New profiles: jami and postman #5691

Merged
merged 9 commits into from
Mar 15, 2023

Kobaxidze256
Contributor

No description provided.

mkdir ${HOME}/.config/Postman
whitelist ${HOME}/.config/Postman

#private-opt postman
Collaborator

If you've checked that the app is never installed to /opt, you can drop this line. If not, add it uncommented below private-etc for alphabetical ordering.

Contributor Author

It is installed, but I couldn't make it work with private-opt.

Collaborator

It is installed, but I couldn't make it work with private-opt.

I'm not familiar with this postman app so I can't be sure why you couldn't get it to work with private-opt. But when I look at postman.desktop that suggests there are 2 executables involved. The one in /usr/bin/postman is symlinked to the second, /opt/postman/Postman. Yet there's only postman in private-bin. Have you tried getting private-opt working by also adding Postman to private-bin? This case-sensitivity might just do it.

Collaborator

@glitsj16 glitsj16 left a comment

Thanks for these profiles! Some minor placement remarks.

@Kobaxidze256
Contributor Author

Sorry for the late feedback.

@Kobaxidze256 Kobaxidze256 requested review from kmk3 and removed request for glitsj16 March 8, 2023 10:39
Collaborator

@glitsj16 glitsj16 left a comment

Try private-opt again when adding Postman to private-bin (that's a capital P).

@Kobaxidze256
Contributor Author

Try private-opt again when adding Postman to private-bin (that's a capital P).

@glitsj16,

Error: no suitable /usr/bin/postman executable found
$ LC_ALL=C ls -lh /bin/postman /usr/bin/postman /opt/postman/Postman /opt/postman/app/Postman
lrwxrwxrwx 1 root root  20 Mar  9 19:00 /bin/postman -> /opt/postman/Postman
lrwxrwxrwx 1 root root  11 Mar  9 19:00 /opt/postman/Postman -> app/Postman
-rwxr-xr-x 1 root root 17K Mar  9 19:00 /opt/postman/app/Postman
lrwxrwxrwx 1 root root  20 Mar  9 19:00 /usr/bin/postman -> /opt/postman/Postman

@Kobaxidze256
Contributor Author

16,17c16,17
< #private-opt postman
< private-bin postman,electron,electron[0-9],electron[0-9][0-9],locale,sh
---
> private-opt postman
> private-bin Postman,postman,electron,electron[0-9],electron[0-9][0-9],locale,sh
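Review bot: in the new private-bin line, the lowercase postman entry sits directly after Postman and ahead of electron, while the rest of the list is alphabetical. Move it to its sorted position after locale, for example: private-bin Postman,electron,electron[0-9],electron[0-9][0-9],locale,postman,sh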

@Kobaxidze256
Contributor Author

@glitsj16
Collaborator

glitsj16 commented Mar 9, 2023

I've installed that AUR package and got a working profile. This is quite a large app, causing private-opt to hit firejail's file-copy-limit of 500MB. You can find that setting in /etc/firejail/firejail.config. I recommend against raising it, although it's possible. We had a similar thing with microsoft-edge in #5307 and opted to whitelist /opt/foo instead, which is nicer than draining RAM IMO.

Anyway, here's my working postman.profile:

$ cat /etc/firejail/postman.profile
# Firejail profile for postman
# Description: API testing platform
# This file is overwritten after every install/update
# Persistent local customizations
include postman.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/Postman
noblacklist ${HOME}/Postman

include allow-nodejs.inc

mkdir ${HOME}/.config/Postman
mkdir ${HOME}/Postman
whitelist ${HOME}/.config/Postman
whitelist ${HOME}/Postman
include whitelist-run-common.inc

protocol unix,inet,inet6,netlink

private-bin Postman,postman,electron,electron[0-9],electron[0-9][0-9],locale,node,sh
private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
# private-opt breaks file-copy-limit, use a whitelist instead of draining RAM
# https://github.com/netblue30/firejail/discussions/5307
#private-opt postman
whitelist /opt/postman

# Redirect
include electron-common.profile

As you can see it needed a few extra options, like allowing nodejs. I forgot we had a refactor of electron recently, the redirect should now go to electron-common.profile. You can test it further, I'm not familiar with postman but the basics seem to work fine now.
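
A pre-check for the file-copy-limit problem described in the comment above, as an added example that is not part of this PR or of firejail: it sums the size of an /opt tree and compares it with the limit read from firejail.config. The function names are hypothetical, and the `file-copy-limit <MB>` line format with a 500MB fallback is an assumption based on that comment.

```shell
#!/bin/sh
# Added example (not firejail code). Assumption: firejail.config stores the
# limit as "file-copy-limit <MB>"; a commented-out or missing line means the
# 500MB default mentioned in the comment above.

# Print the effective file-copy-limit in MB for a given config file.
copy_limit_mb() {
    limit=""
    if [ -r "$1" ]; then
        # The last uncommented "file-copy-limit N" line wins.
        limit=$(awk '$1 == "file-copy-limit" && $2 ~ /^[0-9]+$/ { v = $2 }
                     END { print v }' "$1")
    fi
    echo "${limit:-500}"
}

# Print the summed size in bytes of all regular files below a directory.
# Reading the data avoids du's block rounding and sparse-file effects.
tree_bytes() {
    find "$1" -type f -exec cat {} + 2>/dev/null | wc -c | tr -d ' '
}

# Print "private-opt" if the tree fits under the limit, else "whitelist".
opt_strategy() {
    limit_mb=$(copy_limit_mb "${2:-/etc/firejail/firejail.config}")
    bytes=$(tree_bytes "$1")
    echo "$1: $bytes bytes, limit ${limit_mb}MB" >&2
    if [ "$bytes" -gt $(( $limit_mb * 1024 * 1024 )) ]; then
        echo whitelist
    else
        echo private-opt
    fi
}

# Constructed demo: a 2MB tree checked against a config with a 1MB limit.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opt/app"
    dd if=/dev/zero of="$tmp/opt/app/blob" bs=1024 count=2048 2>/dev/null
    printf 'file-copy-limit 1\n' > "$tmp/firejail.config"
    opt_strategy "$tmp/opt" "$tmp/firejail.config"
    rm -rf "$tmp"
}

# With arguments: check a real directory, e.g. ./check.sh /opt/postman
if [ "$#" -ge 1 ]; then opt_strategy "$@"; else demo; fi
```

A result of `whitelist` means the tree is larger than the configured limit, which is the situation where the comment above whitelists /opt/postman rather than raising the limit.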

@Kobaxidze256
Contributor Author

Kobaxidze256 commented Mar 9, 2023

You can test it further.

I don't think I'm gonna be using Postman for a while. I wanted to contribute old working profiles.

@glitsj16
Collaborator

glitsj16 commented Mar 9, 2023

I don't think I'm gonna be using Postman for a while. I wanted to contribute old working profiles.

Understood. Firejail is an evolving project and it does take time to keep profiles in working order. No problem though, you're in control of the PR :)

Kobaxidze256 added a commit to Kobaxidze256/firejail that referenced this pull request Mar 15, 2023
@Kobaxidze256 Kobaxidze256 requested a review from kmk3 March 15, 2023 00:03
Collaborator

@glitsj16 glitsj16 left a comment

Fix private-bin sorting and we can bring this in.

@kmk3
Collaborator

kmk3 commented Mar 15, 2023

Conflicting files

src/firecfg/firecfg.config

@Kobaxidze256 Please rebase to the upstream master to fix the conflicts and
force-push.

Example (assuming that origin is netblue30/firejail):

git remote -v # check the remotes
git fetch origin
git rebase -i origin/master

Collaborator

@kmk3 kmk3 left a comment

Since there is also a capitalized Postman executable, add a redirect profile
for it:

etc/profile-m-z/Postman.profile:

# Firejail profile for Postman
# This file is overwritten after every install/update
# Persistent local customizations
include Postman.local
# Persistent global definitions
# added by included profile
#include globals.local

# Redirect
include postman.profile

Edit: Also, add Postman to firecfg.

Collaborator

@glitsj16 glitsj16 left a comment

Move Postman entry to respect case-sensitive ordering.

Collaborator

@glitsj16 glitsj16 left a comment

LGTM

Collaborator

@kmk3 kmk3 left a comment

LGTM.

@kmk3 kmk3 merged commit 58732a6 into netblue30:master Mar 15, 2023
@kmk3
Collaborator

kmk3 commented Mar 15, 2023

@glitsj16 on Mar 15:

Apologies for the bad suggestion.

No problem.

This file appears to use C/ASCII collation, so sort using that.

Interesting. If there's a way to use an easier sorting mechanism we should
look into that IMO.

The C/POSIX collation just uses the raw character values for sorting AFAIK.

And in ASCII all uppercase letters have a lower value than the lowercase letters:

$ ascii
|00 nul|01 soh|02 stx|03 etx|04 eot|05 enq|06 ack|07 bel|
|08 bs |09 ht |0a nl |0b vt |0c np |0d cr |0e so |0f si |
|10 dle|11 dc1|12 dc2|13 dc3|14 dc4|15 nak|16 syn|17 etb|
|18 can|19 em |1a sub|1b esc|1c fs |1d gs |1e rs |1f us |
|20 sp |21  ! |22  " |23  # |24  $ |25  % |26  & |27  ' |
|28  ( |29  ) |2a  * |2b  + |2c  , |2d  - |2e  . |2f  / |
|30  0 |31  1 |32  2 |33  3 |34  4 |35  5 |36  6 |37  7 |
|38  8 |39  9 |3a  : |3b  ; |3c  < |3d  = |3e  > |3f  ? |
|40  @ |41  A |42  B |43  C |44  D |45  E |46  F |47  G |
|48  H |49  I |4a  J |4b  K |4c  L |4d  M |4e  N |4f  O |
|50  P |51  Q |52  R |53  S |54  T |55  U |56  V |57  W |
|58  X |59  Y |5a  Z |5b  [ |5c  \ |5d  ] |5e  ^ |5f  _ |
|60  ` |61  a |62  b |63  c |64  d |65  e |66  f |67  g |
|68  h |69  i |6a  j |6b  k |6c  l |6d  m |6e  n |6f  o |
|70  p |71  q |72  r |73  s |74  t |75  u |76  v |77  w |
|78  x |79  y |7a  z |7b  { |7c  | |7d  } |7e  ~ |7f del|

So when sorting, the uppercase letters always come earlier, not just on the
first character.

Examples:

$ printf 'aaa\nBBB\nccc\n' | LC_ALL=C sort
BBB
aaa
ccc
$ printf 'Aaa\nAAa\n' | LC_ALL=C sort
AAa
Aaa
$ printf 'Aaa\nABa\n' | LC_ALL=C sort
ABa
Aaa

vim also does this when using the :sort command to sort lines.

Do you have a similar command in your editor?

If so, what is the result of sorting like in the examples?

@glitsj16
Collaborator

@kmk3 Excellent explanation, thanks. I've added a shortcut to my GUI editor (geany) and will check it in nano too now I have the rundown. Sorting is working exactly like in your examples. One less thing :)

@kmk3 kmk3 changed the title Add profiles for jami and postman New profiles: jami and postman Sep 7, 2024