[GH-ISSUE #5441] disable-sys.inc #2996

Open
opened 2026-05-05 09:39:07 -06:00 by gitea-mirror · 5 comments
Owner

Originally created by @rusty-snake on GitHub (Oct 30, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5441

Is your feature request related to a problem? Please describe.

/sys exposes a lot of information about Kernel and Devices.

Describe the solution you'd like

disable-sys.inc include that disables files/dirs in /sys that are rarely needed by programs that do not interact with devices directly.

gitea-mirror added the enhancement label 2026-05-05 09:39:07 -06:00

@topimiettinen commented on GitHub (Nov 1, 2022):

For example serial numbers:

$ find /sys -xdev -iname '*serial' | wc -l
14

@rusty-snake commented on GitHub (Nov 1, 2022):

https://github.com/netblue30/firejail/blob/d8a5f385bf76ad21cb8942412a370bee3e7b8ce6/src/firejail/fs.c#L743-L752

Are already blacklisted, this leaves /sys/block, /sys/bus, /sys/class, /sys/dev, /sys/devices and /sys/kernel. Nevertheless blacklisting in /sys/fs and /sys/module is needed as well for programs that need parts of them.


@kmk3 commented on GitHub (Nov 4, 2022):

@topimiettinen commented on Nov 1:

For example serial numbers:

$ find /sys -xdev -iname '*serial' | wc -l
14

Blocking this sounds good; how about adding something like
disable-hardware-ids.inc?

I'm not sure about the full extent of what /sys provides and what could be
broken by blocking things in it, but I think that hardware identifiers is a
fairly commonly known concept and that hardly any program would actually need
them (and so most profiles could probably safely block them).

As an example, it might be helpful to have access to MAC addresses in
Wireshark, but hardly so in web browsers.


@rusty-snake commented on GitHub (Nov 4, 2022):

My Firefox runs fine with only
https://github.com/rusty-snake/kyst/blob/58264c8a67bad7c0f65bd860d2555787a57a080e/firejail/firefox.local#L16-L24
and I wouldn't say Firefox has low requirements.


@kmk3 commented on GitHub (Nov 4, 2022):

@rusty-snake commented on Nov 4:

My Firefox runs fine with only
https://github.com/rusty-snake/kyst/blob/58264c8a67bad7c0f65bd860d2555787a57a080e/firejail/firefox.local#L16-L24
and I wouldn't say Firefox has low requirements.

That's good to know and to be clear I don't think that both options would be
mutually exclusive.

My point was more about the debuggability/visibility of it as a user.

If a program breaks because all/most of /sys is blocked and I don't know the
full scope of /sys and how legitimate is the program's need to access it, I
would first assume that the problem is in firejail blocking too much of /sys.
That is, it would be more likely to result in ignore include disable-sys.inc.

If a program breaks specifically because it cannot access hardware
identifiers, that seems rather sketchy, so I'd be more inclined to try to
debug it and/or try to find an alternative program.

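Added example, written for this thread and not taken from firejail or any commenter: a small POSIX shell audit that extends the `find ... '*serial'` count above to MAC addresses and the DMI product UUID, and reports only the files the current user can actually read. Run it on the host and again inside the sandbox to check that a disable-hardware-ids.inc-style include really hides them; the name patterns and the sample tree are this example's own assumptions.

```shell
#!/bin/sh
# Audit which hardware-identifier files under a sysfs tree are readable.
# Usage: sh audit.sh            (inspects /sys)
#        SYSFS_ROOT=/path sh audit.sh   (inspects a copy or a sample tree)
# Running it under `firejail --profile=<profile> sh audit.sh` (profile name
# assumed) shows what a blacklist in that profile still leaves exposed.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the readable regular files under $1 whose names carry identifiers:
# '*serial' (the files counted by the find command in the thread), the DMI
# product_uuid, and NIC MAC addresses ('address' below a net/<iface>/ dir).
# class/ entries are symlinks and are not followed; the real files live under
# devices/, so they are still found. The pattern list is an assumption.
list_readable_hw_ids() {
    find "$1" -xdev -type f \
        \( -iname '*serial' -o -name 'product_uuid' -o -path '*/net/*/address' \) \
        2>/dev/null |
    while IFS= read -r f; do
        # -r is evaluated as the current (possibly sandboxed) user, so a file
        # that firejail has blacklisted is reported as not readable and skipped.
        [ -r "$f" ] && printf '%s\n' "$f"
    done | sort
}

# Number of readable identifier files under $1.
count_readable_hw_ids() {
    list_readable_hw_ids "$1" | wc -l | tr -d ' '
}

# Constructed miniature sysfs tree for an offline run: three identifier files
# plus one unrelated attribute file. All values are made up.
make_sample_sysfs() {
    d=$(mktemp -d)
    mkdir -p "$d/devices/pci0/usb1/1-1" "$d/devices/virtual/dmi/id" \
             "$d/devices/pci0/net/eth0"
    echo "CONSTRUCTED-SERIAL-0001" > "$d/devices/pci0/usb1/1-1/serial"
    echo "00000000-0000-0000-0000-000000000000" > "$d/devices/virtual/dmi/id/product_uuid"
    echo "02:00:00:00:00:01" > "$d/devices/pci0/net/eth0/address"
    echo "1" > "$d/devices/pci0/usb1/1-1/bNumConfigurations"
    printf '%s\n' "$d"
}

# Report for the live tree; compare the number on the host and in the sandbox.
printf 'readable hardware-id files under %s: %s\n' \
    "$SYSFS_ROOT" "$(count_readable_hw_ids "$SYSFS_ROOT")"
```

A non-zero count inside the sandbox lists exactly the paths a profile would still need to blacklist.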
Reference: github-starred/firejail#2996