mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #2030] Snapper - **/.snapshots #1366
Labels
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/firejail#1366
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Saren-Arterius on GitHub (Jul 5, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2030
I am using default rules for firefox and I discovered that Snapper+btrfs's /.snapshots is unmasked, which means firefox can access it, also the files intended to protect (ssh keys...)
Please
blacklist /.snapshotsor evenblacklist **/.snapshotsif possible indisable-common.inc.@chiraag-nataraj commented on GitHub (Jul 9, 2018):
Heh. This is why I usually have my own set of profiles with whitelists rather than blacklists. I'll put it in and see what @netblue30 and others think.
@chiraag-nataraj commented on GitHub (Jul 11, 2018):
@Saren-Arterius Since I don't user snapper at all and don't really know how the layout works (one
.snapshotsdirectory per filesystem? one per mountpoint? one global one?), I just blacklisted/.snapshotsfor now. Honestly, this tells me we should be working towards a generic whitelist-based system in terms of firejail defaults (right now, you can only whitelist stuff with a top directory of~/,/dev,/etc,/media,/mnt,/opt,/srv,/sys/module,/usr/share,/var, and/tmp). I'm not quite sure why we don't allow a whitelist of arbitrary paths (maybe @netblue30 can answer that?), but that is something I'd like to see (basically, let's givewhitelistthe same level of generality asblacklist).@Saren-Arterius commented on GitHub (Jul 11, 2018):
Hi, .snapshots is per filesystem or subvolumes for btrfs. I dont know about
LVM.
在 2018年7月11日週三 15:47,ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com 寫道:
@chiraag-nataraj commented on GitHub (Jul 11, 2018):
谢谢! Actually, in this case, an apparmor profile addition may be more warranted, since I'm not entirely certain how globbing works with
blacklistin firejail. That is, I'm not sure if e.g.**/.snapshotswould match any.snapshotsdirectory on the system or whether it would only match.snapshotsdirectories below a top-level directory. With AppArmor, the globbing itself is fairly well documented (as well as with a couple of examples). So we can definitely block/.snapshotsby default (as I put in), but something more dynamic like what you are looking for may be better served through AppArmor.@chiraag-nataraj commented on GitHub (Jul 11, 2018):
I could also be entirely mistaken and
**/.snapshotswould match any.snapshotsdirectory on the system... 😂@chiraag-nataraj commented on GitHub (Jul 11, 2018):
I'll change it to
**/.snapshotsand close this for now.@chiraag-nataraj commented on GitHub (Jul 11, 2018):
So...
**/.snapshotswill not do what you want. Leaving this open for now until I find a resolution.@chiraag-nataraj commented on GitHub (Jul 11, 2018):
It will only block
.snapshotsdirectories at most one level below/(e.g./home/.snapshotsis blocked, but/home/<user>/.snapshotsis not). I will look into putting in an AppArmor rule.@chiraag-nataraj commented on GitHub (Jul 11, 2018):
Okay, the AppArmor glob does what you want - it blocks all .snapshots directories no matter how deep they go. See
6108f459e3.