Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

firecfg: allow for ignoring specific apps #2097

Closed
Vincent43 opened this issue Aug 27, 2018 · 18 comments · Fixed by #5876
Closed

firecfg: allow for ignoring specific apps #2097

Vincent43 opened this issue Aug 27, 2018 · 18 comments · Fixed by #5876
Labels
enhancement New feature request firecfg Anything related to firecfg and not firejail itself

Comments

@Vincent43
Copy link
Collaborator

Vincent43 commented Aug 27, 2018

Currently firecfg unconditionally creates symlinks for all apps it detects. This is problematic if user doesn't want to use specific app with firejail.

I propose allowing users to prevent creating symlinks for chosen apps: firecfg --ignore <app_name>. The database of ignored apps could be saved same way as database of allowed users is currently.

This was discussed before: #1675

@Vincent43 Vincent43 added the enhancement New feature request label Aug 27, 2018
@chiraag-nataraj
Copy link
Collaborator

How about, instead, have an -a/--all flag which would replicate the behaviour seen here and otherwise, only link the apps listed on the command-line?

@chiraag-nataraj
Copy link
Collaborator

This way, you could also use --clean to clean up only specific links or --clean --all to clean all links.

@Vincent43
Copy link
Collaborator Author

Vincent43 commented Aug 27, 2018

Ability to symlink only chosen apps would be useful too but it's something different. Usecase which I have in mind is ignoring one,two or three apps among dozens which is rather hard to type in cmdline in whitelist mode so I prefer blacklisting.

EDIT: just checked that I have over 60 firejail symlinks created with firecfg. Providing all of them in cmdline in order to exempt a few of them isn't reasonable for me.

@chiraag-nataraj
Copy link
Collaborator

chiraag-nataraj commented Aug 27, 2018

So maybe have files like firecfg.allow and firecfg.deny (names up for debate)? That way, if you only want to allow specific programs, edit firecfg.allow. If you only want to deny specific programs, edit firecfg.deny. If neither of those exists, we get the existing behavior.

@Vincent43
Copy link
Collaborator Author

That sounds good!

@hlein
Copy link
Contributor

hlein commented Nov 21, 2020

I propose moving firecfg.config under /etc/ - /etc/firejail/firecfg.config, or whatever.

More advanced features like a .local, .deny, .allow, or whatever, are all well and good to keep discussing, but in the meantime I would argue simply: these amount to configuration files, they should go in a path that a) system administrators expect to find configs in and b) distribution packaging tools expect to store configs in, and therefore won't silently overwrite local customizations during version upgrades.

There's multiple issues regarding this - #408 which refers to #2829 which was closed with a comment pointing here.

If I make a PR that relocates firecfg.config from LIBDIR/firejail/ to SYSCONFDIR/firejail/, is it likely to be accepted?

Thanks!

@rusty-snake
Copy link
Collaborator

I am strongly in favour of using /etc instead of /usr/lib64 for this and I don't think anyone is against it.

@hlein
Copy link
Contributor

hlein commented Nov 24, 2020

I am strongly in favour of using /etc instead of /usr/lib64 for this and I don't think anyone is against it.

Sweet, thanks! I will work on this as soon as I get a chance.

@rusty-snake
Copy link
Collaborator

Interesting workaround: https://github.com/kugland/nojail

@rieje
Copy link

rieje commented Oct 2, 2021

Couldn't you just symlink it to the actual binary you want, i.e. /usr/bin/<app>? But I agree, an option to ignore apps so no needless symlinks are needed is ideal.

hlein added a commit to hlein/firejail that referenced this issue Nov 6, 2021
This should make it easier for users, and distributions, to customize
which programs they want firejail to wrap.

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: netblue30#408
Bug: netblue30#2097
Bug: netblue30#2829
Bug: netblue30#3665
hlein added a commit to hlein/firejail that referenced this issue Nov 6, 2021
This should make it easier for users, and distributions, to customize
which programs they want firejail to wrap. Also fixed some
firecfg.cfg -> firecfg.config references.

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: netblue30#408
Bug: netblue30#2097
Bug: netblue30#2829
Bug: netblue30#3665
@rusty-snake
Copy link
Collaborator

firecfg.config is now located in /etc/firejail which make overwriting by users easier.

I wanted to add a note in RELNOTES about that but that got me wondering what recommendation we should give distributors

  1. Replace user changes (current situation): If a user adds/removes program to/from firecfg.config an update of firejail will undo this.
    • Pro: Users get entries in firecfg.config for new programs
    • Pro: Users get entries in firecfg.config removed if the are known to break
    • Con: User added programs are (silently) now longer jailed
    • Con: User removed programs start breaking again
  2. Noreplace user changes: If a user modifies firecfg.config it will not be updated on updated of firejail.
    • Pro: User modifications are still in effect
    • Con: New programs do not get jailed automatically

We could solve all this if we do a second relocate and implement a override mechanism.

