-
Notifications
You must be signed in to change notification settings - Fork 573
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
firecfg: allow for ignoring specific apps #2097
Comments
How about, instead, have an |
This way, you could also use |
Ability to symlink only chosen apps would be useful too but it's something different. Usecase which I have in mind is ignoring one,two or three apps among dozens which is rather hard to type in cmdline in whitelist mode so I prefer blacklisting. EDIT: just checked that I have over 60 firejail symlinks created with firecfg. Providing all of them in cmdline in order to exempt a few of them isn't reasonable for me. |
So maybe have files like |
That sounds good! |
I propose moving More advanced features like a There's multiple issues regarding this - #408 which refers to #2829 which was closed with a comment pointing here. If I make a PR that relocates Thanks! |
I am strongly in favour of using /etc instead of /usr/lib64 for this and I don't think anyone is against it. |
Sweet, thanks! I will work on this as soon as I get a chance. |
Interesting workaround: https://github.com/kugland/nojail |
Couldn't you just symlink it to the actual binary you want, i.e. |
This should make it easier for users, and distributions, to customize which programs they want firejail to wrap. Signed-off-by: Hank Leininger <hlein@korelogic.com> Closes: netblue30#408 Bug: netblue30#2097 Bug: netblue30#2829 Bug: netblue30#3665
This should make it easier for users, and distributions, to customize which programs they want firejail to wrap. Also fixed some firecfg.cfg -> firecfg.config references. Signed-off-by: Hank Leininger <hlein@korelogic.com> Closes: netblue30#408 Bug: netblue30#2097 Bug: netblue30#2829 Bug: netblue30#3665
firecfg.config is now located in I wanted to add a note in RELNOTES about that but that got me wondering what recommendation we should give distributors
We could solve all this if we do a second relocate and implement a override mechanism. Proposal:
|
I maintain the Gentoo package of firejail, and we have a very nice mechanism for handling changes to config files: My next update to the Gentoo package was going to deploy some distro-specific changes to So, I hope this won't be chosen:
but this would be great:
I was going to suggest -, but ! also makes sense. |
The two points are linked with a logical "and" so both would be done in one PR.
Great, somebody more I know to ping for packaging issues.
Fedora: If a file is marked as |
But... do they need to be? If we will have a
Sure :)
That sounds sort of painful, but at least it is a thing. I mean really, software deploying default config files that users/admins can modify, and then it's the distro's problem to decide what to do upon upgrading the package, is a normal thing. |
Considering that firecfg.config is basically just a giant list of programs
Agreed. On Arch, if you tried to install a package that would conflict with a modified IIRC, on Debian apt asks interactively in an ncurses-based UI what to do if a So considering that configuration files like /etc/firejail/firejail.config have |
How about So a default The biggest problem with having to mutate a package-provided file for configuration, is that it does not allow for a second package to ship a configuration file. I can currently have a package which ships a variety of configurations by dropping in files in Sure, scripts could mutate the package-provided |
That's what firecfg.py does for 1,5 or 2 years now and it works great. https://github.com/rusty-snake/firecfg.py/tree/master/firecfgpy/groups It also solves the privileged-programs/chrom*/file-archivers can not be sandboxed on some systems issue by making own files for the which can be enabled/disable. |
As suggested by @WhyNotHugo[1]. [1] netblue30#2097 (comment)
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax. Note that /etc/firejail/firecfg.d/*.conf files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter. Closes netblue30#2097. [1] netblue30#2097 (comment)
As suggested by @WhyNotHugo[1]. [1] netblue30#2097 (comment)
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax. Note that /etc/firejail/firecfg.d/*.conf files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter. Closes netblue30#2097. [1] netblue30#2097 (comment)
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax. Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter. Closes netblue30#2097. [1] netblue30#2097 (comment)
PR created: Feel free to test and review. |
As suggested by @WhyNotHugo[1]. [1] netblue30#2097 (comment)
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax. Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter. Closes netblue30#2097. [1] netblue30#2097 (comment)
As suggested by @WhyNotHugo[1]. [1] netblue30#2097 (comment)
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax. Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter. Closes netblue30#2097. [1] netblue30#2097 (comment)
As suggested by @WhyNotHugo[1]. [1] netblue30#2097 (comment)
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax. Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter. Closes netblue30#2097. [1] netblue30#2097 (comment)
Currently firecfg unconditionally creates symlinks for all apps it detects. This is problematic if user doesn't want to use specific app with firejail.
I propose allowing users to prevent creating symlinks for chosen apps:
firecfg --ignore <app_name>
. The database of ignored apps could be saved same way as database of allowed users is currently.This was discussed before: #1675
The text was updated successfully, but these errors were encountered: