netblue30

Member Since 6 years ago

397 contributions in the last year

Pinned
⚡ Linux namespaces and seccomp-bpf sandbox
⚡ Firejail GUI
⚡ Firejail DNS-over-HTTPS Proxy Server
⚡ Tunneling program for Firejail sandboxes
⚡ Tiling text editor
⚡ Regression test coverage for various projects
Activity
May
20
2 days ago
issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

nvim: add XDG_STATE_HOME path

Default paths as of neovim 0.7.0:

  • backupdir: $XDG_DATA_HOME/nvim/backup//
  • directory: $XDG_DATA_HOME/nvim/swap//
  • undodir: $XDG_DATA_HOME/nvim/undo//
  • viewdir: $XDG_DATA_HOME/nvim/view//
  • shada file: $XDG_DATA_HOME/nvim/shada/main.shada
  • log dir: $XDG_CACHE_HOME/nvim/log

Default paths as of [1]:

  • backupdir: $XDG_STATE_HOME/nvim/backup//
  • directory: $XDG_STATE_HOME/nvim/swap//
  • undodir: $XDG_STATE_HOME/nvim/undo//
  • viewdir: $XDG_STATE_HOME/nvim/view//
  • shada file: $XDG_STATE_HOME/nvim/shada/main.shada
  • log dir: $XDG_STATE_HOME/nvim/log

[1] https://github.com/neovim/neovim/pull/15583

netblue30
netblue30
push

netblue30 push netblue30/firejail

netblue30
netblue30

disable-programs.inc: remove ~/.local/share/nvim

It's already blacklisted on disable-common.inc.

Added on commit ec966d4c0 ("fix: neovim profile", 2022-01-10) / PR #4841.

netblue30
netblue30

nvim: add XDG_STATE_HOME path


netblue30
netblue30

Merge pull request #5141 from kmk3/nvim-add-xdg-state-home

nvim: add XDG_STATE_HOME path

commit sha: 8070cf6c636b2c5a358d8c7ad5118cbb847454f7

push time in 1 day ago
pull request

netblue30 pull request netblue30/firejail

netblue30
netblue30

nvim: add XDG_STATE_HOME path

issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Feature Request to change the oom_score_adj for a sandbox

Describe the solution you'd like

choom 123

in the profile will write 123 into /proc/<pid>/oom_score_adj

Additional context

  • man 1 choom and man 5 proc
  • This should be done unprivileged because writing negative numbers is a privileged task.
netblue30
netblue30

Fixed now, I forgot to check in a new file

push

netblue30 push netblue30/firejail

netblue30
netblue30

Merge branch 'master' of ssh://github.com/netblue30/firejail

commit sha: 1ceb61ca0a73d8fde147879ffb08b215045aa725

push time in 1 day ago
issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Log blocked syscall

Is your feature request related to a problem? Please describe.

By default (kernel default) blocked syscalls are only logged if --seccomp-error-action is kill or log but not Errno(EPERM).

Describe the solution you'd like

Load seccomp filter with syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog) on supported kernels (>=4.14).

Describe alternatives you've considered

N/A

Additional context

https://man7.org/linux/man-pages/man2/seccomp.2.html

issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Feature Request to change the oom_score_adj for a sandbox

netblue30
netblue30

Very good idea, try it out!

May
9
1 week ago
Apr
29
3 weeks ago
push

netblue30 push netblue30/firejail

netblue30
netblue30

remove inode warning from fcopy - long list of warnings for /etc/alternatives on Debian

netblue30
netblue30

Merge branch 'master' of ssh://github.com/netblue30/firejail

commit sha: 9ec6288674f7473138038128c232dd198b6f509a

push time in 3 weeks ago
Apr
25
3 weeks ago
push

netblue30 push netblue30/firejail

netblue30
netblue30

Merge branch 'master' of ssh://github.com/netblue30/firejail

commit sha: afee8603f372f8c2831749ba21bf401d97dab8c9

push time in 3 weeks ago
issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Interactive configuration guide

I have resurrected firejail-welcome.sh from contrib section (author @rusty-snake), moved it under firecfg with some small modifications. It is a short interactive configuration guide for new users. Run it as:

$ sudo firecfg --guide

The script uses zenity (https://en.wikipedia.org/wiki/Zenity). In case the user doesn't have zenity installed, we redirect the calls to a small program in /usr/lib/firejail that has a similar interface and works in console - I'll bring it up in a few days.