Proposal:

  • Relocate firecfg.config to LIBDIR/firecfg.config back
  • Add a /etc/firejail/firecfg.config.local file like:
    # This is a comment
    !firefox        <--- skip firefox
    ffmpeg     <--- add ffmpeg
    

@hlein
Copy link
Contributor

hlein commented Nov 14, 2021

I wanted to add a note in RELNOTES about that but that got me wondering what recommendation we should give distributors

I maintain the Gentoo package of firejail, and we have a very nice mechanism for handling changes to config files: etc-update. It knows which files being deployed/updated count as "config files", and gives a nice menu/diff/editor-based way to merge/arbitrate changes. I believe many other distros have similar mechanisms although maybe they are package-specific.

My next update to the Gentoo package was going to deploy some distro-specific changes to firecfg.config (things I know don't work well on Gentoo for whatever reason, but aren't worth disabling across the board for all firejail installs IMO). Users can also make their own local edits to firecfg.config, and etc-update will prevent stomping on their changes across upgrades.

So, I hope this won't be chosen:

  • Relocate firecfg.config to LIBDIR/firecfg.config back

but this would be great:

  • Add a /etc/firejail/firecfg.config.local file like:
    # This is a comment
    !firefox        <--- skip firefox
    ffmpeg     <--- add ffmpeg
    

I was going to suggest -, but ! also makes sense.

@rusty-snake
Copy link
Collaborator

So, I hope this won't be chosen:

The two points are linked with a logical "and" so both would be done in one PR.

I maintain the Gentoo package of firejail

Great, somebody more I know to ping for packaging issues.

I believe many other distros have similar mechanisms although maybe they are package-specific.

Fedora: If a file is marked as %config, it will be saved as FILENAME.rpmsave if it has user modifications. If it is marked as %config(noreplace), it is installed as FILENAME.rpmnew. There is rpmconf and python3-dnf-plugin-rpmconf which provide such install/keep/diff/... features but they are not installed by default nor do the have an effect if you update your system via gnome-software (what I not recommend to do).

@hlein
Copy link
Contributor

hlein commented Nov 14, 2021

So, I hope this won't be chosen:

The two points are linked with a logical "and" so both would be done in one PR.

But... do they need to be? If we will have a firecfg.config.local for site-local changes (and there's symmetry there for profile .local files), why not let firecfg.config live under /etc/ ? We don't put profiles under LIBDIR, after all.

I maintain the Gentoo package of firejail

Great, somebody more I know to ping for packaging issues.

Sure :)

I believe many other distros have similar mechanisms although maybe they are package-specific.

Fedora: If a file is marked as %config, it will be saved as FILENAME.rpmsave if it has user modifications. If it is marked as %config(noreplace), it is installed as FILENAME.rpmnew. There is rpmconf and python3-dnf-plugin-rpmconf which provide such install/keep/diff/... features but they are not installed by default nor do the have an effect if you update your system via gnome-software (what I not recommend to do).

That sounds sort of painful, but at least it is a thing. I mean really, software deploying default config files that users/admins can modify, and then it's the distro's problem to decide what to do upon upgrading the package, is a normal thing.

@kmk3
Copy link
Collaborator

kmk3 commented Nov 15, 2021

@hlein commented on Nov 15:

So, I hope this won't be chosen:

The two points are linked with a logical "and" so both would be done in one
PR.

But... do they need to be? If we will have a firecfg.config.local for
site-local changes (and there's symmetry there for profile .local files),
why not let firecfg.config live under /etc/ ? We don't put profiles under
LIBDIR, after all.

Considering that firecfg.config is basically just a giant list of programs
(rather than having many individual options like in firejail.config), I also
think that having a separate file for admin modifications would be better, as
it seems that conflicts would happen much more often and that the diff would be
harder to read (compared to that of firejail.config).

I believe many other distros have similar mechanisms although maybe they
are package-specific.

Fedora: If a file is marked as %config, it will be saved as
FILENAME.rpmsave if it has user modifications. If it is marked as
%config(noreplace), it is installed as FILENAME.rpmnew. There is
rpmconf and python3-dnf-plugin-rpmconf which provide such
install/keep/diff/... features but they are not installed by default nor do
the have an effect if you update your system via gnome-software (what I not
recommend to do).

That sounds sort of painful, but at least it is a thing. I mean really,
software deploying default config files that users/admins can modify, and
then it's the distro's problem to decide what to do upon upgrading the
package, is a normal thing.

Agreed.

