[GH-ISSUE #793] Overhaul of Profiles #536

Closed
opened 2026-05-05 06:04:23 -06:00 by gitea-mirror · 8 comments

Originally created by @SkewedZeppelin on GitHub (Sep 18, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/793

So profiles right now are a mess: they're all in different formats by different people, and profiles get added without disable-programs.inc getting updated. So I made a program that handles all programs in a streamlined XML file and then generates .profiles from that. I have manually rewritten all current profiles into said XML, and the generator spits out nice and tidy .profiles. I plan on making a pull request soon that replaces all the old profiles with the new ones. But I'd like some people to take a look over to make sure I didn't forget anything too major. A few profiles were also added and some were made more strict.

Links:
[Repository](https://github.com/SpotComms/FirejailProfileGenerator)
[XML](https://github.com/SpotComms/FirejailProfileGenerator/blob/master/Firejail_Config.xml)
[Profiles](https://github.com/SpotComms/FirejailProfileGenerator/tree/master/generated)
[Program](https://github.com/SpotComms/FirejailProfileGenerator/blob/master/src/info/spotcomms/firejailprofilegenerator/Main.java)
[Help Test](https://github.com/SpotComms/FirejailProfileGenerator/issues/1)

@chiraag-nataraj commented on GitHub (Sep 19, 2016):

+1 for anything that streamlines the profiles. I've gotten to the point where I've just created my own profiles for every program that I use since I'm never sure exactly what's being blocked by which profile and it's usually easier to whitelist rather than blacklist (as the default profiles do).


@netblue30 commented on GitHub (Sep 19, 2016):

This is very cool! How difficult would it be to port the code to C or C++ and merge it into the firecfg utility (src/firecfg directory)? We can make it part of the build, and also let the user generate an xml file with all the configuration and later move it to a different computer.


@SkewedZeppelin commented on GitHub (Sep 19, 2016):

I could give it a go and port to C++; do you have a specific XML parser in mind? As for merging it into firecfg, shouldn't it be alongside? My goal was that people should stop making .profiles (because they don't update disable-programs.inc) and instead update the .xml. So the .XML gets bundled with firejail, and when they 'make' the project, a standalone program converts the .XML into the .profiles (streamlined in the build process) to be packaged. The end goal is to have firejail directly support the .XML and stop using .profiles. In the meantime the generator program is a stop-gap. And after/before that I was thinking about making a (foss) website that lists all the currently available profiles and lets users create their own and request changes to existing ones. It'll also allow users to report whether or not they work, which would help declutter the GitHub issues page of firejail, so that more users can have more firejailed applications. Obviously those are major changes and this is your project, so what are your thoughts?


@netblue30 commented on GitHub (Sep 19, 2016):

Sure, make it standalone C++ and look at tinyxml2 (http://www.grinninglizard.com/tinyxml2/). It is probably available in all distributions; if not, it is small enough to include a copy of it in the program. For the next release we can just run it on all profiles in the etc/firejail directory during the build and clean them up. In phase 2 we distribute only the xml file and generate the profiles at install time, or we can go with xml support directly in firejail.

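The generator the thread is discussing, as an added example: this is not the FirejailProfileGenerator code linked above, nor anything shipped with firejail. It parses one XML description of all programs, emits a `.profile` per program plus a `disable-programs.inc` that blacklists every program's private directories for everyone else, and then runs the consistency check the hand-written profiles lacked (a directory a profile `noblacklist`s but which `disable-programs.inc` never blacklists). The XML schema (`<programs>/<program name>/<userdir>/<include>/<option>`), the output file names, and the sample entries for surf and keepassx are assumptions made for this example; the option lines are passed through verbatim as firejail profile directives.

```python
"""Generate firejail .profile files and disable-programs.inc from one XML file.

Added example for this thread, not the project's own generator.  The XML
schema and the sample programs below are constructed for illustration.
"""
import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample config; the real Firejail_Config.xml looks different.
SAMPLE_XML = """<programs>
  <program name="surf">
    <userdir>.surf</userdir>
    <userdir>.config/surf</userdir>
    <include>disable-common.inc</include>
    <include>disable-devel.inc</include>
    <option>caps.drop all</option>
    <option>seccomp</option>
    <option>noroot</option>
    <option>nonewprivs</option>
    <option>nogroups</option>
    <option>private-dev</option>
    <option>private-tmp</option>
    <option>nosound</option>
    <option>env http_proxy=socks5://127.0.0.1:9052</option>
  </program>
  <program name="keepassx">
    <userdir>.config/keepassx</userdir>
    <include>disable-common.inc</include>
    <option>caps.drop all</option>
    <option>seccomp</option>
    <option>net none</option>
  </program>
</programs>
"""


@dataclass
class Program:
    name: str
    userdirs: list = field(default_factory=list)  # paths under $HOME the app owns
    includes: list = field(default_factory=list)  # /etc/firejail/*.inc to pull in
    options: list = field(default_factory=list)   # raw profile directives


def parse_config(xml_text):
    """Turn the XML into Program records; a <program> without a name is an error."""
    root = ET.fromstring(xml_text)
    programs = []
    for node in root.findall("program"):
        name = node.get("name")
        if not name:
            raise ValueError("<program> element without a name attribute")
        programs.append(Program(
            name=name,
            userdirs=[d.text.strip() for d in node.findall("userdir")],
            includes=[i.text.strip() for i in node.findall("include")],
            options=[o.text.strip() for o in node.findall("option")],
        ))
    return programs


def render_disable_programs(programs):
    """disable-programs.inc: every program's private dirs, blacklisted for all.
    Each program's own profile re-enables its dirs with noblacklist."""
    lines = ["# generated: per-application user directories, blacklisted by default"]
    for p in sorted(programs, key=lambda p: p.name):
        for d in sorted(p.userdirs):
            lines.append(f"blacklist ${{HOME}}/{d}")
    return "\n".join(lines) + "\n"


def render_profile(program):
    """One .profile.  noblacklist lines come first, before the includes that
    blacklist the same paths, which is the ordering firejail's own profiles use."""
    lines = [f"# firejail profile for {program.name} (generated from XML)"]
    lines += [f"noblacklist ${{HOME}}/{d}" for d in program.userdirs]
    lines += [f"include /etc/firejail/{inc}" for inc in program.includes]
    lines.append("include /etc/firejail/disable-programs.inc")
    lines += program.options
    return "\n".join(lines) + "\n"


def generate(xml_text):
    """Return {filename: contents} for every file the build would write."""
    programs = parse_config(xml_text)
    files = {"disable-programs.inc": render_disable_programs(programs)}
    for p in programs:
        files[f"{p.name}.profile"] = render_profile(p)
    return files


def unprotected_userdirs(programs, disable_programs_text):
    """Dirs some profile noblacklists that disable-programs.inc never blacklists,
    i.e. private data of app A still readable from inside app B's sandbox."""
    covered = {line.split(None, 1)[1] for line in disable_programs_text.splitlines()
               if line.startswith("blacklist ")}
    return sorted(f"${{HOME}}/{d}" for p in programs for d in p.userdirs
                  if f"${{HOME}}/{d}" not in covered)


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "generated"
    os.makedirs(out, exist_ok=True)
    for fname, text in generate(SAMPLE_XML).items():
        with open(os.path.join(out, fname), "w") as fh:
            fh.write(text)
        print("wrote", os.path.join(out, fname))
```

Run it with an output directory to get the generated files; in a build the same step would run over the bundled XML and the result is what gets packaged into /etc/firejail. The point of `unprotected_userdirs` is that, with every program in one XML file, the blacklist in `disable-programs.inc` is derived from the same data as the profiles, so the "profile added but disable-programs.inc not updated" mistake cannot happen silently.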

@Anyon3 commented on GitHub (Sep 23, 2016):

Hi,

I'm using firejail for almost (if not all) my apps, but I have a different approach and I'm not sure if it's the right/best way to tighten them.

I'm making a small bash script for each of them; most of them end like this:
(example for the surf browser of suckless.org; some of the displayed variables are set at the top of my script)

`firejail --nogroups --private-tmp --private-dev --noprofile --seccomp --private=~/$datadir --noroot --nonewprivs --caps.drop=all --nosound --env=http_proxy=socks5://127.0.0.1:9052 tabbed surf -d -g -a @ -s -u "$useragent" -e;`

Any comment about this way of use? Thanks


@SkewedZeppelin commented on GitHub (Sep 23, 2016):

@Anyon3 afaik you can't use symlink invocation without using the .profiles. Also, assuming you didn't know about that feature, [here](https://l3net.wordpress.com/2016/02/04/firejail-0-9-38-release-announcement/) is a link to the post about it (tl;dr `sudo ln -s /usr/bin/firejail /usr/local/bin/[app you want to sandbox]`), so you can launch your apps using normal .desktop files instead of a bunch of bash scripts. But I see you're setting some extra flags anyway; you know what works best for you.

@Anyon3 commented on GitHub (Sep 23, 2016):

Thanks for the tips

I'm using fluxbox as WM and have no icons on my desktop; every bash script is registered in the menu (.fluxbox/menu), and some of them actually use the default profile (when --noprofile isn't used).

Is there any security gain from symlink invocation, or, as shown in my example (inline), can it get the same features/level of restriction?

@SkewedZeppelin commented on GitHub (Sep 23, 2016):

@Anyon3 Nope same security.
