Create allow-INTERPETER.inc

[rusty-snake]

• allow-lua.inc
• allow-perl.inc
• allow-python2.inc
• allow-python3.inc
• allow-java.inc

See #2735 (comment)

[SkewedZeppelin]

I think I got most of them.
I left out the template to not break #2735

[rusty-snake]

meld, natron, qutebrowser, ranger need to be updated.

[SkewedZeppelin]

That should be it.
Aside from placement here or there.

I should probably rewrite the program from #1427 and run it again.

[Vincent43]

HEADER
COMMENTS
BLACKLISTS
NOBLACKLISTS
ALLOW INCLUDES

I think NOBLACKLISTS + ALLOW INCLUDES should be before BLACKLISTS otherwise they won't work 😃

[rusty-snake]

@Vincent43 to have the following in a profile make no sense:

noblacklist ${HOME}/something
blacklist ${HOME}/something

BLACKLIST means blacklist commands in the profile.

[glitsj16]

To accomodate Arch Linux's Perl policy I'm wondering whether we should add

noblacklist ${PATH}/site_perl
noblacklist ${PATH}/vendor_perl

to the new allow-perl.inc.

[Fred-Barclay]

@glitsj16 I think we should

[rusty-snake]

@glitsj16 feel free to commit.

[Vincent43]

to have the following in a profile make no sense:

noblacklist ${HOME}/something
blacklist ${HOME}/something

The opposite order also doesn't make sense. It doesn't make sense having noblacklist and blacklist for the same path in profile in general but noblacklist rule should precede blacklist one to be effective elsewhere and I think keeping that order here wold be consistent.

[rusty-snake]

@Vincent43 to do that to have a consistent/consequent order sounds good. I use this order above because every profile with blacklist and noblacklist has this order.
grep "^blacklist" --context=5 /etc/profile/*.profile

OK then lets have the following:

HEADER
COMMENTS -- don't know what this is.
IGNORES
NOBLACKLISTS
ALLOW INCLUDES
BLACKLISTS
DISABLE INCLUDES
MKDIRS
WHITELISTS
WHITELIST INCLUDES
OPTIONS (aa, caps, ipc-namespace, machine-id, net*, no*, protocol, seccomp, shell, tracelog)
PRIVATE OPTIONS (disable-mnt, private*)
SPECIAL OPTIONS (env, mdwx, noexec, read-only, join-or-start)
REDIRECT INCLUDES

@glitsj16 where do we blacklist ${PATH}/site_perl & blacklist ${PATH}/vendor_perl ?

[glitsj16]

@rusty-snake At present we don't blacklist site_perl and vendor_perl, although I think we should. I forgot that part, nice catch. To keep this draft PR clean, would you be so kind as to add those to the current /etc/firejail/disable-interpreters.inc?

[SkewedZeppelin]

@rusty-snake

COMMENTS -- don't know what this is.

some profiles have comments on their use
eg.
https://github.com/netblue30/firejail/blob/master/etc/Xephyr.profile
https://github.com/netblue30/firejail/blob/master/etc/xpra.profile
https://github.com/netblue30/firejail/blob/master/etc/spectre-meltdown-checker.profile

[SkewedZeppelin]

Ignoring placement, are we OK with this to merge?

[rusty-snake]

@SkewedZeppelin I think so.