Closed g4njawizard closed 1 year ago
Your profile has a commented line #include disable-common.inc, but when you run Firejail it reports Reading profile /etc/firejail/disable-common.inc. So we have a mismatch here. Can you please verify the pasted profile is correct?
It might be easier to adapt the codium profile shipped by Firejail to your needs, rather than build a new profile from scratch (even though that's admittedly more fun). To enable ssh, you probably will need to add include allow-ssh.inc. Maybe it helps to take a look at the other rules in ssh.profile?
Allowing sudo inside a sandbox is quite painful; it is possible to get this running, but you will need to water down the sandbox very significantly. If you are ok with this, add to the profile:
ignore caps.drop all # from your pasted profile
ignore caps.keep # capability list from electron.profile is not sufficient for sudo
ignore nonewprivs
ignore protocol # implemented using seccomp
ignore seccomp
ignore private-bin # nosuid mount
ignore private-lib # without private-bin, private-lib is not as automagical, so this needs more tuning
Is there something like a learning mode for profile building? So I can run codium and firejail tracks everything the application uses?
The --build, --trace and --tracelog options do this. But it doesn't work with all applications.
odin@mjolnir:~/git/ansible|⇒ codium
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 129439, child pid 129440
Child process initialized in 126.27 ms
Still have the same error despite the fact that it is reading the "allow-ssh.inc"
2023-02-08 08:45:52.976 [info] Warning: an existing sandbox was detected. /usr/bin/ssh will run without any additional sandboxing features
Error: no suitable /usr/bin/ssh executable found
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
The profiles that have been loaded:
user@workstation:~/git/ansible|⇒ cat /etc/firejail/codium.profile
# Firejail profile alias for VSCodium
# This file is overwritten after every install/update
# Persistent local customizations
include codium.local
# Persistent global definitions
# added by included profile
#include globals.local
# Redirect
include vscodium.profile
user@workstation:~/git/ansible|⇒ cat /etc/firejail/vscodium.profile
# Firejail profile alias for VSCodium
# This file is overwritten after every install/update
# Persistent local customizations
include vscodium.local
# Persistent global definitions
# added by included profile
#include globals.local
noblacklist ${HOME}/.VSCodium
noblacklist ${HOME}/.config/VSCodium
# Redirect
include code.profile
include allow-ssh.inc
user@workstation:~/git/ansible|⇒ cat /etc/firejail/code.profile
# Firejail profile for Visual Studio Code
# This file is overwritten after every install/update
# Persistent local customizations
include code.local
# Persistent global definitions
include globals.local
# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt
ignore dbus-user none
ignore dbus-system none
noblacklist ${HOME}/.config/Code
noblacklist ${HOME}/.config/Code - OSS
noblacklist ${HOME}/.vscode
noblacklist ${HOME}/.vscode-oss
# Allows files commonly used by IDEs
include allow-common-devel.inc
nosound
# Disabling noexec ${HOME} for now since it will
# probably interfere with running some programmes
# in VS Code
# noexec ${HOME}
noexec /tmp
# Redirect
include electron.profile
user@workstation:~/git/ansible|⇒
2023-02-08 08:45:52.976 [info] Warning: an existing sandbox was detected. /usr/bin/ssh will run without any additional sandboxing features
This warning might be important to double-check. It usually means that you're using firecfg, which creates symlinks under /usr/local/bin/foo to the firejail binary, usually located at /usr/bin/firejail. Or you've created similar symlinks yourself. Either way, if you have a /usr/local/bin/ssh, try to move it out of the way for testing (temporarily rename it) and post the output from the below command here please:
$ firejail --ignore=quiet /usr/bin/codium
codium now has lost its connection to the internet, but I haven't changed the config.
When I move the ssh file and run codium, I see the following:
odin@mjolnir:~|⇒ firejail --ignore=quiet /usr/bin/codium
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 156435, child pid 156436
Child process initialized in 122.72 ms
Parent is shutting down, bye...
Inside Codium:
> git pull --tags origin main
error: cannot run ssh: No such file or directory
fatal: unable to fork
@g4njawizard on Feb 9:
codium now has lost its connection to the internet, but I haven't changed the config.
When I move the ssh file and run codium, I see the following:
odin@mjolnir:~|⇒ firejail --ignore=quiet /usr/bin/codium
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 156435, child pid 156436
Child process initialized in 122.72 ms
Parent is shutting down, bye...
Inside Codium:
> git pull --tags origin main
error: cannot run ssh: No such file or directory
fatal: unable to fork
The issue appears to be that allow-ssh.inc is being included after (rather than before) the disable-*.inc files. See also profile.template.
Unless you intend to override an entire profile, it's recommended to put the changes in a .local file instead of overriding .profile files.
This also makes it easier to see what exactly was changed.
Try this: Remove all modifications from related .profile files in /etc/firejail and add the following to ~/.config/firejail/code.local:
include allow-ssh.inc
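How the include order plays out, as an added example that is not code from the Firejail project: a small Python simulation of Firejail's depth-first, in-place include handling, run over constructed and abbreviated stand-ins for the profiles shown in this thread, first as the reporter had them (allow-ssh.inc appended to vscodium.profile) and then with the include moved into code.local.

```python
# Added example (not Firejail project code): simulate Firejail's depth-first,
# in-place handling of "include" lines to see whether an allow-*.inc is read
# only after a disable-*.inc, i.e. too late for its noblacklist lines.
# Profile bodies are constructed, abbreviated stand-ins for /etc/firejail.
PROFILES = {
    "codium.profile": "include codium.local\ninclude vscodium.profile\n",
    "vscodium.profile": "include vscodium.local\ninclude code.profile\n"
                        "include allow-ssh.inc\n",
    "code.profile": "include code.local\nignore include disable-devel.inc\n"
                    "include electron.profile\n",
    "electron.profile": "include disable-common.inc\ninclude disable-devel.inc\n"
                        "include disable-programs.inc\n",
    "disable-common.inc": "blacklist ${HOME}/.ssh\n",
    "disable-devel.inc": "", "disable-programs.inc": "",
    "allow-ssh.inc": "noblacklist ${HOME}/.ssh\n",
}
# Suggested fix: *.profile files untouched, the include moves into code.local.
FIXED = dict(PROFILES, **{
    "vscodium.profile": "include vscodium.local\ninclude code.profile\n",
    "code.local": "include allow-ssh.inc\n",
})


def read_order(name, files, ignores=None, order=None):
    """Files in the order Firejail reads them. 'include X' is followed at
    once; 'ignore <prefix>' drops later lines starting with that prefix
    (full-word match); a missing *.local is skipped, other misses are fatal."""
    ignores = set() if ignores is None else ignores
    order = [] if order is None else order
    if name not in files:
        if name.endswith(".local"):
            return order
        raise FileNotFoundError(f"cannot access profile file: {name}")
    order.append(name)
    for line in (l.strip() for l in files[name].splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("ignore "):
            ignores.add(line[7:].strip())
        elif any(line == ig or line.startswith(ig + " ") for ig in ignores):
            continue
        elif line.startswith("include "):
            read_order(line[8:].strip(), files, ignores, order)
    return order


def allow_after_disable(order):
    """allow-*.inc files read after the first disable-*.inc file."""
    cut = next((i for i, n in enumerate(order) if n.startswith("disable-")), len(order))
    return [n for n in order[cut:] if n.startswith("allow-")]
```

With the reporter's layout the check reports allow-ssh.inc as read too late; with the include in code.local it is read before electron.profile pulls in the disable-*.inc files, so the list is empty.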
Thanks for that! SSH works now. Do you know what setting I need to enable network connection for plugins?
@g4njawizard on Feb 9:
Thanks for that! SSH works now.
No problem.
Do you know what setting I need to enable network connection for plugins?
Warning: networking feature is disabled in Firejail configuration file
Did you change the network option in /etc/firejail/firejail.config?
I don't remember if I've set it, or it is default:
firejail.config:
#network yes
restricted-network yes
Do I have to create a namespace and allow for specific programs in that namespace network access?
@g4njawizard on Feb 9:
I don't remember if I've set it, or it is default:
firejail.config:
#network yes
restricted-network yes
See the description:
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no
Do I have to create a namespace and allow for specific programs in that namespace network access?
I don't think so, unless you are doing something firewall-related.
You're right. I've done it in the past with the idea of allowing single applications to access the network. But I never configured something in that way and forgot about it. Thanks for the support!
Hi, I am still a noob in terms of firejail configuration. I have Apparmor and Firejail enabled and I can use it with firefox or thunderbird, but when I try to use codium, I have some problems. When I run codium and use the default profile, codium is way too restricted. I can't sudo, nor access .ssh or different directories that are important for my tests or pushing to github etc. So I've built a custom profile with whitelistings. Unfortunately I cannot start codium with my custom profile.
my profile:
When I try to run codium
ll /usr/bin/codium lrwxrwxrwx 1 root root 28 Nov 11 05:17 /usr/bin/codium -> /usr/share/codium/bin/codium
Is there something like a learning mode for profile building? So I can run codium and firejail tracks everything the application uses?
firejail version 0.9.70