Open rusty-snake opened 4 years ago
Personally I really like the aliases idea! Besides the already mentioned complexity/maintenance/performance issues, IMO we face a real need to come up with a syntax format that would also work on the command-line. Something like `firejail --notrash --dbus=notifications foo` is manageable and reasonably clear as to what it does exactly, which I can't say of the longer format.
I was already thinking about splitting everything regarding the filesystem (blacklist, whitelist, disable-mnt, tmpfs, private-bin, ...) into a low-level-profile-language and a high-level one. Profiles would be written in the high-level-language, which will have all things like notrash, nodesktop, private-gnupg (#2786), allusers, private-dev, .... Options like nonewprivs exist in both and are unchanged. The high-level-language would be parsed by a plugin/helper-program (which can be sandboxed, chrooted, setuid=nobody, ...) which generates the low-level-commands (only blacklist, tmpfs (needs restrictions on which paths can be tmpfsed[1]), bind (needs restrictions too), and nonewprivs, seccomp, mdwe, ...) which are then applied by firejail. This allows faster implementing of new options, less code running with uid=0, euid=nobody.
[1] example: tmpfs is always allowed in $HOME, for /etc only if nonewprivs is set, ...
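The path restriction sketched in footnote [1], as an added example that is not part of the issue thread or of firejail's code: a gate that firejail could apply to each helper-generated `tmpfs` command before acting on it. `tmpfs_allowed` and its helpers are hypothetical names, everything outside the two stated rules is denied by assumption, and `home` is assumed to carry no trailing slash.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if path equals dir or lies below it, matching whole components only,
 * so "/home/alice2" is not treated as being inside "/home/alice". */
static bool path_is_under(const char *path, const char *dir) {
    size_t n = strlen(dir);
    if (n == 0 || strncmp(path, dir, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Reject relative paths and any ".." component. The check is lexical only:
 * symlinks must still be resolved before the mount is performed. */
static bool path_is_clean(const char *path) {
    if (path[0] != '/')
        return false;
    for (const char *p = path; (p = strstr(p, "/..")) != NULL; p += 3)
        if (p[3] == '\0' || p[3] == '/')
            return false;
    return true;
}

/* Hypothetical gate for one helper-generated "tmpfs <path>" command. */
bool tmpfs_allowed(const char *path, const char *home, bool nonewprivs) {
    if (!path_is_clean(path))
        return false;
    if (path_is_under(path, home))
        return true;              /* always allowed in $HOME */
    if (path_is_under(path, "/etc"))
        return nonewprivs;        /* /etc only if nonewprivs is set */
    return false;                 /* default deny (assumption) */
}

int main(void) {
    /* Constructed sample commands, as an untrusted helper might emit them. */
    const char *home = "/home/alice";
    const char *req[] = { "/home/alice/.cache", "/home/alice2/.cache",
                          "/etc/ssl", "/home/alice/../../etc", "/usr/bin" };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("tmpfs %-24s nonewprivs=0:%d nonewprivs=1:%d\n", req[i],
               tmpfs_allowed(req[i], home, false),
               tmpfs_allowed(req[i], home, true));
    return 0;
}
```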
An `alias` statement like in bash can be very handy.
Example
Why?
Easier maintenance of profiles.
New commands like `notrash` (see #3081) can be implemented w/o touching C code.
Performance: Firejail profiles are becoming harder to maintain across distros, getting new features (such as dbus). To deal with that we add more `include allow-*.inc` commands. `include` will always cause a disk I/O even for small things. If we now also add `dbus-*.inc` files (see https://github.com/netblue30/firejail/pull/3406#issuecomment-625455112), which makes sense from the maintenance standpoint, we get more and more files to open just for a few lines. My firefox.profile already has 22 profiles included.
Alternatives
Instead of a new profile option we could also use an `aliasen.xml` (or whatever the name/file type is) in `/etc/firejail` and `~/.config/firejail`.