mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #2414] Feh: Standard config does not allow internet access #1611
Originally created by @pianoslum on GitHub (Feb 17, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2414
The image viewer feh can access pictures on the internet if you pass a URL. E.g.:
feh https://i.imgur.com/FzdARaX.jpg
However, the current standard config blocks internet access; I found that you have to uncomment net none, protocol unix and private-etc feh in order to make it work again.
I am not sure what a good standard would be (options in or out), but either way, we should add a comment explaining that these options are needed for web access.
What do you think?
@chiraag-nataraj commented on GitHub (Feb 17, 2019):
I think you meant comment.
In my opinion, there is absolutely no reason an image viewer(!) should have access to the internet by default.
Sure. I would actually go so far as to make a feh-relaxed.inc file which isn't included by default. Then, if people want to allow this, they can simply include feh-relaxed.inc in their feh.local file (even if you want it to have internet access, you don't need to allow access to all of /etc).
@pianoslum commented on GitHub (Feb 17, 2019):
Yeah you're right :-)
Regarding private-etc: I agree with you, but there seems to be something that feh needs to access; is there an easy way to find out which one it is?
@chiraag-nataraj commented on GitHub (Feb 17, 2019):
Try adding
private-etc hosts,resolv.conf,ssl
as another line (they're additive, which means this will be done in addition to private-etc feh).
@pianoslum commented on GitHub (Feb 17, 2019):
I tried that, unfortunately it's not enough apparently :-(
@chiraag-nataraj commented on GitHub (Feb 17, 2019):
So it looks like it needs whatever curl needs (they list libcurl4, on Debian anyway, as a dependency). Aaaand it looks like we commented out private-etc in curl.profile (probably because something broke lol). But maybe the private-etc line there is a starting point?
@chiraag-nataraj commented on GitHub (Feb 17, 2019):
I just tried it and
private-etc feh,resolv.conf,ssl
worked for me. What error does feh give you when you try that private-etc line?
@pianoslum commented on GitHub (Feb 17, 2019):
There was a symlink in ssl to /etc/certificates, so adding this did the trick:
private-etc feh,resolv.conf,ca-certificates,ssl
This might depend on the distribution, I use Arch x64
@chiraag-nataraj commented on GitHub (Feb 17, 2019):
I'm happy to add your line along with ignore net none into a feh-networked.inc file which people can include if they so choose.
@pianoslum commented on GitHub (Feb 18, 2019):
Thanks for that - I still need to comment protocol unix, otherwise it doesn't work .-(
@rusty-snake commented on GitHub (Feb 18, 2019):
@pianoslum or better:
protocol unix,inet,inet6
@pianoslum commented on GitHub (Mar 10, 2019):
@chiraag-nataraj I would add a PR, but I do not know how to "whitelist" protocol unix. Could you give me a hint here?
Otherwise, feh-networking is still not working :-|
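Added example, not part of the original thread or of firejail: a Python helper for the question raised above about finding which /etc entries a private-etc line is missing. It walks the listed entries and reports top-level /etc names that their symlinks resolve into, as with the ssl link found in the thread. The function names and the sample tree are constructed for illustration, and it assumes that private-etc leaves symlinks into unlisted entries dangling.

```python
import os
import tempfile


def missing_private_etc(entries, etc_root="/etc"):
    """Hypothetical helper: top-level names under etc_root that symlinks inside
    `entries` resolve into, but that are not themselves listed in `entries`."""
    etc_root = os.path.realpath(etc_root)
    missing = set()
    for name in entries:
        top = os.path.join(etc_root, name)
        paths = [top]
        # os.walk lists symlinked directories but does not descend into them.
        for dirpath, dirnames, filenames in os.walk(top):
            paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            if not os.path.islink(path):
                continue
            # Final target only; intermediate hops of a link chain are not reported.
            rel = os.path.relpath(os.path.realpath(path), etc_root)
            first = rel.split(os.sep)[0]
            if first in (os.curdir, os.pardir) or first in entries:
                continue  # target is /etc itself, outside /etc, or already listed
            missing.add(first)
    return sorted(missing)


def build_sample_etc(root):
    """Constructed layout (not copied from a real system): ssl/cert.pem is a
    symlink into ca-certificates, mirroring the situation in the thread."""
    etc = os.path.join(root, "etc")
    os.makedirs(os.path.join(etc, "feh"))
    os.makedirs(os.path.join(etc, "ssl"))
    os.makedirs(os.path.join(etc, "ca-certificates", "extracted"))
    for rel in ("resolv.conf", "ca-certificates/extracted/bundle.pem"):
        open(os.path.join(etc, rel), "w").close()
    os.symlink("../ca-certificates/extracted/bundle.pem",
               os.path.join(etc, "ssl", "cert.pem"))
    os.symlink("/usr/share/zoneinfo/UTC", os.path.join(etc, "ssl", "outside"))
    return etc


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        etc = build_sample_etc(tmp)  # constructed tree
        print(missing_private_etc(["feh", "resolv.conf", "ssl"], etc))
    print(missing_private_etc(["feh", "resolv.conf", "ssl"]))  # this machine's /etc
```

Names it reports are candidates to append to the private-etc line; an empty list means every symlink under the listed entries stays inside them or points outside /etc.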