Add a profile for Flatseal #4724

Merged 1 commit, Dec 6, 2021

WhyNotHugo (Contributor)

Flatseal is a GUI tool to configure permissions for Flatpak applications.

This restricts permissions as much as possible without affecting functionality.

etc/profile-a-l/com.github.tchx84.Flatseal.profile: 7 review comments (outdated, resolved)

WhyNotHugo force-pushed the flatseal branch 4 times, most recently from b344dea to e17dd7c, November 29, 2021 22:59

WhyNotHugo (Contributor Author) left a comment
I've updated based on most feedback.

Is there any way to, given a specific profile, make a list of all resulting whitelisted paths and permissions?

Rather than an overview of what's restricted, I'd kind of want to see just what's being allowed.

netblue30 (Owner) commented Nov 30, 2021

> Is there any way to, given a specific profile, make a list of all resulting whitelisted paths and permissions?

I put in this morning a tool (profstats) to print whitelists/blacklists and several stats for profiles. It gets installed by default in the /etc/firejail directory. As a regular user, go in /etc/firejail and start it:

```
$ cd /etc/firejail
$ ./profstats --print-whitelist firefox.profile
firefox.profile: whitelist ${HOME}/.cache/mozilla/firefox
firefox.profile: whitelist ${HOME}/.mozilla
firefox.profile: whitelist /usr/share/doc
firefox.profile: whitelist /usr/share/firefox
firefox.profile: whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
firefox.profile: whitelist /usr/share/gtk-doc/html
firefox.profile: whitelist /usr/share/mozilla
firefox.profile: whitelist /usr/share/webext
firefox.profile: whitelist ${RUNUSER}/*firefox*
firefox-common.profile: whitelist ${DOWNLOADS}
firefox-common.profile: whitelist ${HOME}/.pki
firefox-common.profile: whitelist ${HOME}/.local/share/pki
whitelist-run-common.inc: whitelist /run/NetworkManager/resolv.conf
whitelist-run-common.inc: whitelist /run/cups/cups.sock
whitelist-run-common.inc: whitelist /run/dbus/system_bus_socket
whitelist-run-common.inc: whitelist /run/media
whitelist-run-common.inc: whitelist /run/resolvconf/resolv.conf
whitelist-run-common.inc: whitelist /run/shm
whitelist-run-common.inc: whitelist /run/systemd/journal/dev-log
whitelist-run-common.inc: whitelist /run/systemd/journal/socket
whitelist-run-common.inc: whitelist /run/systemd/resolve/resolv.conf
whitelist-run-common.inc: whitelist /run/systemd/resolve/stub-resolv.conf
whitelist-run-common.inc: whitelist /run/udev/data
```

For blacklists use --print-blacklists

rusty-snake (Collaborator) left a comment

Forgotten to submit.

etc/profile-a-l/com.github.tchx84.Flatseal.profile: 3 review comments (outdated, resolved)
rusty-snake (Collaborator) commented Nov 30, 2021

> Is there any way to, given a specific profile, make a list of all resulting whitelisted paths and permissions?

Permissions is not a concretely defined concept in firejail, it's only used in an abstract way.
Regarding whitelisted paths, I think `fjp generate-standalone gnome-2048.profile | grep "^whitelist" | cut -d" " -f2 | sort -u` is the easiest, but with official tools IDK. Edit: see netblue30's comment.
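
An added example, not part of the thread and not the code of profstats or fjp: a minimal Python walker that produces the same kind of "what is allowed" listing by following `include` lines and collecting `whitelist` lines with their source file. It assumes includes resolve inside a single configuration directory and that a missing include is skipped; `app.profile`, `app-common.profile` and `app.local` are hypothetical names written to a temporary directory as constructed samples.

```python
import os
import tempfile

def list_whitelist(profile, cfg_dir, seen=None):
    """Return (source_file, path) pairs for each whitelist line reachable
    from `profile`, following include directives in file order."""
    seen = set() if seen is None else seen
    full = os.path.join(cfg_dir, profile)
    # Assumption: a file is read once, and missing includes (for example
    # an absent *.local override) are skipped.
    if profile in seen or not os.path.isfile(full):
        return []
    seen.add(profile)
    found = []
    with open(full) as fh:
        for raw in fh:
            parts = raw.strip().split(None, 1)
            if len(parts) != 2 or parts[0].startswith("#"):
                continue  # blank line, comment, or directive without argument
            directive, arg = parts[0], parts[1].strip()
            if directive == "whitelist":
                found.append((profile, arg))
            elif directive == "include":
                found.extend(list_whitelist(arg, cfg_dir, seen))
    return found

# Constructed sample files; the app* names are hypothetical.
SAMPLE = {
    "app.profile": "# constructed sample\ninclude app.local\n"
                   "whitelist ${HOME}/.config/app\ninclude app-common.profile\n",
    "app-common.profile": "whitelist ${DOWNLOADS}\nblacklist /mnt\n"
                          "include whitelist-run-common.inc\ninclude app.profile\n",
    "whitelist-run-common.inc": "whitelist /run/shm\nwhitelist /run/udev/data\n",
}

def demo():
    """Write the sample files to a temporary directory and walk them."""
    with tempfile.TemporaryDirectory() as cfg_dir:
        for name, text in SAMPLE.items():
            with open(os.path.join(cfg_dir, name), "w") as fh:
                fh.write(text)
        return list_whitelist("app.profile", cfg_dir)

if __name__ == "__main__":
    for src, path in demo():
        print(f"{src}: whitelist {path}")
```

The walker only reports `whitelist` lines as written; it does not expand `${HOME}`-style macros or evaluate any other directive that may change the final sandbox.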

glitsj16 (Collaborator)

> For blacklists use --print-blacklists

Correction for #4724 (comment): the flag is --print-blacklist (singular)

glitsj16 (Collaborator) left a comment

LGTM. Can be merged when requested change by @rusty-snake is resolved.

WhyNotHugo force-pushed the flatseal branch 3 times, most recently from e934079 to 79bb081, December 3, 2021 16:35

rusty-snake dismissed their stale review, December 3, 2021 17:10

All blocking comments are resolved. Only nice to have comments left.

WhyNotHugo force-pushed the flatseal branch 2 times, most recently from 3ecdf60 to 80776ae, December 3, 2021 17:37
WhyNotHugo (Contributor Author)

I think all comments have been addressed, but lemme know if I've missed anything.

kmk3 (Collaborator) left a comment

LGTM.

WhyNotHugo (Contributor Author)

Anything blocking this merge?

rusty-snake merged commit 9b1daa6 into netblue30:master, Dec 6, 2021

rusty-snake (Collaborator)

No.

Merged, thanks.

WhyNotHugo deleted the flatseal branch, December 7, 2021 19:28

kmk3 added this to To Document (RELNOTES/man) in Release 0.9.68, Feb 6, 2022

kmk3 added a commit that referenced this pull request, Feb 6, 2022

kmk3 moved this from To Document (RELNOTES/man) to Done (on RELNOTES) in Release 0.9.68, Feb 6, 2022