[GH-ISSUE #733] how are unix sockets handled outside of the whitelist? #498

Closed
opened 2026-05-05 05:58:56 -06:00 by gitea-mirror · 9 comments

Originally created by @xahare on GitHub (Aug 19, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/733

Can a firejailed process with whitelists read from a Unix socket outside its whitelists? For example, can Firefox mess with /tmp/ssh-*?

For now, my Firefox profile looks like this (I still call it with private, net, and x11):

```
blacklist /tmp/ssh-*
include /etc/firejail/firefox.profile
```

@netblue30 commented on GitHub (Aug 20, 2016):

I'll have to blacklist /tmp/ssh-* in all browser profiles, thanks for the idea. If you use firejail --net=... all unix sockets are disabled.


@xahare commented on GitHub (Aug 20, 2016):

How about the top secret section of disable-common? Wouldn't want the gimp in my ssh either.


@chiraag-nataraj commented on GitHub (Aug 20, 2016):

> How about the top secret section of disable-common? Wouldn't want the gimp in my ssh either.

Re gimp specifically: just use `net none` in the profile - there's generally no reason gimp should have internet access 😉


@xahare commented on GitHub (Aug 20, 2016):

Even without internet access, I don't want that gimp in my sockets ;)

  1. evil file opened by gimp (or evince, totem, libreoffice etc)
  2. evil gimp extracts ssh key (some unknown vuln)
  3. insert favorite covert channel here
  4. all your base are belong to us

@chiraag-nataraj commented on GitHub (Aug 20, 2016):

That's true, but they can't actually get anything out to the world though since gimp won't have internet access 😉


@xahare commented on GitHub (Aug 20, 2016):

... insert favorite covert channel here

For example, steganography. It's a matter of least access required.

So really, the gimp should have a private temp, or one shared by apps you're using with it, like Blender calling it for texture painting.


@chiraag-nataraj commented on GitHub (Aug 20, 2016):

Oh man, interesting point - I didn't realize there are people who are more paranoid than me 😄

Just as a note, though, the biggest attack vectors are your email client and your web browser. Generally speaking, people don't normally go through images to steal information - they just hack in through an ssh back-door 😉


@netblue30 commented on GitHub (Aug 20, 2016):

OK, we disable them all over the place in disable-common.inc


@netblue30 commented on GitHub (Aug 22, 2016):

I've disabled them in disable-programs.inc and modified ssh.profile.

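A defender-side check for the question raised in this thread, added here as an example that is not firejail's own code: it follows `include` lines the way the Firefox profile above does, reports whether a path such as an ssh agent socket under /tmp/ssh-* is blacklisted anywhere in the chain, and whether a profile gets its own /tmp via `private-tmp`. The sample profiles and `$PROFDIR` are constructed stand-ins for the files in /etc/firejail, not the shipped ones.

```shell
#!/bin/sh
# Added example (not firejail's own code): follow a profile's include chain,
# then check whether a path is covered by a blacklist rule and whether the
# profile gets a private /tmp. Profiles below are constructed samples;
# $PROFDIR stands in for /etc/firejail, where relative includes resolve.
PROFDIR=$(mktemp -d)
cat > "$PROFDIR/disable-common.inc" <<'EOF'
# constructed stand-in for the stock disable-common.inc
blacklist /etc/shadow
EOF
cat > "$PROFDIR/firefox.profile" <<'EOF'
include disable-common.inc
EOF
cat > "$PROFDIR/local-firefox.profile" <<'EOF'
# the override from the thread: blacklist first, then include the stock profile
blacklist /tmp/ssh-*
include firefox.profile
EOF
cat > "$PROFDIR/gimp.profile" <<'EOF'
include disable-common.inc
net none
private-tmp
EOF
# Print every directive reachable from profile $1, following includes (depth $2).
directives() {
    [ "${2:-0}" -lt 16 ] || return 0               # guard against include loops
    while read -r key value; do
        case "$key" in
            include) f=$value
                     case "$f" in /*) ;; *) f="$PROFDIR/$f" ;; esac
                     if [ -f "$f" ]; then directives "$f" $((${2:-0} + 1)); fi ;;
            '#'*|'') ;;                            # comment or blank line
            *) printf '%s\n' "$key${value:+ $value}" ;;
        esac
    done < "$1"
}
# Return 0 if path $2 matches any blacklist glob reachable from profile $1.
path_blacklisted() {
    globs=$(mktemp)
    directives "$1" | awk '$1 == "blacklist" { print $2 }' > "$globs"
    hit=1
    while read -r glob; do
        case "$2" in $glob) hit=0; break ;; esac   # unquoted $glob acts as a pattern
    done < "$globs"
    rm -f "$globs"
    return "$hit"
}

# Return 0 if profile $1 (or anything it includes) sets private-tmp.
has_private_tmp() { directives "$1" | grep -qx 'private-tmp'; }
```

Run it against a real profile by pointing `PROFDIR` at /etc/firejail; a path that is not blacklisted and a profile without `private-tmp` are the cases the thread is worried about.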