github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #6459] Support "include" directive for conditionals and negative conditionals #3281

New issue
Open
opened 2026-05-05 09:53:15 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 09:53:15 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Sep 1, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6459

Is your feature request related to a problem? Please describe.

I want to create very restrictive sandbox when net is enabled because the biggest risk is stealing private data. If net is NOT enabled, then I would like to have a looser profile that enables more data access.

In addition, support of negative conditionals.

Describe the solution you'd like

?HAS_NET: include super-restrictive-rules.inc

?!HAS_NET: include looser-rules.inc

Describe alternatives you've considered

Nothing as clean as this. Currently I have to use a loader script to load different profiles. Would be much easier to be able to add a conditional to global.inc to make software-wide.

I looked at #2158 and could not see any real reason why include was excluded.

Originally created by @ghost on GitHub (Sep 1, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6459 ### Is your feature request related to a problem? Please describe. I want to create very restrictive sandbox when net is enabled because the biggest risk is stealing private data. If net is NOT enabled, then I would like to have a looser profile that enables more data access. In addition, support of negative conditionals. ### Describe the solution you'd like ``` ?HAS_NET: include super-restrictive-rules.inc ?!HAS_NET: include looser-rules.inc ``` ### Describe alternatives you've considered Nothing as clean as this. Currently I have to use a loader script to load different profiles. Would be much easier to be able to add a conditional to global.inc to make software-wide. I looked at #2158 and could not see any real reason why `include` was excluded.
gitea-mirror added the
enhancement
 label 2026-05-05 09:53:15 -06:00
gitea-mirror commented 2026-05-05 09:53:17 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 1, 2024):

There is one thing you have to consider. globals.local is usually included at the top (after foo.local). Meaning ?HAS_NET: will be false in 99% for the times you reach it in globals.local.

Also ?HAS_NET: will be true once net is used, right? Be it net none or net eth0.

Edit actually we already have ?HAS_NET

I want to create very restrictive sandbox when net is enabled because the biggest risk is stealing private data.
If net is NOT enabled, then I would like to have a looser profile that enables more data access.

I'm happy to see that you have a more real world thread model than "I want to protect root because it is the user with the highest privileges". But keep in mind that a looser profile might allow data stealing thought other means than direct networking.

negative conditionals

workaround:

?HAS_NET: include super-restrictive-rules.inc
?HAS_NET: ignore include looser-rules.inc
include looser-rules.inc

?!HAS_NET:

Should be easy to implement, copy HAS_NET and negate the condition.

<!-- gh-comment-id:2323493437 --> @rusty-snake commented on GitHub (Sep 1, 2024): There is one thing you have to consider. `globals.local` is usually included at the top (after `foo.local`). Meaning `?HAS_NET:` will be false in 99% for the times you reach it in `globals.local`. Also `?HAS_NET:` will be true once `net` is used, right? Be it `net none` or `net eth0`. ### Edit actually we already have `?HAS_NET` > I want to create very restrictive sandbox when net is enabled because the biggest risk is stealing private data. > If net is NOT enabled, then I would like to have a looser profile that enables more data access. I'm happy to see that you have a more real world thread model than "I want to protect root because it is the user with the highest privileges". But keep in mind that a looser profile might allow data stealing thought other means than *direct* networking. > negative conditionals workaround: ``` ?HAS_NET: include super-restrictive-rules.inc ?HAS_NET: ignore include looser-rules.inc include looser-rules.inc ``` > ?!HAS_NET: Should be easy to implement, copy HAS_NET and negate the condition.
gitea-mirror commented 2026-05-05 09:53:19 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Sep 1, 2024):

But keep in mind that a looser profile might allow data stealing thought other means than direct networking.

I am not a security expert, so would you mind elaborating a malicious app could steal data if it's networking is disabled? Is there an easy way to break out of the network jail so it can upload data to a remote server?

Or would it require some type of user action, such as the program with no net-access modifies another program that it hopes will be run unsandboxed (such as modifying the .profile file), so then that program can upload the data?

There is one thing you have to consider. globals.local is usually included at the top (after foo.local). Meaning ?HAS_NET: will be false in 99% for the times you reach it in globals.local.

Hmmm, I see what you mean that for most people that would be the case. I modified it so firejail is always run with firejail --net=none, so in this case it would be aware of when to include each profile (even if the profile itself will disable net later that is okay).