Take a look, bugs, add/remove things, spelling, English etc.

netblue30
netblue30

Added a replacement for zenity in case zenity is not installed. To test it run "sudo firecfg --guide --debug"

push

netblue30 push netblue30/firejail

netblue30
netblue30

Update electron.profile

Add electron-flags.conf for all versions of electron

netblue30
netblue30

Fix glob pattern and update other profiles/includes

netblue30
netblue30

Merge pull request #5115 from m00nwtchr/patch-1

Whitelist electron-flags.conf for all versions of electron

commit sha: 632fd5ba85e07f9f5c6199ba00c23fc307dbe7c6

push time in 3 weeks ago
pull request

netblue30 pull request netblue30/firejail

netblue30
netblue30

Whitelist electron-flags.conf for all versions of electron

Different versions of electron load flags from different files.

issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Whitelist electron-flags.conf for all versions of electron

issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Stop warning on safe supplementary group clean

When nogroups is used, the following warning may be issued (potentially multiple times, as drop_privs may be called more than once):

Warning: cleaning all supplementary groups

But the warning is being shown even when it seems that all supplementary groups can be safely dropped (and are thus dropped), which is likely a common scenario. This commit prevents the warning from being printed in that case, making it so that it is only shown in the non-happy paths (as was the case on firejail 0.9.66).

Misc: The added code was copied from drop_privs.

This amends commit 7abce0b4c ("Fix keeping certain groups with nogroups", 2021-11-30) / PR #4732.

Kind of relates to #4930.

pull request

netblue30 pull request netblue30/firejail

netblue30
netblue30

Stop warning on safe supplementary group clean


push

netblue30 push netblue30/firejail

netblue30
netblue30

Stop warning on safe supplementary group clean


netblue30
netblue30

Merge pull request #5114 from kmk3/stop-warn-group-clean

Stop warning on safe supplementary group clean

commit sha: f35ac464dbb3bcbe7df5f6513bdf723b3f034274

push time in 3 weeks ago
push

netblue30 push netblue30/firejail

netblue30
netblue30

more on firecfg --guide: fzenity

netblue30
netblue30

Merge branch 'master' of ssh://github.com/netblue30/firejail

commit sha: 9633d7d04e2bb5d6d40a637f60514ff934931fbe

push time in 3 weeks ago
Apr
22
1 month ago
issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Interactive configuration guide


netblue30
netblue30

Fixed: "sudo -u username zenity", where username comes as a script argument.

Apr
21
1 month ago
issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Log blocked syscall

issue

netblue30 issue netblue30/firejail

netblue30
netblue30

Interactive configuration guide

issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

[Website Text Amends] What is SUID, and how does it affect me?

Is your feature request related to a problem? Please describe.

The following line of text in What is SUID, and how does it affect me could be misleading:

"If you are not using Chromium or a browser based on Chromium (Opera, etc.) turn on force-nonewprivs flag in /etc/firejail/firejail.config file."

I'm informed (by this discussion here: https://github.com/netblue30/firejail/discussions/5106) that Chromium actually works fine with force-nonewprivs yes set. UNLESS you've set kernel.unprivileged_userns_clone=0 or are on one of the very few distros which have it configured like that by default. So for many people there's no reason to be warned off simply because they use Chromium.

Describe the solution you'd like

I don't really know what I'm talking about, but in the interest of trying to be helpful here's how I'd restructure the text.

3. Set force-nonewprivs flag

Turn on force-nonewprivs flag in /etc/firejail/firejail.config file. As root, open the file in a text editor and add this line:

force-nonewprivs yes

The flag prevents rising privileges after the sandbox was started. It is believed to clean most SUID problems that will ever be attributed to Firejail.

Note you should avoid doing this if you use a Chromium-based browser and have set kernel.unprivileged_userns_clone=0 (or are on one of the few distros which do this by default.) Unfortunately, Chromium-based browsers need to rise privileges in order to install their own SUID sandbox.

Describe alternatives you've considered

As previously mentioned I basically don't know what I'm talking about, so consider this with a HUGE handful of salt.

But I'm getting the impression that for most users, setting force-nonewprivs yes provides a sliver of extra security with no negative ramifications. So maybe you could just make that the default?

issue

netblue30 issue netblue30/firejail

netblue30
netblue30

[Website Text Amends] What is SUID, and how does it affect me?


Apr
17
1 month ago
push

netblue30 push netblue30/firejail

netblue30
netblue30

Merge branch 'master' of ssh://github.com/netblue30/firejail

commit sha: 27ab5b3654470b525e18a9caf219fcaa32aecad5

push time in 1 month ago
issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

[Website Text Amends] What is SUID, and how does it affect me?


netblue30
netblue30

Fixed on the web page, thanks!

issue

netblue30 issue comment netblue30/firejail

netblue30
netblue30

Allow resolution of .local names with avahi-daemon in the apparmor profile.

Without this change here is what I see in syslog when running for example firejail --profile=ssh /usr/bin/ssh test.local:

Apr  2 14:59:29 kek kernel: [  177.596180] audit: type=1400 audit(1648900769.222:29): apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/avahi-daemon/socket" pid=2562 comm="ssh" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

So it can't access the socket hence can't resolve the name.

netblue30
netblue30

Merged! Thanks for the fix.

push

netblue30 push netblue30/firejail

netblue30
netblue30

Update firejail-default

Allow access to avahi-daemon socket in the apparmor profile.

netblue30
netblue30

Merge pull request #5088 from slowpeek/master

Allow resolution of .local names with avahi-daemon in the apparmor profile.

commit sha: ce0ca294f636fcc817179ff556a0f416536ee095

push time in 1 month ago