in different ways (and most likely with different compiler settings), there are various ways same applications can work on different systems.

gitea-mirror commented

2026-05-05 07:35:43 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Jan 16, 2018):

Great idea @SpotComms!
I'm curious if we always need localtime to be included. There are probably some instances like Tor where we might not want to expose the local time inside the sandbox.
machine-id is another one that we might not want to include for every profile... but if I understand your post correctly it would only be included for programs that need audio.

@Fred-Barclay commented on GitHub (Jan 16, 2018): Great idea @SpotComms! I'm curious if we always need `localtime` to be included. There are probably some instances like Tor where we might not want to expose the local time inside the sandbox. `machine-id` is another one that we might not want to include for every profile... but if I understand your post correctly it would only be included for programs that need audio.

gitea-mirror commented

2026-05-05 07:35:44 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Jan 16, 2018):

@Fred-Barclay Yes, we definitely need to figure out when localtime and those others are needed. And machine-id does seem to be necessary for PulseAudio now.

@SkewedZeppelin commented on GitHub (Jan 16, 2018): @Fred-Barclay Yes, we definitely need to figure out when localtime and those others are needed. And machine-id does seem to be necessary for PulseAudio now.

gitea-mirror commented

2026-05-05 07:35:47 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Jan 16, 2018):

I don't remember - can we use the machine-id filter (not the private-etc argument, but the one that spoofs a new /etc/machine-id) and still have working audio?

@Fred-Barclay commented on GitHub (Jan 16, 2018): I don't remember - can we use the `machine-id` filter (not the private-etc argument, but the one that spoofs a new /etc/machine-id) and still have working audio?

gitea-mirror commented

2026-05-05 07:35:48 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Jan 16, 2018):

@SpotComms How about we set up a checklist of distros and programs to test various private-etc filters and programmes so we can do this without duplicating each other's work? Something like

Ubuntu
- firefox
- vlc
Arch
- firefox
- vlc
Fedora
- firefox
- vlc
Debian Stable
- firefox
- vlc
Debian Sid
- firefox
- vlc

EDIT: actually it might be better to set up a Project to keep track - what do you think?

@Fred-Barclay commented on GitHub (Jan 16, 2018): @SpotComms How about we set up a checklist of distros and programs to test various private-etc filters and programmes so we can do this without duplicating each other's work? Something like - [ ] Ubuntu - [ ] firefox - [ ] vlc - [ ] Arch - [ ] firefox - [ ] vlc - [ ] Fedora - [ ] firefox - [ ] vlc - [ ] Debian Stable - [ ] firefox - [ ] vlc - [ ] Debian Sid - [ ] firefox - [ ] vlc EDIT: actually it might be better to set up a [Project](https://github.com/netblue30/firejail/projects) to keep track - what do you think?

gitea-mirror commented

2026-05-05 07:35:50 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Jan 16, 2018):

@Fred-Barclay the checklist is simpler. I'll test the machine-id option right now on Fedora.

Edit:

So I tested machine-id with Lollypop on Fedora
neither = no audio
private-etc machine-id = working audio
machine-id = no audio
machine-id and private-etc machine-id = no audio

on Arch however, it appears neither are necessary for audio to work

@SkewedZeppelin commented on GitHub (Jan 16, 2018): @Fred-Barclay the checklist is simpler. I'll test the machine-id option right now on Fedora. Edit: So I tested machine-id with Lollypop on Fedora neither = no audio `private-etc machine-id` = working audio `machine-id` = no audio `machine-id` and `private-etc machine-id` = no audio on Arch however, it appears neither are necessary for audio to work

gitea-mirror commented

2026-05-05 07:35:51 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Jan 16, 2018):

Hmmm... oh well. I wonder why machine-id and private-etc machine-id break audio?

Somewhat unrelated question - are you running firejail 0.9.53 on Fedora? I haven't figured out how to build it without errors (see #1583, which we need to get fixed).

@Fred-Barclay commented on GitHub (Jan 16, 2018): Hmmm... oh well. I wonder why `machine-id` and `private-etc machine-id` break audio? Somewhat unrelated question - are you running firejail 0.9.53 on Fedora? I haven't figured out how to build it without errors (see #1583, which we need to get fixed).

gitea-mirror commented

2026-05-05 07:35:52 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Jan 16, 2018):

@Fred-Barclay 0.9.52, I too haven't figured out how to get either of the RPM build scripts to work.

@SkewedZeppelin commented on GitHub (Jan 16, 2018): @Fred-Barclay 0.9.52, I too haven't figured out how to get either of the RPM build scripts to work.

gitea-mirror commented

2026-05-05 07:35:53 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Jan 16, 2018):

I wonder how @netblue30 builds the rpms? We could probably figure out how to fix the scripts from that.

@Fred-Barclay commented on GitHub (Jan 16, 2018): I wonder how @netblue30 builds the rpms? We could probably figure out how to fix the scripts from that.

gitea-mirror commented

2026-05-05 07:35:54 -06:00

Author

Owner

@d2s commented on GitHub (Jan 17, 2018):

Is there a visible error message on a terminal if an application (like Firefox, etc.) does not have access to the required files? Could that be used as a part of automated tests in the future, if the issue is happening more frequently?

@d2s commented on GitHub (Jan 17, 2018): Is there a visible error message on a terminal if an application (like Firefox, etc.) does not have access to the required files? Could that be used as a part of automated tests in the future, if the issue is happening more frequently?

gitea-mirror commented

2026-05-05 07:35:55 -06:00

Author

Owner

@topimiettinen commented on GitHub (Jan 17, 2018):

Pulseaudio uses machine id for some purposes, so audio may break in all programs using Pulseaudio with random machine-id.

@topimiettinen commented on GitHub (Jan 17, 2018): Pulseaudio uses machine id for some purposes, so audio may break in all programs using Pulseaudio with random machine-id.

gitea-mirror commented

2026-05-05 07:35:56 -06:00

Author

Owner

@smitsohu commented on GitHub (Feb 1, 2018):

For KDE apps, the following seems to be a consensus: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg. I've tested some apps on Arch, Fedora, Debian, KDE Neon (Ubuntu), and updated their profiles in 8aec7694cb

Without machine-id I found the apps fail to start on Fedora Gnome (with D-Bus error).

I omitted passwd for now, everything seems to run ok without.... kdenlive already had passwd before, and I don't feel comfortable dropping it because I'm not overly familiar with the program

@smitsohu commented on GitHub (Feb 1, 2018): For KDE apps, the following seems to be a consensus: `fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg`. I've tested some apps on Arch, Fedora, Debian, KDE Neon (Ubuntu), and updated their profiles in 8aec7694cb4c7c0d07b333b689ab19faacb519f9 Without `machine-id` I found the apps fail to start on Fedora Gnome (with D-Bus error). I omitted `passwd` for now, everything seems to run ok without.... kdenlive already had `passwd` before, and I don't feel comfortable dropping it because I'm not overly familiar with the program

gitea-mirror commented

2026-05-05 07:35:58 -06:00

Author

Owner

@smitsohu commented on GitHub (Feb 2, 2018):

It is only a detail, but do we actually need pulse in private-etc? Not that it hurts much to include it, but from my understanding firejail ensures that there is a local client.conf, so the global one in /etc should be always ignored.

@smitsohu commented on GitHub (Feb 2, 2018): ~~It is only a detail, but do we actually need `pulse` in private-etc? Not that it hurts much to include it, but from my understanding firejail ensures that there is a local client.conf, so the global one in /etc should be always ignored.~~

gitea-mirror commented

2026-05-05 07:36:00 -06:00

Author

Owner

@smitsohu commented on GitHub (Feb 2, 2018):

We also need to figure out when the following are necessary
group,host*,localtime,passwd,selinux

I don't know close to anything about selinux, but it is maybe worth noting that we blacklist /etc/selinux in disable-common.inc

@smitsohu commented on GitHub (Feb 2, 2018): > We also need to figure out when the following are necessary group,host*,localtime,passwd,selinux I don't know close to anything about `selinux`, but it is maybe worth noting that we blacklist /etc/selinux in disable-common.inc

gitea-mirror commented

2026-05-05 07:36:02 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Feb 2, 2018):

@smitsohu I agree we might be able to remove pulse and in general blacklist selinux (although some programs do seem to fopen it, they still seem to work without). If possible I'd like to remove passwd and related files.

