[PR #3766] [MERGED] Miscellaneous whitelist-runuser-common fixes #4875

Closed
opened 2026-05-05 10:28:10 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3766
Author: @kris7t
Created: 11/22/2020
Status: Merged
Merged: 11/22/2020
Merged by: @netblue30

Base: master ← Head: runuser-fixes


📝 Commits (2)

  • 31b50be Fix typo in thunderbird.profile
  • e24679e Whitelist wayland-1 socket

📊 Changes

2 files changed (+2 additions, -1 deletions)

📝 etc/inc/whitelist-runuser-common.inc (+1 -0)
📝 etc/profile-m-z/thunderbird.profile (+1 -1)

📄 Description

  1. We must ignore include whitelist-runuser-common.profile because it breaks Enigmail (TB 68) and GnuPG smartcard (TB 78) support. The current thunderbird.profile had a small typo, so the include wasn't ignored.

However, since the update to Thunderbird 78, Thunderbird does not call the gnupg agent for any GPG public key operations, and only calls it for private key operations if mail.openpgp.allow_external_gnupg is set (to allow the use of smart cards). So, this being a quite niche use-case, we might think about including whitelist-runuser-common.profile anyways, and leaving only a comment for gnupg agent users.

Alternatively, I had some success with just whitelist ${RUNUSER}/gnupg (in conjunction with writable-run-user already in thunderbird.profile), but that only works if ${RUNUSER}/gnupg already exists, I think. Maybe mkdir ${RUNUSER}/gnupg could help here?

  2. If the GDM display manager runs with Wayland support, and it starts a desktop environment other than (?) GNOME, the desktop environment will use the wayland-1 socket instead of the wayland-0 socket. Here, I just allow wayland-1, too.

Situations where wayland-2 or higher ends up being the default socket seem much rarer (but might be possible to trigger with nested compositors, see e.g. sway's wayland backend). So we might think about allowing higher numbers, too.

I'm not sure about the pipewire-0 (and possibly higher) sockets. Screen sharing with browsers under Wayland (with wlr-desktop-portal) might rely on them, but I haven't had the chance to experiment.

Note that exposing multiple Wayland sockets might be a security hole if multiple sockets are created (e.g. with nested compositors, proxies à la dbus-proxy, or security features provided by compositors) for different applications. Such setups are probably extremely niche currently. If they become popular, we might try to add direct support for them inside firejail (like dbus-user and dbus-system). In the meantime, those require manual configuration, but we should document which Wayland sockets are allowed by default (so they can be blocked when desired).


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
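One way to audit the concern raised in the description (knowing which Wayland sockets a whitelist include lets through, and whether more than one is reachable), as an added example that is not part of the PR or of firejail. The function names, the sample include contents and the plain files standing in for compositor sockets are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which wayland-N entries in a runtime directory a
# firejail include file would let through via its whitelist lines.

# Print the names whitelisted directly under ${RUNUSER} in include file $1.
whitelisted_names() {
    awk '$1 == "whitelist" && index($2, "${RUNUSER}/") == 1 {
             print substr($2, length("${RUNUSER}/") + 1) }' "$1"
}

# For each wayland-N entry in runtime dir $2, print "<name> exposed" or
# "<name> hidden" according to include file $1. Lock files are skipped.
wayland_exposure() {
    allowed=$(whitelisted_names "$1")
    for path in "$2"/wayland-*; do
        [ -e "$path" ] || continue          # glob matched nothing
        name=${path##*/}
        case $name in *.lock) continue ;; esac
        if printf '%s\n' "$allowed" | grep -Fxq -- "$name"; then
            echo "$name exposed"
        else
            echo "$name hidden"
        fi
    done
}

# Number of exposed sockets; more than one is the case the description flags.
exposed_count() {
    wayland_exposure "$1" "$2" | grep -c ' exposed$' || true
}

# Constructed sample: an include with two whitelist lines and a runtime
# directory with plain files standing in for three compositor sockets.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample, not the real include' \
        'whitelist ${RUNUSER}/wayland-0' \
        'whitelist ${RUNUSER}/wayland-1' > "$d/sample.inc"
    mkdir "$d/run"
    touch "$d/run/wayland-0" "$d/run/wayland-0.lock" \
          "$d/run/wayland-1" "$d/run/wayland-2"
    echo "$d"
}

sample=$(make_sample)
wayland_exposure "$sample/sample.inc" "$sample/run"
echo "exposed sockets: $(exposed_count "$sample/sample.inc" "$sample/run")"
rm -rf "$sample"
```

On a real system, pass the installed include file and the user's runtime directory as the two arguments.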

Reference: github-starred/firejail#4875