Firejail: [enhancement] Allow more fine-grained ignore predicates

Created on 14 Jul 2018  路  8Comments  路  Source: netblue30/firejail

So right now, the way ignore works is that you use ignore <predicate> and it ignores all predicates of that type. I'm wondering if we can fine-tune this a bit to select which specific instance of the predicate to ignore. As an example, in my profiles, I have a common.inc which does most of the common stuff. But occasionally, I need to ignore one or two predicates (otherwise the program will break). Two predicates I have in this file are noexec ${HOME} and noexec /tmp. I want to ignore noexec /tmp while preserving noexec ${HOME}. Of course, one way would be to split this up into two different files (or more) to allow more granularity in my imports. But the nice thing about the current system is that I just have one import command which is easy to remember. @netblue30, what would it take to ignore a specific instance of a predicate instead of every instance?

information
Source
picture chiraag-nataraj
👍1

Most helpful comment

I'll take over and implement it, unless you guys have already something going.

picture startx2017 on 26 Jul 2018
👍3

All 8 comments

I kind of run into this problem all the time with the networking commands when I move profiles from one computer to another. The code for ignore is in profile.c. It is something very simple in this moment, if you have an idea we can expand it.

netblue30 picture netblue30 on 15 Jul 2018
👍2

@netblue30 How about matching the full line rather than just the predicate itself? That way, you can select specific instances of the predicate to ignore. If only the predicate is given, all instances are ignored (as is the current behavior).

chiraag-nataraj picture chiraag-nataraj on 16 Jul 2018
👍1

What if we add another option, --ignore-match? We can add it on top of the regular ignore code, and if we need we can always add more similar options.

netblue30 picture netblue30 on 17 Jul 2018
👍1

That seems like an okay idea. Personally, I don't see why we can't change the behavior of the current ignore predicate, but if this seems like a better idea to you, let's go with it :)

chiraag-nataraj picture chiraag-nataraj on 21 Jul 2018

I'll take over and implement it, unless you guys have already something going.

startx2017 picture startx2017 on 26 Jul 2018
👍3

Funny, the current code already allows ignoring full profile lines. Example:
firejail --ignore="net eth0" program firejail --ignore="blacklist /dev/null" program
In profile file use
ignore net eth0 ignore blacklist /dev/null
I'll modify man pages.

startx2017 picture startx2017 on 3 Aug 2018
🎉1

@startx2017 Oh man...let me try this now.

chiraag-nataraj picture chiraag-nataraj on 6 Aug 2018

Oh man, it _does_ work! Awesome.

chiraag-nataraj picture chiraag-nataraj on 6 Aug 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

francoism90 picture francoism90  路  4Comments
nuxwin picture nuxwin  路  3Comments
thiswillbeyourgithub picture thiswillbeyourgithub  路  3Comments
dandelionred picture dandelionred  路  3Comments
semente picture semente  路  4Comments