@SkewedZeppelin commented on GitHub (Feb 2, 2018): @smitsohu I agree we might be able to remove pulse and in general blacklist selinux (although some programs do seem to fopen it, they still seem to work without). If possible I'd like to remove passwd and related files.

gitea-mirror commented

2026-05-05 07:36:03 -06:00

Author

Owner

@smitsohu commented on GitHub (Feb 4, 2018):

Regarding localtime: The current Apparmor base abstraction contains the following

  # The __canary_death_handler function writes a time-stamped log
  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  # and localisations of date should be available EVERYWHERE, so
  # StackGuard, FormatGuard, etc., alerts can be properly logged.
  /dev/log                       w,
  /dev/random                    r,
  /dev/urandom                   r,
  /etc/locale/**                 r,
  /etc/locale.alias              r,
  /etc/localtime                 r,
  /etc/writable/localtime        r,
  /usr/share/locale-bundle/**    r,
  /usr/share/locale-langpack/**  r,
  /usr/share/locale/**           r,
  /usr/share/**/locale/**        r,
  /usr/share/zoneinfo/           r,
  /usr/share/zoneinfo/**         r,
  /usr/share/X11/locale/**       r,
  /{,var/}run/systemd/journal/dev-log w,
  # systemd native journal API (see sd_journal_print(4))
  /{,var/}run/systemd/journal/socket w,
  # Nested containers and anything using systemd-cat need this. 'r' shouldn't
  # be required but applications fail without it. journald doesn't leak
  # anything when reading so this is ok.
  /{,var/}run/systemd/journal/stdout rw,

  /usr/lib{,32,64}/locale/**             mr,
  /usr/lib{,32,64}/gconv/*.so            mr,
  /usr/lib{,32,64}/gconv/gconv-modules*  mr,
  /usr/lib/@{multiarch}/gconv/*.so           mr,
  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,

Do we consider this relevant for us?

On another note, we probably will want to make /etc/dconf available to most Gnome apps, as settings can be locked there and will then override the local configuration (KDE keeps its global overrides in kde4rc, kde5rc and xdg).

@smitsohu commented on GitHub (Feb 4, 2018): Regarding `localtime`: The current Apparmor base abstraction contains the following ``` # The __canary_death_handler function writes a time-stamped log # message to /dev/log for logging by syslogd. So, /dev/log, timezones, # and localisations of date should be available EVERYWHERE, so # StackGuard, FormatGuard, etc., alerts can be properly logged. /dev/log w, /dev/random r, /dev/urandom r, /etc/locale/** r, /etc/locale.alias r, /etc/localtime r, /etc/writable/localtime r, /usr/share/locale-bundle/** r, /usr/share/locale-langpack/** r, /usr/share/locale/** r, /usr/share/**/locale/** r, /usr/share/zoneinfo/ r, /usr/share/zoneinfo/** r, /usr/share/X11/locale/** r, /{,var/}run/systemd/journal/dev-log w, # systemd native journal API (see sd_journal_print(4)) /{,var/}run/systemd/journal/socket w, # Nested containers and anything using systemd-cat need this. 'r' shouldn't # be required but applications fail without it. journald doesn't leak # anything when reading so this is ok. /{,var/}run/systemd/journal/stdout rw, /usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/gconv/*.so mr, /usr/lib{,32,64}/gconv/gconv-modules* mr, /usr/lib/@{multiarch}/gconv/*.so mr, /usr/lib/@{multiarch}/gconv/gconv-modules* mr, ``` Do we consider this relevant for us? On another note, we probably will want to make /etc/dconf available to most Gnome apps, as settings can be locked there and will then override the local configuration (KDE keeps its global overrides in kde4rc, kde5rc and xdg).

gitea-mirror referenced this issue

2026-05-05 10:09:25 -06:00

[PR #1174] [MERGED] firejail.config cleanup #3868

Rows
Columns

[GH-ISSUE #1734] private-etc templates #1174