Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix sndio support #4365

Merged
merged 5 commits into from
Jul 1, 2021
Merged

Fix sndio support #4365

merged 5 commits into from
Jul 1, 2021

Conversation

nullenvk
Copy link
Contributor

This patch allows sandboxed programs to access a sndiod server and play audio on systems where sndio handles audio.

SkewedZeppelin
SkewedZeppelin requested changes Jun 19, 2021
View reviewed changes
Copy link
Collaborator

@SkewedZeppelin SkewedZeppelin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-1, don't add /tmp to this, will effectively apply private-tmp to all profiles using whitelist-common

@SkewedZeppelin
Copy link
Collaborator

This is likely something you should add to your locals.

rusty-snake
rusty-snake requested changes Jun 20, 2021
View reviewed changes
Copy link
Collaborator

@rusty-snake rusty-snake left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Move it into the common block (the first one)
  • Only whitelist in ${HOME} (if whitelist /tmp/sndio is necessary, we should add it to private-tmp)

@rusty-snake rusty-snake linked an issue Jun 20, 2021 that may be closed by this pull request
Firefox can't access sndio sound server #4362
Closed
7 tasks
@nullenvk
Copy link
Contributor Author 

* [ ]  Move it into the common block (the first one)

* [ ]  Only `whitelist` in `${HOME}` (if `whitelist /tmp/sndio` is necessary, we should add it to `private-tmp`)

I've removed that last line and moved the cookie whitelist into the common block. However, I'm not quite sure how to handle the /tmp/sndio directory. Usually it contains UNIX domain sockets (e.g. /tmp/sndio/sndio0) used to connect to the server.

@rusty-snake
Copy link
Collaborator

However, I'm not quite sure how to handle the /tmp/sndio directory. Usually it contains UNIX domain sockets (e.g. /tmp/sndio/sndio0) used to connect to the server.

I think a profile_add("whitelist /tmp/sndio"); in fs_private_tmp works

firejail/src/firejail/fs.c

Lines 1251 to 1299 in 447e30e

// this function is called from sandbox.c before blacklist/whitelist functions
void fs_private_tmp(void) {
EUID_ASSERT();
if (arg_debug)
printf("Generate private-tmp whitelist commands\n");
// check XAUTHORITY file, KDE keeps it under /tmp
const char *xauth = env_get("XAUTHORITY");
if (xauth) {
char *rp = realpath(xauth, NULL);
if (rp && strncmp(rp, "/tmp/", 5) == 0) {
char *cmd;
if (asprintf(&cmd, "whitelist %s", rp) == -1)
errExit("asprintf");
profile_check_line(cmd, 0, NULL);
profile_add(cmd); // profile_add does not duplicate the string
}
if (rp)
free(rp);
}
// whitelist x11 directory
profile_add("whitelist /tmp/.X11-unix");
// read-only x11 directory
profile_add("read-only /tmp/.X11-unix");
// whitelist any pulse* file in /tmp directory
// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
DIR *dir;
if (!(dir = opendir("/tmp"))) {
// sleep 2 seconds and try again
sleep(2);
if (!(dir = opendir("/tmp"))) {
return;
}
}
struct dirent *entry;
while ((entry = readdir(dir))) {
if (strncmp(entry->d_name, "pulse-", 6) == 0) {
char *cmd;
if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
errExit("asprintf");
profile_check_line(cmd, 0, NULL);
profile_add(cmd); // profile_add does not duplicate the string
}
}
closedir(dir);
}

@nullenvk
Copy link
Contributor Author

Done, now it works properly without any extra tweaking.

rusty-snake
rusty-snake reviewed Jun 20, 2021
View reviewed changes
Copy link
Collaborator

@rusty-snake rusty-snake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

src/firejail/fs.c Outdated Show resolved Hide resolved
@netblue30 netblue30 merged commit 9abc12b into netblue30:master Jul 1, 2021
@netblue30
Copy link
Owner

Thanks for the patch!

@kmk3 kmk3 added this to In progress in Release 0.9.68 via automation Jan 27, 2022
@kmk3 kmk3 moved this from In progress to To Document (RELNOTES/man) in Release 0.9.68 Jan 27, 2022
kmk3 added a commit that referenced this pull request Feb 3, 2022
@kmk3
RELNOTES: add more bugfixes
54d8d58 
Relates to #3958 #4362 #4365 #4476 #4578 #4579 #4583.
@kmk3 kmk3 moved this from To Document (RELNOTES/man) to Done (on RELNOTES) in Release 0.9.68 Feb 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rusty-snake rusty-snake rusty-snake approved these changes

@SkewedZeppelin SkewedZeppelin Awaiting requested review from SkewedZeppelin

Assignees
No one assigned
Labels
None yet
Projects
No open projects
Release 0.9.68
  
Done (on RELNOTES)
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Firefox can't access sndio sound server
4 participants
@nullenvk @SkewedZeppelin @rusty-snake @netblue30