[GH-ISSUE #770] [enhancement] Redesign of private-tmp #521

Closed
opened 2026-05-05 06:02:23 -06:00 by gitea-mirror · 20 comments

Originally created by @chiraag-nataraj on GitHub (Sep 6, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/770

I'm wondering if the following is feasible.

  • Recommend (in the docs, etc.) that users disable the abstract X11 socket by adding `-nolisten local` to the X initialization script (xserverrc, .desktop file of your favorite login manager). This takes care of the messy situation with X11 abstract sockets and reduces the problem to locking down the ordinary unix socket in `/tmp/.X11-unix`.
  • Rewrite `--private-tmp` to whitelist `/tmp/.X11-unix` unless X11 isolation is being used so that X will continue to work even if you use `--net=none` and `--private-tmp`.

Thoughts?


@netblue30 commented on GitHub (Sep 6, 2016):

It is a good idea, I'll put it in, thanks.


@manevich commented on GitHub (Sep 6, 2016):

It's also possible to block access to X11 without blocking sockets by removing everything from the xhost access list, so the `MIT-MAGIC-COOKIE-1` from the `.Xauthority` file is used. And blacklist the `~/.Xauthority` file in the jail.

```
$ xhost
access control enabled, only authorized clients can connect
$ firejail --blacklist=${HOME}/.Xauthority xclock
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 25502, child pid 25503
Child process initialized
No protocol specified
Error: Can't open display: :0.0

Parent is shutting down, bye...
```

@xahare commented on GitHub (Sep 8, 2016):

@manevich what distro are you using?

Tried the above; xclock still ran. Also tried `--blacklist=/tmp/.X11-unix`; xlock still ran. This is on Ubuntu 16.04. Any idea? I'd like to be able to disable X11 access for apps that don't need it.


@manevich commented on GitHub (Sep 8, 2016):

@xahare
I am using Debian Stable.
Maybe my explanation was not so clear.
By default the result of the `xhost` command on Debian Stable is

```
$ xhost
access control enabled, only authorized clients can connect
SI:localuser:user
```

To remove entries from the access list, run an `xhost -something` command for each line, like this:
`xhost -SI:localuser:user`
Everything should work after this.


@chiraag-nataraj commented on GitHub (Sep 8, 2016):

@manevich Thanks for that - that's an interesting way to go about it! I guess I don't inherently trust X11's "security" model 😉


@xahare commented on GitHub (Sep 9, 2016):

Is there a way to block an app's access to X11 without depending on X11's access control or giving it its own X server?


@chiraag-nataraj commented on GitHub (Sep 9, 2016):

@xahare, you can do what I suggested be the default (i.e. look at the opening post). Basically, you have to disable the abstract socket and then blacklist the regular unix socket in order to make sure the program doesn't have access to X11. What I suggested above does that.


@chiraag-nataraj commented on GitHub (Sep 9, 2016):

@netblue30, you may want to provide a `--blacklist-xsocket` or something so that people who really want to block access to X can do so if you implement this suggestion.


@manevich commented on GitHub (Sep 9, 2016):

@chiraag-nataraj Welcome!
Well, I also don't trust it too much, but this is simple and works fine as an addition, or if blocking abstract sockets is not a solution.


@xahare commented on GitHub (Sep 9, 2016):

Thought I knew how this worked. Really glad this thread started! I'm missing something.

```
$ ss -lnt
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      5      192.168.122.1:53     *:*
LISTEN 0      5      127.0.1.1:53         *:*
LISTEN 0      128    *:22                 *:*
LISTEN 0      128    :::22                :::*
```

Didn't see anything on UDP ports either.

Yet,

```
firejail --net=none --private-tmp xlogo
firejail --net=none --blacklist=/tmp/.X11-unix xlogo
```

are needed to disable X. Leave out `--net=none` or one of the tmp blockers and xlogo runs. What's going on?

The goal is allowing network, but not X11. Also, now I just want to know what's going on!


@chiraag-nataraj commented on GitHub (Sep 9, 2016):

@xahare Here's what's going on.
By default, there are two different sockets (most distributions disable the TCP socket by default). There's the abstract socket (which, generally speaking, requires a network namespace to disable) and the standard unix socket (usually located in `/tmp`).

With respect to X11, you can handle both of these without having to create a new network namespace. You can disable the abstract socket as I described above, obviating the necessity of a network namespace. You can disable the unix socket by blacklisting it. Does that make sense? 😄

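The two-socket picture described in the comment above can be verified from `/proc/net/unix`, which lists every unix-domain socket on the host and prefixes abstract-namespace names with `@`. The following script is an added example, not code from the firejail project or from anyone in this thread; it parses constructed `/proc/net/unix` content (the `SAMPLE_PROC_NET_UNIX` string, labelled as such) and reports which X displays are still reachable from a sandbox that only hides `/tmp/.X11-unix`. It assumes the kernel's `/proc/net/unix` column layout and that the Flags value `00010000` (`__SO_ACCEPTCON`) marks a socket on which `listen()` was called; `read_live()` is a thin wrapper for running the same audit on a real Linux host.

```python
"""Audit X11 listening sockets from /proc/net/unix.

Added example (not code from the firejail project or from this thread).
It shows, on constructed data, why --private-tmp or a blacklist of
/tmp/.X11-unix alone cannot hide the X server when it also listens on the
abstract socket: the abstract listener has no path on the filesystem.

Format of /proc/net/unix (one socket per line, after a header):
  Num RefCount Protocol Flags Type St Inode Path
Abstract-namespace sockets show their name prefixed with '@'.
"""
import re
from typing import Dict, List

# Both socket kinds are named X<display>: the file /tmp/.X11-unix/X0 or the
# abstract name @/tmp/.X11-unix/X0 (same string with a leading NUL byte,
# which /proc renders as '@').
X11_SOCKET = re.compile(r"^(?P<abstract>@?)/tmp/\.X11-unix/X(?P<display>\d+)$")

# Flags value carrying __SO_ACCEPTCON, i.e. a socket that has called listen().
# Assumption about the kernel's /proc/net/unix encoding, see the lead-in.
ACCEPTCON_FLAGS = "00010000"


def classify_x11_listeners(proc_net_unix: str) -> Dict[str, List[int]]:
    """Return display numbers of X11 listening sockets, split by kind."""
    found: Dict[str, List[int]] = {"abstract": [], "filesystem": []}
    for line in proc_net_unix.strip().splitlines()[1:]:  # skip the header
        fields = line.split()
        if len(fields) < 8:
            continue  # unnamed socket, no Path column
        flags, path = fields[3], fields[7]
        if flags != ACCEPTCON_FLAGS:
            continue  # accepted connections repeat the path; not listeners
        match = X11_SOCKET.match(path)
        if match is None:
            continue
        kind = "abstract" if match.group("abstract") else "filesystem"
        found[kind].append(int(match.group("display")))
    for kind in found:
        found[kind].sort()
    return found


def displays_bypassing_tmp_isolation(proc_net_unix: str) -> List[int]:
    """Displays still reachable from a sandbox whose only X11 control is
    hiding /tmp/.X11-unix (--private-tmp, --blacklist=/tmp/.X11-unix)
    while it still shares the host network namespace."""
    return classify_x11_listeners(proc_net_unix)["abstract"]


def read_live() -> Dict[str, List[int]]:
    """Run the audit against the real /proc/net/unix on a Linux host."""
    with open("/proc/net/unix", encoding="utf-8") as fh:
        return classify_x11_listeners(fh.read())


# Constructed sample: display :0 started without '-nolisten local' (both
# listeners), display :1 started with it (filesystem socket only), plus an
# accepted client connection and unrelated sockets that must be ignored.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20001 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20002 @/tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 20003 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20004 /tmp/.X11-unix/X1
0000000000000000: 00000002 00000000 00010000 0001 01 20005 /run/dbus/system_bus_socket
0000000000000000: 00000002 00000000 00010000 0001 01 20006 @/tmp/dbus-abc123
0000000000000000: 00000002 00000000 00000000 0002 01 20007
"""

if __name__ == "__main__":
    listeners = classify_x11_listeners(SAMPLE_PROC_NET_UNIX)
    print("filesystem listeners:", listeners["filesystem"])
    print("abstract listeners:  ", listeners["abstract"])
    for display in displays_bypassing_tmp_isolation(SAMPLE_PROC_NET_UNIX):
        print(f"display :{display} also listens on the abstract socket; "
              "hiding /tmp/.X11-unix will not block it (use -nolisten local)")
```

On the constructed sample, display `:0` shows up in both lists and `:1` only as a filesystem socket, which is exactly the difference between an X server started with and without `-nolisten local`. Replacing the sample with `read_live()` turns the same logic into a quick check that the display-manager change actually took effect before relying on `--private-tmp` or a `/tmp/.X11-unix` blacklist.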

@xahare commented on GitHub (Sep 9, 2016):

@chiraag-nataraj Yes! Somehow I missed the memo on abstract sockets.


@xahare commented on GitHub (Sep 11, 2016):

The more I think about it, `-nolisten local` really belongs at the distro level, or maybe in Xorg itself as a default when installing on Linux.


@xahare commented on GitHub (Sep 11, 2016):

How do you do this?

[edit] Found it in `/usr/share/lightdm/lightdm.conf.d/50-xserver-command.conf`


@chiraag-nataraj commented on GitHub (Sep 11, 2016):

@xahare I agree that it should be a distro-level default, but apparently people don't seem to care much about this :( I think if distros started sandboxing programs by default (using firejail or AppArmor or SELinux or something), then you'd see a push to make this the default.


@xahare commented on GitHub (Sep 15, 2016):

I think this project cares about this, https://github.com/QubesOS/qubes-gui-agent-linux/compare/master...xahare:patch-1


@netblue30 commented on GitHub (Sep 19, 2016):

Modified `--private-tmp` as a whitelist of the `/tmp/.X11-unix` directory. Now I need to document how to disable the abstract X11 socket. Give it a try and if it is breaking something else, let me know.


@chiraag-nataraj commented on GitHub (Sep 19, 2016):

Awesome! I presume that if you *wanted* to blacklist `/tmp/.X11-unix` (as is currently the case), you could use the blacklist command?


@netblue30 commented on GitHub (Sep 19, 2016):

Yes, so for a server you would do `--private-tmp --blacklist=/tmp/.X11-unix`. I'll have to modify all server profiles there.


@chiraag-nataraj commented on GitHub (Sep 19, 2016):

Perfect! Thanks @netblue30!

Reference: github-starred/firejail#521