[GH-ISSUE #5190] Too many features

gitea-mirror commented

2026-05-05 09:34:21 -06:00

Owner

Originally created by @netblue30 on GitHub (Jun 10, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5190

Done so far:

removed cgroups code
changed --disable-firetunnel into --enable-firetunnel in configure.ac
disabled chroot by default in /etc/firejail/firejail.config
shell none set as default
removed --shell=
private-lib disabled by defautl in /etc/firejail/firejail.config

Discussed in https://github.com/netblue30/firejail/discussions/5183

^{Originally posted by SkewedZeppelin June 8, 2022}
The past few versions have been adding more and more arguable unnecessary features further increasing attack surface of firejail.

The best part of firejail is the collection of ready to use profiles for programs, nothing else offers this.
What ever happened to the minimal LTS version?

Can these be #ifdef'ed out?

ids is --disable-ids
--appimage
--bandwidth, --netstats, --nettrace are --disable-network
--build?
--cpu?
--tunnel is --disable-firetunnel

any others?

^{Originaly posted by rusty-snake June 8, 2022}

Can these be #ifdef'ed out?

While for us #ifdef works good, the most users will get their firejail binary from their package-manager. Therefore we should make sure that there are options in firejail.config to disable those features too (--appimage has one).

any others?

--cgroup
--shutdown
--trace (subset of --build)
--tracelog?

Originally created by @netblue30 on GitHub (Jun 10, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5190 Done so far: * removed cgroups code * changed --disable-firetunnel into --enable-firetunnel in configure.ac * disabled chroot by default in /etc/firejail/firejail.config * shell none set as default * removed --shell= * private-lib disabled by defautl in /etc/firejail/firejail.config ### Discussed in https://github.com/netblue30/firejail/discussions/5183 <div type='discussions-op-text'> <sup>Originally posted by **SkewedZeppelin** June 8, 2022</sup> The past few versions have been adding more and more arguable unnecessary features further increasing attack surface of firejail. The best part of firejail is the collection of ready to use profiles for programs, nothing else offers this. What ever happened to the minimal LTS version? Can these be #ifdef'ed out? - [x] ids is --disable-ids - [ ] --appimage - [x] --bandwidth, --netstats, --nettrace are --disable-network - [ ] --build? - [ ] --cpu? - [x] --tunnel is --disable-firetunnel any others?</div> <sup>Originaly posted by **rusty-snake** June 8, 2022</sup> > Can these be #ifdef'ed out? While for us #ifdef works good, the most users will get their firejail binary from their package-manager. Therefore we should make sure that there are options in firejail.config to disable those features too (--appimage has one). > any others? - [ ] --cgroup - [ ] --shutdown - [ ] --trace (subset of --build) - [ ] --tracelog?

gitea-mirror

2026-05-05 09:34:21 -06:00

closed this issue
added the
enhancement

removal
labels

gitea-mirror commented

2026-05-05 09:34:24 -06:00

Author

Owner

@netblue30 commented on GitHub (Jun 10, 2022):

And that's exactly what we are going to do! I would say for most features we'll have compile time and run time configuration. Then we need to talk what we keep in the default configuration most people are using.

@netblue30 commented on GitHub (Jun 10, 2022): And that's exactly what we are going to do! I would say for most features we'll have compile time and run time configuration. Then we need to talk what we keep in the default configuration most people are using.

gitea-mirror commented

2026-05-05 09:34:25 -06:00

Author

Owner

@amano-kenji commented on GitHub (Jun 10, 2022):

You can split privileged parts into a much smaller binary. Then, you can add more features in another binary.

@amano-kenji commented on GitHub (Jun 10, 2022): You can split privileged parts into a much smaller binary. Then, you can add more features in another binary.

gitea-mirror commented

2026-05-05 09:34:26 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 11, 2022):

#510 and a few other places

Also #5157.

@rusty-snake commented on GitHub (Jun 11, 2022): #510 and a few other places Also #5157.

gitea-mirror commented

2026-05-05 09:34:27 -06:00

Author

Owner

@netblue30 commented on GitHub (Jun 12, 2022):

You can split privileged parts into a much smaller binary. Then, you can add more features in another binary.

We've been doing it for a few years now. The files starting in "f" in /usr/lib/firejail directory (fseccomp, fcopy etc.) have been split out from SUID binary and are run in a temporary sandbox (see src/firejail/sbox.c). We even run external some programs this way - the largest one is ISC DHCP client (dhclient). I would say adding new fancy features in this moment is quite easy.

@netblue30 commented on GitHub (Jun 12, 2022): > You can split privileged parts into a much smaller binary. Then, you can add more features in another binary. We've been doing it for a few years now. The files starting in "f" in /usr/lib/firejail directory (fseccomp, fcopy etc.) have been split out from SUID binary and are run in a temporary sandbox (see src/firejail/sbox.c). We even run external some programs this way - the largest one is ISC DHCP client (dhclient). I would say adding new fancy features in this moment is quite easy.

gitea-mirror commented

2026-05-05 09:34:28 -06:00

Author

Owner

@netblue30 commented on GitHub (Jun 12, 2022):

Is anybody using --tracelog or --cgroup? I would take them out, I mean completely gone!

@netblue30 commented on GitHub (Jun 12, 2022): Is anybody using --tracelog or --cgroup? I would take them out, I mean completely gone!

gitea-mirror commented

2026-05-05 09:34:29 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 12, 2022):

--cgroup

Does it even work with an unified hierarchy (aka. v2)?

No, I don't think there is any relevant use.

--tracelog

It's still useful I think. Maybe we can keep libtracelog.so and make --tracelog just an alias for env LD_PRELOAD=....

@rusty-snake commented on GitHub (Jun 12, 2022): > --cgroup Does it even work with an unified hierarchy (aka. v2)? No, I don't think there is any relevant use. > --tracelog It's still useful I think. Maybe we can keep libtracelog.so and make --tracelog just an alias for `env LD_PRELOAD=...`.

gitea-mirror commented

2026-05-05 09:34:29 -06:00

Author

Owner

@ghost commented on GitHub (Jun 12, 2022):

Is anybody using --tracelog or --cgroup? I would take them out, I mean completely gone!

I do use tracelog quite extensively for auditing sandbox violations. IMO it's a nice tool to get a finer-grained view on what's happening in a Firejail sandbox. As such it provides valuable information in the context of creating tighter sandbox profiles.

Although I've used the cgroup option on occasion, I don't have particularly strong feelings about it personally.

BUT, and this is a general comment on this topic, I don't (fully) agree with the view that Firejail has too many features, hence a larger attack surface . Sure, we should implement a finer-grained compile/run time configuration model and have a 'reasonable' set of defaults. Cutting out pieces left and right haphazardly - in the spirit of tightening Firejail's attack surface - feels a bit awkward though. Attack surfaces will always exist and IMHO it's best to leave that up to users and their (more or less) educated guesses regarding personal threat-model(s).

Personally I always liked Firejail's more universal approach (for the lack of a better word): offering a very broad toolset and motivating users to customize the hell out of their profiles. It's very much possible I misunderstand the rationale behind this specific issue. Yet, it feels like a shift towards a more set-and-forget mindset, which I for one would deplore.

Just my two cents. I do understand this is a very complex and important issue and I do appreciate all the efforts and hard work that is continuously being done by the community to keep Firejail in the best of shapes. A big thank you to all involved. Let's take the time to think this through in the spirit of open-mindedness and collaboration worthy of its importance and future development.

