Profile requests #825

Open
netblue30 opened this Issue Oct 1, 2016 · 35 comments


@netblue30
Owner
netblue30 commented Oct 1, 2016 edited

Leave them on this thread, I'll bring them on top and strike them through when implemented.

Natron, Cinelerra, Inkscape, Gimp, LuminanceHDR, QpdfView, Synfigstudio, Otter browser, Calligra, Openshot, Scribus, Temaviewer, Blender, Google Earth, darktable, shotcut, Ricochet (https://ricochet.im/), Tbb (http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html), Wire (https://medium.com/wire-news/get-your-linux-on-999403a1a4fe#.fb99nx4uq), flowblade, VirtualBox, jmemorize, amarok, dragon (Dragon Player), kate, KTnef, KTorrent, Akregator, KRDC, discover, k3b, dolphin, ark, KWalletManager, skanlite, xpra, bleachbit, gedit, nautilus, xfburn, file-roller, gnome-books, gnome-photos, gnome-online-miners, gnome-sound-recorder, gnome-contacts, gnome-documents, gnome-weather, gnome-music, gnome-maps, brasero, goobox, gpa, simple-scan

@Laurent092
Laurent092 commented Oct 2, 2016 edited

Hi netblue,
TeamViewer is used sometimes to help some people, but I heard that there was some attack on it. Do you think it's possible to add a secure profile for this software?
Thanks,
Laurent.

@netblue30
Owner

Sure, give me a link to the project website.

@chiraag-nataraj
chiraag-nataraj commented Oct 2, 2016 edited

https://www.teamviewer.com/en/download/linux/
But there's a problem. I'm not exactly sure how Teamviewer verifies the daemon is running (probably looking for a process?), but when I launch Teamviewer within firejail (even with --noprofile), it fails to detect that the daemon is already running (hence my suspicion that it is looking for a process - the new PID namespace would preclude it from detecting the daemon).

[Edit] Yup, my suspicion was correct. The relevant code is in /opt/teamviewer/tv_bin/script/tvw_exec under the function IsDaemonRunning. It basically uses ps and grep to look for a process called teamviewerd. @netblue30, is there any way to selectively "pass through" processes from the global PID namespace into the local PID namespace? This would be the preferred way to fix this as teamviewerd is started as a system service.

@Laurent092

It would be great if you could find a solution. I am currently installing a Linux OS on a laptop for a friend and he asked me if I could install TeamViewer. I said yes if I can sandbox it!! And I think a lot of people will be interested in that, because they generally uninstall it after doing the maintenance because of security issues. Firejail could be the best solution for me and my future installations on some laptops ;)

@netblue30
Owner

@Laurent092, the default profile will work fine until we come up with a more restrictive one. The main security features such as seccomp and noroot are implemented in the default profile. Start the program as "firejail teamviewer" - I assume teamviewer is the name of the program.

@triceratops1

Could you add these profiles too?
1 Blender

2 Google Earth; Marble doesn't have some of Google Earth's features, and this is proprietary software

@chiraag-nataraj

@netblue30 The default profile does not work because of the reasons I specified. In fact, even using --noprofile does not work because firejail creates a PID namespace, leading Teamviewer to think the daemon has not been started. It then can't start the daemon because it doesn't have root privileges (it uses upstart/systemd/sysv/etc to start the daemon).

@Laurent092
Laurent092 commented Oct 3, 2016 edited

Hi netblue. I agree with chiraag. It doesn't work. The TeamViewer GUI launches a pop-up message that indicates the daemon is not running:

firejail teamviewer
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 2173, child pid 2174

Child process initialized

Init...
XRandRWait: No value set. Using default.
XRandRWait: Started by user.
Checking setup...
Launching TeamViewer ...
Starting network process (no daemon)
terminate called without an active exception
/opt/teamviewer/tv_bin/script/tvw_exec : ligne 95 : 113 Abandon "$TV_BIN_DIR/teamviewerd" -n -f
Network process already started (or error)
Launching TeamViewer GUI ...

parent is shutting down, bye...

@netblue30
Owner

Sorry, didn't see the description.

It cannot be sandboxed the normal way - the guy needs to become root and start daemons. That's bad, you are running a closed source executable as root!

@chiraag-nataraj

Do we have a way to poke holes in the PID namespace so that teamviewer recognizes that its daemon is running?

@chiraag-nataraj

@triceratops1 Blender is up on my repo. Give it a whirl!

@chiraag-nataraj
chiraag-nataraj commented Oct 4, 2016 edited

@netblue30, @triceratops1 I'm running into an interesting issue with Google Earth. If I run it within firejail, even with --noprofile, Google Earth fails to remove its lock file. That is, if I start it up again, it complains that it's already running. I'm going to look into workarounds for this issue, but your perspectives on it would be appreciated.

[Edit] Ah, okay, I think this makes more sense. When Google Earth runs, it creates a symlink to /proc/<PID>. I guess it's not able to remove the symlink afterwards for some reason - is this something that firejail prohibits?
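Both failures described in this thread come from the same place: the TeamViewer wrapper greps the process list for `teamviewerd`, and Google Earth's lock file is a symlink to `/proc/<PID>`. Inside firejail's PID namespace `/proc` shows only the sandboxed processes and PIDs are renumbered, so a host daemon is invisible and a sandbox PID means nothing outside. The following added example (not code from firejail, TeamViewer or Google Earth) reimplements both checks over a configurable `proc_root`; `make_fake_proc` builds a constructed stand-in for `/proc` so the behaviour can be exercised without real namespaces. The function and file names are assumptions made for the example.

```python
"""Two /proc-based checks that misbehave inside a fresh PID namespace.

proc_root defaults to the real /proc; the demo passes constructed
directory trees that mimic a host /proc and a sandbox /proc.
"""
import os
import shutil
import tempfile


def visible_processes(proc_root="/proc"):
    """Map pid -> command name for every numeric entry under proc_root."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                procs[int(entry)] = fh.read().strip()
        except OSError:
            continue  # process exited between listdir() and open()
    return procs


def daemon_visible(name, proc_root="/proc"):
    """The ps|grep style check: is a process called `name` visible from here?
    In a new PID namespace only the sandbox's own processes are listed."""
    return name in visible_processes(proc_root).values()


def lock_path(lock_dir):
    return os.path.join(lock_dir, "lock")


def lock_holder_alive(lock_dir):
    """A symlink lock is live while its /proc/<pid> target still exists.
    The PID inside the link is only meaningful in the namespace that wrote it."""
    link = lock_path(lock_dir)
    if not os.path.islink(link):
        return False
    return os.path.exists(link)  # follows the symlink; False once the pid is gone


def acquire_lock(lock_dir, pid, proc_root="/proc"):
    """Take the lock, replacing a stale one whose owner no longer exists."""
    link = lock_path(lock_dir)
    if os.path.islink(link):
        if lock_holder_alive(lock_dir):
            return False
        os.unlink(link)  # stale: the owner's /proc entry has disappeared
    os.symlink(os.path.join(proc_root, str(pid)), link)
    return True


def release_lock(lock_dir):
    link = lock_path(lock_dir)
    if os.path.islink(link):
        os.unlink(link)
        return True
    return False


def make_fake_proc(root, pids):
    """Constructed stand-in for /proc: one directory per pid holding a comm file."""
    for pid, comm in pids.items():
        entry = os.path.join(root, str(pid))
        os.makedirs(entry, exist_ok=True)
        with open(os.path.join(entry, "comm"), "w") as fh:
            fh.write(comm + "\n")
    return root


def demo():
    """Host /proc lists the daemon, the sandbox's does not; then a lock lifecycle."""
    with tempfile.TemporaryDirectory() as tmp:
        host_proc = make_fake_proc(os.path.join(tmp, "host_proc"),
                                   {1: "systemd", 812: "teamviewerd"})
        sandbox_proc = make_fake_proc(os.path.join(tmp, "sandbox_proc"),
                                      {1: "firejail", 7: "googleearth-bin"})
        home = os.path.join(tmp, "home")
        os.makedirs(home)
        results = {
            "host_sees_daemon": daemon_visible("teamviewerd", host_proc),
            "sandbox_sees_daemon": daemon_visible("teamviewerd", sandbox_proc),
            "first_acquire": acquire_lock(home, 7, sandbox_proc),
        }
        results["second_acquire"] = acquire_lock(home, 8, sandbox_proc)
        shutil.rmtree(os.path.join(sandbox_proc, "7"))  # pid 7 exits
        results["stale_after_exit"] = lock_holder_alive(home)
        results["reacquire"] = acquire_lock(home, 8, sandbox_proc)
        results["release"] = release_lock(home)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for a sandbox profile is that anything keyed on host PIDs (daemon detection, `/proc/<PID>` locks) has to be rethought rather than whitelisted: either the check runs outside the sandbox, or the application is given a stable state directory and its lock is cleaned up on exit, as the `--private` workaround below in the thread effectively does.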

@Laurent092

@chiraag-nataraj about googleearth,
I apply a workaround by using firejail --private googleearth. The lock file is always removed at the end of the session.

@chiraag-nataraj
chiraag-nataraj commented Oct 4, 2016 edited

@Laurent092 Yeah, that works. However, that means the config files aren't saved, which is theoretically annoying?

[Edit] For the record, this is actually false. It saves "My Places" and miscellaneous temporary information to that folder. Config actually goes in ~/.config/Google/. Still, you normally want to save places, so I had to work around this another way.

@Laurent092

I saw in the firejail man page that you have many choices for --private (bin, etc.).
Where is the lock file located?

@chiraag-nataraj
chiraag-nataraj commented Oct 4, 2016 edited

The lock file is located in ~/.googleearth, which is also the directory configuration files are stored in.

@Laurent092

firejail --blacklist=dirname_or_filename
    Blacklist directory or file.

    Example:
    $ firejail --blacklist=/sbin --blacklist=/usr/sbin
    $ firejail --blacklist=~/.mozilla
    $ firejail "--blacklist=/home/username/My Virtual Machines"

@chiraag-nataraj

Never mind, found a way around it 😃 I'll have a profile up soon

@chiraag-nataraj

Google Earth is up on my repo!

@triceratops1

We could add some extra profiles
1 Google Chrome (it's required if you need Flash), but Flash is VERY VULNERABLE, and you need to sandbox it

2 flowblade

@chiraag-nataraj
chiraag-nataraj commented Oct 8, 2016 edited

Huh, so here's an interesting thing about flowblade. If I run it within firejail, even with --noprofile, it hangs on the code after printing "Exiting app...". Even after adding additional statements to try to track down the problem, it seems to completely finish, even calling Gtk.main_quit(), so I'm not even sure what the problem is...
[Edit] I should note that this problem does not occur if I don't change anything and immediately exit.
[Edit2] Never mind. I found out it was rendering the audio of the file I imported.

@chiraag-nataraj
chiraag-nataraj commented Oct 8, 2016 edited

Added Flowblade to my repo! As for Google Chrome, I believe a profile already exists. And if you specifically want a stricter profile than the default, please open the issue on my project page rather than here, since it's easy to get confused 😃
[Edit] Added Google Chrome to my repo anyway 😉

@mimf
mimf commented Oct 11, 2016

Wire now has a Linux client (https://medium.com/wire-news/get-your-linux-on-999403a1a4fe#.fb99nx4uq)

Would be nice to have a default profile for it.

@denizakcal

Hello, netblue30. :)

Could you please add a profile for VirtualBox to the default Firejail installation (when you get the chance)?

@chiraag-nataraj

@denizakcal, check out my repo in the meantime :) I happen to have a profile for Virtualbox.

@netblue30
Owner

VirtualBox, flowblade and OpenShot done.

@denizakcal

@chiraag-nataraj: Sorry for the delay. Your temporary solution no longer seems necessary, but I appreciate it nonetheless, so thanks! :)

@netblue30: Thanks for the VirtualBox profile (included in the default Firejail installation)!

If it's not too much to ask, could you also make a profile (included in the default Firejail installation) for jMemorize ( https://sourceforge.net/projects/jmemorize/ )? Especially since it doesn't seem maintained anymore, which (I'm not a security expert, but) I believe makes it more of a security risk.

@netblue30
Owner

I added jmemorize to the list.

@denizakcal

Thanks. :)

@kesso
kesso commented Nov 17, 2016 edited

It would be nice to have profiles for the default kde and gnome applications and some others:

amarok, dragon (Dragon Player), kate, KTnef, KTorrent, Akregator, KRDC, discover, k3b, dolphin, ark, KWalletManager, skanlite, xpra, bleachbit, gedit, nautilus, xfburn, file-roller, gnome-books, gnome-photos, gnome-online-miners, gnome-sound-recorder, gnome-contacts, gnome-documents, gnome-weather, gnome-music, gnome-maps, brasero, goobox, gpa, simple-scan

@curiosity-seeker
Contributor
curiosity-seeker commented Nov 23, 2016 edited

The recently published vulnerabilities in Linux

https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html

make me wonder if it's possible to sandbox the various indexing tools (Tracker in Gnome, Baloo in KDE, ...) with Firejail as suggested by Chris Evans.

@valoq
Contributor
valoq commented Nov 28, 2016

There is already a profile for tracker, however the problem is that these are services that are started by systemd or via dbus by other applications and therefore firejail is not automatically applied.

It might be possible to have firejail sandbox those services but this needs a closer look.

@slicer69

I don't think anyone has mentioned the Qupzilla web browser yet. I put together a rough profile for Qupzilla in case anyone wants to expand on it. It is basically the Firefox profile with the config and cache paths changed and some unneeded permissions removed.

qupzilla.txt

@netblue30
Owner

I merged the QupZilla profile, thanks!

@mimf
mimf commented Dec 28, 2016

Profile requests:

@GSI GSI pushed a commit to GSI/firejail that referenced this issue Jan 20, 2017
GSI2017 added uzbl-browser.profile (refs #825) 9ab87bc