Closed Boruch-Baum closed 3 years ago
Running program A in the sandbox made for program B is something that maybe works and maybe doesn't work.
On 2021-08-01 00:41, rusty-snake wrote:

> Running program A in the sandbox made for program B is something that maybe works and maybe doesn't work.
>
> profile diffs
>
> ```
> $ fjp diff atril calibre
> $ fjp diff zathura calibre
> $ fjp diff mupdf calibre
> ```

I don't seem to have a local copy of the fjp tool installed (debian). Where / how can I get it so that I can see exactly what's happening locally?

--
hkp://keys.gnupg.net CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0
fjp is an unofficial tool from me.

- repo: https://github.com/rusty-snake/fjp
- website: https://rusty-snake.github.io/fjp/
- latest release: https://github.com/rusty-snake/fjp/releases/tag/v0.2.0 (v0.3.0-rc1 will come soon)
Thanks.

On 2021-08-01 02:45, rusty-snake wrote:

> fjp is an unofficial tool from me. repo: https://github.com/rusty-snake/fjp
> Error seteuid: ../include/euid_common.h:44 EUID_USER: Operation not permitted~

BTW, this is a firejail error; if you remove the firecfg symlink, it might work. But why does mupdf work? It should have a firecfg symlink too.
I think I have the calibre/atril problem solved.
What seems to have been breaking things is that setting 'net none' in my calibre.local file was disabling dbus (bug?, documented?). This is important to me because I'm frightened by calibre's demands for internet access (to places like amazon.com, etc.) and can never be sure of its scope. For many users, such access may be desirable (e.g. to search, sync, and purchase ebooks directly from calibre), but they probably are not the type of people who would be interested in firejail in the first place.

Based upon my re-reading of the firejail-profile man page, I have updated my calibre.local with two additional lines, so it looks like this:

```
net none
dbus-user filter
dbus-user.talk org.freedesktop.*
```
My tests indicate that this allows atril and disables internet.
Remaining questions for me:
1) Am I doing this correctly?
2) Should I be more restrictive somehow in the use of the dbus filters?
3) Should 'net none' really be killing dbus access?
On 2021-08-01 03:14, rusty-snake wrote:

> Error seteuid: ../include/euid_common.h:44 EUID_USER: Operation not permitted~
>
> BTW, that's a firejail error; if you remove the firecfg symlink, it might work.

I'm not using symlinks. I modify my local copy of the *.desktop file. Doing so also allows me to do the following (very long line follows; it may show up as word-wrapped in your email viewer):

```
Exec=env CALIBRE_USE_DARK_PALETTE=0 CALIBRE_USE_SYSTEM_THEME=true QT_QPA_PLATFORMTHEME=qt5ct cpulimit -l 50 -- firejail /usr/bin/calibre %F
```

> But why does mupdf work? It should have a firecfg symlink too.

Aaahh. In my local setup mupdf has no symlink and no modified *.desktop file (I have mupdf installed for its pdf manipulation tools, not for its viewer. It was just that while trying to figure out this problem I tried using it as an alternative).
> setting 'net none' in my calibre.local

If you have modified settings, you should say so already in the OP, even if they seem to be unrelated to the error message/behaviour, as there can be strange side effects.

> dbus-user.talk org.freedesktop.*

Why use D-Bus filtering at all with this rule? This allows (`org.freedesktop.DBus`), `org.freedesktop.Flatpak`, `org.freedesktop.Notifications`, `org.freedesktop.PackageKit`, `org.freedesktop.ScreenSaver`, `org.freedesktop.Tracker3.Miner.Files.Control`, `org.freedesktop.impl.portal.PermissionStore`, `org.freedesktop.impl.portal.desktop.gtk`, `org.freedesktop.portal.Flatpak`, `org.freedesktop.secrets`, `org.freedesktop.systemd1`.

> Am I doing this correctly?

What's your goal? General: adding commands to .locals to make things work is right.

> Should I be more restrictive somehow in the use of the dbus filters?

See above. BTW, where did you get the `org.freedesktop.*` from?

> Should 'net none' really be killing dbus access?

If you use abstract sockets, yes.
On 2021-08-01 06:16, rusty-snake wrote:

> > setting 'net none' in my calibre.local
>
> If you have modified settings, you should say so already in the OP, even if they seem to be unrelated to the error message/behaviour, as there can be strange side effects.

Sorry. As soon as I realized that the file existed, I reported it.

> > dbus-user.talk org.freedesktop.*
>
> Why use D-Bus filtering at all with this rule?

In order to try to debug, I decided to launch firejail from a console in order to see what it was sending to STDERR. One message was:

```
DBusExport: Failed to connect to DBUS session bus, with error: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused
```

So I tried that dbus socket, i.e.:

```
dbus-user.talk org.freedesktop.*
```

However, that caused firejail to send an error message to the console:

```
Ignoring "dbus-user.talk org.freedesktop.*".
```

So, I went back to the man page, and saw in the example given that the dbus-user.talk line was preceded by a line 'dbus filter', and the documentation seems to say that both are needed. Now I see that the line 'dbus filter' alone is enough to enable atril.

> This allows (org.freedesktop.DBus), org.freedesktop.Flatpak, org.freedesktop.Notifications, org.freedesktop.PackageKit, org.freedesktop.ScreenSaver, org.freedesktop.Tracker3.Miner.Files.Control, org.freedesktop.impl.portal.PermissionStore, org.freedesktop.impl.portal.desktop.gtk, org.freedesktop.portal.Flatpak, org.freedesktop.secrets, org.freedesktop.systemd1.
>
> > Am I doing this correctly?
>
> What's your goal?

1) Calibre should have no internet access.
2) Calibre should be able to launch atril.
3) The rules (dbus) should not be overly permissive.

> General: adding commands to .locals to make things work is right.
>
> > Should I be more restrictive somehow in the use of the dbus filters?
>
> See above.

I went one-by-one and tested each of the items you listed above, using an ignore statement to eliminate the others, and it seems none of the org.freedesktop rules are necessary, and some other dbus feature is being white-listed by the general statement 'dbus filter'.

> BTW, where did you get the org.freedesktop.* from?

I saw an error message on my console: "DBusExport: Failed to connect to DBUS session bus, with error: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused"

Thanks for the support and time you've been giving me on this. I hope maybe something comes of it that can be useful for others, somehow.
> org.freedesktop.DBus.Error.NoServer

is the error type and not the name it tried to access. Unfortunately it does not say which name it tries to access.

- Does it work with just `dbus-user filter` (no `dbus-user.{own,talk}`)? And with `dbus-user none`? (<<The rules (dbus) should not be overly permissive.)
- `net none` is enough to disable internet access. As an alternative you can set `protocol unix,netlink` + `ignore protocol`. If you only care about amazon connections (i.e. your goal is privacy) maybe even `dns 0.0.0.0` works. (<<Calibre should have no internet access.)

On 2021-08-01 07:53, rusty-snake wrote:
> - Does it work with just dbus-user filter (no dbus-user.{own,talk})?

Yes, it does launch atril that way.

> And with dbus-user none? (<<The rules (dbus) should not be overly permissive.)

No, it does not launch atril with that rule.

> - net none is enough to disable internet access. As an alternative you can set protocol unix,netlink + ignore protocol. If you only care about amazon connections (i.e. your goal is privacy) maybe even dns 0.0.0.0 works. (<<Calibre should have no internet access.)

Do I need both protocol lines in my calibre.local file? In my testing it seems that the line 'protocol unix,netlink' was sufficient to eliminate internet access even without the other line 'ignore protocol'. What I get on STDERR on the console with just the single line is:

```
Warning: networking feature is disabled in Firejail configuration file
Warning: more than one protocol list is present, "unix,netlink" will be installed
```

Currently, my calibre.local file looks like this:

```
protocol unix,netlink
```

This does cut off internet and allows atril. I then delayed responding to you because I thought it may be over-permissive in that it allows any other program to be launched. Ideally, it should be limited to (specific/common/known) document viewers.

So I ran some (many) tests (which could have been expedited with some kind of strace help, probably) and I've come up with the following, which is working for me for documents of type djvu, epub, and pdf. If it can be useful to you or to some firejail users, that would be great. Note that I've only been testing this for a matter of minutes, so if you think it has potential you may still want to wait and get back to me after further 'life' testing. Also, calibre is chock full of features that I don't use, so the following may need more permissiveness.

```
noblacklist /usr/bin/atril
noblacklist /usr/bin/awk
noblacklist /usr/bin/basename
noblacklist /usr/bin/calibre
noblacklist /usr/bin/cpulimit
noblacklist /usr/bin/cut
noblacklist /usr/bin/ebook-
noblacklist /usr/bin/evince
noblacklist /usr/bin/djview
noblacklist /usr/bin/fail2ban
noblacklist /usr/bin/faillog
noblacklist /usr/bin/file
noblacklist /usr/bin/firecfg
noblacklist /usr/bin/firejail
noblacklist /usr/bin/firejail-ui
noblacklist /usr/bin/firemon
noblacklist /usr/bin/firetools
noblacklist /usr/bin/gawk
noblacklist /usr/bin/mupdf
noblacklist /usr/bin/okular
noblacklist /usr/bin/pdf
noblacklist /usr/bin/print
noblacklist /usr/bin/python
noblacklist /usr/bin/which
noblacklist /usr/bin/www-browser
noblacklist /usr/bin/xpdf
noblacklist /usr/bin/x-www-browser
noblacklist /usr/bin/xdg
noblacklist /usr/bin/zathura
blacklist /usr/bin/*
```
> dbus-user filter

:+1:

> dbus-user none

:-1:

I know this behaviour from some Qt programs with File Open Dialogs (e.g. d0004b845d074d6a1bffa1b4212dd3782f4999c3). However, I think here it is something else (maybe).

> Do I need both protocol lines in my calibre.local file? In my testing it seems that the line 'protocol unix,netlink' was sufficient to eliminate internet access even without the other line 'ignore protocol'.

That changed in firejail 0.9.66.

> Warning: more than one protocol list is present, "unix,netlink" will be installed

See above.

> Warning: networking feature is disabled in Firejail configuration file

Debian package default, nothing to worry about (only `net <iface|bridge|tap>`, `net*`, `ip*`, ... are disabled, but not `net none`).

> I thought it may be over-permissive

It is. If you can, use

```
net none
protocol unix,netlink
ignore protocol
dbus-user filter
```

- `net none`: always add `net none` if you can; it blocks sandbox escapes via abstract unix sockets
- `protocol unix,netlink`: if it does not need `inet,inet6`, why permit it
- `ignore protocol`: firejail >= 0.9.66
- `dbus-user filter`: (here) to work around `net none` breakage

> it allows any other program to be launched. Ideally, it should be limited to (specific/common/known) document viewers.

Note that everything that can be done by other programs can be done by calibre too (from a permission point of view).

> blacklist /usr/bin/*

- If your system does not have a unified file-system, there is `/bin`
- Why not simply use `private-bin`?

On 2021-08-01 10:11, rusty-snake wrote:
> > I thought it may be over-permissive
>
> It is. If you can, use
>
> ```
> net none
> protocol unix,netlink
> ignore protocol
> dbus-user filter
> ```

OK. I'll do that.

Would it be helpful to also add `dbus-system none`? It doesn't seem to hurt.

> > blacklist /usr/bin/*
>
> * If your system does not have a unified file-system, there is /bin
> * Why not simply use private-bin?

The first honest answer is that I didn't remember that it existed.

The more important second honest answer is that I just tried it, and for it to work would require me to perform more work, i.e. to discover and explicitly include the /bin executables needed by calibre.

---- pause as I do more work before hitting send ----

Below is what I have so far that works. It seems sufficient to add just shells, greps, readlink, and sed to the prior list. However, as I mentioned in my prior email, calibre has many features and plugins, and my testing so far has been limited to opening, adding, and deleting ebooks.

```
private-bin atril,awk,basename,calibre,cpulimit,cut,ebook-,evince,djview,fail2ban,faillog,file,firecfg,firejail,firejail-ui,firemon,firetools,gawk,gv,mupdf,okular,pdf,print,python,which,www-browser,xpdf,x-www-browser,xdg,zathura,bash,dash,egrep,grep,readlink,sed,sh,sh.distrib
```

Some of the regexes there could be eliminated with some thought (e.g. python stuff).
> Would it be helpful to also add dbus-system none? It doesn't seem to hurt.

Yes

> and for it to work would require me to perform more work, i.e. to discover and explicitly include the /bin executables needed by calibre.

You can generate one with `firejail --build calibre`.
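Pulling the thread's findings together, here is an added example that is not code from the firejail project or from either participant: a small POSIX sh/awk lint for a `*.local` drop-in that flags the pitfalls discussed above (`net none` without a `dbus-user` directive, `dbus-user.talk` rules without `dbus-user filter`, wildcard D-Bus names, more than one `protocol` list, a `protocol` line without `ignore protocol`, and `blacklist /usr/bin/*` in place of `private-bin`). The sample file contents and the `lint_local`/`count_findings` names are constructed for the demonstration; the script only reads the file text and never runs firejail.

```shell
#!/bin/sh
# Added example, not code from the firejail project or from the thread's authors.
# lint_local FILE: a text-only check of a firejail *.local drop-in for the
# pitfalls discussed in this issue. It never runs firejail; the function names
# and sample contents below are constructed for the demonstration.

lint_local() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
    }
    line == "net none"                  { net_none = 1 }
    line == "dbus-user filter"          { dbus_filter = 1 }
    line == "dbus-user none"            { dbus_none = 1 }
    line ~ /^dbus-user\.(talk|own) /    { talk[++ntalk] = line }
    line ~ /^protocol /                 { nproto++ }
    line == "ignore protocol"           { ignore_proto = 1 }
    line == "blacklist /usr/bin/*"      { bl_usrbin = 1 }
    line ~ /^private-bin /              { private_bin = 1 }
    END {
        n = 0
        # "net none" also removes abstract unix sockets, which the session bus
        # may use; without an explicit dbus-user directive D-Bus can stop working.
        if (net_none && !dbus_filter && !dbus_none) {
            print "net none without dbus-user filter|none: D-Bus over abstract sockets breaks"; n++
        }
        # dbus-user.talk/own lines are ignored unless "dbus-user filter" is set
        if (ntalk > 0 && !dbus_filter) {
            print "dbus-user.talk/own without \"dbus-user filter\": firejail ignores the rule"; n++
        }
        # a wildcard talk rule grants every matching well-known name at once
        for (i = 1; i <= ntalk; i++)
            if (talk[i] ~ /\*/) { print "broad wildcard D-Bus rule: " talk[i]; n++ }
        # only one protocol list is installed; firejail warns when several exist
        if (nproto > 1) { print "more than one protocol list: only one will be installed"; n++ }
        # the thread recommends pairing a protocol line in a .local with
        # "ignore protocol" on firejail >= 0.9.66
        if (nproto > 0 && !ignore_proto) {
            print "protocol list without \"ignore protocol\" (recommended on firejail >= 0.9.66)"; n++
        }
        # blacklist /usr/bin/* misses /bin on non-merged-/usr systems; prefer private-bin
        if (bl_usrbin && !private_bin) {
            print "blacklist /usr/bin/* instead of private-bin: /bin stays reachable"; n++
        }
        exit n    # exit status = number of findings
    }' "$1"
}

# count_findings FILE: number of findings on stdout, for scripting
count_findings() {
    lint_local "$1" | wc -l | tr -d ' '
}

# Constructed samples modelled on the thread's first attempt and its final form.
SAMPLE_DIR=$(mktemp -d)
WEAK_LOCAL="$SAMPLE_DIR/calibre.local.weak"
HARDENED_LOCAL="$SAMPLE_DIR/calibre.local.hardened"

cat > "$WEAK_LOCAL" <<'EOF'
# constructed: first attempt
net none
dbus-user.talk org.freedesktop.*
blacklist /usr/bin/*
EOF

cat > "$HARDENED_LOCAL" <<'EOF'
# constructed: final form from the thread
net none
protocol unix,netlink
ignore protocol
dbus-user filter
dbus-system none
private-bin atril,calibre,sh
EOF

# Usage: lint_local "$WEAK_LOCAL" prints four findings; lint_local "$HARDENED_LOCAL" prints none.
```

Because the exit status of `lint_local` is the number of findings, it can gate a profile edit in a script (`lint_local calibre.local || echo "review before installing"`); `count_findings` gives the same number on stdout for use in conditions.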
I'm closing here due to inactivity; please feel free to request to reopen if you still have this issue.
In debian, using firejail 0.9.64.4, calibre 5.16.1, and atril 1.20.3, and using the default firejail profiles: from within `firejail /usr/bin/calibre`, I can't open/view a document with atril.

What does work:
1) `firejail atril foo.pdf`
2) calibre (without firejail) and opening a pdf with atril
3) `firejail calibre` and opening a pdf with zathura or mupdf

In the following output from `firejail --debug calibre`, note that the first line spawned when asking to view a pdf is the line beginning "Error seteuid":

EDIT by @rusty-snake: Code-block