Another way to do this that is perhaps more generalizable

  1. Make it so ?CONDITION can utilize include directive

  2. Make "conditions" passable via command line switches: --conditional="foo=1" --conditional="bar=1"

Then, allow these to be conditionals. For example:

?HAS_XXX: where XXX is the passed flag, in this case ?HAS_FOO and ?HAS_BAR

This resolves the issue of these "flags" not being known.

Then, users can pass a flag. This is especially important when wanting to use the "default" program on a new program.

For example:

firejail --conditional="net=0" --conditional="personal=0" --conditional="images=1"

Then the conditions the user created would include whatever was needed based on the flag data they passed.

What do you think about this idea?

<!-- gh-comment-id:2323506180 --> @ghost commented on GitHub (Sep 1, 2024): > But keep in mind that a looser profile might allow data stealing thought other means than _direct_ networking. I am not a security expert, so would you mind elaborating a malicious app could steal data if it's networking is disabled? Is there an easy way to break out of the network jail so it can upload data to a remote server? Or would it require some type of user action, such as the program with no net-access modifies another program that it hopes will be run unsandboxed (such as modifying the .profile file), so then that program can upload the data? > There is one thing you have to consider. `globals.local` is usually included at the top (after `foo.local`). Meaning `?HAS_NET:` will be false in 99% for the times you reach it in `globals.local`. Hmmm, I see what you mean that for most people that would be the case. I modified it so firejail is always run with `firejail --net=none`, so in this case it would be aware of when to include each profile (even if the profile itself will disable net later that is okay). **Another way to do this that is perhaps more generalizable** 1) Make it so `?CONDITION` can utilize `include` directive 2) Make "conditions" passable via command line switches: `--conditional="foo=1" --conditional="bar=1"` Then, allow these to be conditionals. For example: `?HAS_XXX:` where XXX is the passed flag, in this case `?HAS_FOO` and `?HAS_BAR` This resolves the issue of these "flags" not being known. Then, users can pass a flag. This is especially important when wanting to use the "default" program on a new program. For example: ```sh firejail --conditional="net=0" --conditional="personal=0" --conditional="images=1" ``` Then the conditions the user created would include whatever was needed based on the flag data they passed. What do you think about this idea?
gitea-mirror commented 2026-05-05 09:53:19 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Sep 1, 2024):

The concept of user-defineable conditionals seems useful even without "include" directive support. Should it be made into a separate feature enhancement for tracking?

In general, some conditionals could be useful even for standard profiles. For example: paranoid=1

Currently, many profiles enable net access for example to not break some very rarely used feature. So, basically net access was enabled for a feature 1% of people use like maybe a music program uses it to fetch lyrics on request as an example. Expanded use of conditions could allow profiles to be written to have more aggressive profiles when it's okay if the program works 99% instead of 100%.

<!-- gh-comment-id:2323507600 --> @ghost commented on GitHub (Sep 1, 2024): The concept of user-defineable conditionals seems useful even without "include" directive support. Should it be made into a separate feature enhancement for tracking? In general, some conditionals could be useful even for standard profiles. For example: paranoid=1 Currently, many profiles enable net access for example to not break some very rarely used feature. So, basically net access was enabled for a feature 1% of people use like maybe a music program uses it to fetch lyrics on request as an example. Expanded use of conditions could allow profiles to be written to have more aggressive profiles when it's okay if the program works 99% instead of 100%.
gitea-mirror commented 2026-05-05 09:53:20 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 1, 2024):

Or would it require some type of user action, such as the program with no net-access modifies another program that it hopes will be run unsandboxed (such as modifying the .profile file), so then that program can upload the data?

Yes, anything in that direction.

?HAS_XXX:

I somewhere suggested a ?HAS(...) but I can not find it anymore.

--conditional

If you already need to construct a firejail cmd, you can simply add the wanted includes. Conditionals an interesting for the firecfg case where you don't have a firejail cmd.

<!-- gh-comment-id:2323509907 --> @rusty-snake commented on GitHub (Sep 1, 2024): > Or would it require some type of user action, such as the program with no net-access modifies another program that it hopes will be run unsandboxed (such as modifying the .profile file), so then that program can upload the data? Yes, *anything* in that direction. > ?HAS_XXX: I somewhere suggested a `?HAS(...)` but I can not find it anymore. > --conditional If you already need to construct a firejail cmd, you can simply add the wanted includes. Conditionals an interesting for the firecfg case where you don't have a firejail cmd.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3281
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?