rusty-snake

Writing software that makes life easier. Watching you through my 🔮. Minisign: RWS65FES3L8OgwhyZPHwbh1GyXsCZvJtQ5y4LXWHJKMpkhjNXNDt0Bzi

Member Since 3 years ago

Germany

1014 contributions in the last year

Pinned
⚡ Linux namespaces and seccomp-bpf sandbox
⚡ Rust Language Bindings for the libseccomp Library
⚡ Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
Activity
Jan 26 (1 day ago)

rusty-snake issue comment rusty-snake/firejailed-tor-browser

Unable to install uBlock Origin - "TB cannot modify needed file"

Using Debian 11 testing, installed firejail from source and the latest version of Tor Browser.

When trying to install uBlock Origin, addons.mozilla.org errors:

could not be installed because Tor Browser cannot modify the needed file

Oddly, uBlock Origin shows up in the addons list after this, but can't be interacted with and there's no icon in the toolbar.

rusty-snake push rusty-snake/firejailed-tor-browser

Update firejailed-tor-browser.profile

  • include disable-proc.inc
  • env GTK_THEME=Adwaita

commit sha: d60c68735715b9aebef8f4f7992b090d95fe29d5

push time: 6 hours ago

rusty-snake push rusty-snake/firejailed-tor-browser

It's no longer necessary to set a fake DISPLAY


install.sh: print proper command line (used by desktop file)

commit sha: 659d2d28e71567f130d4830fb387f2eac3dad43e

push time: 6 hours ago

rusty-snake issue comment rusty-snake/firejailed-tor-browser

Unable to install uBlock Origin - "TB cannot modify needed file"

rusty-snake

  1. So the "… could not be installed because Tor Browser cannot modify the needed file" is caused by blacklist /tmp in firejailed-tor-browser.profile. I'm not going to change this in the profile, as you should not install Add-Ons in the Tor Browser anyway.
  2. The "installed uB does not work, no icon" issue can be reproduced in a freshly installed Tor Browser (security-level=standard, no FTB). Seems to be out of scope here. You can try to report this to uB/TB.
rusty-snake issue rusty-snake/firejailed-tor-browser

Unable to install uBlock Origin - "TB cannot modify needed file"

rusty-snake issue comment rusty-snake/firejailed-tor-browser

Unable to install uBlock Origin - "TB cannot modify needed file"

rusty-snake

noblacklist /tmp seems to work, can you confirm?

It's strongly discouraged to install new add-ons in Tor Browser, because they can compromise your privacy and security.

https://support.torproject.org/tbb/tbb-14/

rusty-snake merge to libseccomp-rs/libseccomp-rs

Add ScmpFilterContext::{get,set}_ctl_ssb

Add ScmpFilterContext::{get,set}_ctl_ssb() to get/set the state of ScmpFilterAttr::CtlSsb attribute.

Signed-off-by: Manabu Sugimoto [email protected]

rusty-snake merge to libseccomp-rs/libseccomp-rs

Add ScmpFilterContext::{get,set}_ctl_log

Add ScmpFilterContext::{get,set}_ctl_log() to get/set the state of ScmpFilterAttr::CtlLog attribute.

Signed-off-by: Manabu Sugimoto [email protected]

rusty-snake merge to libseccomp-rs/libseccomp-rs

Rename {get,set}_no_new_privs_bit to {get,set}_ctl_nnp

To make the name of get/set functions for filter attributes consistent, rename {get,set}_no_new_privs_bit to {get,set}_ctl_nnp.

Signed-off-by: Manabu Sugimoto [email protected]


rusty-snake wants to merge libseccomp-rs/libseccomp-rs

Rename {get,set}_no_new_privs_bit to {get,set}_ctl_nnp

rusty-snake

I would rather have noted it in both places (added and deprecated). Anyway, you could also use "changed" for renamed things. IDK if there is one right way to do it.

rusty-snake wants to merge libseccomp-rs/libseccomp-rs

Rename {get,set}_no_new_privs_bit to {get,set}_ctl_nnp

rusty-snake

### Added
- `ScmpFilterContext::get_ctl_nnp` (replaces `ScmpFilterContext::get_no_new_privs_bit`).
- `ScmpFilterContext::set_ctl_nnp` (replaces `ScmpFilterContext::set_no_new_privs_bit`).

Jan 25 (2 days ago)

rusty-snake issue netblue30/firejail

Unless netlink is added to protocol supertuxkart does not see my xbox360-compatible controller

If I want to be able to configure/use my SN30pro+ controller (wired mode) in supertuxkart I need to add netlink to

https://github.com/netblue30/firejail/blob/2164412bb54087b1c540893acf5384ef9bf03f1d/etc/profile-m-z/supertuxkart.profile#L46

This is probably an xpad-driver-specific issue.

rusty-snake issue comment netblue30/firejail

Unless netlink is added to protocol supertuxkart does not see my xbox360-compatible controller

rusty-snake

Can this be closed then?

I think so.

Jan 24 (3 days ago)

rusty-snake issue comment flathub/org.gnome.gitlab.somas.Apostrophe

Preview error

Apostrophe shows an error when trying to show the preview.

Exception in thread preview-converter:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/app/lib/python3.8/site-packages/apostrophe/preview_converter.py", line 50, in __do_convert
    text = helpers.pandoc_convert(text, to="html5", args=args)
  File "/app/lib/python3.8/site-packages/apostrophe/helpers.py", line 169, in pandoc_convert
    return pypandoc.convert_text(
  File "/app/lib/python3.8/site-packages/pypandoc/__init__.py", line 102, in convert_text
    return _convert_input(source, format, 'string', to, extra_args=extra_args,
  File "/app/lib/python3.8/site-packages/pypandoc/__init__.py", line 324, in _convert_input
    raise RuntimeError(
RuntimeError: Pandoc died with exitcode "1" during conversion: b'pandoc: getCurrentDirectory:getWorkingDirectory: does not exist (Current working directory no longer exists)\n'

Where is the working directory?

rusty-snake

For me this happens if I open a file through the document portal.

