Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create whitelist-run-common.inc #4288

Merged
merged 2 commits into from
Jul 16, 2021
Merged

Create whitelist-run-common.inc #4288

merged 2 commits into from
Jul 16, 2021

Conversation

rusty-snake
Copy link
Collaborator

@rusty-snake rusty-snake commented May 19, 2021
edited
Loading

This still needs testing. Add it to your globals.local. Does everything still work?

If someone who use systemd-resolved can say more which resolv.conf is necessary on such system.

@rusty-snake rusty-snake added the help wanted Extra attention is needed label May 19, 2021
@pirate486743186
Copy link
Contributor

lol, nothing works anymore
Error: invalid whitelist path /run/NetworkManager/resolv.conf Error: proc 4224 cannot sync with peer: unexpected EOF Peer 4225 unexpectedly exited with status 1
ubuntu 18.04 32bit, latest firejail from ppa
The path exist, actually firejail rejects all lines, not sure what's wrong.

@rusty-snake
Copy link
Collaborator Author

I'm not sure which version is in the ppa but you need #4302.

@rusty-snake rusty-snake marked this pull request as ready for review June 21, 2021 12:27
@rusty-snake
Copy link
Collaborator Author

I have whitelist /run/dbus/system_bus_socket in globals.local for over one month now and had no trouble (except for printing which is now solved by adding whitelist /run/cups/cups.sock). Nerveless, my resolv.conf is a file (not a symlink) for example and I don't things like kerberos, avahi, VPNs, ... so it might don't work for all system configurations.

If nobody reports testing here, I go forward, merged this PR and start adding it to some profiles.

@pirate486743186
Copy link
Contributor

in order to test this, you need to compile firejail from source....
So, not a lot of potential testers...

@rusty-snake
Copy link
Collaborator Author

rusty-snake commented Jul 3, 2021
edited
Loading

in order to test this, you need to compile firejail from source....

No, you can it install with your package manager in Arch Linux and Fedora Rawhide. And other distros like Debian unstable, Debian stable+backports, OpenSUSE tumbleweed, Manjaro will follow soon.

So depending you your distros, you already do it.

And TBH firejail is one of the easiest programs to compile form source that I know. Furthermore Arch Linux users can install firejail-git which is even easier.

So, not a lot of potential testers...

The most people (frequently) hanging here and reading this compile firejail from source as it looks for me. Anyway we don't need much testers a few with different distros and dns setups are enough. There are 5 whitelists ATM so there aren't to much possibilities to differ. The only thing that I worry about are resolv.conf symlinks.

@glitsj16
Copy link
Collaborator

glitsj16 commented Jul 3, 2021

This needs testing. Add it to your globals.local. Does everything still work?

FWIW, I've been running with this without any issues on Arch Linux. But my resolv.conf also is a file instead of a symlink (never used systemd-resolved) so on that part I cannot add anything relevant.

glitsj16
glitsj16 approved these changes Jul 3, 2021
View reviewed changes
Copy link
Collaborator

@glitsj16 glitsj16 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rusty-snake rusty-snake merged commit 6422a67 into netblue30:master Jul 16, 2021
@rusty-snake rusty-snake deleted the whitelist-run-common branch July 16, 2021 09:29
kmk3 added a commit that referenced this pull request Dec 11, 2021
@kmk3
RELNOTES: add more missing pr/issue references
5716965 
Relates to #4157 #4288 #4461 #4462.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@glitsj16 glitsj16 glitsj16 approved these changes

Assignees
No one assigned
Labels
help wanted Extra attention is needed
Projects
Release 0.9.68
Status: Done (on RELNOTES)
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rusty-snake @pirate486743186 @glitsj16