Someone else would have a better idea how to test this, but I've built it and attempted to make the default profiles stateless.
Not really sure of the need for firejail if I'm honest. If we're providing software, there is implied trust in it, otherwise we wouldn't be providing it. I would be interested in seeing what third-party software users need that we don't provide, that they are required to obtain via untrusted sources.
That being said, onto the review:
- gcc isn't needed as a builddep, since that is in system.devel.
- Not sure how this is stateless. While yes, we now put the configs in a vendor directory, unless firejail is also capable of reading from /etc/ and not just the vendor dir, it isn't stateless. See Clear Linux doc.
The patch itself looks good. I just question the necessity of said software.
Ugh. Yeah so gcc is there because I don't like retyping builddeps and I forgot to delete it. Let me take a closer look at the stateless side of things. From what I've seen so far, primary config stuff comes from whatever you set sysconfdir to for the install. The rest of it normally comes from ~/.config/firejail which actually overrides any of the files in sysconfdir. However, if they can check two directories, they can check three. Not sure if it's worth all the patching we would need to do.
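The three-directory lookup sketched above, as an added example that is not code from the firejail project or the Solus package: a per-user config overrides an admin directory under /etc, which in turn overrides a read-only vendor directory, plus a helper that flags /etc copies identical to the vendor default (leftover state that would only shadow future vendor updates). The directory paths and helper names are assumptions for illustration, not firejail's real search order.

```shell
#!/bin/sh
# Added example (not firejail's own code). Precedence, highest first:
#   user config  > admin overrides in /etc  > read-only vendor defaults
# The paths below are assumptions; override them via the environment.
: "${FJ_USER_DIR:=$HOME/.config/firejail}"
: "${FJ_ETC_DIR:=/etc/firejail}"
: "${FJ_VENDOR_DIR:=/usr/share/defaults/firejail}"

# resolve_profile NAME: print the path of the highest-precedence NAME.profile,
# or return 1 if no tier provides one.
resolve_profile() {
    for dir in "$FJ_USER_DIR" "$FJ_ETC_DIR" "$FJ_VENDOR_DIR"; do
        if [ -f "$dir/$1.profile" ]; then
            printf '%s\n' "$dir/$1.profile"
            return 0
        fi
    done
    return 1
}

# redundant_overrides: list profiles in the /etc tier that are byte-identical
# to the vendor copy. These are not real admin customisations, just state that
# would pin the old content once the vendor package ships an updated profile.
redundant_overrides() {
    [ -d "$FJ_ETC_DIR" ] || return 0
    for f in "$FJ_ETC_DIR"/*.profile; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -f "$FJ_VENDOR_DIR/$name" ] && cmp -s "$f" "$FJ_VENDOR_DIR/$name"; then
            printf '%s\n' "$name"
        fi
    done
}
```

Run `redundant_overrides` from a packaging check to confirm the /etc tier holds only deliberate local changes.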
I generally agree that software should be coming from us through the repos or Third-Party. But I also see the case where people get it from elsewhere and don't know whether to trust the source or not. Maybe Clear has a stateless alternative to this? Any thoughts @ikey?
In August 2015, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to the attacker’s server. The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home. More advanced sandbox configurations blocked everything else.
Firejail landed in https://git.solus-project.com/packages/firejail/commit/?h=firejail-0.9.44-2
We should probably look at working with the firejail devs to get this cleaned up and included