-
Notifications
You must be signed in to change notification settings - Fork 576
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert "private-etc: big profile changes" #5645
base: master
Are you sure you want to change the base?
Conversation
This reverts commit 5d0822c and later commits that touch the same files (which is necessary in order to revert the commit in question). There seems to be a non-trivial amount of changes done in error in the big refactor from commit 5d0822c ("private-etc: big profile changes", 2023-02-05). For example, there are profiles for CLI programs (including man.profile) and servers that now contain the @X11 group: $ git grep -l '^private-etc .*@X11' -- etc # [...] etc/profile-a-l/email-common.profile:private-etc @tls-ca,@X11,gnupg,hosts.conf,mailname,timezone etc/profile-m-z/man.profile:private-etc @X11,groff,man_db.conf,manpath.config,sysless etc/profile-m-z/mutt.profile:private-etc @tls-ca,@X11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo etc/profile-m-z/neomutt.profile:private-etc @tls-ca,@X11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver etc/profile-m-z/nextcloud.profile:private-etc @tls-ca,@X11,Nextcloud,host.conf,os-release etc/profile-m-z/nodejs-common.profile:private-etc @tls-ca,@X11,host.conf,mime.types,rpc,services Note: These are just the ones that I immediately noticed; it is possible that there are many that I missed. Part of the issue is that the groups appear to be inconsistent and rather broad. For example, paths related to 3D graphics (vulkan) and audio (openal) are in the @games group, which are not used only by games and not all games use those standards/libraries. As another example, the @X11 group contains paths related to GTK, KDE and GPU hardware acceleration, even though those are not necessarily tied to X11 (and even though hardware acceleration may be used by headless programs). Replacing the known paths with groups that are not very granular results in loss of information about what exactly a profile actually needs and so makes the profiles less self-documenting. Note also that a given path could potentially belong to multiple groups, which would preclude using the "etc-cleanup" tool (in its current form at least), as it would not know which is the correct group to replace the path with. Command used to revert the changes: $ git revert \ 1be9bb3 \ e889db0 \ e6f2374 \ acb0154 \ 740f502 \ 5649bd4 \ 2e4e9d1 \ 0f996ea \ 5d0822c Note: This reverts commits from PRs netblue30#5641 netblue30#5642 netblue30#5643, most of which are later re-applied. Relates to netblue30#5610.
(cherry picked from commit 5d0822c) Committer note: This only applies the changes from src/.
(cherry picked from commit 0f996ea) Committer note: This only applies the changes from src/.
(cherry picked from commit acb0154) Committer note: This only applies the changes from src/.
There is no `/etc/groups` AFAIK. Existing typo likely caused this. Committer note: The original commit is part of PR netblue30#5641. (cherry picked from commit 001f541)
There is no `/etc/password` AFAIK. Existing typo likely caused this. Committer note: The original commit is part of PR netblue30#5641. (cherry picked from commit 5f01eb1)
There is no `/etc/groups` AFAIK. Existing typo likely caused this. Committer note: The original commit is part of PR netblue30#5641. (cherry picked from commit 2588d51)
There is no `/etc/groups` AFAIK. Existing typo likely caused this. Committer note: The original commit is part of PR netblue30#5641. (cherry picked from commit aea2109)
`dconfgtk-3.0` is missing a `,`. Committer note: The original commit is part of PR netblue30#5641. (cherry picked from commit 81f8847)
There is no `/etc/ssli` AFAIK. Existing typo likely caused this. Committer note: The original commit is part of PR netblue30#5641. (cherry picked from commit f9c009e)
(cherry picked from commit 2e4e9d1)
(cherry picked from commit e6f2374)
Thanks for explaining the gist of your problem/worries with the current state of the private-etc refactoring. These are all sound and valid arguments IMO and we should have a discussion on them. That being said - and that's also just my opinion - there's always going to be some amount of 'wins and losses' if one wants to introduce a more abstract way of putting together a working private-etc combination. Can one achieve a perfect 1:1 relationship between the 'old' and the 'new'? Probably not. Can the current grouping be improved upon to 'make more sense' regarding the 'nature' of the application involved (CLI vs GUI, client vs server, GNOME vs KDE, game vs work, etcetera)? Probably yes. Without wanting to stir up some kind of confusion or 'infight', I do feel there's some (growing) friction with the way impactful changes like this one are being introduced. If there had been a foregoing discussion on the criteria used to distinguish sensible groups of files under /etc we can use to abstract-away the very fine-grained yet hard-to-maintain long lines of the past, I think your arguments would still make sense. Boils down to communication styles/preferences I guess. Please don't take this as some kind of personal criticism. I do understand and appreciate the perspective you are and have been taking in Firejail as a project, especially regarding the state of our git tree(s). Maybe I'm reading too much into some of the recent back and forth's. I do hope we can work this out in a constructive way and keep offering the community of users the best possible combination of security profiles we can, being a voluntary community. Cheers! |
