github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 06:06:02 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions

[PR #6436] WIP: feature: add support for wayland-security-context-v1 #6018

New issue
Open
opened 2026-05-05 10:49:12 -06:00 by gitea-mirror · 0 comments
gitea-mirror commented 2026-05-05 10:49:12 -06:00
Owner
Copy link

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/6436
Author: @qwertviop
Created: 8/18/2024
Status: 🔄 Open

Base: masterHead: wayland-security-context

📝 Commits (1)

  • ed80013 WIP: add support for wayland-security-context-v1

📊 Changes

5 files changed (+37 additions, -1 deletions)

View changed files

📝 src/firejail/checkcfg.c (+6 -0)
📝 src/firejail/env.c (+2 -1)
📝 src/firejail/firejail.h (+1 -0)
📝 src/firejail/main.c (+6 -0)
src/firejail/wayland.c (+22 -0)

📄 Description

Add support for limiting access to privileged wayland protocols via security-context-v1

To do this firejail needs to create a new wayland socket and attach a security context to it, which it then passes to the sandboxed application.

See also: flatpak#4920

Todo:

  • build:
    • add wayland-protocols and wayland-scanner as build dependencies when building with HAVE_WAYLAND_SECURITY_CONTEXT
  • profiles:
    • check which programs can run natively under wayland. Start by looking for programs whitelisting the wayland socket and go from there.
  • src:
    • man: document changes
    • firemon: list which wayland display is in use and information about the attached security context
    • bash_completion, zsh_completion: add --wayland cli flag
    • jailcheck: test for presence of security-context global and creating a security context for an application
    • firejail:
      • implement wayland filter (either wayland for using a security context, or wayland none to disable access to wayland)
      • create wayland security context and attach it to a process. Should be pretty simple, I already wrote a small program that does it here.

Open Questions:

  • what to do with WAYLAND_SOCKET, see flatpak#5614:
    • unset it by default and add a global setting to allow it, which can be done on DEs which use them (KDE)
    • unset it by default and use a special filter option and enable it in profiles that commonly use this feature (check on flathub for apps which enable it). (this is the one that I find the most sensible)
    • don't unset it by default
  • sandbox_engine to use. Flatpak uses org.flatpak, use com.wordpress.firejail, thanks @rusty-snake
  • app_id to use. Flatpak uses the flatpak application ID (e.g. org.signal.Signal for the Signal messenger app), maybe use the name of the profile in use?
  • instance_id to use. Has to be unique to the currently running sandbox and should never be reused. Just use a (secure) random identifier from /dev/urandom or similar?

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/6436 **Author:** [@qwertviop](https://github.com/qwertviop) **Created:** 8/18/2024 **Status:** 🔄 Open **Base:** `master` ← **Head:** `wayland-security-context` --- ### 📝 Commits (1) - [`ed80013`](https://github.com/netblue30/firejail/commit/ed80013f4f554a40dff280aad1be0562067db0e8) WIP: add support for wayland-security-context-v1 ### 📊 Changes **5 files changed** (+37 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `src/firejail/checkcfg.c` (+6 -0) 📝 `src/firejail/env.c` (+2 -1) 📝 `src/firejail/firejail.h` (+1 -0) 📝 `src/firejail/main.c` (+6 -0) ➕ `src/firejail/wayland.c` (+22 -0) </details> ### 📄 Description Add support for limiting access to privileged wayland protocols via [security-context-v1](https://gitlab.freedesktop.org/wayland/wayland-protocols/-/tree/main/staging/security-context) To do this firejail needs to create a new wayland socket and attach a security context to it, which it then passes to the sandboxed application. See also: [flatpak#4920](https://github.com/flatpak/flatpak/pull/4920) Todo: - [ ] build: - [ ] add wayland-protocols and wayland-scanner as build dependencies when building with `HAVE_WAYLAND_SECURITY_CONTEXT` - [ ] profiles: - [ ] check which programs can run natively under wayland. Start by looking for programs whitelisting the wayland socket and go from there. - [ ] src: - [ ] man: document changes - [ ] firemon: list which wayland display is in use and information about the attached security context - [ ] bash_completion, zsh_completion: add `--wayland` cli flag - [ ] jailcheck: test for presence of `security-context` global and creating a security context for an application - [ ] firejail: - [ ] implement wayland filter (either `wayland` for using a security context, or `wayland none` to disable access to wayland) - [ ] create wayland security context and attach it to a process. Should be pretty simple, I already wrote a small program that does it [here](https://github.com/FelixPehla/run_with_wayland_security_context_v1). Open Questions: - what to do with `WAYLAND_SOCKET`, see [flatpak#5614](https://github.com/flatpak/flatpak/issues/5614): - unset it by default and add a global setting to allow it, which can be done on DEs which use them (KDE) - unset it by default and use a special filter option and enable it in profiles that commonly use this feature (check on flathub for apps which enable it). (this is the one that I find the most sensible) - don't unset it by default - `sandbox_engine` to use. Flatpak uses `org.flatpak`, use `com.wordpress.firejail`, thanks @rusty-snake - `app_id` to use. Flatpak uses the flatpak application ID (e.g. `org.signal.Signal` for the Signal messenger app), maybe use the name of the profile in use? - `instance_id` to use. Has to be unique to the currently running sandbox and should never be reused. Just use a (secure) random identifier from `/dev/urandom` or similar? --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
gitea-mirror added the
pull-request
 label 2026-05-05 10:49:12 -06:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#6018
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?