[GH-ISSUE #2287] restrict KDE sockets better #1526

Closed
opened 2026-05-05 08:11:15 -06:00 by gitea-mirror · 7 comments

Originally created by @smitsohu on GitHub (Dec 3, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2287

In disable-common.inc, we currently restrict kdeinit sockets like so

```
# kdeinit socket
blacklist /run/user/*/kdeinit5__*
# blacklist /run/user/*/ksocket-*/kdeinit4__*
# blacklist /tmp/ksocket-*/kdeinit4__*
#  - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
```

These lines were introduced to defend against sandbox escapes. However, there are still the KIO slave sockets, which, if I understand it right now, are also problematic (though abusing them is maybe more difficult).

So I proposed #2285 as a fix. This patch works, but not in every situation. The problem is that the slave sockets are created dynamically, and we cannot cover changes after having set up the sandbox.

Two solutions come to mind:

  1. One is adding support for whitelisting in /run or at least in /run/user/$UID. I don't know about the first, but I guess the second can be done easily without adding much attack surface (as the user already controls the content anyway). However, this wouldn't be sufficient... we would need globbing support for whitelisting on top (which is many wishes at once):
```
?HAS_NODBUS: nowhitelist ${RUNUSER}/kdeinit_5
?HAS_NODBUS: nowhitelist ${RUNUSER}/*.slave-socket
?HAS_NODBUS: whitelist ${RUNUSER}/*
```
  2. It could be baked right into the nodbus option. I think the [fs_resolvconf](https://github.com/netblue30/firejail/blob/cc9db57343c3df0a9fc191e31273c955314c8f72/src/firejail/fs_hostname.c#L91) function does something similar...

@smitsohu commented on GitHub (Dec 7, 2018):

pushing the changes from #2285 as a provisional fix


@smitsohu commented on GitHub (Dec 7, 2018):

provisional fix in 4292f8ab6f and c083a7b737


@curiosity-seeker commented on GitHub (Dec 8, 2018):

These changes cause problems for me (on Manjaro KDE). When launching dolphin I get:

```
Reading profile /etc/firejail/dolphin.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 4914, child pid 4915
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 109.07 ms
"Session bus not found\nTo circumvent this problem try the following command (with Linux and bash)\nexport $(dbus-launch)"
```

@smitsohu commented on GitHub (Dec 8, 2018):

Thanks for the feedback!

> Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.

Dolphin doesn't like `nodbus`, is it possible you're setting this somewhere in your profiles?
You can also play with

```
firejail --ignore=nodbus dolphin
firejail --rmenv=KDE_FORK_SLAVES --noblacklist='${RUNUSER}/*' --nodbus dolphin
```

@curiosity-seeker commented on GitHub (Dec 8, 2018):

Ah, yes - I forgot that. I've set `nodbus` in `globals.local`. After adding

`ignore nodbus`

to `dolphin.local` it works again. Sorry for the trouble!


@smitsohu commented on GitHub (Dec 8, 2018):

That's no trouble :)


@smitsohu commented on GitHub (Feb 26, 2019):

closed in 94b8f2cd3b

there is still no globbing, but something simple like

```
whitelist ${RUNUSER}/bus
whitelist ${RUNUSER}/pulse
```

is probably enough for almost all applications

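To see how the two rule sets in this thread differ in what they leave reachable under `${RUNUSER}`, here is an added example (not code from the issue or from firejail) that parses the rules as written above and evaluates sample paths against a deliberately simplified model of blacklist/whitelist/nowhitelist semantics: blacklist always hides, and once any whitelist names an entry in a directory tree only whitelisted entries (minus nowhitelist matches) remain visible there. The `${RUNUSER}` value, the sample socket names and the assumption that the `?HAS_NODBUS:` condition holds are all constructed for the example; the real firejail implementation is not modelled.

```python
import fnmatch
import posixpath

RUNUSER = "/run/user/1000"  # constructed value for the ${RUNUSER} macro
# Hypothetical profile: disable-common's kdeinit blacklist plus the glob whitelist
# proposed in the issue (the ?HAS_NODBUS: condition is assumed to be true).
PROPOSED_GLOB_PROFILE = """\
blacklist /run/user/*/kdeinit5__*
?HAS_NODBUS: nowhitelist ${RUNUSER}/kdeinit_5
?HAS_NODBUS: nowhitelist ${RUNUSER}/*.slave-socket
?HAS_NODBUS: whitelist ${RUNUSER}/*
"""
# Hypothetical profile: the non-globbing form from the closing comment.
SIMPLE_PROFILE = """\
blacklist /run/user/*/kdeinit5__*
whitelist ${RUNUSER}/bus
whitelist ${RUNUSER}/pulse
"""

def parse_rules(profile_text):
    """Return (verb, expanded_pattern) pairs; comments and blank lines are skipped."""
    rules = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("?"):  # "?COND: rule": keep the rule, assume COND holds
            line = line.split(":", 1)[1].strip()
        verb, _, pattern = line.partition(" ")
        rules.append((verb, pattern.strip().replace("${RUNUSER}", RUNUSER)))
    return rules

def _covers(pattern, path):
    """Glob matches the path or an ancestor (whitelisting a dir exposes its contents)."""
    while path and path != "/":
        if fnmatch.fnmatchcase(path, pattern):
            return True
        path = posixpath.dirname(path)
    return False

def visible(path, rules):
    """Simplified model (not firejail's code): blacklist hides; a whitelisted tree
    keeps only whitelisted entries, minus anything matched by a nowhitelist rule."""
    if any(v == "blacklist" and fnmatch.fnmatchcase(path, p) for v, p in rules):
        return False
    wl_roots = {posixpath.dirname(p) for v, p in rules if v == "whitelist"}
    if not any(path.startswith(root + "/") for root in wl_roots):
        return True  # no whitelist touches this tree: default-allow
    if any(v == "nowhitelist" and _covers(p, path) for v, p in rules):
        return False
    return any(v == "whitelist" and _covers(p, path) for v, p in rules)
```

Under both profiles the kdeinit and KIO slave sockets end up hidden while the D-Bus and PulseAudio sockets stay reachable; the difference is that the glob form would also expose any other future entry in `${RUNUSER}`, which the non-globbing form does not.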