netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

webkit2gtk-4.0 requires bwrap #3647

Open SkewedZeppelin opened 3 years ago

SkewedZeppelin commented 3 years ago

The new webkit2gtk-4.0/-2.30 seems to hard require bubblewrap. This causes firejailed programs such as evolution and epiphany to fail to start. The profiles will probably need to be updated à la chromium.

Edit:

2995 dropped support for epiphany because of this

reinerh commented 3 years ago

surf is another one using webkitgtk, though after a quick test it was still working in firejail.

rusty-snake commented 3 years ago

FWIW: https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/


Fedora's kernel has unprivileged user namespaces always enabled. The non-suid bwrap binary, which is therefore used as default in Fedora, works with these minimal changes:

$ firejail '--noblacklist=${PATH}/bwrap' '--seccomp=!mount,!pivot_root,!umount2' bwrap --dev-bind / / ls

However the suid variant will need more permissions, such as no nonewprivs.

UPDATE: https://github.com/netblue30/firejail/issues/3647#issuecomment-769288256

ckotte commented 3 years ago

Just adding noblacklist /usr/bin/bwrap works with evolution 3.38 on Arch Linux

Edit: Sorry, I'm wrong. I can start evolution, but new emails cannot be read. I get

bwrap: loopback: Failed to create NETLINK_ROUTE socket: Operation not supported

@rusty-snake How can I put those seccomp and dev-bind options into the profile?

rusty-snake commented 3 years ago

How can I put those seccomp and dev-bind options into the profile?

  1. --dev-bind / / is a bwrap option.
  2. Just create an evolution.local (in e.g. ~/.config/firejail) with this content:
    noblacklist ${PATH}/bwrap
    seccomp !mount,!pivot_root,!umount2

    However, from the error message you likely need to add protocol unix,inet,inet6,netlink (adding netlink) likewise.

ckotte commented 3 years ago

Now I get this bwrap: Can't mount proc on /newroot/proc: Operation not permitted. Probably better to not use firejail with evolution anymore..

rusty-snake commented 3 years ago

Does Arch ship the suid variant? (check ls -l /usr/bin/bwrap) Does it work with --noprofile? If not we'll need to remove all those programs from firecfg (or make it work).

ckotte commented 3 years ago

Does Arch ship the suid variant? (check ls -l /usr/bin/bwrap)

No suid:

ls -l /usr/bin/bwrap
-rwxr-xr-x 1 root root 55352 Mar 30  2020 /usr/bin/bwrap

Does it work with --noprofile? If not we'll need to remove all those programs from firecfg (or make it work).

Doesn't work with --noprofile. I always get bwrap: Can't mount proc on /newroot/proc: Operation not permitted

rusty-snake commented 3 years ago

Maybe it is caused by the pid-namespace. (If so) we need an option to run the sandbox in the default pid-namespace. Can you post the full bwrap cmd? Maybe it only happens if a certain option is used.

Since there are flatpaks for almost every GNOME-App and bwrap does not work inside bwrap, there must be some code which disables the webkit2gtk-4.0 sandbox. Maybe we can trigger this, or add a patch to trigger this by an env-var (or there is already one).

ckotte commented 3 years ago

There are two bwrap processes /usr/bin/bwrap --args 58 -- /usr/lib/WebKitWebProcess 7 48 when running without firejail.

I couldn't find a bwrap command in the evolution code. So, not sure how this works.

I also cannot find anything to configure flatpak/bwrap for evolution.

rusty-snake commented 3 years ago

There are two bwrap processes /usr/bin/bwrap --args 58 -- /usr/lib/WebKitWebProcess 7 48 when running without firejail. I couldn't find a bwrap command in the evolution code. So, not sure how this works.

They pass it via FD :cry:. This bwrap call is in the webkit2gtk code and not in evolution, but I could not find a webkit2gtk repo on the internet.

If flatpak and flathub are configured: flatpak install flathub org.gnome.Evolution

reinerh commented 3 years ago

https://sources.debian.org/src/webkit2gtk/2.30.1-1/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp/?hl=203#L203

if (sandboxEnabled && !isInsideFlatpak() && !isInsideSnap() && !isInsideDocker())
    process = bubblewrapSpawn(launcher.get(), m_launchOptions, argv, &error.outPtr());

Looks like they check for flatpak and other sandboxing already.

Micha-Btz commented 3 years ago

My evolution on debian sid doesn't work. After creating evolution.local with

noblacklist ${PATH}/bwrap
seccomp !mount,!pivot_root,!umount2

evolution starts, but I'm unable to read a mail, since

Something has gone wrong when displaying the message

A WebKitWebProcess crashed when displaying the message. You can try again by moving to another message and back. If the issue persists, please file a bug report in GNOME Gitlab.

The output from the console shows:

LC_ALL=C firejail --profile=/etc/firejail/evolution.profile /usr/bin/evolution
Reading profile /etc/firejail/evolution.profile
Reading profile /home/mdomann/.config/firejail/evolution.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !mount,!pivot_root,!umount2, check list: @default-keep, prelist: unknown,unknown,unknown,
Parent pid 36121, child pid 36122
Warning: not remounting /home/mdomann/.ssh/authorized_keys
Seccomp list in: !mount,!pivot_root,!umount2, check list: @default-keep, prelist: unknown,unknown,unknown,
Child process initialized in 48.85 ms

(evolution-alarm-notify:23): GLib-GIO-WARNING **: 18:23:06.671: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().
bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.
^[[Obwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.
bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.

(evolution:5): Gtk-WARNING **: 18:23:55.901: Calling org.xfce.Session.Manager.Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: Keine derartige Methode ?Inhibit?

(evolution:5): GLib-GIO-WARNING **: 18:23:55.982: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().
^[[I Parent is shutting down, bye...

I have also tested the newest profile from GitHub, since it seems to be newer than the debian one, also with no success. Any idea?

Micha

Micha-Btz commented 3 years ago

Additional question, is firejail needed when bwrap is also a sandbox application?

rusty-snake commented 3 years ago

my evolution on debian sid

ohh no, not debian, this will be even harder. Debian has unprivileged-userns-clone disabled and therefore bwrap installed as suid. Either you enable it (sysctl kernel.unprivileged_userns_clone=1) and remove the setuid bit from bwrap, or you make it work with firejail. For that you need to remove nonewprivs and likely some more; also you must not set force-nonewprivs yes in /etc/firejail/firejail.config. But first check that it works with --noprofile (and force-nonewprivs no in firejail.config).

Additional question, is firejail needed when bwrap is also a sandbox application?

Firejail still provides extra security by sandboxing the full application and not parts of it. However, the internal bwrap sandbox sandboxes the web-content processes, which have a major attack surface because they deal with untrusted input. IDK how tight this sandbox is, but those processes usually don't need any filesystem access, so I think they are ok. So if you don't want to dig deeper, you are very likely well protected if you only use the bwrap sandbox for now.

bbhtt commented 3 years ago

Can someone confirm if WEBKIT_FORCE_SANDBOX=0 evolution works on Debian?

rusty-snake commented 3 years ago

Did a bit of strace; here are my findings:

The error occurs only if bwrap is called with --unshare-pid and --proc /proc. So the minimal STR is firejail --noprofile bwrap --unshare-pid --proc /proc --dev-bind / / bash.

mount("proc", "/newroot/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)

loveshack commented 2 years ago

Can someone confirm if WEBKIT_FORCE_SANDBOX=0 evolution works on Debian?

It does, at least to the extent of reading a message, so I've set it in evolution.local.

I'm on Debian 11 with firejail 0.9.66 from the backports repo. (Unlike on Debian 10, bwrap isn't suid.)

pedrib commented 2 years ago

@loveshack can you share your working profile for Debian 11?

I'm not using bwrap (starting with WEBKIT_FORCE_SANDBOX=0 evolution), but the built-in firejail profile doesn't work for me with Evolution 3.38.3-1 / firejail 0.9.66:

~ > WEBKIT_FORCE_SANDBOX=0 firejail evolution
Reading profile /etc/firejail/evolution.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Warning: networking feature is disabled in Firejail configuration file
Warning: Warning: NVIDIA card detected, nogroups command disabled
Warning: noroot option is not available
Parent pid 35144, child pid 35145
Warning: not remounting /home/ble/.ssh/config
Child process initialized in 158.94 ms
Failed to initialize gtk+: Unable to initialize the Clutter backend: no available drivers found.

Parent is shutting down, bye...

amano-kenji commented 1 year ago

caps.keep sys_admin,sys_chroot,net_admin,setuid,setgid,sys_ptrace
ignore caps.drop
ignore nonewprivs
ignore noroot
ignore protocol
ignore seccomp
noblacklist ${PATH}/bwrap
ignore private-bin

This makes bwrap work inside foliate firejail sandbox. bwrap requires

caps.keep sys_admin,sys_chroot,net_admin,setuid,setgid,sys_ptrace

I haven't been able to figure out which binaries need to be passed to private-bin.

amano-kenji commented 1 year ago

bwrap requires a lot of capabilities and lack of seccomp. This seems to outweigh benefits of running bwrap inside firejail sandbox.

https://github.com/atlas-engineer/nyxt/blob/bdf42ae2bf362143836956179acaf3ea2e32c57d/source/renderer/gi-gtk.lisp#L30

nyxt browser just disables webkit sandbox.

https://github.com/atlas-engineer/nyxt/blob/7637414ed9402883647411e108b276ff3889f143/documents/README.org#run-nyxt-in-a-security-sandbox

nyxt recommends using an external sandbox like guix container or firejail.

sak96 commented 1 year ago

Is there a possibility of getting a feature to set environment variables in profiles? This could help manage the issue easily. cc: @rusty-snake

reinerh commented 1 year ago

That is already possible:

       env name=value
              Set environment variable. Examples:

              env LD_LIBRARY_PATH=/opt/test/lib
              env CFLAGS="-W -Wall -Werror"

sak96 commented 1 year ago

does that mean this solved the problem for foliate ??

echo env WEBKIT_FORCE_SANDBOX=0   > ~/.config/firejail/foliate.local

reinerh commented 1 year ago

I don't know. If you have that problem, why don't you try it?

sak96 commented 1 year ago

yeah tried it. It works. thanks.

I am just surprised that last time I checked I did not find env in man firejail-profile. I think I overlooked it.

sak96 commented 1 year ago

10:57:18.571: WEBKIT_FORCE_SANDBOX no longer allows disabling the sandbox. Use WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 instead.

looks like the env variable is changed.

env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1

amano-kenji commented 1 year ago

Should webkit sandbox be disabled? Or, should it be used in firejail?

rusty-snake commented 1 year ago

You should NOT disable it.

amano-kenji commented 1 year ago

I tried to put nyxt with webkit sandbox in firejail sandbox and got this error message.

bwrap: Failed to make / slave: Permission denied

amano-kenji commented 1 year ago

After disabling apparmor, I get this error message.

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

I haven't figured out a way to run a bwrap sandbox inside firejail.

amano-kenji commented 8 months ago

Has anyone found a way to make bwrap work inside firejail? How does firefox sandbox work inside firejail?

ipaqmaster commented 6 months ago

Can't seem to get gnome-notes (bijiben) to function with the default firejail enabled. It seems to throw Failed to start dbus proxy: Failed to spawn child process “/usr/bin/bwrap” (No such file or directory).

rusty-snake commented 6 months ago

Looks like they updated to gtk-4.

amano-kenji commented 5 months ago

At this point, I think it's better to just disable bwrap with

env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1

because I could not find a way to make bwrap work inside firejail sandbox. If I had to choose between the two, I would choose firejail because webkit sandbox doesn't place a tight access control over filesystem. The webkit sandbox isn't configurable, either. Firejail sandbox is configurable and tighter.

We can't drag this on for ever. We need something working in a timely manner. I can't wait 3 decades for this issue to be resolved...

rusty-snake commented 5 months ago

WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1

DON'T DO THIS!

webkit sandbox doesn't place a tight access control over filesystem

This is not true. The code can be found here.

Firejail sandbox is [] tighter.

Heavily depends on the profile.

rusty-snake commented 5 months ago

https://github.com/netblue30/firejail/issues/3647#issuecomment-769288256

Did a bit strace, here are my findings:

The error occurs only if bwrap is called with --unshare-pid and --proc /proc. So the minimal STR is firejail --noprofile bwrap --unshare-pid --proc /proc --dev-bind / / bash.

mount("proc", "/newroot/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)

Doing this with crablock that uses new-mount-api, the fsmount call fails with EPERM. fsopen and fsconfig (including CMD_CREATE) work.

rusty-snake commented 5 months ago

Actually we get a warning in dmesg. :partying_face:

kernel: VFS: Mount too revealing

rusty-snake commented 5 months ago

$ firejail --noprofile findmnt
├─/proc                               proc                                                         proc            rw,nosuid,nodev,noexec,relatime
│ ├─/proc/sys/fs/binfmt_misc          systemd-1                                                    autofs          rw,relatime,fd=30,pgrp=0,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=9002
│ └─/proc                             proc                                                         proc            rw,nosuid,nodev,noexec,relatime
│   ├─/proc/sysrq-trigger             tmpfs[/firejail/firejail.ro.file]                            tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   ├─/proc/sys                       proc[/sys]                                                   proc            ro,nosuid,nodev,noexec,relatime
│   │ ├─/proc/sys/fs/binfmt_misc      tmpfs[/firejail/firejail.ro.dir]                             tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   │ ├─/proc/sys/kernel/core_pattern tmpfs[/firejail/firejail.ro.file]                            tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   │ ├─/proc/sys/kernel/modprobe     tmpfs[/firejail/firejail.ro.file]                            tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   │ └─/proc/sys/vm/panic_on_oom     tmpfs[/firejail/firejail.ro.file]                            tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   ├─/proc/irq                       tmpfs[/firejail/firejail.ro.dir]                             tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   ├─/proc/bus                       tmpfs[/firejail/firejail.ro.dir]                             tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   ├─/proc/timer_list                tmpfs[/firejail/firejail.ro.file]                            tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   ├─/proc/kcore                     tmpfs[/firejail/firejail.ro.file]                            tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   ├─/proc/kallsyms                  tmpfs[/firejail/firejail.ro.file]                            tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64
│   └─/proc/kmsg                      tmpfs[/firejail/firejail.ro.file]                            tmpfs           ro,nosuid,nodev,seclabel,size=1578572k,nr_inodes=819200,mode=755,inode64

What happens if we don't blacklist them?
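As an added diagnostic (not firejail's or bubblewrap's own code), the following script lists, from a mountinfo table, the mounts stacked below /proc. It approximates the kernel's "Mount too revealing" test by treating every such overmount except /proc/sys/fs/binfmt_misc (which the kernel registers as a permanently empty mountpoint) as blocking; inside a nested user namespace those overmounts are all locked, which is the situation in the findmnt output above. The sample table is constructed; run it with --self inside firejail --noprofile to check a live sandbox.

```shell
#!/bin/sh
# Added diagnostic, not part of firejail or bubblewrap: from a mountinfo
# listing, report the mounts sitting below /proc that keep a fresh proc
# mount inside a nested user+mount namespace from succeeding (the
# "VFS: Mount too revealing" refusal seen when bwrap runs under firejail).

# Constructed sample in /proc/self/mountinfo format, modelled on the
# findmnt output in this thread. Field 5 is the mountpoint; the fs type
# follows the "-" separator.
SAMPLE_MOUNTINFO='50 30 0:28 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
51 50 0:35 / /proc/sys/fs/binfmt_misc rw,relatime - autofs systemd-1 rw,fd=30
60 50 0:28 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
61 50 0:40 /firejail/firejail.ro.dir /proc/irq ro,nosuid,nodev - tmpfs tmpfs ro
62 50 0:40 /firejail/firejail.ro.file /proc/kcore ro,nosuid,nodev - tmpfs tmpfs ro
70 30 0:41 / /home rw,relatime - ext4 /dev/sda2 rw'

# Print each child mount of /proc as "<mountpoint> <fstype>", one per line.
# /proc/sys/fs/binfmt_misc is skipped: the kernel marks that directory as
# permanently empty precisely so it can be overmounted without hiding
# anything, so it does not count as "revealing".
revealing_mounts() {
  printf '%s\n' "$1" | awk '
    $5 ~ /^\/proc\// && $5 != "/proc/sys/fs/binfmt_misc" {
      for (i = 7; i <= NF; i++) if ($i == "-") { print $5, $(i + 1); break }
    }'
}

# Number of blocking overmounts; 0 means a nested "bwrap --proc /proc"
# should be allowed by this check.
revealing_count() {
  revealing_mounts "$1" | wc -l | tr -d ' '
}

# Inspect the mount namespace this script itself runs in.
check_self() {
  revealing_count "$(cat /proc/self/mountinfo)"
}

if [ "${1:-}" = "--self" ]; then
  check_self
else
  revealing_mounts "$SAMPLE_MOUNTINFO"
fi
```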

rusty-snake commented 5 months ago

What happens if we don't blacklist them?

$ firejail --quiet --noprofile bwrap --unshare-pid --proc /proc --dev-bind / / echo "Hello from bubblewrap!"
Hello from bubblewrap
diff ```diff diff --git a/src/firejail/fs.c b/src/firejail/fs.c index cdad5e220..9f2fcd510 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -718,12 +718,12 @@ void fs_mnt(const int enforce) { void fs_proc_sys_dev_boot(void) { // remount /proc/sys readonly - if (arg_debug) - printf("Mounting read-only /proc/sys\n"); - if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 || - mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) - errExit("mounting /proc/sys"); - fs_logger("read-only /proc/sys"); + // if (arg_debug) + // printf("Mounting read-only /proc/sys\n"); + // if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 || + // mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) + // errExit("mounting /proc/sys"); + // fs_logger("read-only /proc/sys"); /* Mount a version of /sys that describes the network namespace */ if (arg_debug) 
@@ -753,27 +753,27 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper"); // various /proc/sys files - disable_file(BLACKLIST_FILE, "/proc/sys/security"); - disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars"); - disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc"); - disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern"); - disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe"); - disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger"); - disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug"); - disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom"); + // disable_file(BLACKLIST_FILE, "/proc/sys/security"); + // disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars"); + // disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc"); + // disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern"); + // disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe"); + // disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger"); + // disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug"); + // disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom"); // various /proc files - disable_file(BLACKLIST_FILE, "/proc/irq"); - disable_file(BLACKLIST_FILE, "/proc/bus"); + // disable_file(BLACKLIST_FILE, "/proc/irq"); + // disable_file(BLACKLIST_FILE, "/proc/bus"); // move /proc/config.gz to disable-common.inc //disable_file(BLACKLIST_FILE, "/proc/config.gz"); - disable_file(BLACKLIST_FILE, "/proc/sched_debug"); - disable_file(BLACKLIST_FILE, "/proc/timer_list"); - disable_file(BLACKLIST_FILE, "/proc/timer_stats"); - disable_file(BLACKLIST_FILE, "/proc/kcore"); - disable_file(BLACKLIST_FILE, "/proc/kallsyms"); - disable_file(BLACKLIST_FILE, "/proc/mem"); - disable_file(BLACKLIST_FILE, "/proc/kmem"); + // disable_file(BLACKLIST_FILE, "/proc/sched_debug"); + // disable_file(BLACKLIST_FILE, "/proc/timer_list"); + // disable_file(BLACKLIST_FILE, "/proc/timer_stats"); + // disable_file(BLACKLIST_FILE, "/proc/kcore"); + // 
disable_file(BLACKLIST_FILE, "/proc/kallsyms"); + // disable_file(BLACKLIST_FILE, "/proc/mem"); + // disable_file(BLACKLIST_FILE, "/proc/kmem"); // remove kernel symbol information if (!arg_allow_debuggers) { @@ -818,8 +818,8 @@ void fs_proc_sys_dev_boot(void) { if (getuid() != 0) { // disable /dev/kmsg and /proc/kmsg - disable_file(BLACKLIST_FILE, "/dev/kmsg"); - disable_file(BLACKLIST_FILE, "/proc/kmsg"); + // disable_file(BLACKLIST_FILE, "/dev/kmsg"); + // disable_file(BLACKLIST_FILE, "/proc/kmsg"); } EUID_ROOT(); ```
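Review bot: Commenting the hardening out with `// disable_file(...)` and `// mount(...)` in all three hunks of fs.c leaves dead code and, if merged as-is, silently drops the read-only remount of /proc/sys and the blacklists of /proc/kcore, /proc/kallsyms, /proc/kmsg, /proc/sysrq-trigger and the rest for every profile, not just the ones that need bwrap. Gate both blocks behind a runtime condition that an include such as the proposed allow-bwrap.inc can set, keep the `fs_logger("read-only /proc/sys")` call on the path where the remount still happens so the audit log stays accurate, and note that the `//disable_file(BLACKLIST_FILE, "/proc/config.gz");` line was already a comment, so the hunk now mixes intentional and experimental comment-outs that a reader cannot tell apart.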
rusty-snake commented 5 months ago

Relevant execution path you have to look at:

rusty-snake commented 5 months ago

Btw, crablock mounts with subset=pid by default, so mounting proc would not reveal anything new. Anyway, I think it is ok to check this at fsmount because you could fspick the superblock later on and undo this I think.

amano-kenji commented 5 months ago

This is not true. The code can be found here.

Look. I know webkit sandbox cannot be allowed to restrict access to user directories because restricting user access will cause people to ditch web browsers... That's a UX disaster..... Web browsers will be killed if they restricted user access by default.

People will just use another web browser that lets them upload files from any directory without a hassle....

If google chrome pulled off this stunt, it will lose market share to firefox very quickly... Google chrome will die in a month.

With firejail, users choose to restrict user access to a subset of it. With firejail, users have control. With webkit sandbox, users don't get to choose which directories are whitelisted or blacklisted.

I'm not comfortable with a web browser having access to my private files......

amano-kenji commented 5 months ago

So, you found a way to make bwrap work inside firejail? Perhaps, can it be packaged as allow-bwrap.inc or something else?

rusty-snake commented 5 months ago

I know webkit sandbox cannot be allowed to restrict access to user directories because restricting user access will cause people to ditch web browsers... That's a UX disaster..... Web browsers will be killed if they restricted user access by default.

  1. If you don't understand the code it's fine, it goes at a very low level in the system. However do not guess what you think it can/must/should do.
  2. The code allows read-only access to a few paths inside homedir: xauth, pulse, sndio, fonts, gtk-theme
  3. You can restrict web contents (webkit) access to homedir while allowing browser access to homedir.
  4. There are different ways you can build a sandbox. You do not need to give it access to any file in homedir if you want upload features. You can have a broker architecture. There are portals.

I'm not comfortable with a web browser having access to my private files......

The webkit process does not have access to all your private files:

$ tree -a /proc/80317/root/home/rusty-snake
/proc/80317/root/home/rusty-snake
├── .cache
│   ├── epiphany
│   │   └── adblock
│   │       ├── 1f353f7cdbb012b9fb1226455f1b3becba42070e1970c1524996fa3a871af406.filterinfo
│   │       └── compiled
│   │           └── ContentRuleList-1f353f7cdbb012b9fb1226455f1b3becba42070e1970c1524996fa3a871af406
│   ├── fontconfig
│   │   ├── 02770245eac059faefae62cb0d56fbcb-le64.cache-8
│   │   ├── 221930ae9526a9cb8049af2916f03412-le64.cache-8
[...]
│   │   ├── c4be257954870c0bf6972134c1de66d5-le64.cache-8
│   │   ├── CACHEDIR.TAG
│   │   ├── cf759820c416606818fc74e5e9991313-le64.cache-8
│   │   ├── d4fe5728f86380c2e3b1e4e9a34fabd8-le64.cache-8
│   │   └── d63f98f14a274bd69a5425fc33aaac6b-le64.cache-8
│   └── mesa_shader_cache
│       └── index
├── .config
│   ├── epiphany
│   ├── gtk-3.0
│   │   └── bookmarks
│   └── pulse
│       └── cookie
└── .local
    └── share
        └── epiphany
            ├── bookmarks.gvdb
            ├── .goutputstream-D05LE1
            ├── .goutputstream-JZ0HE1
            ├── .goutputstream-M25NE1
            ├── .goutputstream-XX5EE1
            ├── .migrated
            ├── page-setup-gtk.ini
            ├── permissions.ini
            ├── print-settings.ini
            └── web_extensions

rusty-snake commented 5 months ago

So, you found a way to make bwrap work inside firejail? Perhaps, can it be packaged as allow-bwrap.inc or something else?

It requires code changes. But after that it should be possible with an include allow-bwrap.inc.

amano-kenji commented 5 months ago

You can restrict web contents (webkit) access to homedir while allowing browser access to homedir.

I didn't know that was going on. However, I still want to restrict browser access from my end through firejail or apparmor.

The bloated browser program itself still has user access...