How to block internet access while retain connection to host native X11 #3568
Comments
Unix sockets are local and cannot be used for TCP/IP. Steam likely spawns a download worker through systemd/D-Bus.
You can bind mount the regular-X11-socket inside the chroot. |
A bit of a dirty hack is to set an environment variable |
Can you expand a bit on the systemd/D-Bus exploit? I'm trying to understand how Steam can communicate with systemd/D-Bus in the chroot, but my assumption is that the systemd/D-Bus that Steam talks to is also bound by the
This worked for me! I found some more info in #2711 and the code. Do you have any idea whether this hack would be formalized? E.g. to become a command line parameter. Also, as the solution is similar for #3484 as well, I think this should be able to be applied to pulseaudio as well (which needs to copy |
I just found that the bind-mounting by If that is correct, this would be much cleaner than the manual mounting outside the jail (I'm scripting it for pulseaudio, and I don't have a good way yet to umount it automatically, considering a possible multiple instances situation). |
These mounts are destroyed when all processes in the sandbox mount namespace have terminated, or in other words, when Firejail exits.
I guess a simple way to formalize this would be to just use an environment variable different from |
The problem is that the process at the other end of the socket doesn't know about our own sandbox restrictions. If you allow a sandbox access to a socket, you open up unrestricted access to the service, and what that means depends on the service alone. What does |
Do you suggest that firejail mounts the dbus in chroot by default? Not stated in the manpage at least. I was saying that with an assumption that the dbus inside is a different one, and not the dbus outside.
With
And when trying with an additional There is a
I'm not sure how to test dbus. What I came up with:
seems to indicate that dbus is defunct too. I'll try to find something to figure out which process is handling the network traffic. That might help to provide more clues. |
To find an abstract unix socket, you must use |
add check so that environment variable FIREJAIL_CHROOT_X11 can be used to mount /tmp/.X11-unix into the chroot; issue #3568
I added environment variables
No, it doesn't do anything with D-Bus. |
Sorry for a much delayed response. I finally got the latest firejail in backports channel. |
The options I explored:

- --net=none blocks both internet and host X11 connection.
- --net=none --x11 works, but I need gpu hardware acceleration, and thus a direct host x11 connection.
- --netfilter works only when --net= is used, according to the manpage.
- --protocol=unix works only partially. I tested with steam, in which web pages are all broken. But somehow steam can still download games (both new game install and update downloads work).

For the 3rd point, my impression is that unix sockets are local. Is it possible to use a unix socket for internet access? I found https://wiki.manjaro.org/index.php?title=Firejail#Block_an_application_from_accessing_the_internet, which seems to side with my impression (that unix socks are local), but somehow firejailed steam is not fully restricted from internet.

In case it might be helpful, how I launch steam is:

firejail --noprofile --seccomp --nonewprivs --caps.drop=all --chroot=~/chroot steam

Not sure what else I can do to achieve the result in the title. Any recommendations / suggestions are welcome.
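An added audit script, not code from the firejail project or from anyone in this thread, that can be run from inside the jail (for example `firejail --net=none ... sh audit.sh run`) to check what the sandbox can still reach: interfaces other than loopback, the unix sockets visible in the shared network namespace (abstract ones, as used by D-Bus and X11, start with `@`), and whether the X11 socket is present. The socket directory /tmp/.X11-unix and display :0 are assumptions; the file paths are parameters so the parsers can be pointed at sample files.

```shell
#!/bin/sh
# Added example (not part of firejail). Run with the argument "run" inside a
# sandbox to see what it can still reach; the parsing functions take file
# paths so they can also be fed constructed /proc-style sample files.

# Print every interface in a /proc/net/dev-style file except loopback.
# With --net=none only "lo" should remain, so the output should be empty.
non_loopback_ifaces() {
    tail -n +3 "$1" | awk -F: '{ gsub(/^ +/, "", $1); if ($1 != "lo") print $1 }'
}

# Print the path of every named unix socket in a /proc/net/unix-style file.
# Rows without a path (unnamed sockets) have only 7 fields and are skipped.
# A leading '@' marks an abstract socket: those live in the network namespace,
# not the filesystem, which is why --protocol=unix alone does not cut the
# sandbox off from host services that listen on them.
unix_socket_paths() {
    tail -n +2 "$1" | awk 'NF >= 8 { print $8 }'
}

# Exit status 0 if the X11 socket for display number $2 exists under
# directory $1 (the socket the comments above bind-mount into the chroot).
has_x11_socket() {
    [ -S "$1/X$2" ]
}

# Live run against the kernel's own files (assumed paths: /tmp/.X11-unix, :0).
if [ "${1:-}" = "run" ]; then
    echo "non-loopback interfaces:"; non_loopback_ifaces /proc/net/dev
    echo "visible unix sockets:";    unix_socket_paths /proc/net/unix
    if has_x11_socket /tmp/.X11-unix 0; then
        echo "X11 :0 socket present"
    else
        echo "X11 :0 socket missing"
    fi
fi
```

An empty interface list together with a present X11 socket is the state the title asks for; any `@`-prefixed D-Bus or X11 entry in the socket list shows the host namespace is still shared.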