here for reference purposes, after I updated firecfg in f7925af7026fa90dd285407c0c869bfaeb3984ad
should this be a readme in src/firecfg with a comment added to firecfg.config?
commons: electron, clamav, chromium-common, firefox-common
compressors: 7z, 7za, 7zr, acat, adiff, als, apack, arepack, aunpack, bsdcat, bsdcpio, bsdtar, bunzip2, cpio, gtar, gunzip, gzip, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep, lzip, lzless, lzma, lzmadec, lzmainfo, lzmore, p7zip, tar, unlzma, unrar, unxz, unzip, xz, xzcat, xzcmp, xzdec, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
editors: emacs, nano, rnano, rview, rvim, vim, vimcat, vimdiff, vimpager, vimtutor
needs args: webui-aria2, tor, spectre-meltdown-checker, makepkg, cower, itch, fetchmail, aosp
file managers: thunar, Thunar, ranger, pcmanfm, nemo, caja, nautilus
known issues: gnome-ring, git
potential breakage: gpg-agent, gpg, gnome-pie, gnome-keyring-3, gnome-keyring, curl
special: Xvfb, default, server
terminals: x-terminal-emulator
window managers: openbox, i3, fluxbox, devilspie, devilspie2, blackbox, awesome
profiles that could probably be enabled: start-tor-browser.desktop, sftp, scp, file, mpd, gsettings, dconf
profiles included but disabled that could probably be enabled: pycharm-community, pycharm-professional, atom, atom-beta
curl is used during package updates in Arch so I would rather avoid it in firecfg.
Things which are already enabled in firecfg but IMO shouldn't be: patch, which is commonly used when building something, and less, which breaks manpages in Ubuntu due to conflicts with their AppArmor profile (which is enabled by default there).
@Vincent43 updated for curl
I haven't seen any issues with patch (both on its own, and nested under aosp.profile). I originally added patch because I read it was possible to execute code in it through ed.
less should be safe to remove.
Also, thoughts on enabling file, considering the recent CVE-2019-8904, CVE-2019-8905 and CVE-2019-8906?
I remember I had issues with patch when I built packages from AUR on Arch Linux. I don't have an opinion about file, perhaps it's something to test.
My experience with patch on Arch Linux when using makepkg (whether to build from AUR or from a repo PKGBUILD) stems from its profile not having libfakeroot included in private-lib. If memory serves I added libfakeroot to the file profile for the exact same reason. Seeing @Vincent43's comment here reminded me to check my patch.local and I've been using private-lib libfakeroot for over 2 years in there without issues. Apparently I never thought of proposing to add it to the patch profile too. Maybe something to consider.
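As an added example (not code from the firejail project or from anyone in this thread), the following POSIX shell script builds a throw-away profile directory mirroring the layout discussed above, a stripped-down patch.profile that includes patch.local, then walks the include chain and merges every private-lib directive so you can verify that libfakeroot actually reaches the merged list before relying on fakeroot-based tools such as makepkg. The profile contents are constructed, and the script assumes that "include <name>" resolves relative to the profile's own directory.

```shell
#!/bin/sh
# Throw-away profile directory holding a constructed patch.profile + patch.local.
PROFDIR="$(mktemp -d)"

# Constructed sample profile: the include lines come first, as in firejail profiles.
cat > "$PROFDIR/patch.profile" <<'EOF'
# patch profile (constructed sample, not the project's real file)
include patch.local
include globals.local
private-bin patch,ed
private-lib libed.so
private-dev
EOF

# Constructed local override, as described in the thread.
cat > "$PROFDIR/patch.local" <<'EOF'
private-lib libfakeroot
EOF

# collect_private_lib FILE: print the comma-separated merge of every private-lib
# directive in FILE and in the files it includes (in order). Missing includes are
# skipped, mirroring firejail ignoring an absent .local. Runs in a subshell so the
# accumulator stays local across recursion. Assumption: include paths are relative
# to the profile's directory.
collect_private_lib() (
    _dir=$(dirname "$1")
    _out=""
    while IFS= read -r line; do
        case "$line" in
            include\ *)
                _inc="$_dir/${line#include }"
                if [ -f "$_inc" ]; then
                    _sub=$(collect_private_lib "$_inc")
                    if [ -n "$_sub" ]; then _out="${_out:+$_out,}$_sub"; fi
                fi ;;
            private-lib\ *)
                _out="${_out:+$_out,}${line#private-lib }" ;;
        esac
    done < "$1"
    printf '%s' "$_out"
)

# has_libfakeroot FILE: succeed only if libfakeroot is in the merged private-lib list.
has_libfakeroot() {
    case ",$(collect_private_lib "$1")," in
        *,libfakeroot,*) return 0 ;;
        *) return 1 ;;
    esac
}

printf 'merged private-lib: %s\n' "$(collect_private_lib "$PROFDIR/patch.profile")"
if has_libfakeroot "$PROFDIR/patch.profile"; then
    echo "libfakeroot present: fakeroot (and so makepkg) can preload it under this profile"
else
    echo "libfakeroot missing: expect fakeroot/makepkg failures under this profile"
fi
```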
should this be a readme in src/firecfg with a comment added to firecfg.config?
That would be nice to have yes. I went ahead and added ffmpeg redirects, pragha and transmission redirects to firecfg.config in https://github.com/netblue30/firejail/pull/2546. That leaves 2 applications not yet covered here:
profiles that could probably be enabled?
editors?
Hope this helps to get the proposed readme out in fully updated condition.
Added redirect profiles for lrzip in https://github.com/netblue30/firejail/pull/2574. The included archivers (lrunzip, lrz, lrzcat, lrzip, lrztar, lrzuntar and zpaq) could fit nicely into the compressors category.
window managers
Don't think there's one for bspwm btw