Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor electron.profile and electron based programs #3806

Closed
34 tasks done
rusty-snake opened this issue Dec 10, 2020 · 3 comments · Fixed by #3807
Closed
34 tasks done

Refactor electron.profile and electron based programs #3806

rusty-snake opened this issue Dec 10, 2020 · 3 comments · Fixed by #3807

Comments

@rusty-snake
Copy link
Collaborator

rusty-snake commented Dec 10, 2020
edited
Loading

  • Allow chrome-sandbox

Add caps.keep sys_admin,sys_chroot to electron.profile and remove the following.
Additional add #include chromium-common-hardened.inc with a note.

caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
  • Move include whitelist-common.inc to electron.profile
  • Discover which command are common enough to be part of electron.profile. Consider these:
    • include disable-devel.inc
    • include disable-exec.inc
    • include disable-interpreters.inc
    • include disable-xdg.inc
    • shell none
    • private-bin electron[0-9],electron[0-9][0-9]
    • nou2f
    • novideo
    • private-tmp
    • include whitelist-var-common.inc
    • include whitelist-usr-share-common.inc
    • include whitelist-runuser-common.inc
    • disable-mnt
    • private-cache
    • private-dev
  • consistent include globals.local
  • Make all electron based programs, electron redirect profiles. Current redirect profiles are below. If you know any missing post it.
$ grep -l "include electron.profile" /etc/firejail/*.profile
/etc/firejail/beaker.profile
/etc/firejail/freetube.profile
/etc/firejail/jitsi-meet-desktop.profile
/etc/firejail/nuclear.profile
/etc/firejail/riot-web.profile
/etc/firejail/rocketchat.profile
/etc/firejail/teams-for-linux.profile
/etc/firejail/teams.profile
/etc/firejail/twitch.profile
/etc/firejail/whalebird.profile
/etc/firejail/wire-desktop.profile
/etc/firejail/youtubemusic-nativefier.profile
/etc/firejail/youtube.profile
/etc/firejail/ytmdesktop.profile

Needs update:

  • beaker.profile
  • freetube.profile
  • jitsi-meet-desktop.profile
  • nuclear.profile
  • riot-web.profile
  • rocketchat.profile
  • teams-for-linux.profile
  • teams.profile
  • twitch.profile
  • whalebird.profile
  • wire-desktop.profile
  • youtubemusic-nativefier.profile
  • youtube.profile
  • ytmdesktop.profile
@rusty-snake
Copy link
Collaborator Author

rusty-snake commented Dec 10, 2020
edited
Loading

  • atom
  • slack
  • signal-desktop
  • skypeforlinux
  • github-desktop
  • discord-common
  • zoom

@rusty-snake rusty-snake mentioned this issue Dec 10, 2020
Merged
@rusty-snake rusty-snake linked a pull request Dec 10, 2020 that will close this issue
profiles: refactor electron.profile and electron-based programs #3807
Merged
@glitsj16
Copy link
Collaborator

Very nice idea 👍, love it.

rusty-snake added a commit to rusty-snake/firejail that referenced this issue Jan 7, 2021
@rusty-snake
refactor mattermost-desktop as electron redirect (netblue30#3806)
278bc31
rusty-snake added a commit that referenced this issue Jan 8, 2021
@rusty-snake
refactor mattermost-desktop as electron redirect (#3806)
c338760
@Neo00001 Neo00001 mentioned this issue Mar 23, 2021
Closed
@mYnDstrEAm mYnDstrEAm mentioned this issue Jul 26, 2021
Open
7 tasks
@rusty-snake
Copy link
Collaborator Author

  • bitwarden
  • code
  • mattermost-desktop

@matu3ba matu3ba mentioned this issue Oct 7, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

profiles: refactor electron.profile and electron-based programs rusty-snake/firejail
2 participants
@glitsj16 @rusty-snake