@ghost commented on GitHub (Jun 12, 2022): > Is anybody using --tracelog or --cgroup? I would take them out, I mean completely gone! I do use `tracelog` quite extensively for auditing sandbox violations. IMO it's a nice tool to get a finer-grained view on what's happening in a Firejail sandbox. As such it provides valuable information in the context of creating tighter sandbox profiles. Although I've used the `cgroup` option on occasion, I don't have particularly strong feelings about it personally. BUT, and this is a `general` comment on this topic, I don't (fully) agree with the view that Firejail has too many features, hence a larger attack surface . Sure, we should implement a finer-grained compile/run time configuration model and have a 'reasonable' set of defaults. Cutting out pieces left and right haphazardly - in the spirit of tightening Firejail's attack surface - feels a bit awkward though. Attack surfaces will always exist and IMHO it's best to leave that up to users and their (more or less) educated guesses regarding personal threat-model(s). Personally I always liked Firejail's more `universal` approach (for the lack of a better word): offering a very broad toolset and motivating users to customize the hell out of their profiles. It's very much possible I misunderstand the rationale behind this specific issue. Yet, it feels like a shift towards a more `set-and-forget` mindset, which I for one would deplore. `Just my two cents`. I do understand this is a very complex and important issue and I do appreciate all the efforts and hard work that is continuously being done by the community to keep Firejail in the best of shapes. `A big thank you to all involved`. Let's take the time to think this through in the spirit of open-mindedness and collaboration worthy of its importance and future development.

gitea-mirror commented

2026-05-05 09:34:30 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 12, 2022):

My two cents to your two cents: Firstly I fully agree with "implement[ing] a finer-grained compile/run time configuration model and have a 'reasonable' set of defaults." Secondly I think we should cut of code/feature. More precisely features that are less used, have high complexity and haven't seen any love since they were implemented.

@rusty-snake commented on GitHub (Jun 12, 2022): My two cents to your two cents: Firstly I fully agree with "implement[ing] a finer-grained compile/run time configuration model and have a 'reasonable' set of defaults." Secondly I think we should cut of code/feature. More precisely features that are less used, have high complexity and haven't seen any love since they were implemented.

gitea-mirror commented

2026-05-05 09:34:30 -06:00

Author

Owner

@ghost commented on GitHub (Jun 12, 2022):

@rusty-snake Thanks for your reply. I don't see much - if any - difference in our stance here. Underdeveloped features are indeed a sore point and I can understand if those would get dropped. Currently we have zero profiles that carry the cgroup option. Yet tracelog is part of quite a lot of profiles. Not that I would personally mind doing the work on removing it from those if it is decided to take that option out. I just happen to think it is valuable :-)

@ghost commented on GitHub (Jun 12, 2022): @rusty-snake Thanks for your reply. I don't see much - if any - difference in our stance here. Underdeveloped features are indeed a sore point and I can understand if those would get dropped. Currently we have zero profiles that carry the `cgroup` option. Yet `tracelog` is part of quite a lot of profiles. Not that I would personally mind doing the work on removing it from those if it is decided to take that option out. I just happen to think it is valuable :-)

gitea-mirror commented

2026-05-05 09:34:31 -06:00

Author

Owner

@netblue30 commented on GitHub (Jun 13, 2022):

OK, let's keep trackelog in, but we disable it by default in /etc/firejail/firejail.config

I have removed cgroups code, maybe we will bring it back if we ever implement the "unified" cgroups interface in the kernel.

More to come, I'll keep a list with what was done on the top item.

@netblue30 commented on GitHub (Jun 13, 2022): OK, let's keep trackelog in, but we disable it by default in /etc/firejail/firejail.config I have removed cgroups code, maybe we will bring it back if we ever implement the "unified" cgroups interface in the kernel. More to come, I'll keep a list with what was done on the top item.

gitea-mirror commented

2026-05-05 09:34:31 -06:00

Author

Owner

@WhyNotHugo commented on GitHub (Jun 14, 2022):

Has there been discussion on eventually dropping blacklist in favour of a plain whitelist approach? The existence of both makes firejail quite harder to grasp, and profiles a bit tricker to read/write.

whitelist has a more hardened approach too, since it starts with a "deny all" approach, which is usually the safe way to approach things.

@WhyNotHugo commented on GitHub (Jun 14, 2022): Has there been discussion on eventually dropping `blacklist` in favour of a plain `whitelist` approach? The existence of both makes firejail quite harder to grasp, and profiles a bit tricker to read/write. `whitelist` has a more hardened approach too, since it starts with a "deny all" approach, which is usually the safe way to approach things.

gitea-mirror commented

2026-05-05 09:34:31 -06:00

Author

Owner

@kmk3 commented on GitHub (Jun 14, 2022):

@netblue30 commented on Jun 13:

OK, let's keep trackelog in, but we disable it by default in
/etc/firejail/firejail.config

I have removed cgroups code, maybe we will bring it back if we ever implement
the "unified" cgroups interface in the kernel.