STR:

  • flatpak run --file-forwarding --nofilesystem=host:reset org.gnome.gitlab.somas.Apostrophe @@ path/to/file.md @@
  • Preview
Jan 22 (5 days ago)

rusty-snake issue comment netblue30/firejail

steam.profile: allow ~/.config/MangoHud

MangoHud is a Vulkan and OpenGL overlay for monitoring FPS, temperatures, CPU/GPU load and more, and it can be configured by user in ~/.config/MangoHud/MangoHud.conf.

This probably could also go into profiles for lutris and wine... But also for every game as well. So maybe ~/.config/MangoHud can be allowed in general in one of the whitelist-*.inc files instead?

rusty-snake

perhaps also use whitelist-ro?

:+1: It's Turing complete.


Just to quote me again:

https://github.com/netblue30/firejail/pull/4740#pullrequestreview-822995437

IMHO --whitelist-ro should be implemented too.

If you add a new command, here's the checklist:

  • Update manpages: firejail(1) and firejail-profile(5)
  • Update shell completions
  • Update vim syntax files
  • Update --help
rusty-snake push rusty-snake/fedora-extras

Update hardened_malloc to version 11

commit sha: 2709a17757ff7efcf5c59c8c923fbea43a651a44

push time: 4 days ago

commit_comment netblue30/firejail

Jan 21 (6 days ago)

rusty-snake issue comment netblue30/firejail

profiles: enable deterministic shutdown for ssh

ssh can start in master mode, which spawns an additional long-running process that keeps connections to a server open so that they can be reused by later connection attempts.

But the lingering master process will prevent the jail from shutting down when firejail ssh tries to exit. This breaks, for example, ansible when using a firejailed ssh, as it calls ssh with ControlMaster flags.

deterministic-shutdown will kill the other process when the parent exits.

Does anyone see anything negative about enabling this flag?

rusty-snake issue comment arkenfox/user.js

Google will not stay signed in after latest user.js

v. 96.0.01 latest updated user.js

Firefox Profile for Google:

I have had this profile across many machines, and after a recent run of update.bat for user.js, if I close the browser it no longer keeps me signed in to Google. In the past I had to put these settings in the user-overrides to get things to work via Google and allow sign-in via Google on other sites as well. Can you please provide any suggestions that might lead me in the right direction for anything new that would be affecting this.

user-overrides.js (one preference per line; the missing closing parenthesis on privacy.cpd.history and the truncated "ser_pref" call are corrected):

user_pref("browser.startup.page", 3);
user_pref("browser.privatebrowsing.autostart", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.cpd.cookies", false);
user_pref("browser.sessionstore.privacy_level", 0);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.thirdparty.sessionOnly", false);
user_pref("network.cookie.thirdparty.nonsecureSessionOnly", false);
user_pref("privacy.clearOnShutdown.cache", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.history", false); // Browsing & Download History
user_pref("privacy.clearOnShutdown.offlineApps", false); // Offline Website Data
user_pref("privacy.clearOnShutdown.sessions", false); // Active Logins
user_pref("privacy.cpd.history", false);
user_pref("privacy.cpd.sessions", false);
user_pref("privacy.clearOnShutdown.openWindows", false);

rusty-snake

#1080 :small_red_triangle_down: enable session restore

to keep cookies for selected sites, add site exceptions as Allow, see 2801

rusty-snake issue comment netblue30/firejail

Unless netlink is added to protocol supertuxkart does not see my xbox360-compatible controller

rusty-snake

  • supertuxkart.profile still lacks protocol netlink
  • 39654d01661ea9310b9b886a572ee24b1e4c9cfb adds a lot of duplicated code
rusty-snake issue netblue30/firejail

Unless netlink is added to protocol supertuxkart does not see my xbox360-compatible controller

rusty-snake issue comment netblue30/firejail

Shellcheck crashes with firejail.

Description

Running shellcheck results in the following error when using firejail

$ /usr/local/bin/shellcheck
/usr/bin/shellcheck: error while loading shared libraries: libHSrts-ghc9.0.2.so: cannot enable executable stack as shared object requires: Operation not permitted

But succeeds when running directly

$ /usr/bin/shellcheck
No files specified.

<usage output, etc.>

shellcheck version: 0.8.0 firejail version: 0.9.66

Steps to Reproduce

Steps to reproduce the behavior

  1. Try to run shellcheck
  2. observe crash

Expected behavior

shellcheck should be able to run.

Actual behavior

Shellcheck aborts with the error message /usr/bin/shellcheck: error while loading shared libraries: libHSrts-ghc9.0.2.so: cannot enable executable stack as shared object requires: Operation not permitted

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

The program runs as expected.

Additional context

Environment

  • Linux Distro: Arch Linux, up to date as of 2022-01-21 10:42:38+0100
  • Firejail version: 0.9.66
  • shellcheck version: 0.8.0

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

/usr/bin/shellcheck: error while loading shared libraries: libHSrts-ghc9.0.2.so: cannot enable executable stack as shared object requires: Operation not permitted

Output of LC_ALL=C firejail --debug /path/to/program

rusty-snake

Does firejail --ignore=memory-deny-write-execute /usr/bin/shellcheck … work?

Jan 20 (1 week ago)