netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Profile for signal-desktop fails! #4937

Closed little-helper-001 closed 2 years ago

little-helper-001 commented 2 years ago

Description

I tried to launch signal-desktop after running firecfg and the program fails to start.

Steps to Reproduce

  1. sudo pacman -S signal-desktop
  2. sudo firecfg
  3. signal-desktop

Expected behavior

Signal should start.

Actual behavior

[sapiens@fuckup ~]$ signal-desktop
Reading profile /etc/firejail/signal-desktop.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 37899, child pid 37902
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 38.85 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 158.67 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

Behavior without a profile

LC_ALL=C firejail --noprofile /path/to/program

[user@computer ~]$ LC_ALL=C firejail --noprofile /bin/signal-desktop
Parent pid 44226, child pid 44227
Child process initialized in 15.86 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

Calling signal by running /bin/signal-desktop causes Signal to launch as expected.

Log

Output of LC_ALL=C firejail /path/to/program

```
[user@computer ~]$ LC_ALL=C firejail /bin/signal-desktop
Reading profile /etc/firejail/signal-desktop.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 46932, child pid 46935
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 41.64 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 156.23 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...
```


EDIT by @rusty-snake: fix markdown checklist; fix details tag

rusty-snake commented 2 years ago

Did you set force-nonewprivs yes in firejail.config?

little-helper-001 commented 2 years ago

> Did you set force-nonewprivs yes in firejail.config?

Indeed I did. I followed the instructions to harden firejail. I suppose this is an issue. How should I handle the situation?

rusty-snake commented 2 years ago

You can not set nnp and disable userns if you want to use chromium* programs.

Either set force-nonewprivs no or sysctl kernel.unprivileged_userns_clone=1 (IMHO the right thing).
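A check for the two settings named above, as an added example that is not part of this thread or of the firejail project. It reads force-nonewprivs from a firejail.config and kernel.unprivileged_userns_clone from a /proc/sys-style tree (both paths are parameters, so it can run against a scratch copy or the live system) and reports whether Chromium's sandbox has a way to start. The assumption that a missing kernel.unprivileged_userns_clone means a mainline kernel with user namespaces enabled is mine, as is the constructed sample config in the demo.

```shell
#!/bin/sh
# Added example (not from the firejail project or this thread): explain why an
# Electron/Chromium app fails under firejail when force-nonewprivs in
# firejail.config is combined with kernel.unprivileged_userns_clone=0.
# Live-system usage:  chromium_sandbox_ok /etc/firejail/firejail.config /proc/sys

# Print the value of "KEY VALUE" in a firejail.config; "unset" if absent/commented.
firejail_config_value() {
    cfg="$1"; key="$2"
    val=$(sed -n -E "s/^[[:space:]]*${key}[[:space:]]+([^[:space:]]+).*/\1/p" "$cfg" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Read sysctl NAME as a file below SYSROOT (normally /proc/sys); "unset" if absent.
# kernel.unprivileged_userns_clone is a distro patch (Arch linux-hardened, Debian);
# assumption: on a mainline kernel the file is missing and unprivileged user
# namespaces are simply enabled.
sysctl_value() {
    f="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'unset'; fi
    printf '\n'
}

# chromium_sandbox_ok CONFIG SYSROOT: 0 if Chromium's sandbox can come up, 1 if the
# setuid helper (killed by NO_NEW_PRIVS) and the user-namespace fallback (killed by
# unprivileged_userns_clone=0) are both blocked, which is the error in the log.
chromium_sandbox_ok() {
    nnp=$(firejail_config_value "$1" force-nonewprivs)
    userns=$(sysctl_value "$2" kernel.unprivileged_userns_clone)
    if [ "$nnp" != "yes" ]; then
        echo "ok: force-nonewprivs is $nnp, NO_NEW_PRIVS is not forced by firejail.config"
        return 0
    fi
    if [ "$userns" = "0" ]; then
        echo "FAIL: force-nonewprivs yes disables the setuid sandbox and kernel.unprivileged_userns_clone=0 disables the namespace fallback"
        return 1
    fi
    echo "ok: NO_NEW_PRIVS forced, but unprivileged user namespaces ($userns) allow the namespace sandbox"
    return 0
}

# Demo on a constructed config (not a real firejail.config): the reporter's
# hardened setup, then the sysctl flipped to 1.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/kernel"
    printf '# constructed sample\nforce-nonewprivs yes\n' > "$d/firejail.config"
    echo 0 > "$d/sys/kernel/unprivileged_userns_clone"
    chromium_sandbox_ok "$d/firejail.config" "$d/sys" || true
    echo 1 > "$d/sys/kernel/unprivileged_userns_clone"
    chromium_sandbox_ok "$d/firejail.config" "$d/sys"
    rm -rf "$d"
}
demo
```

Run it as is for the demo, or call chromium_sandbox_ok with the live paths shown in the header comment; a FAIL line reproduces the "setuid sandbox is not running as root" plus "Operation not permitted" pair from the report.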

little-helper-001 commented 2 years ago

From what I read, sysctl kernel.unprivileged_userns_clone=1 is a security risk, while force-nonewprivs no disables the general hardening for firejail. Can you tell me if there is a third option, that would be to set firecfg to exclude signal-desktop from profile generation, or a setting I could put into the signal-desktop.local that disables the restriction? I think under the circumstances I would exclude signal from being handled by firejail.

rusty-snake commented 2 years ago

> or a setting I could put into the signal-desktop.local that disables restriction.

The idea behind force-nonewprivs is that you can not undo it, otherwise it wouldn't be a hardening option.

> From what I read sysctl kernel.unprivileged_userns_clone=1 is a security risk

It's such a huge security risk that it is the default in mainline, Debian, Ubuntu, Mint, Fedora, ... kernels.

Did you know that firefox is a security risk?

> that would be to set firecfg to exclude signal-desktop from profile generation

Yes you can #2097, https://github.com/netblue30/firejail/issues/3665#issuecomment-707689049, #3016, ...

little-helper-001 commented 2 years ago

Thank you for the links. I left the hardening in place.

I created a script to remove the links from applications I want to exclude.

```
#!/bin/bash
# remove the symlinks firecfg created for applications that should run without firejail
apps=(signal-desktop)
for app in "${apps[@]}"; do
    link="/usr/local/bin/$app"
    # only remove a symlink (firecfg creates symlinks to firejail), never a real binary
    [ -L "$link" ] && rm -f "$link"
done
```

Then I modified the pacman hook accordingly to run the script every time it runs firecfg.

/etc/pacman.d/hooks/firejail.hook:

```
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/local/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1 && /home/user/scripts/firejail-disable-helper.sh'
```

rusty-snake commented 2 years ago

> Exec = /bin/sh -c 'firecfg >/dev/null 2>&1 && /home/user/scripts/firejail-disable-helper.sh'

All this issue is about is a problem caused by multiple hardening options to mitigate potential user2root exploits (which aren't much of an issue for most desktop systems) that could be discovered in the future. And to fix it you automatically execute a user-writable script as root? Think of your threat models.

little-helper-001 commented 2 years ago

Thank you for your concern, but the script is not user writable.

-rwxr----- 1 root    root     91 Feb 13 11:47 firejail-disable-helper.sh

As long as some applications make problems with firejail, I will exclude them and let Apparmor handle them. It is a single application so far, so I think this is a good compromise.

rusty-snake commented 2 years ago

Is /home/user/scripts owned by you and writeable?

```
rm -f ~/scripts/firejail-disable-helper.sh
echo -e '#!/bin/bash\nrm -rf /' > ~/scripts/firejail-disable-helper.sh
chmod +x ~/scripts/firejail-disable-helper.sh
```

little-helper-001 commented 2 years ago

Oh, I actually did not know that this works. Thanks for explaining. I moved the script to /root/scripts for now. I still think only excluding the few applications that make problems is the best way to go.
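A hardened version of the exclusion helper and of the hook's call to it, as an added example that is neither the poster's script nor part of firejail. It removes only the symlinks firecfg created (a symlink resolving to the firejail binary) for the listed applications, and it refuses to execute the helper from a root hook unless the helper is a regular file that, together with its parent directory, is owned by the expected uid and is not group- or world-writable, which is exactly the replacement attack rusty-snake demonstrates. GNU coreutils (stat -c, readlink -f) are assumed; the bin directory, firejail path and helper path are parameters, and the demo's scratch layout is constructed.

```shell
#!/bin/sh
# Added example, not the poster's helper or part of firejail. Two pieces:
#  1. remove_firecfg_links: drop the symlinks firecfg created for listed apps,
#     and only those (a real binary of the same name is left alone);
#  2. trusted_helper / hook_exec: the check a pacman hook should make before
#     running a helper as root, so a user-writable script or directory cannot
#     be swapped for "rm -rf /". Assumes GNU coreutils (stat -c, readlink -f).
# On a real system BINDIR is /usr/local/bin and FIREJAIL is "$(command -v firejail)".

# 0 if LINK ($1) is a symlink resolving to FIREJAIL ($2), i.e. created by firecfg.
is_firecfg_symlink() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# remove_firecfg_links BINDIR FIREJAIL APP...: remove the firecfg symlinks for APPs.
remove_firecfg_links() {
    bindir="$1"; firejail="$2"; shift 2
    for app in "$@"; do
        link="$bindir/$app"
        if is_firecfg_symlink "$link" "$firejail"; then
            rm -f "$link" && echo "removed $link"
        else
            echo "kept $link (absent or not a firejail symlink)"
        fi
    done
}

# trusted_helper PATH UID: 0 only if PATH is a regular file (not a symlink) and
# PATH and its parent directory are owned by UID and not group/world writable.
trusted_helper() {
    path="$1"; want="$2"
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    for p in "$path" "$(dirname "$path")"; do
        uid=$(stat -c %u "$p") || return 1
        mode=$(stat -c %a "$p") || return 1
        [ "$uid" = "$want" ] || return 1
        # 022 = group-write | other-write permission bits (mode read as octal)
        [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    done
    return 0
}

# hook_exec HELPER: what the hook's Exec line should call instead of running the
# helper unconditionally; runs it only if trusted_helper passes for root (uid 0).
hook_exec() {
    if trusted_helper "$1" 0; then
        "$1"
    else
        echo "refusing to run $1 as root: not root-owned or writable by others" >&2
        return 1
    fi
}

# Demo on a constructed scratch tree: a firecfg-style symlink, a real program
# with a listed name that must survive, and a world-writable helper.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/scripts"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/firejail"; chmod 755 "$d/bin/firejail"
    ln -s "$d/bin/firejail" "$d/bin/signal-desktop"    # what firecfg creates
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/other-app"   # a real program
    remove_firecfg_links "$d/bin" "$d/bin/firejail" signal-desktop other-app
    printf '#!/bin/sh\necho helper ran\n' > "$d/scripts/helper.sh"
    chmod 777 "$d/scripts/helper.sh"                    # must be refused
    hook_exec "$d/scripts/helper.sh" || true
    rm -rf "$d"
}
demo
```

With the helper under a root-only directory such as /root/scripts (mode 0700, owner root) both checks pass and hook_exec runs it; anything a normal user can write, including the directory the file sits in, is refused before firecfg's result is touched.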