New profile for CoyIM #3853

Merged 4 commits on Jan 25, 2021

botherder
Contributor

I have created here a first profile for CoyIM. I have tried to make it as restrictive as I could and follow the guidelines of the template. It is however the first firejail profile I create, so any input or feedback would be very welcome.

Collaborator

@SkewedZeppelin SkewedZeppelin left a comment

mostly good aside from minor things

Collaborator

@rusty-snake rusty-snake left a comment

> I have tried to make it as restrictive as I could and follow the guidelines of the template. It is however the first firejail profile I create, so any input or feedback would be very welcome.

It's always better to make more review steps and have a profile 😄 . So here're my inputs.

  • Can we use include whitelist-runuser-common.inc, include whitelist-usr-share-common.inc, include whitelist-var-common.inc?
  • Add blacklist ${HOME}/.config/coyim to disable-programs.inc
  • Add coyim to src/firecfg/firecfg.config.

@botherder
Contributor Author

I have added the suggested changes.

@botherder
Contributor Author

> It's always better to make more review steps and have a profile. So here're my inputs.

Thank you for your feedback.

> • Can we use include whitelist-runuser-common.inc, include whitelist-usr-share-common.inc, include whitelist-var-common.inc?

What's the rulebook regarding the inclusion of whitelist-*? Isn't it preferable to avoid adding additional inclusions if they are not necessary to the proper functioning of the application?

@rusty-snake
Collaborator

rusty-snake commented Dec 29, 2020

> What's the rulebook regarding the inclusion of whitelist-*? Isn't it preferable to avoid adding additional inclusions if they are not necessary to the proper functioning of the application?

whitelist-common.inc (wc): Should always be used for whitelisting profiles. It provides things such as bookmarks in file-selection dialogs and custom GTK/Qt themes, icon themes, ... (exception: command-line programs which only read ~/.foorc)
whitelist-runuser-common.inc (wruc), whitelist-usr-share-common.inc (wusc) and whitelist-var-common.inc (wvc): including these profiles adds restrictions because they enable whitelisting in these locations.

edit: wusc may need something like whitelist /usr/share/CoyIM.
edit2: compare firejail ls /usr/share and firejail --profile=default.profile --profile=/etc/firejail/whitelist-usr-share-common.inc ls /usr/share.
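
The comparison suggested in the comment above, as an added example that is not part of this PR or the firejail project: it diffs the two listings to show which /usr/share entries the whitelist include hides, and prints the whitelist line a profile would need if the application's directory is among them. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what whitelist-usr-share-common.inc hides in /usr/share.

# Print entries present in listing $1 but absent from listing $2.
# Both arguments are newline-separated directory listings.
hidden_entries() {
    _a=$(mktemp)
    _b=$(mktemp)
    printf '%s\n' "$1" | LC_ALL=C sort -u > "$_a"
    printf '%s\n' "$2" | LC_ALL=C sort -u > "$_b"
    LC_ALL=C comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Print the whitelist line needed when directory $1 (a name under
# /usr/share) appears in the hidden entries $2; print nothing otherwise.
needed_whitelist() {
    if printf '%s\n' "$2" | grep -Fxq -- "$1"; then
        printf 'whitelist /usr/share/%s\n' "$1"
    fi
}

# Live comparison, using the two commands quoted in the comment.
# firejail's own status messages go to stderr and are discarded.
compare_live() {
    _plain=$(firejail ls /usr/share 2>/dev/null)
    _jailed=$(firejail --profile=default.profile \
        --profile=/etc/firejail/whitelist-usr-share-common.inc \
        ls /usr/share 2>/dev/null)
    hidden_entries "$_plain" "$_jailed"
}

# Constructed sample listings (not the real contents of the include),
# so the functions can be exercised on a machine without firejail.
SAMPLE_PLAIN='CoyIM
fonts
icons
doc
some-other-app'
SAMPLE_JAILED='fonts
icons'

# Run the live comparison only when asked to: ./script.sh --live CoyIM
if [ "${1:-}" = "--live" ]; then
    needed_whitelist "${2:-CoyIM}" "$(compare_live)"
fi
```

An empty result from `needed_whitelist` means the directory is still visible with the include in effect, so no extra whitelist line is required for it.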

@rusty-snake
Collaborator

Have you found time to test CoyIM with wruc, wusc and wvc?

@botherder
Contributor Author

Yep, works fine.

@netblue30 netblue30 merged commit f45534d into netblue30:master Jan 25, 2021
@netblue30
Owner

merged, thanks!

@matu3ba matu3ba mentioned this pull request Oct 7, 2021