Access PGP card from Firefox using GPG #4991
Comments
That's because of
Thanks for the reply.
My local changes to the profile:
Any reason to use Why all these unnecessary I've no real idea but does it work if you add
You mean, I should do
No change for gpg. Do you use systemd? Or another init like OpenRC? If so, with elogind or similar? OpenRC and elogind. I simplified the config, so I am now with
I also noticed that gnupg was updated last week, but there is no card status in firejail for both =app-crypt/gnupg-2.2.32-r1 and =app-crypt/gnupg-2.2.33-r1.
So I noticed that whitelist-run-common.inc, despite its name, disables a bunch of files and directories in /run. So when the include is commented out, I got GPG running. I am not sure what exactly is needed from /run yet. A question: Is there a configuration I can put in my firefox.local like: Thanks
That's indeed the correct syntax.
IMO you can keep whitelist-run-common.inc but you need to add a few things to your firefox.local:
Side-note. Our firefox.profile indeed has
Maybe that's what @rusty-snake was hinting at above. We might want to create something like
None of them are affected by wrc. But it probably makes sense anyway to add them.
It's always difficult because of whitelisting, private-bin, ...
That's what the name says ;)
@polcak What does
@rusty-snake All good arguments and ideas. I've added a few notes to my firejail-todo.md about 'allow-gpg.inc'. But in all honesty it's not high up, most of all because I don't have a yubikey or similar hw to do proper testing. Apologies to @polcak for side-tracking the issue.
@rusty-snake: I went back to using only
So I removed:
When I use:
and
The directory exists but cannot be accessed because it is owned by root:root (readable by root, no other permissions). If I include @glitsj16: I do not feel like the issue is side-tracked. The main issue is likely similar to users are confused how to enable GPG card in a built-in profile.
I meant outside the sandbox, can you post? Some of them will need a
If you have no
Signing/encrypting emails with a smartcard is also broken with claws mail. It used to work.
I was also trying to solve this to no avail. Resorted to removing librewolf's profile altogether for now. Does anyone know what may cause some directories to change owner from user to root/nobody? Adding I know that this has been discussed before, but has there ever been a solution? Here for example are described elaborate steps to make it work without explaining why - everyone's threat model is different so it would be good to have some explanation somewhere why
@rusty-snake this doesn't appear to be correct - some directories change to root owner permissions instead of user (in firefox or librewolf profiles)
That's how blacklisting is implemented. The path is read-only bind-mounted over with a file of the same type (dir, reg, sock, ...) that has
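To see which gnupg paths a sandbox has actually shadowed this way, here is an added example (not from the thread and not firejail's own code) that scans /proc/self/mountinfo text for read-only mounts under the paths gpg needs; the sample lines, the user name alice and uid 1000 are constructed:

```python
import re

# Firejail blacklists a path by bind-mounting a root-owned, read-only dummy
# of the same type over it, so inside the sandbox the path shows up in
# /proc/self/mountinfo as an extra mount carrying the 'ro' option.


def _unescape(field):
    # mountinfo escapes space, tab, newline and backslash as \ooo octal
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return (mount_point, option set) pairs from mountinfo text."""
    mounts = []
    for line in text.splitlines():
        left = line.partition(" - ")[0].split()
        if len(left) < 6:
            continue  # blank or malformed line
        mounts.append((_unescape(left[4]), set(left[5].split(","))))
    return mounts


def _under(path, root):
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def blacklisted_under(text, roots):
    """Mount points under any root that are mounted read-only (blacklist shadows)."""
    return sorted(mp for mp, opts in parse_mountinfo(text)
                  if "ro" in opts and any(_under(mp, r) for r in roots))


# Constructed sample: ~/.gnupg and the agent socket dir are shadowed
# read-only, /run/user/1000 itself and a dir with a space stay writable.
SAMPLE_MOUNTINFO = """\
25 1 0:5 / / rw,relatime - ext4 /dev/sda1 rw
40 25 0:24 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw
41 40 0:24 /empty /run/user/1000/gnupg ro,nosuid,nodev,relatime - tmpfs tmpfs rw
42 25 0:5 /empty /home/alice/.gnupg ro,relatime - ext4 /dev/sda1 rw
43 25 0:5 /d /home/alice/My\\040Docs rw,relatime - ext4 /dev/sda1 rw
"""

GNUPG_ROOTS = ["/home/alice/.gnupg", "/run/user/1000/gnupg"]

if __name__ == "__main__":
    for path in blacklisted_under(SAMPLE_MOUNTINFO, GNUPG_ROOTS):
        print("read-only mount over", path)
```

Inside a real sandbox, feed it open("/proc/self/mountinfo").read() and your own home and /run/user/UID paths; an empty result means nothing in those trees is shadowed by a blacklist mount.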
thank you for explaining, that makes sense, but in that case I don't know why adding both whitelist and noblacklist options still causes that directory to be blacklisted (owned by root):
Is there anything else that may blacklist gnupg? I've been grepping through all files in |
Just stumbled upon this and found the following option in the Manpage of
Adding this option to the profile solves it for me.
Description
This is very likely a duplicate of #4107 or both bugs have the same root. I originally used Gentoo sys-apps/firejail-0.9.64.4 and recently updated to sys-apps/firejail-0.9.68. My gpg card used to work in Firefox with local profile. It does not work anymore (very likely after the update, let me know if I should check).
Steps to Reproduce
Steps to reproduce the behavior
firejail --profile=firefox bash
gpg --card-status
Expected behavior
I see details about my card.
Actual behavior
Behavior without a profile
What changed calling LC_ALL=C firejail --noprofile gpg --card-status in a terminal? I see details about my card.
Additional context
I tried to noblacklist and whitelist GPG commands listed by equery -C f app-crypt/gnupg. I added "ignore private-dev" to the local profile. I added 'ignore nou2f' suggested by keepassxc.profile (see also below). I can see devices in /dev/ in the firefox profile but all are owned by nobody:nobody. Host /dev/usb/hiddev[0-9] as well as /dev/hidraw[0-9] devices are crw------- 1 root:root. I guess that there needs to be additional file accessible to the user.
Environment
Checklist
Running the program by path (e.g. /usr/bin/vlc) "fixes" it: I can operate the GPG card outside the sandbox.
https://github.com/netblue30/firejail/issues/1139
browser-allow-drm yes / browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers: DRM is irrelevant in this case. I am trying to make a PGP card work, not U2F, so that is also irrelevant, but to be safe I tried adding "ignore nou2f" as mentioned above.
--profile=PROFILENAME to set the right profile (only relevant for AppImages): I am trying to access the PGP card from Firefox, so I am trying the firefox profile.
Log
Output of LC_ALL=C firejail gpg --card-status