allow empty --protocol= list #639
Comments
I'll bring a fix in this week, thanks!
I'm afraid I'm in the dark here (which is my fault) and I can't quite figure out what this would accomplish. Would Or would it deny access to any protocols? In which case, why use it? Wouldn't the absence of the protocol filter, in and of itself deny access to the filtered protocols? Or am I missing the point entirely? Like I said, I don't mean to indicate that I think this is a bad idea in any way; I just can't quite figure out what it does.
Hi @Fred-Barclay, by An empty protocol list means the application cannot use unix sockets, inet interfaces and so on. But it still has access to the filesystem, so it can be a perfectly fine CLI/terminal program. I guess @netblue30 will decide for naming.
Thanks @vn971
@Fred-Barclay I think it can be the whitelist/blacklist story that is confusing you. The It's probably because of the history of firejail and that it tries to be "simple" for end users, therefore favoring "blacklisting" instead of "whitelisting". So adding new directives makes the container boundaries stronger, and some of the directives are whitelist-like.
Aha, that does make more sense! Thanks, mate. In that case, might I suggest using the syntax
Yes, it will be --protocol=none, I'll have a fix in this week.
@netblue30 ping :)
I might try working on this, since I don't think it's in yet.
Oh right...I tried working on this a while back and couldn't really figure out how to safely do it... @netblue30 can you take care of this? 🙂
The only difference between I'd suggest to close where as wontfix as the difference is so small and the only use case I can see are cli programs which do not need any sockets. (In that case update pngquant.profile)
See netblue30#639. Thanks @rusty-snake in code review.
* Create qpdf.profile and redirects

  qpdf (CLI) provides PDF metadata cleaning. See privacy-handbuch.de[1] for details. The site offers pdf-meta-clean.sh[2], which works very well with firejailed qpdf.

  [1] https://www.privacy-handbuch.de/handbuch_43a.htm
  [2] https://www.privacy-handbuch.de/download/pdf-meta-clean.sh

* RELNOTES: add qpdf and redirects to new profiles section
* firecfg.config: add qpdf and redirects
* qpdf: use 'seccomp socket' instead of 'protocol unix'

  See #639. Thanks @rusty-snake in code review.
No functional changes. Relates to netblue30#639.
No functional changes. Relates to #639.
Could an empty protocol list be allowed for firejail?
Like this:
firejail --noprofile --protocol=
I think it may make sense in some scenarios. If it's not too difficult, please add such an ability?
(Sorry, I don't feel myself confident with C, therefore I can only raise issues & make some tests.. No code changes since I'd probably leak something or worse.)
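
One way to check from inside a sandbox which socket families a protocol filter like the one discussed in this thread actually leaves open. This is an added example, not part of the thread or of firejail's code; the script, its function names and the file name `probe.py` are hypothetical, and the family names are assumed to match firejail's `--protocol` values.

```python
import errno
import socket
import sys

# Names follow firejail's --protocol values; one (family, type) pair per name.
# getattr() keeps the script importable on platforms without netlink/packet.
FAMILIES = {
    "unix": (socket.AF_UNIX, socket.SOCK_STREAM),
    "inet": (socket.AF_INET, socket.SOCK_STREAM),
    "inet6": (socket.AF_INET6, socket.SOCK_STREAM),
    "netlink": (getattr(socket, "AF_NETLINK", None), socket.SOCK_RAW),
    "packet": (getattr(socket, "AF_PACKET", None), socket.SOCK_RAW),
}


def probe():
    """Try to create one socket per family; map name -> "ok" or errno name."""
    results = {}
    for name, (family, kind) in FAMILIES.items():
        if family is None:
            results[name] = "UNAVAILABLE"
            continue
        try:
            socket.socket(family, kind).close()
            results[name] = "ok"
        except OSError as exc:
            results[name] = errno.errorcode.get(exc.errno, str(exc.errno))
    return results


def violations(results, allowed):
    """Families that could be created although the policy does not list them.

    One-sided on purpose: a family may also fail for reasons unrelated to the
    filter (e.g. packet sockets without CAP_NET_RAW), which is not a leak.
    """
    return sorted(n for n, r in results.items() if r == "ok" and n not in allowed)


if __name__ == "__main__":
    # argv[1] is the expected policy, e.g. "unix,inet"; "" means no sockets.
    expected = {p for p in (sys.argv[1] if len(sys.argv) > 1 else "").split(",") if p}
    observed = probe()
    for name, outcome in observed.items():
        print(f"{name:8} {outcome}")
    leaks = violations(observed, expected)
    print("leaks:", ", ".join(leaks) or "none")
    sys.exit(1 if leaks else 0)
```

Run it as the sandboxed program, for example `firejail --noprofile --protocol=unix python3 probe.py unix`; a non-zero exit means a family outside the expected list could still be created.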