Add vmware profile

[Neo00001]

No description provided.

[rusty-snake]

TODOs:

• Header (see the profile template)~
• whitelisting goes in a block between the disable-.inc and caps.
• ${HOME}/.vmware and ${HOME}/.cache/vmware need a mkdir and noblacklist + a blacklist in disable-programs.inc
• nodbus should be removed, since it is deprecated as of 0.9.63. Move the dbus-* none command in a extra block at the end of the file
• The blank lines between disable-mnt ant private-etc can be removed.
• ipc-namespace should be removed
• caps.drop all can be removed

What about:

• whitelist-usr-share-common.inc
• whitelist-var-common.inc
• whitelist-runuser-common.inc
• nonewprivs (may break?)
• noroot
• tracelog
• protocol
• seccomp
• private-cache
• private-dev (does this allow /dev/kvm?)
• private-bin
• private-tmp

[Neo00001]

whitelist-usr-share-common.inc,whitelist-var-common.inc,whitelist-runuser-common.inc

• didn't feel the need. nothing seems broken regarding normal functionality. btw, whitelist-runuser-common.inc is not available under firejail version 0.9.62.

nonewprivs,noroot,protocol,seccomp,private-bin

• all of these make vmware dysfunctional. vmware may launch but can't run any guest os.

private-bin

• despite allowing all of vmware related bin files vmware still doesn't run. if you may suggest some other files I would like to check it further.

private-cache

• drag & drop from guest to host won't work

private-tmp

• it may work, I have to check it though. there is a folder namely VMwareDnD (in /tmp) which keeps linked folders of cache's drag_and_drop folder's contents.

tracelog

• it works. but is it needed?

[rusty-snake]

didn't feel the need. nothing seems broken regarding normal functionality

Adding them is more secure, then are only whitelisted files/dirs allowed, w/o all are allowed.
wusc may need extras (e.g. whitelist /usr/share/vm-ware)

all of these make vmware dysfunctional. vmware may launch but can't run any guest os.

👍 vmware is a suid, right?

• protocol which what protocols have tested? protocol unix,inet,inet6,netlink,packet is the most permissive one.
• seccomp you can watch your syslog (journalctl --follow) to know which syscall are blocked

despite allowing all of vmware related bin files vmware still doesn't run. if you may suggest some other files I would like to check it further.

You can use firejail --build vmware You can not since nonewprivs breaks.

it works. but is it needed?

It logs blacklist violation which are usually a indicator for issues. In general it is added to all profiles where it is supported.

whitelist-runuser-common.inc is not available under firejail version 0.9.62.

If you still use X11, you can copy it.

[Neo00001]

private-tmp is breaking drag & drop from guest to host.

Everything got copied twice.

[Neo00001]

• protocol which what protocols have tested? protocol unix,inet,inet6,netlink,packet is the most permissive one.

• seccomp you can watch your syslog (journalctl --follow) to know which syscall are blocked

protocol unix,inet,inet6,netlink,packet

• doesn't allow vmware to run any guest os.

& regarding seccomp, the syscall was iopl. & seccomp !iopl doesn't work

[rusty-snake]

It maybe more then one, if seccomp !foo,!bar breaks without any logs, you can leave it out.

[Neo00001]

It maybe more then one, if seccomp !foo,!bar breaks without any logs, you can leave it out.

seccomp !iopl breaks without logs.

[Neo00001]

should I add nou2f?

[rusty-snake]

Reseted, rebased and squashed that for you. Merged in 6fa68d1.

PS: You should delete your fork and fork again.

[Neo00001]

Reseted, rebased and squashed that for you. Merged in 6fa68d1.

PS: You should delete your fork and fork again.

Thanks.

& Sorry for all of these.