Let's leave this pr open for now, we can revert the profiles at any time, or we can just go back to the point we were in 0.9.72 and do some merging. An easy way to cover the hundreds of profiles we have, is to build a default group that will work for most console application, and a x11 group for most X11/gnome/kde apps. sound and network are handled automatically, then we add some miscellaneous groups such as tls-ca and games. We can detect all these groups and additional files with "firejail --build". It is not worth building different groups for kde and gnome, or QT and GTK. The differences in /etc are small, and you might have programs linking in libraries from both sides. If vulkan starts showing up in non-game apps, we move it in x11 group. We already have there nvidia and ati. Intel and AMD drivers seem to be integrated in x11 (probably under /etc/X11) Something interesting regarding /etc directory. The following command works just fine for me:
If the program cannot access /etc, it will just work with whatever defaults are hardcoded in the program or libraries. I'm seeing this on most programs. Usually, if you or your Linux distribution didn't modify the file in /etc, you don't really need it. Only sound and networking seem to be affected by /etc. |
Follow-up to my earlier comment. Hopefully an example can convey what I mean more appropriately. An app I use (however briefly) regularly is Before the big private-etc refactor:
After:
So this profile is currently broken (I'll be filing a PR to unbreak it). Although $ grep private-etc /etc/firejail/gnome-logs.local
# file bug report on private-etc, profile currently broken
# temporary fix
#private-etc @sound
private-etc machine-id So, yes, I do agree that using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review request. I'll do that later, if netblue30 decides to go that route. LGTM though, appreciate the effort and time you must have spent preparing this.
@glitsj16 I appreciate your kind words and concerns; I'll try to address the Besides what was said in the first comment, the discarding of information in Point 1: The Revert
As mentioned, it was not trivial to prepare the revert and for any extra commit Note that commits have to be reverted in the reverse order that they were While on the other side of things, as far as I understand it, it is relatively So if anything I would say the reverse: Let's do the revert for now (which has In the mean time we can discuss and improve the groups so that when the tool is
There would be two main ways of doing this:
The first would effectively invalidate (but not remove) a significant amount of Note that this PR already reverts a bunch of commits, but doing the above would The second seems like a rather nuclear option, especially for an established And in either case, starting over from scratch would cause a mess with the Additionally, if you considered starting the release from scratch anyway, why Edit: I did not manage to finish writing the remaining points yet but I wanted But for reference, the gist of it is that the information that was added to |
That's the thing: machine-id is not used only by pulseaudio; it may be used by gnome-logs.profile had both This is one of the reasons for the revert: The way that the search and replace |
Programs using GPU acceleration and Games
I think that this scheme is likely to lead to confusion because some programs
Some examples of non-game apps that use or plan to use OpenGL/Vulkan: GFX tools (Blender), video editors (Da Vinci Resolve), image editors (Krita). OpenGL is used in some compositors for making desktop effects smoother and Vulkan Video is becoming a thing, which will allow using standardized Vulkan
Driver-specific options can be configured in the X server configuration in Note also that in the case of Mesa (which is usually the default for at least
That sounds good and I think it would make sense to do the same for 3d. Suggestion: Create a I think that compared to the As for the paths used by games, proprietary games tend to be started from In the case of tools and frameworks used in fully libre games, I think that |
I have some more comments about the groups and etc, but considering at least
And considering that:
Do you see any downsides for reverting the commits in order to fix the above? |
This reverts commit 5d0822c and later
commits that touch the same files (which is necessary in order to revert
the commit in question).
There seems to be a non-trivial amount of changes done in error in the
big refactor from commit 5d0822c ("private-etc: big profile changes",
2023-02-05). For example, there are profiles for CLI programs
(including man.profile) and servers that now contain the @X11 group:
Note: These are just the ones that I immediately noticed; it is possible
that there are many that I missed.
Part of the issue is that the groups appear to be inconsistent and
rather broad. For example, paths related to 3D graphics (vulkan) and
audio (openal) are in the @games group, which are not used only by games
and not all games use those standards/libraries. As another example,
the @X11 group contains paths related to GTK, KDE and GPU hardware
acceleration, even though those are not necessarily tied to X11 (and
even though hardware acceleration may be used by headless programs).
Replacing the known paths with groups that are not very granular results
in loss of information about what exactly a profile actually needs and
so makes the profiles less self-documenting. Note also that a given
path could potentially belong to multiple groups, which would preclude
using the "etc-cleanup" tool (in its current form at least), as it would
not know which is the correct group to replace the path with.
Command used to revert the changes:
Note: This reverts commits from PRs #5641 #5642 #5643, most of which are
later re-applied.
Relates to #5610.