Overhaul of Profiles #793
Comments
|
+1 for anything that streamlines the profiles. I've gotten to the point where I've just created my own profiles for every program that I use since I'm never sure exactly what's being blocked by which profile and it's usually easier to whitelist rather than blacklist (as the default profiles do). |
|
This is very cool! How difficult would be to port the code to C or C++ and merge it in firecfg utility (src/firecfg directory)? We can make it part of the build, and also let the user generate an xml file with all the configuration and later move it to a different computer. |
|
I could give it a go and port to C++, do you have a specific XML parser in mind? As for merging it into firecfg, shouldn't it be along side? My goal was that people should stop making .profiles (because they don't update disable-programs.inc) and instead update the .xml. So the .XML gets bundled with firejail and when they 'make' the project, a standalone program converts the .XML into the .profiles (streamlined in the build process) to be packaged. The end goal is to have firejail directly support the .XML and stop using .profiles. In the mean time the generator program is a stop-gap. And after/before that I was thinking about making a (foss) website that list all the currently available profiles and lets users create their own and request changes to existing ones. It'll also allow users to report whether or not they work, which would help declutter the Github issues page of firejail. So that more users can have more firejailed applications. Obviously those are major changes and this is your project, so what are your thoughts? |
|
Sure, make it standalone C++ and look at tinyxml2 (http://www.grinninglizard.com/tinyxml2/). It is available probably in all distributions, if not, it is small enough to include a copy of it in the program. For the next release we can just run it on all profiles in etc/firejail directory during the build and clean them up. In the phase 2 we distribute only the xml file and generate the profiles at install time, or we can go with xml support directly in firejail. |
|
Hi, I'm using firejail for almost (if it's not all) my app but I have a different approch and not sure if it's the right/best way to tight them I'm making for each of then a small script bash, most of them end like this :
Any comment about this way of use ? Thanks |
|
@Anyon3 afaik you can't use symlink invocation without using the .profiles. Also assuming you didn't know about that feature here is a link to the post about it (tl;dr 'sudo ln -s /usr/bin/firejail /usr/local/bin/[app you want to sanbox]'), so you can launch your apps using normal .desktop files instead of a bunch of bash scripts. But I see you're setting some extra flags anyway, you know what works best for you. |
|
Thanks for the tips I'm using fluxbox as wm and have no icons in my desktop, every bash script are registered in the menu (.fluxbox/menu), some of them actually use the default (when --noprofile isn't use) Is there any gain of security to symlink invocation or, as showed in my example (in line), it can get the same feature/level of restriction ? |
|
@Anyon3 Nope same security. |
So profiles right now are a mess, they're all in different formats by different people and profiles get added without disable-programs.inc getting updated. So I made a program that handles all programs in a streamlined XML file and then generates .profiles from that. I have manually rewritten all current profiles into said XML, and the generator spits out nice and tidy .profiles. I plan on making a pull request soon that replaces all the old profiles with the new ones. But I'd like some people to take a look over to make sure I didn't forget anything too major. A few profiles were also added and some were made more strict.
Links:
Repository
XML
Profiles
Program
Help Test
The text was updated successfully, but these errors were encountered: