Question: ‘program.local’ ‘global.local’ and ‘program.profile’? #1510

Closed
Irvinehimself opened this issue Aug 31, 2017 · 3 comments

Comments

@Irvinehimself
Contributor

I would like to enable ‘apparmor’ and disable the internet, (protocol unix’[?],) globally, yet selectively disable ‘apparmor’ and/or enable the internet on a per program basis.

Can this be done by using an appropriate combination of ‘global.local’ and ‘program.local’ profiles?

For example, a neat/tidy solution would be something like:

global.local: {enable apparmor, disable internet connectivity}

protocol unix
apparmor

program.local: {selectively enable internet connectivity}

protocol unix,inet,inet6,netlink

Further, if the above did in fact work!!!, would it be possible to selectively disable apparmor in the ‘program.local’ profile?

A less neat solution, (if the ‘program.local’ setting overrides the profile setting,) would be to run the following bash and edit the created '.local' files as needed:

#!/bin/bash
# Create a program.local beside every program.profile in /etc/firejail and
# append the restrictions that should apply by default.

for profile in /etc/firejail/*.profile; do
    [ -e "$profile" ] || continue          # no profiles: the glob stays literal
    local_file="${profile%.profile}.local"  # program.profile -> program.local
    echo "apparmor" >> "$local_file"
    echo "protocol unix" >> "$local_file"
done

I would be grateful to hear your thoughts

Irvine

@Ferroin
Contributor

Ferroin commented Aug 31, 2017

There are better, more reliable, and more well documented methods of achieving what you want on the networking side. Take a look at the iptables documentation; you can achieve similar things with at least the 'owner' match or the 'cgroup' match, and possibly other ways too. Alternatively, don't configure the network in the main network namespace, then configure it explicitly in dedicated namespaces.

As far as whether or not any of this is possible with Firejail, I'd be willing to bet the answer is probably no, as making this possible would provide a trivial method of escaping the isolation firejail provides.

@ghost

ghost commented Aug 31, 2017

You can disable apparmor by adding an 'ignore apparmor' line in program.local.
program.local is loaded first, so it takes precedence over global.local and program.profile.
You can use 'net none' instead of 'protocol unix' (disable it with 'ignore net'), which is stronger but can break more things.
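As an added example, not part of the issue thread and not firejail's own code, the script below models the layering the comment above describes: program.local is read first, then program.profile, then the global override file, and an 'ignore X' line suppresses every later directive whose keyword is X. It is a simplified model of the thread's description rather than firejail's real parser (no 'include', no 'quiet'), and it works in a temporary directory standing in for /etc/firejail so nothing system-wide is touched. Note that firejail's actual global override file is named globals.local, which the script uses; the 'browser' and 'viewer' profiles and their contents are constructed sample data.

```shell
#!/bin/bash
# Added example: model the precedence of program.local > program.profile >
# globals.local with `ignore` suppressing later directives. Assumption: this
# follows the thread's description, not firejail's actual implementation.
set -eu

CFG="$(mktemp -d)"            # stand-in for /etc/firejail (constructed)
trap 'rm -rf "$CFG"' EXIT

# Constructed sample files mirroring the layout proposed in the issue.
printf '%s\n' 'apparmor' 'protocol unix' > "$CFG/globals.local"
printf '%s\n' 'noroot' 'caps.drop all' > "$CFG/viewer.profile"
printf '%s\n' 'noroot' 'caps.drop all' > "$CFG/browser.profile"
printf '%s\n' 'ignore apparmor' 'protocol unix,inet,inet6,netlink' > "$CFG/browser.local"

# effective_policy PROGRAM -> prints the directives that survive layering,
# one per line, in load order. For a repeated keyword the first (highest
# precedence) occurrence wins; keywords named by an earlier `ignore` are dropped.
effective_policy() {
    prog="$1"
    ignored=" "
    seen=" "
    for f in "$CFG/$prog.local" "$CFG/$prog.profile" "$CFG/globals.local"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac   # skip blanks/comments
            key="${line%% *}"                           # first word = directive
            if [ "$key" = "ignore" ]; then
                ignored="$ignored${line#ignore } "
                continue
            fi
            case "$ignored" in *" $key "*) continue ;; esac
            case "$seen" in *" $key "*) continue ;; esac
            seen="$seen$key "
            printf '%s\n' "$line"
        done < "$f"
    done
}

# has_network PROGRAM -> succeeds if the effective `protocol` line allows inet,
# i.e. the program has been selectively given network access.
has_network() {
    effective_policy "$1" | grep -q '^protocol .*inet'
}

# Audit: which sandboxed programs end up with apparmor off or network on?
for p in viewer browser; do
    printf '== %s ==\n' "$p"
    effective_policy "$p"
done
```

Running it shows 'viewer' inheriting apparmor and 'protocol unix' from globals.local, while 'browser' has apparmor suppressed and the wider protocol list from its .local file. The audit loop at the end is the part a defender wants to keep: after editing .local files, list the effective policy per program rather than trusting the intended layering.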

@Irvinehimself
Contributor Author

Thank you for a very complete answer. The order of precedence combined with the 'ignore' flag is exactly what I have been trying to figure out.

When I read the manual, I noted the 'ignore' flag's existence, but then lost the reference. Similarly, WRT the 'net' flag, the manual, (which in retrospect was obviously referring to the .desktop launcher,) suggested 'net=none'. When I tried to put that into a profile, it crashed!
