Firejail: Creating overrides

Created on 9 Jul 2020 · 11 comments · Source: netblue30/firejail

All 11 comments

The "Add access to a directory" section needs more work:

  • noblacklist foo is only needed if we have blacklist foo
  • the section does not cover whitelisting profiles

Good, it should be made clearer that whitelist may only be used if it is a whitelisting profile, otherwise it will break the program. Whitelisting is only supported in $HOME, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var. So whitelist /myimportant.file will throw errors.

I can change the path, that is no problem. The manpage is a bit unclear though, it says it could be one of those directories:
https://github.com/netblue30/firejail/blob/03550e94cb007346f9f172fafd156fb2cbd2cb5e/src/man/firejail.txt#L2612

I tested several profiles (firefox, bash, viewnior, remmina, exiftool) via globals.local and none of them broke when I tested whitelist and noblacklist or nowhitelist and blacklist. Bash should be a blacklisting profile, right? Or do you mean that it breaks when no whitelist is used? Many profiles have multiple includes so the profile will contain blacklist and whitelist.
Could you show me an example where it would break?

side-note: bash has no profile.
If you want to allow ${DOCUMENTS} for e.g. eog and add whitelist ${DOCUMENTS}, then eog can no longer read its config. So whitelist ${HOME}/foo should only be used for whitelisting profiles (the profiles with include whitelist-common.inc).

Is a profile also a whitelisting profile if it only includes whitelist-var-common.inc but not whitelist-common.inc? An example for this would be amarok.profile.

yes and no. yes, because whitelisting happens (even things like private-etc do whitelisting internally). However the terms whitelisting-profile and blacklisting-profile (as they are used by people) refer to the protection-level of the files in your home. Finally no, it would be more confusing if we called every profile with any whitelist a whitelisting-profile.

The reason why I asked is because whitelist might break non-whitelisting profiles, right? Someone asked me this in an IRC channel (we really need a Firejail IRC channel btw) and I was not sure if it would break this particular profile.
The wiki page contains

If a profile does not contain include whitelist-common.inc, it is not a whitelisting profile and will break.

I suspect that it depends on the used paths but I am not sure yet. To quote the manual:

A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside.

Using features like private-etc seems to not be enough to "convert" it to a whitelisting profile, most likely because the whitelisting is internal, as mentioned. But whitelist seems to break the profile and does not "convert" it, in some cases.

What makes a profile a whitelisting profile except include whitelist-common.inc? I would like to improve the important note below the "Allow access to a file or directory" snippet.

What makes a profile a whitelisting profile except include whitelist-common.inc?

If a profile (or any of its includes) contains whitelist ${HOME}/… it's a whitelisting-profile. The note with include whitelist-common.inc looked like it is easier since some profiles only have include wc.inc, but only a few profiles have whitelist ${HOME} w/o wc.inc.

Here they are (at least gitter and standardnotes-desktop should probably include wc)

$ grep -L "^# Redirect" $(grep -l "^whitelist \${HOME}" $(grep -L "^include whitelist-common.inc" /etc/firejail/*.profile))
/etc/firejail/gitter.profile
/etc/firejail/links.profile
/etc/firejail/mpDris2.profile
/etc/firejail/redshift.profile
/etc/firejail/rtv.profile
/etc/firejail/standardnotes-desktop.profile

The reason why I asked is because whitelist might break non-whitelisting profiles, right?

Yes, if you add whitelist ${HOME}/... to a blacklisting-profile the program no longer has access to its config-files, documents, ... unless you whitelist them. Some profiles are opt-in whitelisting-profiles such as gitg, keepassxc, peek or flameshot.
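The rule stated in this thread (a profile is a whitelisting profile when it, or any profile it includes, carries a `whitelist ${HOME}/...` line) can be checked mechanically. The script below is an added example, not firejail's own code: it follows `include` lines recursively and runs against constructed sample profiles in a temporary directory, so it never reads /etc/firejail; the profile names and include contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not firejail's own code: decide whether a profile is a
# "whitelisting profile" by the rule given in the thread: the profile, or any
# profile it includes (followed recursively), has a `whitelist ${HOME}/...`
# line. Sample profiles below are constructed; /etc/firejail is never read.

# is_whitelisting_profile DIR NAME -> exit 0 if whitelisting, 1 otherwise
is_whitelisting_profile() {
    _seen=""                      # include files already visited
    _walk "$1" "$2"
}

_walk() {
    dir=$1; file=$2
    case " $_seen " in *" $file "*) return 1 ;; esac   # guard include loops
    _seen="$_seen $file"
    [ -r "$dir/$file" ] || return 1
    # same pattern the grep in the thread uses
    grep -q '^whitelist ${HOME}' "$dir/$file" && return 0
    for inc in $(awk '$1 == "include" { print $2 }' "$dir/$file"); do
        _walk "$dir" "$inc" && return 0
    done
    return 1
}

# list_whitelisting DIR -> names of every *.profile in DIR that qualifies
list_whitelisting() {
    for p in "$1"/*.profile; do
        n=${p##*/}
        is_whitelisting_profile "$1" "$n" && echo "$n"
    done
    return 0
}

# make_samples -> path of a temp dir holding constructed profiles
make_samples() {
    d=$(mktemp -d)
    # stands in for the real whitelist-common.inc (home-directory whitelist)
    echo 'whitelist ${HOME}/.config' > "$d/whitelist-common.inc"
    # stands in for whitelist-var-common.inc (no ${HOME} entries)
    echo 'whitelist /var/lib/dbus' > "$d/whitelist-var-common.inc"
    echo 'include whitelist-common.inc' > "$d/viewer.profile"
    printf 'include whitelist-var-common.inc\nblacklist ${HOME}/.ssh\n' \
        > "$d/player.profile"
    echo 'whitelist ${HOME}/.config/chat' > "$d/chat.profile"
    echo "$d"
}

samples=$(make_samples)
list_whitelisting "$samples"      # prints chat.profile and viewer.profile
```

The player.profile sample only includes whitelist-var-common.inc and so is reported as a blacklisting profile, matching the amarok case discussed above.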
