webkit2gtk-4.0 requires bwrap #3647
Comments
surf is another one using webkitgtk, though after a quick test it was still working in firejail.
FWIW: https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/ Fedora's kernel has unprivileged user-ns always enabled. The non-suid bwrap binary, which is therefore used as default in Fedora, works with these minimal changes:
However the suid variant will need more permissions, such as no nonewprivs. UPDATE: #3647 (comment)
Just adding Edit: Sorry. I'm wrong. I can start evolution, but new emails cannot be read. I get
@rusty-snake How can I put those seccomp and dev-bind options into the profile?
However, from the error message you likely need to add
Now I get this
Does Arch ship the suid variant? (check
No suid:
Doesn't work with
Maybe it is caused by the pid-namespace. (If so) we need an option to run the sandbox in the default pid-namespace. Can you post the full bwrap cmd? Maybe it only happens if a certain option is used. Since there are flatpaks for almost every GNOME app and bwrap does not work inside bwrap, there must be some code which disables the webkit2gtk-4.0 sandbox. Maybe we can trigger this or add a patch to trigger this by an env-var (or there is already one).
There are two bwrap processes. I couldn't find a bwrap command in the evolution code, so I'm not sure how this works. I also cannot find anything to configure flatpak/bwrap for evolution.
They pass it via FD 😢. This bwrap call is in the webkit2gtk code and not in evolution, but I could not find a webkit2gtk repo on the internet. If flatpak and flathub are configured:
Looks like they check for flatpak and other sandboxing already.
My evolution on Debian sid doesn't work. After creating evolution.local with
evolution starts, but I'm unable to read a mail, since
The output from the console shows:
I have also tested the newest profile from GitHub since it seems to be newer than the Debian one, also no success. Micha
Additional question: is firejail needed when bwrap is also a sandbox application?
Oh no, not Debian, this will be even harder. Debian has unprivileged-userns-clone disabled and therefore bwrap installed as suid. Either you enable them (
Firejail still provides extra security by sandboxing the full application and not parts of it. However, the internal bwrap sandbox sandboxes the web-content processes, which have a major attack surface because they deal with untrusted input. IDK how tight this sandbox is, but those processes usually don't need any filesystem access, so I think they're OK. So if you don't want to dig deeper, you are very likely well protected if you only use the bwrap sandbox for now.
- gimp: allow mbind syscall. no start on Fedora 33 without
- minetest: disable private-cache. without persistent cache connecting to servers can take many minutes
- supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers
- supertuxkart: comment private-dev to allow controller use
- profiles: unify controller support comments
- firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
Can someone confirm if
Did a bit of strace, here are my findings: The error occurs only if bwrap is called with
mount("proc", "/newroot/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
webkit2gtk uses a bwrap based sandbox by default since 4.0, see netblue30#3647. This is good as it means more security by default on Linux systems. Unfortunately it is not possible to run bwrap inside firejail at all if bwrap is started with --unshare-pid --proc /proc. In general we should exclude a program from firecfg until a final solution is found. But bijiben is special: while epiphany or evolution display random stuff from the internet, webkit2gtk in bijiben is used to display local files created by the user. Bijiben has a tight profile (net none, whitelist, private-bin, ...), therefore my decision here was to disable the webkit2gtk sandbox rather than firejail.
It does, at least to the extent of reading a message, so I've set it in evolution.local. I'm on Debian 11 with firejail 0.9.66 from the backports repo.
@loveshack can you share your working profile for Debian 11? I'm not using bwrap (starting with
This makes bwrap work inside foliate firejail sandbox. bwrap requires
I haven't been able to figure out which binaries need to be passed to private-bin.
bwrap requires a lot of capabilities and lack of seccomp. This seems to outweigh the benefits of running bwrap inside a firejail sandbox. The nyxt browser just disables the webkit sandbox. nyxt recommends using an external sandbox like a guix container or firejail.
Is there a possibility of getting a feature to set environment variables in profiles?
That is already possible:
Does that mean this solved the problem for foliate?
echo env WEBKIT_FORCE_SANDBOX=0 > ~/.config/firejail/foliate.local
I don't know. If you have that problem, why don't you try it?
Yeah, tried it. It works. Thanks. I am just surprised that last time I checked I did not find
Looks like the env variable is changed.
Should the webkit sandbox be disabled? Or should it be used in firejail?
You should NOT disable it.
I tried to put nyxt with webkit sandbox in firejail sandbox and got this error message.
After disabling apparmor, I get this error message.
I haven't figured out a way to run a bwrap sandbox inside firejail.
Has anyone found a way to make bwrap work inside firejail? How does the firefox sandbox work inside firejail?
Can't seem to get gnome-notes ( |
Looks like they updated to gtk-4.
At this point, I think it's better to just disable bwrap with
because I could not find a way to make bwrap work inside the firejail sandbox. If I had to choose between the two, I would choose firejail because the webkit sandbox doesn't place a tight access control over the filesystem. The webkit sandbox isn't configurable, either. The firejail sandbox is configurable and tighter. We can't drag this on forever. We need something working in a timely manner. I can't wait 3 decades for this issue to be resolved...
DON'T DO THIS!
This is not true. The code can be found here.
Heavily depends on the profile.
Doing this with crablock that uses new-mount-api, the
Actually we get a warning in dmesg. 🥳
What happens if we don't blacklist them?
$ firejail --quiet --noprofile bwrap --unshare-pid --proc /proc --dev-bind / / echo "Hello from bubblewrap!"
Hello from bubblewrap
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index cdad5e220..9f2fcd510 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -718,12 +718,12 @@ void fs_mnt(const int enforce) {
void fs_proc_sys_dev_boot(void) {
// remount /proc/sys readonly
- if (arg_debug)
- printf("Mounting read-only /proc/sys\n");
- if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
- mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
- errExit("mounting /proc/sys");
- fs_logger("read-only /proc/sys");
+ // if (arg_debug)
+ // printf("Mounting read-only /proc/sys\n");
+ // if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
+ // mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+ // errExit("mounting /proc/sys");
+ // fs_logger("read-only /proc/sys");
/* Mount a version of /sys that describes the network namespace */
if (arg_debug)
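Review bot: Commenting out the read-only remount of /proc/sys (the `- if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||` block through `- fs_logger("read-only /proc/sys");`) removes a hardening step for every sandbox, not only those that need to run bwrap; if the remount must go for bwrap's nested proc mount to succeed, gate it on a runtime option checked the way `arg_debug` is, delete the lines instead of leaving them as commented-out code, and update the `// remount /proc/sys readonly` comment that now heads an empty block.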
@@ -753,27 +753,27 @@ void fs_proc_sys_dev_boot(void) {
disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");
// various /proc/sys files
- disable_file(BLACKLIST_FILE, "/proc/sys/security");
- disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");
- disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc");
- disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern");
- disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe");
- disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger");
- disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
- disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
+ // disable_file(BLACKLIST_FILE, "/proc/sys/security");
+ // disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");
+ // disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc");
+ // disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern");
+ // disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe");
+ // disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger");
+ // disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
+ // disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
// various /proc files
- disable_file(BLACKLIST_FILE, "/proc/irq");
- disable_file(BLACKLIST_FILE, "/proc/bus");
+ // disable_file(BLACKLIST_FILE, "/proc/irq");
+ // disable_file(BLACKLIST_FILE, "/proc/bus");
// move /proc/config.gz to disable-common.inc
//disable_file(BLACKLIST_FILE, "/proc/config.gz");
- disable_file(BLACKLIST_FILE, "/proc/sched_debug");
- disable_file(BLACKLIST_FILE, "/proc/timer_list");
- disable_file(BLACKLIST_FILE, "/proc/timer_stats");
- disable_file(BLACKLIST_FILE, "/proc/kcore");
- disable_file(BLACKLIST_FILE, "/proc/kallsyms");
- disable_file(BLACKLIST_FILE, "/proc/mem");
- disable_file(BLACKLIST_FILE, "/proc/kmem");
+ // disable_file(BLACKLIST_FILE, "/proc/sched_debug");
+ // disable_file(BLACKLIST_FILE, "/proc/timer_list");
+ // disable_file(BLACKLIST_FILE, "/proc/timer_stats");
+ // disable_file(BLACKLIST_FILE, "/proc/kcore");
+ // disable_file(BLACKLIST_FILE, "/proc/kallsyms");
+ // disable_file(BLACKLIST_FILE, "/proc/mem");
+ // disable_file(BLACKLIST_FILE, "/proc/kmem");
// remove kernel symbol information
if (!arg_allow_debuggers) {
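Review bot: The overmounts dropped here include `/proc/sys/kernel/core_pattern`, `/proc/sys/kernel/modprobe` and `/proc/sysrq-trigger`, the writable kernel hooks a sandboxed process must not be able to reach, and with the read-only /proc/sys bind also gone nothing in this function protects them any more. The commit message should state which of these /proc entries actually block the nested proc mount reported in the thread so the minimum set can be judged (the `/sys/kernel/uevent_helper` line above is rightly left alone, as it is not under /proc), and the removed lines should be deleted rather than commented out.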
@@ -818,8 +818,8 @@ void fs_proc_sys_dev_boot(void) {
if (getuid() != 0) {
// disable /dev/kmsg and /proc/kmsg
- disable_file(BLACKLIST_FILE, "/dev/kmsg");
- disable_file(BLACKLIST_FILE, "/proc/kmsg");
+ // disable_file(BLACKLIST_FILE, "/dev/kmsg");
+ // disable_file(BLACKLIST_FILE, "/proc/kmsg");
}
EUID_ROOT(); |
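Review bot: `/dev/kmsg` is not under /proc, so disabling its blacklist cannot help a failing proc mount; keep `disable_file(BLACKLIST_FILE, "/dev/kmsg");` and, if `/proc/kmsg` has to go, say why in a code comment. With both bodies commented out the enclosing `if (getuid() != 0) {` block is empty and should be removed or gated on the same option as the earlier hunks.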
Btw, crablock mounts with
Look. I know the webkit sandbox cannot be allowed to restrict access to user directories because restricting user access will cause people to ditch web browsers... That's a UX disaster... Web browsers will be killed if they restrict user access by default. People will just use another web browser that lets them upload files from any directory without a hassle... If Google Chrome pulled off this stunt, it would lose market share to Firefox very quickly... Google Chrome would die in a month. With firejail, users choose to restrict user access to a subset of it. With firejail, users have control. With the webkit sandbox, users don't get to choose which directories are whitelisted or blacklisted. I'm not comfortable with a web browser having access to my private files...
So, you found a way to make bwrap work inside firejail? Perhaps it can be packaged as
The webkit process does not have access to all your private files:
It requires code changes. But after that it should be possible with an
I didn't know that was going on. However, I still want to restrict browser access from my end through firejail or apparmor. The bloated browser program itself still has user access...
The new webkit2gtk-4.0/-2.30 seems to hard-require bubblewrap.
This causes firejailed programs such as evolution and epiphany to fail to start.
The profiles will probably need to be updated like chromium's.
Edit:
#2995 dropped support for epiphany because of this