-
Notifications
You must be signed in to change notification settings - Fork 557
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add profiles for build-systems (/package-managers) #4519
Conversation
Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip All redirect to build-systems-common.profile Other fixes: - blacklist ${HOME}/.bundle - blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo - blacklist /usr/lib64/ruby
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While language-specific package managers tend to live in their own world,
general-purpose build-systems usually try to integrate with the system, and so
I'd expect more breakage from such profiles.
I'd make a separate PR for make, as it is very general purpose and another for
cmake/meson, as they are similar to autoconf, in the sense that they can be
used to run arbitrary commands to test for and configure things. If many
people end up using firejail with these tools, I'd expect more corner cases
than usual to be found (i.e.: compared to programs not related to development),
so being able to reference separate PRs on issues could help gauge the results
with timeline events.
include disable-X11.inc | ||
include disable-xdg.inc | ||
|
||
whitelist ${HOME}/Projects |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Considering that there is no standard path for this, if the includers of
build-systems-common.profile are ever enabled by default, I'd wager that there
would be many issues opened due to the whitelist above. I suppose that we
could at least add comments like:
# Note: Be sure to whitelist your own development project directories:
#whitelist ${HOME}/YOUR_PROJECT_DIR
This is kind of similar to what was added to npm.profile on #3866:
# If you want whitelisting, change the line below to your npm projects directory # and uncomment the lines below. [...] #whitelist ${HOME}/Projects
Which was later changed to the following on #3876:
# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory # and uncomment the lines below. [...] #whitelist ${HOME}/Projects
(And which now lives on nodejs-common.profile since #4255)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMHO we must not ever sandbox build-systems by default as they can require anything.
I don't even sandbox IDEs. The profile are very weak / must be weak (full D-Bus, no whitelisting, minimal blacklisting, ...) the win is very low to nothing but the sandbox regularly breaks things will developing and since nesting isn't supported you can not sandbox the things which really need sandboxing in a tight profile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am in favour of changing this to make the whitelisting opt-in just as in nodejs-common.profile
, and I think nodejs-common.profile
should be refactored as part of this set of changes in the same way cargo.profile
profile has been.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My idea was that since you already need to type firejail meson compile -C _builddir
(for example), using firejail --whitelist=~/my_project_dir meson compile -C _builddir
isn't much more complicated. Anyway, will make whitelisting opt-in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Anyway, will make whitelisting opt-in.
Thanks. Can you still put a comment above it noting that it's intended to be
changed?
It's not clear to me that it's supposed to be user-customized; I think that the
path could be easily mistaken as something related to a build system.
I think it would be nice to eventually have bundler on firecfg.config (I had Since I considered these doable (more than for make at least) and since it
Same as above. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many whitelist stuff is not needed and there are no descriptions how this general profile should be used for the important use cases.
|
||
blacklist ${RUNUSER} | ||
|
||
include disable-common.inc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1 sentence above this block to briefly describe overwrites in profiles.
shell none | ||
tracelog | ||
|
||
disable-mnt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also here: 1 sentence above this block to briefly describe overwrites in profiles.
# Allow /bin/sh (blacklisted by disable-shell.inc) | ||
include allow-bin-sh.inc | ||
|
||
# Allows files commonly used by IDEs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
build systems may be lang-specific or lang-generalizing. Please improve this comment here.
# added by caller profile | ||
#include globals.local | ||
|
||
ignore noexec ${HOME} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where is noexec used in build system that makes this necessary? A comment line could clarify.
#include whitelist-common.inc | ||
|
||
whitelist /usr/share/pkgconfig | ||
include whitelist-run-common.inc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is access to /run files like cups, dbus needed? We only want to fetch and build stuff.
|
||
whitelist /usr/share/pkgconfig | ||
include whitelist-run-common.inc | ||
include whitelist-usr-share-common.inc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is stuff like /usr/share/vulkan x11 etc whitelisted? We only want to fetch and build stuff.
whitelist /usr/share/pkgconfig | ||
include whitelist-run-common.inc | ||
include whitelist-usr-share-common.inc | ||
include whitelist-var-common.inc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Simplified speaking /var
is logging for system files, which should not get lost. Build logs are not part of that. Remove that line?
@@ -0,0 +1,66 @@ | |||
# Firejail profile for build-systems-common |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add the line Description:
with Usage information. Especially if this profile should be loaded first or last.
Adapt the whitelist/blacklist accordingly.
Bear in mind that users may want to use the non-system package manager also for projects in $HOME and drop an additional sentence what needs to change for that.
merged! |
Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip
All redirect to build-systems-common.profile
Other fixes:
You can now
firejail make
firejail 馃槅.