Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

disable-sys.inc #5441

Open
rusty-snake opened this issue Oct 30, 2022 · 5 comments
Open

disable-sys.inc #5441

rusty-snake opened this issue Oct 30, 2022 · 5 comments
Labels
enhancement New feature request

Comments

@rusty-snake
Copy link
Collaborator

Is your feature request related to a problem? Please describe.

/sys exposes a lot information about Kernel and Devices.

Describe the solution you'd like

disable-sys.inc include that disables files/dirs in /sys that are rarely needed by programs that do not interact with devices directly.
@rusty-snake rusty-snake added the enhancement New feature request label Oct 30, 2022
@topimiettinen
Copy link
Collaborator

For example serial numbers:

$ find /sys -xdev -iname '*serial' | wc -l
14

@rusty-snake
Copy link
Collaborator Author

firejail/src/firejail/fs.c

Lines 743 to 752 in d8a5f38

disable_file(BLACKLIST_FILE, "/sys/firmware");
disable_file(BLACKLIST_FILE, "/sys/hypervisor");
{ // allow user access to some directories in /sys/ by specifying 'noblacklist' option
profile_add("blacklist /sys/fs");
profile_add("blacklist /sys/module");
}
disable_file(BLACKLIST_FILE, "/sys/power");
disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");

Are already blacklisted, this leaves /sys/block, /sys/bus , /sys/class, /sys/dev, /sys/devices and /sys/kernel. nNevertheless blacklisting in /sys/fs and /sys/module is needed as well for programs that need parts of them.

@kmk3
Copy link
Collaborator

kmk3 commented Nov 4, 2022

@topimiettinen commented on Nov 1:

For example serial numbers:

$ find /sys -xdev -iname '*serial' | wc -l
14

Blocking this sounds good; how about adding something like
disable-hardware-ids.inc?

I'm not sure about the full extent of what /sys provides and what could be
broken by blocking things in it, but I think that hardware identifiers is a
fairly commonly known concept and that hardly any program would actually need
them (and so most profiles could probably safely block them).

As an example, it might be helpful to have access to MAC addresses in
Wireshark, but hardly so in web browsers.

@rusty-snake
Copy link
Collaborator Author

My Firefox runs fine with only
https://github.com/rusty-snake/kyst/blob/58264c8a67bad7c0f65bd860d2555787a57a080e/firejail/firefox.local#L16-L24
and I wouldn't say Firefox has low requirements.

@kmk3
Copy link
Collaborator

kmk3 commented Nov 4, 2022

@rusty-snake commented on Nov 4:

My Firefox runs fine with only
https://github.com/rusty-snake/kyst/blob/58264c8a67bad7c0f65bd860d2555787a57a080e/firejail/firefox.local#L16-L24
and I wouldn't say Firefox has low requirements.

That's good to know and to be clear I don't think that both options would be
mutually exclusive.

My point was more about the debuggability/visibility of it as a user.

If a program breaks because all/most of /sys is blocked and I don't know the
full scope of /sys and how legitimate is the program's need to access it, I
would first assume that the problem is in firejail blocking too much of /sys.
That is, it would more likely to result in ignore include disable-sys.inc.

If a program breaks specifically because it cannot access hardware
idenfitifers, that seems rather sketchy, so I'd be more inclined to try to
debug it and/or try to find an alternative program.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@topimiettinen @kmk3 @rusty-snake