Create disable-X11.inc #4462

Merged: 1 commit, Aug 11, 2021

rusty-snake
Collaborator

blacklist ${RUNUSER}/gdm/Xauthority
blacklist ${RUNUSER}/.mutter-Xwaylandauth*
blacklist ${RUNUSER}/xauth_*
#blacklist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
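Review bot: the commented-out UUID glob on the last line has no comment in the file saying why it is disabled. The reason given in this thread (other programs may use a bare UUID name in ${RUNUSER} with no prefix or suffix) should sit as a one-line comment directly above it, so that nobody later enables the rule without knowing it can blacklist unrelated files.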
Collaborator

Out of curiosity I just tried to find where support for these regex classes is implemented, but I didn't succeed.
The only other place using them seems to be whitelist-runuser-common.inc.
Would this actually work? If yes, do you know where this is implemented?

Collaborator

Interesting, glob(7) is documenting this. I wasn't aware that glob() supports character classes.

Collaborator Author

Yes, it is glob(). If it were a regex, I could write `[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}` to match a UUID, which would be shorter and much more readable. Too bad that you cannot do it.

And, FTR, this line is commented because there may be other programs out there with the stupid idea of using a UUID without any prefix/suffix that indicates the program/usage.
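
The glob-versus-regex point from this thread, as an added example (not part of the PR or of firejail's code): fnmatch(3), which applies the glob(7) pattern rules, accepts `[[:xdigit:]]` but treats `{8}` as literal characters, so the UUID pattern has to repeat the class 32 times. The file names are constructed samples, and using fnmatch() with FNM_PERIOD to stand in for firejail's glob() call is an assumption.

```c
#include <fnmatch.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>
#define XD "[[:xdigit:]]"

/* Build the glob for a bare UUID file name: 8-4-4-4-12 hex digits.
 * Glob syntax has no repetition count, so the class is written 32 times. */
static void uuid_glob(char *out, size_t cap) {
    static const int groups[] = {8, 4, 4, 4, 12};
    out[0] = '\0';
    for (size_t g = 0; g < 5; g++) {
        if (g > 0) strncat(out, "-", cap - strlen(out) - 1);
        for (int i = 0; i < groups[g]; i++)
            strncat(out, XD, cap - strlen(out) - 1);
    }
}

/* 1 if name matches pattern under glob(7) rules (assumed flag: FNM_PERIOD). */
int glob_match(const char *pattern, const char *name) {
    return fnmatch(pattern, name, FNM_PERIOD) == 0;
}

int glob_matches_uuid(const char *name) {
    char pat[512]; /* 32 * 12 + 4 = 388 bytes needed */
    uuid_glob(pat, sizeof pat);
    return glob_match(pat, name);
}

/* The same check as a POSIX extended regex, where {n} is a repetition count. */
int regex_matches_uuid(const char *name) {
    regex_t re;
    if (regcomp(&re, "^" XD "{8}-" XD "{4}-" XD "{4}-" XD "{4}-" XD "{12}$",
                REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int ok = regexec(&re, name, 0, NULL, 0) == 0;
    regfree(&re);
    return ok;
}

int main(void) {
    /* Constructed sample names, as they might appear under ${RUNUSER}. */
    const char *names[] = {"3f2a9c1e-7b4d-4e8a-9f10-0123456789ab",
                           "xauth_AbC123", "3f2a9c1e"};
    for (size_t i = 0; i < 3; i++)
        printf("%-38s glob=%d regex=%d brace-glob=%d\n", names[i],
               glob_matches_uuid(names[i]), regex_matches_uuid(names[i]),
               glob_match(XD "{8}", names[i]));
    return 0;
}
```

The `brace-glob` column stays 0 for every sample: as a glob, `[[:xdigit:]]{8}` only matches one hex digit followed by the literal text `{8}`.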

@rusty-snake rusty-snake merged commit bd623d6 into netblue30:master Aug 11, 2021
@rusty-snake rusty-snake deleted the upstream-disable-X11 branch August 11, 2021 19:41
@matu3ba matu3ba mentioned this pull request Oct 7, 2021
kmk3 added a commit that referenced this pull request Dec 11, 2021

kmk3 commented Jan 13, 2022

Related discussion:

kmk3 added a commit to kmk3/firejail that referenced this pull request Mar 23, 2024
Instead of duplicating some of the entries.

Also, improve the relevant documentation.

Relates to netblue30#4462 netblue30#4854.
kmk3 added a commit to kmk3/firejail that referenced this pull request Mar 23, 2024
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.

Commands used to search and replace:

    $ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
      etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
      s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
      s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
      s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'

Note: The following files were also edited manually:

* etc/profile-a-l/erd.profile
* etc/profile-a-l/gconf-editor.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile

Relates to netblue30#4462 netblue30#4854.
kmk3 added a commit to kmk3/firejail that referenced this pull request Mar 23, 2024
If `x11 none` is used, comment the include of disable-X11.inc to avoid
including it twice.

Note: This is already done in some profiles.

Commands used to search and replace:

    $ git grep -Ilz '^x11 none' -- etc/profile*/*.profile | xargs -0 \
      perl -pi -e 's/^(include disable-X11.inc)$/#$1 # x11 none/'

This was apparently first done on commit b76dc25 ("New profile: daisy
(netblue30#5935)", 2023-08-02).

Relates to netblue30#4462 netblue30#4854.
kmk3 added a commit to kmk3/firejail that referenced this pull request Mar 23, 2024
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.

Commands used to search and replace:

    $ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
      etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
      s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
      s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
      s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'

Note: The following files were also edited manually:

* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile

Relates to netblue30#4462 netblue30#4854.
kmk3 added a commit to kmk3/firejail that referenced this pull request Mar 24, 2024
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.

Commands used to search and replace:

    $ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
      etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
        s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
        s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
        s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'

Note: The following files were also edited manually:

* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile

Relates to netblue30#4462 netblue30#4854.
kmk3 added a commit to kmk3/firejail that referenced this pull request Mar 26, 2024
That is, make "X11" lowercase so that the order of the includes in the
disable- section remains the same when sorted with `LC_ALL=C`, as is the
case for most of the other sections.  That is also likely to be the
default in text editors (such as in vim on Arch), so this should make
the disable- section more consistent and easier to sort when editing the
profile.

Also, keep the old include as a redirect to the new one for now to avoid
breakage.

Commands used to search and replace:

    git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
    git grep -Ilz 'disable-X11' -- etc | xargs -0 \
      perl -pi -e 's/disable-X11/disable-x11/'

Relates to netblue30#4462 netblue30#4854 netblue30#6070 netblue30#6289.

This is a follow-up to netblue30#6286.
kmk3 added a commit that referenced this pull request Mar 27, 2024
That is, make "X11" lowercase so that the order of the includes in the
disable- section remains the same when sorted with `LC_ALL=C`, as is the
case for most of the other sections.  That is also likely to be the
default in text editors (such as in vim on Arch), so this should make
the disable- section more consistent and easier to sort when editing the
profile.

Also, keep the old include as a redirect to the new one for now to avoid
breakage.

Commands used to search and replace:

    git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
    git grep -Ilz 'disable-X11' -- etc | xargs -0 \
      perl -pi -e 's/disable-X11/disable-x11/'

Relates to #4462 #4854 #6070 #6289.

This is a follow-up to #6286.