
Update telegram.profile #3897

Merged
merged 4 commits into from
Jan 28, 2021

Conversation

nidamanx
Contributor

Allow Telegram ONLY in .TelegramDesktop, .local/share/TelegramDesktop and Downloads

If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.

If you make a PR for new profiles or changing profiles please do the following:

  • The ordering of options follows the rules described in /usr/share/doc/firejail/profile.template.

    Hint: The profile-template is very new; if you install firejail with your package manager, it may be missing. Therefore, and to follow the latest rules, it is recommended to use the template from the repository.

  • Order the arguments of options alphabetically; you can easily do this with sort.py.
    The path to it depends on your distro:

    Distro                Path
    Arch/Fedora           /usr/lib64/firejail/sort.py
    Debian/Ubuntu/Mint    /usr/lib/x86_64-linux-gnu/firejail/sort.py
    local git clone       contrib/sort.py

    Note also that the sort.py script exists only since firejail 0.9.61.

See also CONTRIBUTING.md.

@rusty-snake
Collaborator

rusty-snake left a comment

LGTM, except that includes should go by name and not by path.

BTW: There's a lot more we can do on telegram.profile, see #3638 (comment).

OT: TelegramDesktop is a electron too if I'm right. We should refactor it too.

Optimized "include whitelist-common.inc"
@Neo00001
Collaborator

> OT: TelegramDesktop is a electron too if I'm right. We should refactor it too.

TelegramDesktop is Qt-based desktop client afaik.

@Neo00001
Collaborator

Neo00001 commented Jan 23, 2021

@ndmann

include disable-passwdmgr.inc
include disable-xdg.inc

include whitelist-usr-share-common.inc
include whitelist-var-common.inc
include whitelist-runuser-common.inc

Try these. Hopefully it will work.

@nidamanx
Contributor Author

nidamanx commented Jan 24, 2021

> @ndmann
>
> include disable-passwdmgr.inc
> include disable-xdg.inc
>
> include whitelist-usr-share-common.inc
> include whitelist-var-common.inc
> include whitelist-runuser-common.inc
>
> Try these. Hopefully it will work.

Thanks @Neo00001
one submitted setting was already verified
https://github.com/netblue30/firejail/pull/3897/files

I found very interesting your suggestion about
include disable-passwdmgr.inc
Are you using it?

--edit
I tried your config. Unfortunately it didn't work. All was exposed.
The one I submitted works well

@Neo00001
Collaborator

Neo00001 commented Jan 24, 2021

> Are you using it?

Yes. And these also:

include disable-shell.inc
apparmor
shell none

my dbus-policy is

dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.kde.StatusNotifierWatcher

dbus-system none

I'm on KDE btw, for other DEs it will be different though.

If you have some other folders/programs in /opt you may create an empty folder foo and add

private-opt foo

to telegram's profile.

depending upon your usecase, you may restrict much more.

@nidamanx
Contributor Author

> Are you using it?
>
> Yes. And these also:
>
> include disable-shell.inc
> apparmor
> shell none
>
> my dbus-policy is
>
> dbus-user filter
> dbus-user.talk org.freedesktop.Notifications
> dbus-user.talk org.kde.StatusNotifierWatcher
>
> dbus-system none
>
> I'm on KDE, for other DEs it will be different though.
>
> If you have some other folders/programs in /opt you may create an empty folder foo and add
>
> private-opt foo
>
> to telegram's profile.
>
> depending upon your usecase, you may restrict much more.

That's also interesting!

include disable-shell.inc
apparmor
shell none

Could be useful to find a basic config ready for all DE.
I'll try your added lines
Thanks!

@Neo00001
Collaborator

> All was exposed

what were exposed?
btw, you had to add those lines into your profile along with your already submitted changes. Otherwise the home folder won't be properly restricted.

@nidamanx
Contributor Author

> > All was exposed
>
> what were exposed?
> btw, you had to add those lines into your profile along with your already submitted changes. Otherwise the home folder won't be properly restricted.

Ah, ADDED to my submitted lines!
So, I think, all will be absolutely better!
I thought your setup could be a better way to have the same results as the code I submitted.
...btw I already started to integrate your lines.

@nidamanx
Contributor Author

So, @Neo00001, you are on KDE.
I'm on Gnome and Xfce.
Let's try a config for more DEs

My install:

  • telegram in /opt/telegram
  • alias in /usr/local/bin/telegram
  • launcher in /usr/local/share/applications/telegram-messenger.desktop
  • firejail profile in: ~/.config/firejail/telegram.profile

The following lines work perfectly for me (Gnome and Xfce) and probably in KDE too.
Adding all the lines you suggested didn't allow my telegram to start from the launcher.

mkdir ${HOME}/.TelegramDesktop
mkdir ${HOME}/.local/share/TelegramDesktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.TelegramDesktop
whitelist ${HOME}/.local/share/TelegramDesktop
include whitelist-common.inc

include disable-passwdmgr.inc
include disable-xdg.inc
shell none
apparmor

@nidamanx
Contributor Author

nidamanx commented Jan 24, 2021

Adding the following lines, seems absolutely better:
now we're in private-dev too

mkdir ${HOME}/.TelegramDesktop
mkdir ${HOME}/.local/share/TelegramDesktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.TelegramDesktop
whitelist ${HOME}/.local/share/TelegramDesktop
include whitelist-common.inc
include disable-passwdmgr.inc
include disable-xdg.inc
shell none
apparmor
private-dev

It could be possible that using private-dev, phone calls will not be allowed.
Anyway, in audit: I can see a good protection (nothing marked as BAD anymore)

I have these few errors in logs:

[ALSOFT] (EE) Failed to set real-time priority for thread: not allowed
Could not create AF_NETLINK socket not supported

But Telegram (chat) seems to work fine.
Maybe we have to investigate more about those errors?
Thanks

@Neo00001
Collaborator

Neo00001 commented Jan 24, 2021

> The following lines work perfectly for me (Gnome and Xfce) and probably in KDE too.

Yes. It works for KDE also.

> [ALSOFT] (EE) Failed to set real-time priority for thread: not allowed

This probably occurs without firejail also. Try to run telegram with firejail --noprofile to check.

> Could not create AF_NETLINK socket not supported

#3733
#3614

> • telegram in /opt/telegram

try all of my suggestions except private-opt

btw, what's the output of ls -al /opt/telegram

@nidamanx
Contributor Author

nidamanx commented Jan 24, 2021

> This probably occurs without firejail also. Try to run telegram with firejail --noprofile to check.

You're right!

> Could not create AF_NETLINK socket not supported

fixed as in #3614

- unix,inet,inet6
+ unix,inet,inet6,netlink
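Review bot: the `+` line widens the sandbox's socket-family filter, so the commit message should state why (the `Could not create AF_NETLINK socket` error quoted above, the same fix as #3614) rather than leave it as a silent one-token change. The order is fine as written: sort.py keeps `protocol` in its canonical unix, inet, inet6, netlink order rather than sorting it alphabetically. Note that `protocol` is enforced through seccomp, so the line only takes effect while seccomp filtering is active in the profile.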

> try all of my suggestions except private-opt

All seems fine in terminal, but not the launcher (fails)
Seems the only parameter I can add is

include whitelist-var-common.inc

Each one of the following fail to desktop launcher

include disable-shell.inc
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc

Maybe we also need to whitelist launcher location.
Same result if I move launcher in ~/.local/share/applications/telegram-messenger.desktop

cat /usr/local/share/applications/telegram-messenger.desktop 
[Desktop Entry]
Encoding=UTF-8
Name=Telegram Messenger
Comment=Telegram Messenger for Desktop
Exec=firejail /opt/telegram/Telegram
Icon=/usr/local/share/icons/telegram-messenger-icon.png
Type=Application
Categories=Application;

> btw, what's the output of ls -al /opt/telegram

drwxrwxr-x 2 user group   4096 gen 17 11:58 .
drwxr-xr-x 6 root root    4096 gen 16 18:54 ..
-rwxr-xr-x 1 user group   93162336 dic 23 13:43 Telegram
-rwxr-xr-x 1 user group   1810344 dic 23 13:43 Updater

@Neo00001
Collaborator

> All seems fine in terminal, but not the launcher (fails)
> Seems the only parameter I can add is

So when you run telegram from terminal, all those parameters work but in case of launcher that ain't the case. I'm a bit puzzled here tbh. @rusty-snake may help us out here.

> -rwxr-xr-x 1 user group 93162336 dic 23 13:43 Telegram

private-opt won't work for you.

> Maybe we also need to whitelist launcher location.

/usr/local/share/ is not blocked in your case. Something else is the problem. And btw, firejail's apparmor profile also supports execution from /usr/local or /opt.

  • when you run telegram from terminal, do you notice any error?

> [Desktop Entry]
> Encoding=UTF-8

did you use any software to create this desktop entry? Encoding is a deprecated key.

@nidamanx
Contributor Author

> So when you run telegram from terminal, all those parameters work

exactly. It's a bit strange

> when you run telegram from terminal, do you notice any error?

No, no errors. If all params in TESTING are enabled (see below the full lines added to the default one) the .desktop file just doesn't work.

> did you use any software to create this desktop entry? Encoding is a deprecated key.

Done by myself. Now Encoding is removed, but same result.

Here is the actual working config:

# STABLE BEGIN
mkdir ${HOME}/.TelegramDesktop
mkdir ${HOME}/.local/share/TelegramDesktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.TelegramDesktop
whitelist ${HOME}/.local/share/TelegramDesktop
include whitelist-common.inc
include disable-passwdmgr.inc
include disable-xdg.inc
shell none
apparmor
private-dev
include whitelist-var-common.inc
# STABLE END

# TESTING BEGIN
#include disable-shell.inc
#include whitelist-usr-share-common.inc
#include whitelist-runuser-common.inc
# TESTING END
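Three of the points raised in this thread can be checked mechanically before a profile is submitted: rusty-snake's review note that includes should go by name and not by path, the `mkdir` line that pairs with each `whitelist ${HOME}/...` directory in the working config above, and the argument ordering that contrib/sort.py enforces (alphabetical for options such as `private-bin`, and the canonical unix, inet, inet6, netlink order for `protocol`). The script below is an added example written for this page; it is not firejail's sort.py and not project code. The set of options it sorts, the protocol order, and the sample profile it lints are assumptions chosen to mirror the thread; the sample is the STABLE block from the comment above with three faults introduced on purpose.

```python
"""Lint pass for a firejail profile.

Illustration written for this thread, not firejail's contrib/sort.py and not
project code. It flags includes given by path, whitelisted home directories
without a matching mkdir, and argument lists that are not in canonical order.
"""
import sys

# Options whose comma-separated arguments should be listed alphabetically.
# ASSUMPTION: chosen to mirror what contrib/sort.py handles; check the real script.
SORTED_ARG_OPTIONS = {
    "private-bin", "private-etc", "private-lib",
    "caps.drop", "caps.keep",
    "seccomp", "seccomp.drop", "seccomp.keep",
}

# `protocol` is not sorted alphabetically; sort.py keeps this fixed order.
# ASSUMPTION: order taken from memory of sort.py; unknown tokens are appended.
PROTOCOL_ORDER = ("unix", "inet", "inet6", "netlink", "packet", "bluetooth")


def sort_protocol(args):
    """Return the protocol list in canonical order, unknown tokens last."""
    items = [a.strip() for a in args.split(",") if a.strip()]
    known = [p for p in PROTOCOL_ORDER if p in items]
    unknown = [p for p in items if p not in PROTOCOL_ORDER]
    return ",".join(known + unknown)


def normalize(line):
    """Return the canonical form of one profile line.

    Sorted, deduplicated arguments for SORTED_ARG_OPTIONS, canonical order for
    `protocol`; any other line (or a bare option such as `seccomp`) is returned
    stripped but otherwise unchanged.
    """
    line = line.strip()
    opt, _, args = line.partition(" ")
    if not args.strip():
        return line
    if opt == "protocol":
        return f"protocol {sort_protocol(args)}"
    if opt in SORTED_ARG_OPTIONS:
        items = sorted({a.strip() for a in args.split(",") if a.strip()})
        return f"{opt} {','.join(items)}"
    return line


def lint_profile(text):
    """Return a list of (line_number, message) findings for the profile text."""
    findings = []
    mkdirs = set()
    home_whitelists = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opt, _, arg = line.partition(" ")
        arg = arg.strip()
        if opt == "include" and "/" in arg:
            # firejail resolves bare .inc names itself (~/.config/firejail, /etc/firejail)
            bare = arg.rsplit("/", 1)[-1]
            findings.append((n, f"include by path; use the bare name: include {bare}"))
        elif opt == "mkdir":
            mkdirs.add(arg)
        elif opt == "whitelist" and arg.startswith("${HOME}/"):
            home_whitelists.append((n, arg))
        elif normalize(line) != line:
            findings.append((n, f"argument order; expected: {normalize(line)}"))
    # A whitelisted directory the app creates itself needs a mkdir, or on a
    # fresh profile there is nothing for the whitelist to mount.
    for n, path in home_whitelists:
        if path not in mkdirs:
            findings.append((n, f"whitelist {path} has no matching mkdir {path}"))
    return findings


# Constructed sample: the STABLE block from the thread with three faults added
# on purpose (a whitelist without mkdir, an include by path, a misordered
# protocol line). Not the merged telegram.profile.
SAMPLE_PROFILE = """\
# constructed sample, not the merged telegram.profile
mkdir ${HOME}/.TelegramDesktop
mkdir ${HOME}/.local/share/TelegramDesktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.TelegramDesktop
whitelist ${HOME}/.local/share/TelegramDesktop
whitelist ${HOME}/.config/TelegramDesktop
include /etc/firejail/whitelist-common.inc
include disable-passwdmgr.inc
include disable-xdg.inc
protocol inet,unix,inet6,netlink
shell none
apparmor
private-dev
include whitelist-var-common.inc
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for n, msg in lint_profile(text):
        print(f"line {n}: {msg}")
```

Run it with no arguments to see the three findings on the sample, or pass the path of a profile such as ~/.config/firejail/telegram.profile. The option set and protocol order are approximations of what sort.py does; for an actual submission, still run the project's script from the path given in the PR template.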

@nidamanx
Contributor Author

All is now fixed using the Debian Backport Package (0.9.64-1~bpo10+1)
Tested on KDE, Gnome, Xfce.
I'm going to submit the code

@nidamanx nidamanx closed this Jan 25, 2021
@nidamanx nidamanx reopened this Jan 25, 2021
@rusty-snake
Collaborator

rusty-snake left a comment

Can you follow our profile ordering/sorting from profile.template?

@nidamanx
Contributor Author

> Can you follow our profile ordering/sorting from profile.template?

Done

@rusty-snake rusty-snake merged commit 7c1dae0 into netblue30:master Jan 28, 2021
@rusty-snake
Collaborator

merged, thanks.

@nidamanx
Contributor Author

You're welcome! :-)

@nidamanx nidamanx deleted the patch-1 branch January 29, 2021 00:01