On Arch, if you tried to install a package that would conflict with a modified
/etc/firejail/firecfg.config, pacman would just save the new version as
/etc/firejail/firecfg.config.pacnew, print a warning and then finish installing
normally. After the install, these files could be compared and merged by
running pacdiff (which would open them in vimdiff by default), if/when you
felt like doing so. Details:

IIRC, on Debian apt asks interactively in an ncurses-based UI what to do if a
configuration conflict happens (personally, I'd much rather not have upgrades
interrupted by default just because of that, but I suppose that it could be
useful in places where any breakage at all would be a big problem).

So considering that configuration files like /etc/firejail/firejail.config have
been around for a long time without having .local versions and that at least
apt, emerge, pacman and rpm apparently support conflict resolution in /etc in
seemingly good enough ways, to me it seems that this is a pretty standard
feature of package managers.

@WhyNotHugo
Copy link
Contributor

How about /etc/firejail/firecfg.d/ which can include many files, processed in-order.

So a default 10-default.config can include the current defaults, but one can include overrides such as 20-no-mpv.config with !mpv?

The biggest problem with having to mutate a package-provided file for configuration, is that it does not allow for a second package to ship a configuration file. I can currently have a package which ships a variety of configurations by dropping in files in /etc/modprobe.d/, usr/lib/tmpfiles.d/ , etc. However, it can't provide a file that's already installed by another package.

Sure, scripts could mutate the package-provided /etc/firejail/firecfg.config, but that requires making sure it's kept aligned with new versions after each update somehow. In the end, the idea of "mutable package-provided files" is always tricky. Being able to use drop-in files would solve this (which is what happens with the *.local files now for profiles.

@rusty-snake
Copy link
Collaborator

That's what firecfg.py does for 1,5 or 2 years now and it works great.

https://github.com/rusty-snake/firecfg.py/tree/master/firecfgpy/groups

It also solves the privileged-programs/chrom*/file-archivers can not be sandboxed on some systems issue by making own files for the which can be enabled/disable.

kmk3 added a commit to kmk3/firejail that referenced this issue Jul 1, 2023
kmk3 added a commit to kmk3/firejail that referenced this issue Jul 1, 2023
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].

It prevents firecfg from creating a symlink for the given program.

Also, document the paths used and the config file syntax.

Note that /etc/firejail/firecfg.d/*.conf files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any
item in the latter.

Closes netblue30#2097.

[1] netblue30#2097 (comment)
kmk3 added a commit to kmk3/firejail that referenced this issue Jul 1, 2023
kmk3 added a commit to kmk3/firejail that referenced this issue Jul 1, 2023
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].

It prevents firecfg from creating a symlink for the given program.

Also, document the paths used and the config file syntax.

Note that /etc/firejail/firecfg.d/*.conf files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any
item in the latter.

Closes netblue30#2097.

[1] netblue30#2097 (comment)
kmk3 added a commit to kmk3/firejail that referenced this issue Jul 1, 2023
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].

It prevents firecfg from creating a symlink for the given program.

Also, document the paths used and the config file syntax.

Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.

Closes netblue30#2097.

[1] netblue30#2097 (comment)
@kmk3
Copy link
Collaborator

kmk3 commented Jul 1, 2023

PR created:

Feel free to test and review.

kmk3 added a commit to kmk3/firejail that referenced this issue Jul 14, 2023
kmk3 added a commit to kmk3/firejail that referenced this issue Jul 14, 2023
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].

It prevents firecfg from creating a symlink for the given program.

Also, document the paths used and the config file syntax.

Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.

Closes netblue30#2097.

[1] netblue30#2097 (comment)
kmk3 added a commit to kmk3/firejail that referenced this issue Aug 4, 2023
kmk3 added a commit to kmk3/firejail that referenced this issue Aug 4, 2023
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].

It prevents firecfg from creating a symlink for the given program.

Also, document the paths used and the config file syntax.

Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.

Closes netblue30#2097.

[1] netblue30#2097 (comment)
kmk3 added a commit to kmk3/firejail that referenced this issue Aug 4, 2023
kmk3 added a commit to kmk3/firejail that referenced this issue Aug 4, 2023
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].

It prevents firecfg from creating a symlink for the given program.

Also, document the paths used and the config file syntax.

Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.

Closes netblue30#2097.

[1] netblue30#2097 (comment)
kmk3 added a commit that referenced this issue Jan 4, 2024
@github-project-automation github-project-automation bot moved this to Done (on RELNOTES) in Release 0.9.74 Aug 28, 2024
@kmk3 kmk3 added this to Papercuts Sep 13, 2024
@kmk3 kmk3 moved this to Done in Papercuts Sep 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature request firecfg Anything related to firecfg and not firejail itself
Projects
Status: Done
Status: Done (on RELNOTES)
Development

Successfully merging a pull request may close this issue.

7 participants