github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1446] Allow private-dev to accept aditional devices #973

New issue
Closed
opened 2026-05-05 07:14:39 -06:00 by gitea-mirror · 10 comments
gitea-mirror commented 2026-05-05 07:14:39 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Aug 9, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1446

Currently private-dev create default device whitelist which can't be adjusted. I think it would be good to allow expanding it with additional devices similar as in private-bin option. Example:
private-dev dvb

Above will allow default /dev whitelist + /dev/dvb. It will allow adding private-dev to much more apps which need one or two specific devices. It would be way easier than maintaining app specific device whitelists and more secure than disabling private-dev altogether, see https://github.com/netblue30/firejail/pull/1445 . Also this will lose pressure for adding additional devices to default whitelist, see https://github.com/netblue30/firejail/issues/608

Originally created by @ghost on GitHub (Aug 9, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1446 Currently `private-dev` create default device whitelist which can't be adjusted. I think it would be good to allow expanding it with additional devices similar as in `private-bin` option. Example: `private-dev dvb` Above will allow default `/dev` whitelist + `/dev/dvb`. It will allow adding `private-dev` to much more apps which need one or two specific devices. It would be way easier than maintaining app specific device whitelists and more secure than disabling `private-dev` altogether, see https://github.com/netblue30/firejail/pull/1445 . Also this will lose pressure for adding additional devices to default whitelist, see https://github.com/netblue30/firejail/issues/608
gitea-mirror 2026-05-05 07:14:39 -06:00
gitea-mirror commented 2026-05-05 07:14:44 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Aug 9, 2017):

I guess that would also allow us to better integrate Yubikey-enabled apps

<!-- gh-comment-id:321244622 --> @smitsohu commented on GitHub (Aug 9, 2017): I guess that would also allow us to better integrate Yubikey-enabled apps
gitea-mirror commented 2026-05-05 07:14:44 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Aug 9, 2017):

@smitsohu for Yubikey it'd still require whitelisting hidraw*, unless you could filter using vendor id.

<!-- gh-comment-id:321245882 --> @SkewedZeppelin commented on GitHub (Aug 9, 2017): @smitsohu for Yubikey it'd still require whitelisting hidraw*, unless you could filter using vendor id.
gitea-mirror commented 2026-05-05 07:14:46 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Aug 9, 2017):

As I understand private-dev hidraw* would be enough.

<!-- gh-comment-id:321250271 --> @ghost commented on GitHub (Aug 9, 2017): As I understand `private-dev hidraw*` would be enough.
gitea-mirror commented 2026-05-05 07:14:48 -06:00
Author
Owner
Copy link

@startx2017 commented on GitHub (Aug 9, 2017):

Support for dvb is on mainline, give it a try, I don't have a dvb card.

/dev/dvb will be allowed by default in private-dev.

If it is working, I'll add a --notv command (notv in profile files), similar to novideo and nosound.

<!-- gh-comment-id:321361048 --> @startx2017 commented on GitHub (Aug 9, 2017): Support for dvb is on mainline, give it a try, I don't have a dvb card. /dev/dvb will be allowed by default in private-dev. If it is working, I'll add a --notv command (notv in profile files), similar to novideo and nosound.
gitea-mirror commented 2026-05-05 07:14:50 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Aug 9, 2017):

Isn't better and easier to adjust private-dev? As I stated above it'll eliminate pressure for adding new devices to default list, which 90% apps doesn't ever need and introducing dozens of no3d,novideo,notv, no* options which will clutter profiles?

<!-- gh-comment-id:321369204 --> @ghost commented on GitHub (Aug 9, 2017): Isn't better and easier to adjust `private-dev`? As I stated above it'll eliminate pressure for adding new devices to default list, which 90% apps doesn't ever need and introducing dozens of `no3d,novideo,notv, no*` options which will clutter profiles?
gitea-mirror commented 2026-05-05 07:14:51 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Aug 9, 2017):

@startx2017 I don't have TV signal in the moment :-) But I can confirm that the DVB device is availabe inside the sandbox, with private-dev enabled.

EDITED: From all media players that have Firejail support currently, it seems VLC, MPlayer, Gnome-MPlayer, SMPlayer, Totem, mpv and Kodi are DVB-capable (one could also count Mediathekview, though that is debatable). Which means that an option notv should go to all other profiles with private-dev.

<!-- gh-comment-id:321389871 --> @smitsohu commented on GitHub (Aug 9, 2017): @startx2017 I don't have TV signal in the moment :-) But I can confirm that the DVB device is availabe inside the sandbox, with `private-dev` enabled. EDITED: From all media players that have Firejail support currently, it seems VLC, MPlayer, Gnome-MPlayer, SMPlayer, Totem, mpv and Kodi are DVB-capable (one could also count Mediathekview, though that is debatable). Which means that an option `notv` should go to all other profiles with `private-dev`.
gitea-mirror commented 2026-05-05 07:14:52 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 10, 2017):

Thanks @smitsohu!

Let's go for --notv. I'll add it to all profiles after the current round of merges from @SpotComms.

I'm not too worried about cluttering, we'll clean them later. I think we can collapse several of them into something like "service sound,video,tv,3d" the way we did we "protocol inet,inet6,unix..."

<!-- gh-comment-id:321424156 --> @netblue30 commented on GitHub (Aug 10, 2017): Thanks @smitsohu! Let's go for --notv. I'll add it to all profiles after the current round of merges from @SpotComms. I'm not too worried about cluttering, we'll clean them later. I think we can collapse several of them into something like "service sound,video,tv,3d" the way we did we "protocol inet,inet6,unix..."
gitea-mirror commented 2026-05-05 07:14:55 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Aug 10, 2017):

@startx2017 Thanks for fixing!

<!-- gh-comment-id:321500698 --> @smitsohu commented on GitHub (Aug 10, 2017): @startx2017 Thanks for fixing!
gitea-mirror commented 2026-05-05 07:14:56 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Aug 10, 2017):

@netblue30

I'm not too worried about cluttering, we'll clean them later. I think we can collapse several of them into something like "service sound,video,tv,3d" the way we did we "protocol inet,inet6,unix..."

My proposition will look exactly like this without inventing new config options: private-dev dri,video,dvb... Also this way private-dev can be an universal option which can be added to every profile as tailoring it to problematic app doesn't need further changing code in firejail to expand whitelist then change code again to provide new no* option and so on...

I don't see the point of creating many new options which purpose is to blacklist one single file. It weakens private-dev as it's default whitelist is getting bigger and bigger, therefore adding it would involve need to add most no* options at the same time to counter this effect. I bet many new profile submissions will miss some of those which means that maintainers would have to constantly monitoring and adjusting new profiles.

Is there something I miss? Why you are reluctant to adjust private-dev instead?

<!-- gh-comment-id:321529665 --> @ghost commented on GitHub (Aug 10, 2017): @netblue30 > I'm not too worried about cluttering, we'll clean them later. I think we can collapse several of them into something like "service sound,video,tv,3d" the way we did we "protocol inet,inet6,unix..." My proposition will look exactly like this without inventing new config options: `private-dev dri,video,dvb...` Also this way `private-dev` can be an universal option which can be added to every profile as tailoring it to problematic app doesn't need further changing code in firejail to expand whitelist then change code again to provide new `no*` option and so on... I don't see the point of creating many new options which purpose is to blacklist one single file. It weakens `private-dev` as it's default whitelist is getting bigger and bigger, therefore adding it would involve need to add most `no*` options at the same time to counter this effect. I bet many new profile submissions will miss some of those which means that maintainers would have to constantly monitoring and adjusting new profiles. Is there something I miss? Why you are reluctant to adjust `private-dev` instead?
gitea-mirror commented 2026-05-05 07:14:58 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 11, 2017):

I don't see the point of creating many new options which purpose is to blacklist one single file.

It is more than a single file. For example --nosound has some files in /dev and also PulseAudio. For --novideo (videocamera) there are files in /dev and they are already taking about doing something similar to PulseAudio, bringing in daemons and sockets. --notv and --no3d are strictly based on /dev but this can also change. Going forward we can also start integrating them with private-bin and private-lib.

Yes, in the short run we'll clutter the profile files, but we'll clean them at some point and collapse all of them on a single line, something like "service sound,video,tv,etc...", or "subsystem sound,video,tv..." to give it a better name. My feeling is we should target subsystems in the profile files instead of individual files - the files are changing all the time. I am looking now at /dev/dvd and /dev/cdrom - it is quite a mess, no two distributions are the same.

Anyway, we can always go back to managing individual files under /dev as you propose, we already have support for /dev under --whitelist command.

<!-- gh-comment-id:321832042 --> @netblue30 commented on GitHub (Aug 11, 2017): > I don't see the point of creating many new options which purpose is to blacklist one single file. It is more than a single file. For example --nosound has some files in /dev and also PulseAudio. For --novideo (videocamera) there are files in /dev and they are already taking about doing something similar to PulseAudio, bringing in daemons and sockets. --notv and --no3d are strictly based on /dev but this can also change. Going forward we can also start integrating them with private-bin and private-lib. Yes, in the short run we'll clutter the profile files, but we'll clean them at some point and collapse all of them on a single line, something like "service sound,video,tv,etc...", or "subsystem sound,video,tv..." to give it a better name. My feeling is we should target subsystems in the profile files instead of individual files - the files are changing all the time. I am looking now at /dev/dvd and /dev/cdrom - it is quite a mess, no two distributions are the same. Anyway, we can always go back to managing individual files under /dev as you propose, we already have support for /dev under --whitelist command.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#973
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?