netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox

Home Page:https://firejail.wordpress.com

Profile requests

netblue30 opened this issue · comments

Issue to ask for and discuss new profiles.

Progress is tracked in: https://github.com/netblue30/firejail/projects/3?fullscreen=true

Resolved

strikethrough means won't fix

Comments which are marked as resolved contain a request/question for new profiles or a hint to a PR/commit which adds a new profile.


macrofusion
hugin
imagej
geary

@rekixex does #1154 work for you?

Hey donosaurus - where is your GUI?? Very needed, a firewall like that - app goes to internet -> firewall asks -> allow/deny/create rule.

@rekixex gpicview has been added: b51d44a 😄


1 brl-cad (a military-veteran CAD, but common in civilian environments)

2 freecad (a civil-use CAD)

3 dia (from gnome)

4 fontforge

@mustaqimM We actually already have a Wire profile. 😄

@Fred-Barclay Thanks for that, for some reason it wasn't in the AUR package, so now I'm using the git one. I'm having trouble creating a profile for Nylas Mail; I get

Streaming log data to /tmp/Nylas-Mail-3.log
[3:0413/071541:FATAL:udev_linux.cc(20)] Check failed: monitor_.
#0 0x000001e5855e <unknown>
#1 0x000001e6e25b <unknown>
#2 0x000000cbe6a6 <unknown>
#3 0x000001248602 <unknown>
#4 0x000001e59226 <unknown>
#5 0x000001e74755 <unknown>
#6 0x000001e74a48 <unknown>
#7 0x000001e74e9b <unknown>
#8 0x000001e4e669 <unknown>
#9 0x000001e8d41e <unknown>
#10 0x000001eac40a <unknown>
#11 0x000002707e36 <unknown>
#12 0x00000270803e <unknown>
#13 0x000001eac4ce <unknown>
#14 0x000001ea8a53 <unknown>
#15 0x7f332d63e2e7 start_thread
#16 0x7f332707f54f __GI___clone

Failed to generate minidump.
Parent is shutting down, bye...

By the way, it's an electron app.

Sure, I'll take a look at it. Can you open a new issue, post the profile you're currently using, and @Fred-Barclay me so I'll get a notification?

would be nice to have profiles for tvbrowser and jdownloader2 :-)

Hi, I would like to make a restrictive version of the "transmission-gtk.profile". As of now, it has access to all folders within my home folder, and I would like to restrict it to a "Torrents" folder only in the home folder. How would I go about doing that? My current transmission-gtk profile is the following:

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/transmission-gtk.local

# transmission-gtk bittorrent profile
noblacklist ${HOME}/.config/transmission
noblacklist ${HOME}/.cache/transmission

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog

private-bin transmission-gtk
private-dev
private-tmp

The easiest way would be to start the sandbox with a different user home directory - /home/username/Torrents in your case. Create an empty ~/Torrents directory (mkdir ~/Torrents) and in your profile file add "private ~/Torrents" at the end of the file.


Profile requests:

  • Riot.im
  • Wire.com

cherrytree (a onenote-like app for linux)

vym/freemind

@qazip - Wire is already in, grab the profile from here: https://github.com/netblue30/firejail/blob/master/etc/wire.profile

@nyancat18 - cherrytree is in: https://github.com/netblue30/firejail/blob/master/etc/cherrytree.profile

@hThoreau - If you just use the default profile, is that one working?

$ firejail --profile=/etc/firejail/transmission-gtk.profile transmission-gtk

Blacklist violations are logged in system log - /var/log/syslog or /var/log/messages depending on your distribution


thanks @netblue30

but freemind/vym :D


@netblue30 oh, that's weird. I don't have that file for some reason. Shouldn't I have it? (I have firejail 0.9.44.10.)


Another profile request:


cinepaint


jahshakavr


@Razip youtube-dl

Would be great if we had a profile which allows us to simulate the installation of programs, as "Arkose" used to do. Look: https://stgraber.org/category/arkose/
Maybe it could be implemented using some overlayfs.

@rekixex Catfish has been added: 67a6d87
I'll try to work on Cheese as well.

@ghanan - it is quite easy; this is an example using the OpenShot video editor:

In a terminal start an overlayfs sandbox (you would need kernel 3.18 or better):

$ firejail --name=test --overlay --private --noblacklist=/sbin --noblacklist=/usr/sbin

In a different terminal, join the sandbox as root and install the program - I am using apt-get on Debian:

$ sudo firejail --join=test
Switching to pid 2464, the first child process inside the sandbox
changing root to /proc/2464/root
Child process initialized in 6.05 ms
# apt-get install openshot
# exit

Back in the first terminal, run the program:

$ openshot

Once you close both sandboxes, overlayfs is disabled and openshot disappears.

I saw it's already on the list but nevertheless I'd like to request a profile for Geary Email Client (https://github.com/GNOME/geary).

Thank you very much and keep up with the good work.

I'm using the nautilus profile provided here in the etc folder. It blocks the extensions clamtk-gnome (5.24-1) and nautilus-compare (0.0.4+po1-1), though other extensions that I also have installed, nautilus-wipe (0.3-1) and onionshare (0.9.2-1), work fine. Therefore, I ask for an amendment to nautilus' profile that could allow it to use these extensions as well. Thank you.

Tribler, an onion routing torrent client: https://github.com/Tribler/tribler


utox (a light tox client)

Enpass password manager, enpass.io

Minecraft Server (Java), only allow java and server files

@wiredrunner Enpass added in 78b6a1d 😄

I'd like to make another request, this time for Leonflix (http://leonflix.net/). It's not open source, so this one had better be Firejailed.

Thanks for everything once again!


Lightly tested discord profile in #1715

@idnovic VS Code added in f6502eb 😁

Would like to have an upwork desktop profile and a base profile for other time tracking systems.
Nice to have:

  • disabled/random system hardware information
  • window sandbox by default

Copying from #1878: Coyim (suggested by @bn0785ac)

I have put together a profile for Citra (Nintendo 3DS game system emulator), and would like to contribute it.

(Note that the private-dev line might be uncommented once #2203 is resolved.)

@qazip Can you try this profile for qownnotes?

# Firejail profile for QOwnNotes
# Description: Plain-text file notepad with markdown support and ownCloud integration
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/QOwnNotes.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/Nextcloud/Notes
noblacklist ${HOME}/.config/PBE
noblacklist ${HOME}/.local/share/PBE

mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}/.config/PBE
mkdir ${HOME}/.local/share/PBE
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

caps.drop all
machine-id
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog

disable-mnt
private-bin QOwnNotes,gio
private-dev
private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
private-tmp

noexec ${HOME}
noexec /tmp

@Fred-Barclay I tested the QOwnNotes profile and it works well. I wonder if we should add:

noblacklist ${DOCUMENTS}
whitelist ${DOCUMENTS}
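An added example (not code from this thread or from the firejail project) that lints a profile for the conventions the QOwnNotes draft above follows: every path argument is absolute or starts with a ${VAR} such as ${HOME} or ${DOCUMENTS}, and every whitelisted ${HOME} path has a matching mkdir and a matching noblacklist, as the draft pairs them. The embedded sample is a constructed copy of the draft, reproducing the missing slash in its "mkdir ${HOME}.config/PBE" line; PATH_DIRECTIVES and the ${VAR} pattern are the editor's reading of the profile syntax, not an exhaustive list.

```python
"""Lint a firejail profile for the noblacklist / mkdir / whitelist convention.

Added example; not part of firejail. PATH_DIRECTIVES is an assumption
covering the single-path directives used in this thread.
"""
import re

PATH_DIRECTIVES = {"blacklist", "noblacklist", "whitelist", "mkdir", "mkfile",
                   "read-only", "read-write", "noexec"}
# A path is "/..." or "${VAR}" optionally followed by "/...".
VALID_PATH = re.compile(r"^(/|\$\{[A-Z_]+\}(/|$))")

# Constructed sample: a copy of the QOwnNotes draft, shortened, including
# the "${HOME}.config/PBE" slip on line 10.
SAMPLE_PROFILE = """\
# Firejail profile for QOwnNotes (constructed copy of the thread's draft)
include /etc/firejail/QOwnNotes.local
include /etc/firejail/globals.local

noblacklist ${HOME}/Nextcloud/Notes
noblacklist ${HOME}/.config/PBE
noblacklist ${HOME}/.local/share/PBE

mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}.config/PBE
mkdir ${HOME}/.local/share/PBE
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
include /etc/firejail/whitelist-common.inc

caps.drop all
seccomp
private-bin QOwnNotes,gio
"""


def parse_profile(text):
    """Return (lineno, directive, argument) for each non-comment, non-blank line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        argument = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, parts[0], argument))
    return entries


def lint_profile(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    mkdirs, noblacklists, whitelists = set(), set(), []
    for lineno, directive, argument in parse_profile(text):
        if directive in PATH_DIRECTIVES and not VALID_PATH.match(argument):
            findings.append(f"line {lineno}: {directive} {argument}: path must be "
                            f"absolute or start with ${{VAR}} (missing slash after ${{HOME}}?)")
            continue  # a malformed path must not satisfy the pairing checks below
        if directive == "mkdir":
            mkdirs.add(argument)
        elif directive == "noblacklist":
            noblacklists.add(argument)
        elif directive == "whitelist" and argument.startswith("${HOME}/"):
            whitelists.append((lineno, argument))
    for lineno, path in whitelists:
        if path not in mkdirs:
            findings.append(f"line {lineno}: whitelist {path} has no matching mkdir; "
                            "the drafts in this thread create each whitelisted "
                            "directory before whitelisting it")
        if path not in noblacklists:
            findings.append(f"line {lineno}: whitelist {path} has no matching noblacklist; "
                            "a disable-*.inc include may blacklist it first")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE) or ["clean"]:
        print(finding)
```

Run on the sample it reports the malformed mkdir on line 10 and, as a consequence, that the whitelist of ${HOME}/.config/PBE on line 13 has no matching mkdir; fixing the slash clears both findings. Directives such as "whitelist ${DOCUMENTS}" pass the path check and are not subject to the mkdir pairing, since only ${HOME}/... entries are expected to be created by the profile itself.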

@qazip feedreader was added a few days ago in cc898c1

In #2273 profiles for Quake3 and UrbanTerror have been requested.

Hello, a profile for makemkv (https://www.makemkv.com/) would be nice since it's one of the only proprietary GNU/Linux programs without an alternative.


@q3cpma there is handbrake, which seems to do the same and already has an existing profile.

Maybe mpv can do this if libdvdcss is installed.

EDIT: or other libs.
See: https://wiki.archlinux.org/index.php/Blu-ray

The default konversation profile does not contain the netlink protocol, so the logs are spammed with errors. I'm not sure about the consequences for the app or whether it's intended by the profile author.


netfilter in the warzone2100 profile is breaking the game hosting function for me; not sure if it's because I'm using --net eth0 --ip.. to bypass my VPN.

@Lockdis konversation profile is fixed in master now, thx.

https://github.com/netblue30/firejail/blob/master/etc/flameshot.profile

flameshot is not working for me with the default profile (the application hangs and refuses to take a screenshot; I can't find errors in the log). By removing memory-deny-write-execute it works.

@Lockdis fixed in master, thx. 6e8ced5

Mellowplayer please. :-) It depends on flashplayer.

MellowPlayer is a free, open source and cross-platform desktop app with cloud music integration.


Fractal (It's a matrix client: https://gitlab.gnome.org/GNOME/fractal)


Quaternion (It's a matrix client: https://github.com/QMatrixClient/Quaternion/)

Stubby https://github.com/getdnsapi/stubby, a dns resolver, think a profile like unbound maybe?

webui-aria2, the popular web UI for the aria2 download manager, now also has a profile. (Could be included via PR.)

@schtobia Please open the PR! It'd be great to have this. 😉

Postfix

Specifically the smtp executable. Seems non-trivial; this script fails with a useless error message:

#!/bin/sh

keys=$(postconf -h smtp_tls_CAfile)
dir_keys=${keys%/*}
dir_cfg=${dir_keys%/*}

alias_maps_param=$(postconf -h alias_maps)
alias_maps=${alias_maps_param##*:}

firejail --whitelist="$alias_maps"\
         --whitelist="$dir_cfg"\
         --whitelist="$(postconf -h daemon_directory)"\
         --whitelist="$(postconf -h data_directory)"\
         --whitelist="$(postconf -h smtp_tls_CApath)"\
         --whitelist="$(postconf -h myorigin)"\
         /usr/lib/postfix/sbin/smtp "$@"

(edit)

If I run that script directly from the CLI, firejail gives: "invalid whitelist path: /etc/aliases". If I remove that whitelist entry, firejail complains about the next one, and so on. The only path firejail allows me to whitelist from the above list is /var/lib/postfix (the data_directory).

SpamAssassin

There are data leaks, so sandboxing S/A is important for security. I've not tried the default config so I'm not sure if a profile is needed but there are essential config files so I guess it's likely.
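An added example (not the script from the post above, and not firejail code) that preflights the --whitelist values such a postconf-driven wrapper would pass, so the "invalid whitelist path" rejections show up before any sandbox is started. It derives the same six values the script computes (the alias map with its "hash:" type stripped, the grandparent of smtp_tls_CAfile, daemon_directory, data_directory, smtp_tls_CApath, myorigin) and classifies each one. Only /var is confirmed accepted on this page (data_directory worked); the other entries in ASSUMED_WHITELIST_ROOTS are the editor's assumption and must be checked against the whitelist section of man firejail for the installed version. The postconf values are constructed, not read from a real system.

```python
"""Preflight --whitelist candidates derived from postconf before calling firejail.

Added example; not the thread's wrapper script and not part of firejail.
"""
import os

# /var is the one root confirmed on this page; the rest are the editor's
# assumption about which top-level directories firejail whitelists under.
ASSUMED_WHITELIST_ROOTS = ("/home", "/tmp", "/var", "/dev", "/opt", "/srv",
                           "/media", "/mnt", "/run/user")

# Constructed stand-in for `postconf -h <param>` output; not from a real host.
CONSTRUCTED_POSTCONF = {
    "alias_maps": "hash:/etc/aliases",
    "smtp_tls_CAfile": "/etc/ssl/certs/ca-certificates.crt",
    "daemon_directory": "/usr/lib/postfix/sbin",
    "data_directory": "/var/lib/postfix",
    "smtp_tls_CApath": "/etc/ssl/certs",
    "myorigin": "example.org",
}


def strip_map_type(value):
    """'hash:/etc/aliases' -> '/etc/aliases', like ${alias_maps_param##*:}."""
    return value.rsplit(":", 1)[-1]


def classify(value):
    """Return (accepted, reason) for one candidate --whitelist value."""
    if not value:
        return False, "empty value (postconf parameter unset?)"
    if not value.startswith("/"):
        return False, ("not an absolute path (a hostname or domain such as "
                       "myorigin is not a directory)")
    if any(value == root or value.startswith(root + "/")
           for root in ASSUMED_WHITELIST_ROOTS):
        return True, "under a whitelist-capable top-level directory"
    return False, ("top-level directory is not whitelist-capable; the smtp "
                   "profile later in this thread uses noblacklist for /usr/sbin "
                   "and the other profiles use private-etc for /etc entries")


def candidate_whitelists(postconf):
    """Derive the six values the wrapper script computes, in the same order."""
    ca_file = postconf["smtp_tls_CAfile"]
    dir_keys = os.path.dirname(ca_file)          # ${keys%/*}
    dir_cfg = os.path.dirname(dir_keys)          # ${dir_keys%/*}
    return [
        ("alias_maps", strip_map_type(postconf["alias_maps"])),
        ("smtp_tls_CAfile (two levels up)", dir_cfg),
        ("daemon_directory", postconf["daemon_directory"]),
        ("data_directory", postconf["data_directory"]),
        ("smtp_tls_CApath", postconf["smtp_tls_CApath"]),
        ("myorigin", postconf["myorigin"]),
    ]


def build_args(postconf):
    """Return (accepted --whitelist args, rejected (param, value, reason) triples)."""
    accepted, rejected = [], []
    for param, value in candidate_whitelists(postconf):
        ok, reason = classify(value)
        if ok:
            accepted.append(f"--whitelist={value}")
        else:
            rejected.append((param, value, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok_args, dropped = build_args(CONSTRUCTED_POSTCONF)
    print("would pass to firejail:", *ok_args)
    for param, value, reason in dropped:
        print(f"dropped {param}={value!r}: {reason}")
```

With the constructed values the only surviving argument is --whitelist=/var/lib/postfix, matching what the post reports; the /etc and /usr/lib entries are dropped with a pointer to the noblacklist and private-etc directives the thread's profiles use instead, and myorigin is dropped because it is not a path at all.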

@libBletchley Did you try the server profile yet for PostFix/smtp? The default profile is a generic GUI one (like it says inside the file). On another note, IMHO it would be more appropriate for a daemon like smtp to use native systemd hardening techniques.

@glitsj16 I didn't know about server.profile. Maybe I'll try that and add port 25 loosening in the netfilter. I plan to use firejail to force it through a Tor middlebox so systemd changes wouldn't be sufficient.

I have a working smtp.profile. Note that it was tested in a firejail that is isolated on a Tor middlebox. I've removed anything Tor-specific but did not test it that way. Anyway, this is the profile if someone wants to integrate it. Note that postfix_smtp.profile may be a better name.

# Firejail profile for postfix/smtp

# This was derived from the generic server.profile, which allows /sbin
# and /usr/sbin directories.  This is where servers are installed
# depending on your usage.  This configuration was then customized for
# postfix/smtp.

# Recommended script to use for this profile (which you may want to
# save as "$(postconf -h daemon_directory)/smtp_firejail"):
#
# #!/bin/bash
# typeset -r cmd_dir=$(/usr/sbin/postconf -h command_directory); # literal path used here for security reasons
# typeset -r exec_smtp=$("$cmd_dir"/postconf -h daemon_directory)/smtp
# firejail --profile=smtp.profile\
#          --noblacklist="$cmd_dir"\
#          --whitelist="$("$cmd_dir"/postconf -h queue_directory)"\
#          --whitelist="$("$cmd_dir"/postconf -h data_directory)"\
#          "$exec_smtp" "$@"

## Postfix/smtp custom rules ##

# Needed for the two whitelist specifications that follow:
writable-var

# Directory needed for writing lockfiles is generally
# /var/spool/postfix/pid.  The common literal parent directory is
# hard-coded here.  It's recommended to include this in your script to
# enforce configuration consistency:
#   --whitelist="$(postconf -h queue_directory)"
whitelist /var/spool/postfix

# It has not been confirmed whether write access to /var/lib/postfix
# is needed.  It's hard-coded here for good measure.  It's recommended
# to include this in your script to enforce configuration consistency:
#   --whitelist="$(postconf -h data_directory)"
whitelist /var/lib/postfix

# Directory needed for executables: /usr/sbin.  The common literal
# directory is hard-coded here.  It's recommended to include this in
# your script to enforce configuration consistency:
#   --noblacklist="$(postconf -h command_directory)"
noblacklist /usr/sbin


## Defaults inherited from server.profile ##

blacklist /tmp/.X11-unix

noblacklist /sbin

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

caps
no3d
nosound
private
private-dev
private-tmp
seccomp
shell none

# too new for author's firejail version to test
# (so you may want to remove these comments):
#
# nodvd
# notv
# nou2f
# novideo

Postfix/smtp seems to write to /var/log without any issues, even though it's not whitelisted. I'm not sure how that's possible.

bitwarden

Added pull request #2710

  • Adobe reader
  • standalone flashplayer
  • Adobe AIR

Requested in #2731 by @jose1711


@Fred-Barclay that seems to be an unofficial fork of the original
http://autotrace.sourceforge.net/

fedora ships a patched version of the original
arch aur has the unofficial
debian used to ship the original
gentoo doesn't ship either

https://blogs.gentoo.org/ago/2017/05/20/autotrace-multiple-vulnerabilities-the-autotrace-nightmare/

@qazip can you try this profile for jerry-chess?

# Firejail profile for jerry
# Description: Chess GUI
# This file is overwritten after every install/update
# Persistent local customizations
include jerry.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/dkl

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

caps.drop all
machine-id
net none
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog

private-bin jerry,stockfish,sh,bash
private-dev
private-etc fonts,gtk-2.0,gtk-3.0
private-tmp

memory-deny-write-execute

@Fred-Barclay, I no longer use jerry-chess. But I'll see if I can test it sometime this week!

Tbb (http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html)

Last Update: 2017-03-08 (tor-browser 6.x.x)
No Support for Ubuntu 17.10, 18.04, 18.10, 19.04

Tor Messenger: https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily (No future development https://blog.torproject.org/sunsetting-tor-messenger)

Gnome-boxes (a nice gui for kvm system)

firejail --noprofile gnome-boxes doesn't work.

UPDATE: firejail --noprofile --writable-var gnome-boxes can start VMs, but if you shut them down, gnome-boxes coredumps.

gnome-online-miners

cannot be jailed by firejail because it has only binaries in libexec that are started via dbus.


I suggest to close these requests.

closed everything except gnome-boxes (firejail --noprofile --writable-var gnome-boxes works). I will write a profile this week.


@qazip Have you found the time?


No, sorry. I tried to install jerry from AUR but it's giving an error. I don't want to compile it myself..

But if it works for you, it probably works for me too!

I gave up writing a profile for gnome-boxes; powering off a VM always ends in a coredump.

I would appreciate a profile for zotero (Reference management software)

neovim, setup script (or adding to firecfg) for desktop files for AppImage in $HOME/.local/bin


Could you please make a profile for Sia-UI .appimage https://gitlab.com/NebulousLabs/Sia-UI/-/releases
Thank you so much.

Draft for RTV
# Firejail profile for rtv
# Description: Browse Reddit from your terminal
# This file is overwritten after every install/update
# Persistent local customizations
include rtv.local
# Persistent global definitions
include globals.local

blacklist /tmp/.X11-unix

noblacklist ${HOME}/.config/rtv
noblacklist ${HOME}/.local/share/rtv

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.config/rtv
mkdir ${HOME}/.local/share/rtv
whitelist ${HOME}/.config/rtv
whitelist ${HOME}/.local/share/rtv
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
netfilter
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

disable-mnt
private-bin python*,rtv
private-cache
private-dev
private-etc ca-certificates,alternatives,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg

@rusty-snake Looks good! One thing, on Arch I need to add sh,xdg-settings to private-bin for the rtv.profile to work. 😉

amuled is the daemon version of amule.

I run it like this:
firejail --private-bin=amuled --profile=/etc/firejail/amule.profile /usr/bin/amuled

WPS-Office (http://www.wps.com/)
[Moved from #3040]

Some profile requests... This looks like the right place to post them, but if I should open a separate ticket(s), just let me know.


Elementary OS's Pantheon desktop is really nice. While the project is planning to move towards Flatpaks for its major apps, the change doesn't seem imminent, and having pre-defined jails would be awesome for those of us running Pantheon on non-Elementary OS systems.

  • Calculator (io.elementary.calculator)
  • Calendar
    • io.elementary.calendar
    • io.elementary.calendar-daemon
  • Camera (io.elementary.camera)
  • Captive Portal Assistant (io.elementary.capnet-assist)
  • Code (io.elementary.code)
  • Files
    • io.elementary.files
    • io.elementary.files-daemon
    • io.elementary.files-pkexec
  • Music (io.elementary.music)
  • Photos (io.elementary.photos) - Based on the old Shotwell code
  • Terminal (io.elementary.terminal)
  • Videos (io.elementary.videos)

Some other profiles that would be awesome to have:


Could you please make a profile for Sia-UI .appimage https://gitlab.com/NebulousLabs/Sia-UI/-/releases
Thank you so much.

@rusty-snake any update on supporting this profile?


Also:
https://www.tweaking4all.com/home-theatre/rename-my-tv-series-v2/
Renames TV series; the code is not open source, so ideally a profile would be needed to block everything but internet access and the main folder where all the TV series lie.

I tried running the default profile but I get these errors:

Parent pid 17333, child pid 17334
Warning: cleaning all supplementary groups
Child process initialized in 84.83 ms
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.
Exception at 00000000004570FE: EAccessViolation:
Access violation.
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.

Parent is shutting down, bye...