netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

"ignore quiet" does not work in override (.local) files #3503

Open NetSysFire opened 4 years ago

NetSysFire commented 4 years ago

Steps to reproduce:

--ignore=quiet works though.

Relates to:

glitsj16 commented 4 years ago

I can reproduce and confirm this is an issue in git master as well.

rusty-snake commented 4 years ago

The reason is that we put the quiet above the include foo.local.

quiet
include foo.local

We cannot fix this by changing this order, because we break quiet if it is not the first command.

IMHO this is expected behaviour.

glitsj16 commented 4 years ago

> The reason is that we put the quiet above the include foo.local.

That's correct.

> We cannot fix this by changing this order, because we break quiet if it is not the first command.

I thought so too. But it is NOT what I'm seeing. And according to my observations changing the order CAN fix it, but it's unreliable and inconsistent.

Example A: unchanged profiles --> 'quiet' works as expected (no firejail output)

$ head -n 8 /etc/firejail/curl.profile
# Firejail profile for curl
# Description: Command line tool for transferring data with URL syntax
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include curl.local
# Persistent global definitions
include globals.local

$ cat /etc/firejail/curl.local
# Firejail profile for curl
# Persistent local customizations

$ firejail /usr/bin/curl --version
curl 7.71.1 (x86_64-pc-linux-gnu) libcurl/7.71.1 OpenSSL/1.1.1g zlib/1.2.11 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh2/1.9.0 nghttp2/1.41.0
Release-Date: 2020-07-01
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

Example B: 'quiet' placed below 'include foo.local' in foo.profile + foo.local contains 'ignore quiet' as first option --> works as expected (firejail output is shown)

$ head -n 8 /etc/firejail/curl.profile
# Firejail profile for curl
# Description: Command line tool for transferring data with URL syntax
# This file is overwritten after every install/update
# Persistent local customizations
include curl.local
quiet
# Persistent global definitions
include globals.local

$ cat /etc/firejail/curl.local
# Firejail profile for curl
# Persistent local customizations
ignore quiet

$ firejail /usr/bin/curl --version
Reading profile /etc/firejail/curl.profile
Reading profile /etc/firejail/curl.local
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 34736, child pid 34737

Blacklist violations are logged to syslog
Child process initialized in 311.14ms
curl 7.71.1 (x86_64-pc-linux-gnu) libcurl/7.71.1 OpenSSL/1.1.1g zlib/1.2.11 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh2/1.9.0 nghttp2/1.41.0
Release-Date: 2020-07-01
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

Parent is shutting down, bye...

Example C: 'quiet' placed below 'include foo.local' in foo.profile + foo.local does NOT contain 'ignore quiet' --> broken (firejail output is partly shown)

$ firejail /usr/bin/curl --version
Reading profile /etc/firejail/curl.profile
Reading profile /etc/firejail/curl.local
curl 7.71.1 (x86_64-pc-linux-gnu) libcurl/7.71.1 OpenSSL/1.1.1g zlib/1.2.11 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh2/1.9.0 nghttp2/1.41.0
Release-Date: 2020-07-01
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

I'm not saying this is easy to fix. But can we really expect users to have to go through CLI hoops to override a firejail option, whether it be 'quiet' or any other?

rusty-snake commented 4 years ago

> I'm not saying this is easy to fix. But can we really expect users to have to go through CLI hoops to override a firejail option, whether it be 'quiet' or any other?

Alternatively, they need to edit foo.profile after every update, or better, copy foo.profile to their home. We have no full override support (yet). Disabling whitelisting means adding an ignore whitelist foobar for every whitelist (and an update which adds one line to wc enables it again). Include cannot be ignored.

The best workaround ATM would be ~/.config/firejail/youtube-dl.profile:

ignore quiet
include ${CFG}/youtube-dl.profile
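A toy model of the ordering behaviour glitsj16's examples A to C and the workaround above rely on, added here as an example; it is not firejail's parser and not code from the project. It assumes only what the thread observes: includes are expanded in place, `quiet` silences output from the line where it is read (and a leading `quiet` silences the whole run), and `ignore X` drops `X` lines read later. The profile contents, the `/home/u/...` user directory and the `noroot` line are constructed fixtures; `${CFG}` is the placeholder used in the thread's workaround.

```python
# Toy model of the profile-processing order discussed in this thread. Added
# example, NOT firejail's parser: it only reproduces what the thread observes
# (includes expand in place, `quiet` silences output from the line where it is
# read, a leading `quiet` silences the whole run, `ignore X` drops later `X`).
SYS = "/etc/firejail/"
# Constructed fixtures mirroring examples A-C and the suggested workaround.
EXAMPLE_A = {SYS + "curl.profile": "quiet\ninclude curl.local\n", SYS + "curl.local": "# local\n"}
EXAMPLE_B = {SYS + "curl.profile": "include curl.local\nquiet\n", SYS + "curl.local": "ignore quiet\n"}
EXAMPLE_C = {SYS + "curl.profile": "include curl.local\nquiet\n", SYS + "curl.local": "# local\n"}
WORKAROUND = {SYS + "youtube-dl.profile": "quiet\nnoroot\n",   # constructed user dir below
              "/home/u/.config/firejail/youtube-dl.profile": "ignore quiet\ninclude ${CFG}/youtube-dl.profile\n"}

def _resolve(current, arg):
    # ${CFG} is the system profile directory; bare names resolve next to the
    # including file (a simplification of firejail's real lookup order).
    if arg.startswith("${CFG}/"):
        return SYS + arg[len("${CFG}/"):]
    return current.rsplit("/", 1)[0] + "/" + arg

def _commands(text):
    # Non-empty, non-comment lines in file order.
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]

def run(profiles, start):
    """Return (messages the sandbox would print, commands it would apply)."""
    messages, applied, ignored = [], [], set()
    # A leading `quiet` in the start profile silences the run from the start.
    state = {"quiet": _commands(profiles[start])[:1] == ["quiet"]}

    def process(path):
        if not state["quiet"]:
            messages.append(f"Reading profile {path}")
        for line in _commands(profiles[path]):
            cmd, _, arg = line.partition(" ")
            if cmd == "ignore":
                ignored.add(arg.strip())          # applies to lines read after this one
            elif cmd in ignored or line in ignored:
                continue                          # dropped by an earlier `ignore`
            elif cmd == "include":
                process(_resolve(path, arg.strip()))
            elif cmd == "quiet":
                state["quiet"] = True             # takes effect from this line on
            else:
                applied.append(line)

    process(start)
    if not state["quiet"]:
        messages.append("Child process initialized")
    return messages, applied
```

Running `run(EXAMPLE_C, SYS + "curl.profile")` yields the two "Reading profile" lines and nothing else, i.e. the "partly shown" output of example C, while the workaround run keeps all messages and still applies the system profile's other commands.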