mirror of https://github.com/netblue30/firejail.git (synced 2026-05-15 14:16:14 -06:00)
[GH-ISSUE #2120] nonewprivs exceptions? #1436
Originally created by @b-misc on GitHub (Sep 24, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2120
Is it possible to allow specified exceptions from nonewprivs ("friend")?
What I want to achieve is the following:
Firefox runs in its sandbox. Firefox is allowed to start pass by using the passff add-on. Pass needs access to both .gnupg and .password-store. By adding a pass profile and adding an exception for firefox' nonewprivs, firefox could invoke pass with the pass firejail profile, while all other subprocesses are still restricted by the firefox profile and I wouldn't have to allow firefox access to .gnupg and .password-store.
Would this be a security concern?
Are there better ways to achieve this?
@Vincent43 commented on GitHub (Sep 24, 2018):
Currently there is no support to launch a different profile from an existing one like in AppArmor. It can be achieved by exploiting holes in the sandbox, i.e. through dbus escape, but it's not something intended.
@b-misc commented on GitHub (Sep 25, 2018):
Other idea: use a kind of passff, passff-host-daemon and a socket.
Should that work?
I think of splitting passff-host into two binaries, the first ("passff-host-new") invoked by pass, running with firefox' rights. It cannot access .gnupg and .password-store, but is allowed to access a socket.
The second ("passff-host-d") gets started either at login time or whenever firefox is started. It has its own firejail profile and listens for connections by passff-host-new via the socket.
Do you think this will work?
Are there any negative security implications?
(Also posted at https://github.com/passff/passff)
@chiraag-nataraj commented on GitHub (Sep 25, 2018):
@b-misc Yes, a daemon/client model should work. For example, mpd works like this and I can give the client access to the specific socket while sandboxing the daemon separately.
@Vincent43 commented on GitHub (Sep 25, 2018):
The problem would be how to restrict access to that socket to passff-host-new only and prevent access from everything else.
@chiraag-nataraj commented on GitHub (Sep 25, 2018):
@Vincent43 Right, but if it's a regular socket on the filesystem, that restriction is trivial. Abstract sockets are harder, of course.
@chiraag-nataraj commented on GitHub (Oct 3, 2018):
I don't think we can do much on this end, so I'm going to close this. The easiest way to fix this is to pester the passff people to implement a daemon/client model. Until then, you're unfortunately going to have to either allow firefox to access .password-store (and everything else necessary) or run pass externally (what I currently do).
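The daemon/client split proposed in this thread, as an added example (not code from passff or firejail): the daemon that owns the secrets binds a filesystem Unix socket created under a 077 umask and checks the connecting peer's UID, while a small client relays a single query and never touches the store itself. The socket path, the one-line request format and the in-memory store are constructed for the illustration.

```python
import os, socket, struct, tempfile, threading

STORE = {"example.org/login": "correct horse battery staple"}  # constructed stand-in for ~/.password-store, daemon-only

def peer_uid(conn):
    """UID of the connected peer via SO_PEERCRED (Linux only); None where unsupported."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", creds)[1]  # struct ucred is (pid, uid, gid)

def handle_one(srv):
    """Daemon side: answer a single request, refusing a peer that runs as another user."""
    conn, _ = srv.accept()
    with conn, srv:
        uid = peer_uid(conn)
        if uid is not None and uid != os.getuid():
            conn.sendall(b"DENY\n")
            return
        name = conn.recv(4096).decode(errors="replace").strip()
        secret = STORE.get(name)
        conn.sendall(b"OK " + secret.encode() + b"\n" if secret else b"NOTFOUND\n")

def start_daemon(path):
    """Bind the filesystem socket under umask 077 so only its owner can connect (mode 0700)."""
    old = os.umask(0o077)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    srv.listen(1)
    worker = threading.Thread(target=handle_one, args=(srv,), daemon=True)
    worker.start()
    return worker

def lookup(path, name):
    """Client side (the half that would live in the Firefox sandbox): relay one query."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(name.encode() + b"\n")
        return c.recv(4096).decode().strip()

def demo(name):
    """Run daemon and client in one process; return (reply, socket permission bits)."""
    path = os.path.join(tempfile.mkdtemp(), "passff.sock")
    worker = start_daemon(path)
    reply = lookup(path, name)
    worker.join(5)
    return reply, os.stat(path).st_mode & 0o777
```

The client sandbox then only needs that one socket path made visible to it, which is the filesystem-level restriction the thread describes as trivial for a non-abstract socket.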