More to come, I'll keep a list with what was done on the top item.

I don't have strong feelings on either change related to the issues below, but
please finish the ongoing removals before starting a new one:

#5200
#5201

@kmk3 commented on GitHub (Jun 14, 2022): @netblue30 commented [on Jun 13](https://github.com/netblue30/firejail/issues/5190#issuecomment-1153943166): > OK, let's keep trackelog in, but we disable it by default in > /etc/firejail/firejail.config > > I have removed cgroups code, maybe we will bring it back if we ever implement > the "unified" cgroups interface in the kernel. > > More to come, I'll keep a list with what was done on the top item. I don't have strong feelings on either change related to the issues below, but please finish the ongoing removals before starting a new one: * #5200 * #5201

gitea-mirror commented

2026-05-05 09:34:32 -06:00

Author

Owner

@ghost commented on GitHub (Jun 15, 2022):

Has there been discussion on eventually dropping blacklist in favour of a plain whitelist approach?

@WhyNotHugo I don't think that's part of the discussion here. It can be awkward to get used to the difference between those options, very true. I prefer whitelisting profiles (too), but not every application can (easily) be sandboxed like that. So I guess a blacklist option (or whatever one would prefer to call it) is here to stay for the foreseeable future. Good points though. Nothing stops you from opening a separate discussion thread for it :-)

@ghost commented on GitHub (Jun 15, 2022): > Has there been discussion on eventually dropping blacklist in favour of a plain whitelist approach? @WhyNotHugo I don't think that's part of the discussion here. It can be awkward to get used to the difference between those options, very true. I prefer whitelisting profiles (too), but not every application can (easily) be sandboxed like that. So I guess a `blacklist` option (or whatever one would prefer to call it) is here to stay for the foreseeable future. Good points though. Nothing stops you from opening a separate discussion thread for it :-)

gitea-mirror commented

2026-05-05 09:34:32 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 15, 2022):

Agreeing with @glitsj16 making blacklist/whitelist is outside of the scope of this issue an far more complex as you need to redesign both because

you need a way for blacklisting profile because not all programs work with whitelisting profiles.
there are use cases like whitelist ${DOCUMENTS} but blacklist ${DOCUMENTS}/Secret

@rusty-snake commented on GitHub (Jun 15, 2022): Agreeing with @glitsj16 making `blacklist`/`whitelist` is outside of the scope of this issue an far more complex as you need to redesign both because 1. you need a way for blacklisting profile because not all programs work with whitelisting profiles. 2. there are use cases like `whitelist ${DOCUMENTS}` but `blacklist ${DOCUMENTS}/Secret`

gitea-mirror commented

2026-05-05 09:34:33 -06:00

Author

Owner

@netblue30 commented on GitHub (Jun 23, 2022):

I disabled private-lib in /etc/firejail/firejail.config. Out of 1191 profiles only 70 were using it.

@netblue30 commented on GitHub (Jun 23, 2022): I disabled private-lib in /etc/firejail/firejail.config. Out of 1191 profiles only 70 were using it.

gitea-mirror commented

2026-05-05 09:34:33 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 23, 2022):

private-lib is still initialized as 1, isn't it?

db0349a5ec/src/firejail/checkcfg.c (L49-L63)

@rusty-snake commented on GitHub (Jun 23, 2022): private-lib is still initialized as `1`, isn't it? https://github.com/netblue30/firejail/blob/db0349a5eccbd6a31fa6642a3f22c542383edc9a/src/firejail/checkcfg.c#L49-L63

gitea-mirror commented

2026-05-05 09:34:34 -06:00

Author

Owner

@netblue30 commented on GitHub (Jun 23, 2022):

Fixed, thanks!

@netblue30 commented on GitHub (Jun 23, 2022): Fixed, thanks!

gitea-mirror commented

2026-05-05 09:34:34 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 29, 2022):