[GH-ISSUE #3148] firejail allows wlr-screencopy by default #1979

Closed
opened 2026-05-05 08:38:37 -06:00 by gitea-mirror · 5 comments

Originally created by @GovanifY on GitHub (Jan 15, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3148

Wayland theoretically adds protection between applications so that they can't snoop on each other. Unfortunately the Wayland standard willingly does not define ways to implement screenshots, and as such window managers are left to implement it on their own.
sway currently implements the wlr-screencopy protocol, which is enabled by default in every jail definition I can think of.

Here is an example. Let us assume I'm using this jail definition for mutt:

```
whitelist ${HOME}/.cache/mutt
noblacklist ${HOME}/.cache/mutt

whitelist ${HOME}/.config/mutt

whitelist ${HOME}/.local/share/mail

noblacklist ${HOME}/.config/msmtp
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.local/share/nvim
noblacklist ${HOME}/.vim
noblacklist ${HOME}/.viminfo
noblacklist ${HOME}/.vimrc
noblacklist ${HOME}/.gnupg

whitelist ${HOME}/.config/msmtp
whitelist ${HOME}/.config/nvim
whitelist ${HOME}/.local/share/nvim
whitelist ${HOME}/.vim
whitelist ${HOME}/.viminfo
whitelist ${HOME}/.vimrc
whitelist ${HOME}/.gnupg

blacklist /tmp/.X11-unix

include disable-common.inc
include disable-devel.inc
# neovim uses interpreters
#include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

caps.drop all
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none

private-dev
writable-run-user
```

This jail is pretty tightened already and should not be able to look at the user's screen, as it's a command line mail client.
But a "sandbox escape", if we can call it that, is possible by simply replying to any mail, which starts up your editor (in my case vim), and executing the command `:!grim ~/.config/mutt/screenshot.png`

NB: this config is actually more tightened than the standard mutt one, except for interpreters, as it uses a whitelist.

As such I believe we should add an option to the firejail configuration to disable certain Wayland protocols and add it to every jail by default, enabling it on a need basis (not a lot of programs should need to screenshot your screen, hopefully).


@rusty-snake commented on GitHub (Jan 15, 2020):

Does grim work if you add `blacklist ${RUNUSER}/wayland-*`?
FWIW: `gnome-screenshot` works with `blacklist ${RUNUSER}/wayland-*` (under GNOME/mutter), because it uses D-Bus. `firejail --nodbus gnome-screenshot` stops it.
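To make the two mitigations discussed in this thread checkable, here is an added profile checker (not part of firejail or of this issue) that parses a firejail profile and reports whether the Wayland socket, the X11 socket and the session bus remain reachable from inside the jail. It assumes the directive semantics used above (`blacklist`/`noblacklist` globs, `nodbus`, `x11 none`), keeps `${RUNUSER}` symbolic rather than expanding it, and does not resolve `include` files; the profile text is a reduced, constructed copy of the mutt profile from the issue.

```python
import fnmatch

# Constructed sample: the display-relevant lines of the mutt profile quoted in
# the issue. Included .inc files are not resolved by this checker.
MUTT_PROFILE = """
whitelist ${HOME}/.config/mutt
blacklist /tmp/.X11-unix
include disable-common.inc
caps.drop all
seccomp
private-dev
writable-run-user
"""

# Sockets a program needs to talk to the compositor or the X server.
WAYLAND_SOCKET = "${RUNUSER}/wayland-0"
X11_SOCKET = "/tmp/.X11-unix/X0"


def parse_profile(text):
    """Split a profile into (directive, argument) pairs, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        rules.append((directive, arg.strip()))
    return rules


def path_blocked(rules, path):
    """True if a blacklist glob covers `path` (or a parent dir) and no noblacklist exempts it.
    Simplification: firejail honours noblacklist regardless of line order, so order is ignored."""
    def covers(pattern):
        return fnmatch.fnmatchcase(path, pattern) or path.startswith(pattern.rstrip("/") + "/")
    if any(d == "noblacklist" and covers(a) for d, a in rules):
        return False
    return any(d == "blacklist" and covers(a) for d, a in rules)


def display_channels(profile_text):
    """Report which desktop channels a sandboxed program can still reach."""
    rules = parse_profile(profile_text)
    return {
        "wayland": not path_blocked(rules, WAYLAND_SOCKET),
        "x11": not (path_blocked(rules, X11_SOCKET) or ("x11", "none") in rules),
        "dbus": ("nodbus", "") not in rules,
    }


if __name__ == "__main__":
    print(display_channels(MUTT_PROFILE))  # wayland still reachable, x11 blocked, dbus open
    print(display_channels(MUTT_PROFILE + "blacklist ${RUNUSER}/wayland-*\nnodbus\n"))
```

As the thread notes, blocking the Wayland socket this way also removes clipboard access for the jailed program, so the checker only tells you which channels are open, not whether closing them is acceptable for that application.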


@GovanifY commented on GitHub (Jan 15, 2020):

grim doesn't work this way, but this is hardly a solution as this would block any Wayland communication, correct? In that case any GUI would also fail to run. I believe we would need some kind of protocol filtering in place, but this blacklist indeed helps for any non-graphical application.


@GovanifY commented on GitHub (Jan 15, 2020):

Also, I just realized that this ends up being possibly unwanted too: it breaks Wayland copy-paste functionality from inside the sandbox. If your vim interacts with your Wayland clipboard then all of this will be broken.


@mat8913 commented on GitHub (Aug 22, 2020):

I don't think there's much firejail can do here. If wayland compositors decide to implement extensions, then it should be up to those compositors to implement them securely.

It looks like sway used to have a way to restrict which applications could use these extensions (see https://github.com/swaywm/sway/blob/d9a08b7a9df64ba434252d6adfa08aabb4c5c31e/sway/sway-security.7.txt), but that feature has since been removed for some reason.


@rusty-snake commented on GitHub (Sep 1, 2020):

I think @mat8913 is right, we can not do anything here. Closing.
