[PR #3286] [MERGED] Whitelist runuser common #4709

New issue

Closed

opened 2026-05-05 10:25:10 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:25:10 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3286
Author: @rusty-snake
Created: 3/19/2020
Status: ✅ Merged
Merged: 3/31/2020
Merged by: @rusty-snake

Base: master ← Head: whitelist-runuser-common

📝 Commits (10+)

683c0ae introduce whitelist-runuser-common.inc
76ae9fe wru update 1
09b34af add wruc to more profiles
5064405 fixes
3b4e7ed fixes
67eb4bf wruc: hide pulse pid
6af310a update
48ea150 remove wruc from all the x11 profiles
575e424 fixes [skip ci]
be767ba fix ordering [skip ci]

📊 Changes

74 files changed (+116 additions, -12 deletions)

View changed files

📝 RELNOTES (+1 -0)
📝 etc/baobab.profile (+2 -0)
📝 etc/celluloid.profile (+1 -0)
📝 etc/curl.profile (+2 -0)
📝 etc/d-feet.profile (+1 -0)
📝 etc/dconf-editor.profile (+1 -0)
📝 etc/dig.profile (+2 -0)
📝 etc/elinks.profile (+2 -0)
📝 etc/enchant.profile (+1 -0)
📝 etc/eo-common.profile (+1 -0)
📝 etc/evince.profile (+1 -0)
📝 etc/evolution.profile (+2 -0)
📝 etc/feedreader.profile (+1 -0)
📝 etc/file-roller.profile (+1 -0)
📝 etc/file.profile (+1 -0)
📝 etc/filezilla.profile (+2 -0)
📝 etc/flameshot.profile (+2 -0)
📝 etc/gedit.profile (+1 -0)
📝 etc/gfeeds.profile (+1 -0)
📝 etc/gitg.profile (+1 -0)

...and 54 more files

📄 Description

introduce whitelist-runuser-common.inc
60f822e

If an applications does not need a whitelist it can/should be
nowhitelisted. Example:

nowhitelist ${RUNUSER}/pulse
include whitelist-runuser-common.inc
${RUNUSER}/bus is inaccessible with nodbus regardless of the
whitelist. (as it should)
strange wayland setups with an second wayland-compostior need to
whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
some display-manager store there Xauthority file in ${RUNUSER}.
test results with fedora 31:
- ssdm: ~/.Xauthority is used
- lightdm: /run/lightdm/USER/Xauthority
- gdm: /run/user/UID/gdm/Xauthority
IMPORTANT: ATM we can only enable this for non-graphical and GTK3
programs because mutter (GNOMEs window-manger) stores the Xauthority
file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
where XXXXXX is random. Until we have whitelist globbing we can't
whitelist this file. QT/KDE and other toolkits without full wayland
support won't be able to start.

wru update 1
286ae11

add wru to more profiles.
blacklist ${RUNUSER} works for the most cli programs too.

~~todo: rebase and apply to gnome-screenshot~~ done

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/3286 **Author:** [@rusty-snake](https://github.com/rusty-snake) **Created:** 3/19/2020 **Status:** ✅ Merged **Merged:** 3/31/2020 **Merged by:** [@rusty-snake](https://github.com/rusty-snake) **Base:** `master` ← **Head:** `whitelist-runuser-common` --- ### 📝 Commits (10+) - [`683c0ae`](https://github.com/netblue30/firejail/commit/683c0aeacbd0245296be6daa9df3c980f4558668) introduce whitelist-runuser-common.inc - [`76ae9fe`](https://github.com/netblue30/firejail/commit/76ae9fe4963149637cb20caedec07d0f1c71a14b) wru update 1 - [`09b34af`](https://github.com/netblue30/firejail/commit/09b34afd58bfdce9ec77fb355c89887a09a99ce5) add wruc to more profiles - [`5064405`](https://github.com/netblue30/firejail/commit/5064405979670e1e01b6d33e1f5478918dd67259) fixes - [`3b4e7ed`](https://github.com/netblue30/firejail/commit/3b4e7ed3d7e628236ad8730996521e4b256958cb) fixes - [`67eb4bf`](https://github.com/netblue30/firejail/commit/67eb4bfb4f17a0eefbf5b8454c65085a175a1c59) wruc: hide pulse pid - [`6af310a`](https://github.com/netblue30/firejail/commit/6af310aad49de3bbafa23f3c06c26a70e6596da3) update - [`48ea150`](https://github.com/netblue30/firejail/commit/48ea1509f3657bcb601350f8819bfaa3a6f82341) remove wruc from all the x11 profiles - [`575e424`](https://github.com/netblue30/firejail/commit/575e4243c14646aef44135ebe548a02550405fdb) fixes [skip ci] - [`be767ba`](https://github.com/netblue30/firejail/commit/be767ba91eb686f27219151a32da0097a1cac1e2) fix ordering [skip ci] ### 📊 Changes **74 files changed** (+116 additions, -12 deletions) <details> <summary>View changed files</summary> 📝 `RELNOTES` (+1 -0) 📝 `etc/baobab.profile` (+2 -0) 📝 `etc/celluloid.profile` (+1 -0) 📝 `etc/curl.profile` (+2 -0) 📝 `etc/d-feet.profile` (+1 -0) 📝 `etc/dconf-editor.profile` (+1 -0) 📝 `etc/dig.profile` (+2 -0) 📝 `etc/elinks.profile` (+2 -0) 📝 `etc/enchant.profile` (+1 -0) 📝 `etc/eo-common.profile` (+1 -0) 📝 `etc/evince.profile` (+1 -0) 📝 `etc/evolution.profile` (+2 -0) 📝 `etc/feedreader.profile` (+1 -0) 📝 `etc/file-roller.profile` (+1 -0) 📝 `etc/file.profile` (+1 -0) 📝 `etc/filezilla.profile` (+2 -0) 📝 `etc/flameshot.profile` (+2 -0) 📝 `etc/gedit.profile` (+1 -0) 📝 `etc/gfeeds.profile` (+1 -0) 📝 `etc/gitg.profile` (+1 -0) _...and 54 more files_ </details> ### 📄 Description introduce whitelist-runuser-common.inc 60f822e * If an applications does not need a whitelist it can/should be nowhitelisted. Example: nowhitelist ${RUNUSER}/pulse include whitelist-runuser-common.inc * ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should) * strange wayland setups with an second wayland-compostior need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on. * some display-manager store there Xauthority file in ${RUNUSER}. test results with fedora 31: - ssdm: ~/.Xauthority is used - lightdm: /run/lightdm/USER/Xauthority - gdm: /run/user/UID/gdm/Xauthority * IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOMEs window-manger) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start. wru update 1 286ae11 - add wru to more profiles. - blacklist ${RUNUSER} works for the most cli programs too. ~todo: rebase and apply to gnome-screenshot~ done --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:25:10 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#4709

No description provided.

Rows
Columns