netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.72k stars 561 forks

chromium and custom URL protocol handler in KDE #2952

Closed AloisJanicek closed 4 years ago

AloisJanicek commented 5 years ago
System information

- Arch Linux
- default kernel
- firejail-git
- desktop: KDE Plasma 5.16.5
- KDE Applications: 19.08
- KDE Frameworks 5.61
- chromium 76.0.3809.132

```
firejail version 0.9.61

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

$ aa-enabled
Yes

$ uname -a
Linux 5.2.13-arch1-1-ARCH #1 SMP PREEMPT Fri Sep 6 17:52:33 UTC 2019 x86_64 GNU/Linux
```

Background info

In chromium, I am using this little user script to generate URLs which start with org-protocol:// to capture URLs into emacs.

(following setup is based on org-capture-extension's README)

I have a ~/.local/share/applications/emacs-capture.desktop file which points to the ~/.local/bin/emacs-capture bash script.

emacs-capture.desktop looks like this: (I omitted irrelevant lines)

```
Exec=$HOME/.local/bin/emacs-capture "%u"
MimeType=x-scheme-handler/org-protocol;
```

and the emacs-capture script like this:

```
url=$(echo "$1" | sed -E 's/[[:space:]]+/%20/g')
emacsclient "$url"
```

This setup works flawlessly without firejail and delivers the URL from the browser to emacs.

Issue

With firejail I get the following error popup when trying to open an org-protocol URL:

```
---- Error - Kio Client ----
Could not find any application or handler for org-protocol://store-link?url=https%3A%2F%2Fgithub.com%2Fnetblue30%2Ffirejail%2Fissues&title=Issues · netblue30%2Ffirejail
```

So I started to investigate and for now ended up with a ~/.config/firejail/chromium.profile like this:

```
include /etc/firejail/chromium.profile
# bash script which runs sed on its argument and launches emacsclient
whitelist ${HOME}/.local/bin/emacs-capture
# this was needed as whole because I could not figure out which folder exactly
whitelist ${HOME}/.cache/
```

Now I am able to successfully execute xdg-open URL or kioclient5 exec URL when joining chromium's firejail jail on the command line, but it still doesn't work from the running chromium GUI itself.

For example, commands like these work as expected:

```
firejail --join=65652 kioclient5 exec "org-protocol://store-link?url=https%3A%2F%2Fwww.google.cz%2Fsearch%3Fq%3Dkde%2Bregister%2Bprotocol%26oq%3Dkde%2Bregister%2Bprotocol%26aqs%3Dchrome..69i57.6128j0j0%26sourceid%3Dchrome%26ie%3DUTF-8&title=kde register protocol - Google Search"

firejail --join=57768 xdg-open "org-protocol://store-link?url=https%3A%2F%2Fwww.google.cz%2Fsearch%3Fq%3Dkde%2Bregister%2Bprotocol%26oq%3Dkde%2Bregister%2Bprotocol%26aqs%3Dchrome..69i57.6128j0j0%26sourceid%3Dchrome%26ie%3DUTF-8&title=kde register protocol - Google Search"
```

Questions

Why is this working on the command line and not from the application itself? Is there something I can change in the configuration to get this working?

AloisJanicek commented 5 years ago

I just got it to work; it boils down essentially to three issues:

In /etc/firejail/chromium.profile, the file chromium.local is included. This file has the following private-etc declaration:

```
private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime
```

which somehow prevents KDE's kio or xdg from correctly determining the default application for org-protocol://

I disabled this include, but it would definitely be better to add what is needed instead of disabling it completely.

Disabling apparmor support allowed my script to be executed by bash. Again, it would be better to somehow whitelist this functionality.

Finally, whitelisting the script location was needed.

```
whitelist ${HOME}/.local/bin/emacs-capture
```

rusty-snake commented 5 years ago

Maybe xdg fixes the private-etc issue. https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template#L155-L166

AloisJanicek commented 5 years ago

Sadly, just adding the xdg folder to private-etc didn't fix it. Edit: it actually worked, see below.

Vincent43 commented 5 years ago

In order to make it work with AppArmor you may try using Exec=bash $HOME/.local/bin/emacs-capture "%u" in emacs-capture.desktop

AloisJanicek commented 5 years ago

Thank you both, I got it working without compromising security. exec=bash was essential for apparmor and adding xdg to private-etc for xdg-open

Now my ~/.config/firejail/chromium is simple:

```
include /etc/firejail/chromium.profile
whitelist ${HOME}/.local/bin/emacs-capture
private-etc xdg,firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime
```

Can I append to private-etc declaration instead of copying and editing it?
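
The three fixes described in the comment above, written as a checker; this is an added example, not part of the thread or of firejail. The function name check_handler and the sample file names and contents are constructed here, and only the profile files passed as arguments are read (include lines are not followed).

```shell
#!/bin/sh
# Added example: lint a scheme-handler .desktop file against firejail profile
# file(s) for the three problems this thread ran into. One finding per line.
check_handler() {
    desktop=$1; shift
    rules=$(cat "$@")   # only the given files; "include" lines are not followed
    # Exec= command, with $HOME rewritten to the ${HOME} form that profiles use.
    cmd=$(sed -n 's/^Exec=//p' "$desktop" | head -n 1 | sed 's/\$HOME/${HOME}/g')
    # The handler script is the first word of the command that lives under ${HOME}.
    script=$(printf '%s\n' "$cmd" | tr ' ' '\n' | grep -m 1 '^\${HOME}/' || true)
    [ -n "$script" ] || return 0

    # 1. private-etc must keep xdg, which is what fixed xdg-open in this thread.
    etc=$(printf '%s\n' "$rules" | sed -n 's/^private-etc[[:space:]]*//p' | tr ', ' '\n\n')
    if [ -n "$etc" ] && ! printf '%s\n' "$etc" | grep -qx 'xdg'; then
        echo "private-etc: xdg is not kept"
    fi
    # 2. The script must be visible inside the sandbox.
    if ! printf '%s\n' "$rules" | grep -qxF "whitelist $script"; then
        echo "whitelist: $script is not whitelisted"
    fi
    # 3. In the thread, AppArmor blocked the script unless bash was the Exec command.
    if [ "${cmd%% *}" = "$script" ]; then
        echo "Exec: script is run directly, not as 'bash <script>'"
    fi
    return 0
}

# Constructed sample files mirroring the thread's first and final setups.
tmp=$(mktemp -d)
etc_list=firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime
printf '%s\n' 'Exec=$HOME/.local/bin/emacs-capture "%u"' \
    'MimeType=x-scheme-handler/org-protocol;' > "$tmp/before.desktop"
printf '%s\n' "private-etc $etc_list" > "$tmp/before.profile"
printf '%s\n' 'Exec=bash $HOME/.local/bin/emacs-capture "%u"' \
    'MimeType=x-scheme-handler/org-protocol;' > "$tmp/after.desktop"
printf '%s\n' 'whitelist ${HOME}/.local/bin/emacs-capture' \
    "private-etc xdg,$etc_list" > "$tmp/after.profile"

echo "before:"; check_handler "$tmp/before.desktop" "$tmp/before.profile"
echo "after:";  check_handler "$tmp/after.desktop"  "$tmp/after.profile"
```

Pass every profile file that contributes rules (for instance the system profile and the user's .local file) so that the private-etc check sees the effective list.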

rusty-snake commented 5 years ago

> Can I append to private-etc declaration instead of copying and editing it?

Try it out :wink:. It should work.

BTW: If you use ~/.config/firejail/chromium.local instead of ~/.config/firejail/chromium.profile, you can skip the include /etc/firejail/chromium.profile line.

rusty-snake commented 4 years ago

@AloisJanicek I'm closing here due to inactivity, please feel free to reopen if you have more questions.