
Closed, Resolved (Public)


Someone else would have a better idea how to test this, but I've built it and attempted to make the default profiles stateless.

Related Objects

Resolved ikey
Resolved ikey

Event Timeline

Not really sure the need for firejail if I'm honest. If we're providing software, there is implied trust in it, otherwise we would be providing it. I would be interested in seeing what third-party software users need that we don't provide, that they are required to obtain via untrusted sources.

That being said, onto the review:

  1. gcc isn't needed as a builddep, since that is in system.devel.
  2. Not sure how this is stateless. While yes, we now put the configs in a vendor directory, unless firejail is also capable of reading from /etc/ and not just the vendor dir, then it isn't stateless. See Clear Linux doc.

The patch itself looks good. I just question the necessity of said software.

Ugh. Yeah so gcc is there because I don't like retyping builddeps and I forgot to delete it. Let me take a closer look at the stateless side of things. From what I've seen so far, primary config stuff comes from whatever you set sysconfdir to for the install. The rest of it normally comes from ~/.config/firejail which actually overrides any of the files in sysconfdir. However, if they can check two directories, they can check three. Not sure if it's worth all the patching we would need to do.

I generally agree that software should be coming from us through the repos or Third-Party. But I also see the case where people get it from elsewhere and don't know whether to trust the source or not. Maybe Clear has a stateless alternative to this? Any thoughts @ikey?

DataDrake closed this task as Wontfix. Oct 28 2016, 7:29 PM
DataDrake claimed this task.
ikey reopened this task as Open. Nov 27 2016, 6:35 PM
ikey claimed this task.


BRM added a subscriber: BRM. Nov 27 2016, 6:48 PM

@JoshStrobl it's not a matter of trust, it helps mitigate 0-days.

In August 2015, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to the attacker’s server. The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home. More advanced sandbox configurations blocked everything else.

ikey closed this task as Resolved. Nov 27 2016, 7:15 PM

Firejail landed in

Stateless patch:

We should probably look at working with the firejail devs to get this cleaned up and included