netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

seccomp.block-secondary #3417

Closed rusty-snake closed 4 years ago

rusty-snake commented 4 years ago

Are there any reasons why we don't use seccomp.block-secondary? It should work for almost all profiles (except wine and steam).

glitsj16 commented 4 years ago

I have been running with seccomp.block-secondary in globals.local for as long as it has existed without issues. But I don't use wine nor steam. The only other exception I encountered is when firejailing an appimage (which generally I try to avoid). We would need to determine how appimages in general react to the seccomp.block-secondary option, which I for one am not particularly looking forward to.

rusty-snake commented 4 years ago

> I have been running with seccomp.block-secondary in globals.local

I too

> The only other exception I encountered is when firejailing an appimage

Just this one? Or also other appimages?

glitsj16 commented 4 years ago

> Just this one? Or also other appimages?

This is the only appimage I use because I couldn't create a reasonable profile for its non-appimage counterpart. It's not something I'm happy with; in general I avoid using snap/flatpak/appimage technology. So I cannot determine if it is something specific to this application or something in general with appimages. I'll try to test a few others, but to be conclusive we might ask @AppImageKit I suppose.

rusty-snake commented 4 years ago

Tested KeePassXC and Cool-Retro-Term AI, both worked with sbs. We can go and add sbs to most profiles.