Fred Barclay wrote: One challenge right now is time. Converting profiles that are overly-complicated but do work to whitelist-only profiles will take a lot of testing time.
I'm not disputing it will take time or that the profiles can be a puzzle to untangle.
Thanks for having a look.
If I'm right, and I guess from your response there is a chance of that, at least the profiles that include the file disable-programs.inc and have a whitelist rule are easy to convert. Because the blacklist rules in the file disable-programs.inc don't do anything — those are all for directories in the home directory and because the profile already has a whitelist rule those directories were already effectively blacklisted.
Converting is as simple as removing the disable-programs.inc include and changing all the noblacklist rules in the profile to whitelist rules (as the noblacklist rule was there to override the blacklist rule in the inc file). That can be scripted.
I'm happy to help on this.
This finds all the profiles that can be safely converted:
Code:
comm -12 <(grep -l "^include /etc/firejail/disable-programs.inc" /etc/firejail/*.profile) <(grep -l "^whitelist " /etc/firejail/*.profile)
Because any profile that has a whitelist rule already blacklists everything else in the home directory. So additional blacklist rules on the home directory don't do anything. So any profile that includes the disable-programs.inc file
and has a whitelist rule doesn't need blacklist rules for the home directory. Just convert the noblacklist rules in the profile to whitelist rules and it should be the same files and directories in the home directory that are visible in the sandbox.
Here's the list of files from the above command, which I think can be converted:
Code:
/etc/firejail/0ad.profile
/etc/firejail/abrowser.profile
/etc/firejail/arm.profile
/etc/firejail/aweather.profile
/etc/firejail/bibletime.profile
/etc/firejail/brave.profile
/etc/firejail/chromium.profile
/etc/firejail/conkeror.profile
/etc/firejail/cyberfox.profile
/etc/firejail/deluge.profile
/etc/firejail/dillo.profile
/etc/firejail/dino.profile
/etc/firejail/dropbox.profile
/etc/firejail/epiphany.profile
/etc/firejail/etr.profile
/etc/firejail/firefox.profile
/etc/firejail/flashpeak-slimjet.profile
/etc/firejail/franz.profile
/etc/firejail/frozen-bubble.profile
/etc/firejail/gajim.profile
/etc/firejail/galculator.profile
/etc/firejail/gnome-2048.profile
/etc/firejail/gnome-twitch.profile
/etc/firejail/google-chrome-beta.profile
/etc/firejail/google-chrome.profile
/etc/firejail/google-chrome-unstable.profile
/etc/firejail/google-play-music-desktop-player.profile
/etc/firejail/gpredict.profile
/etc/firejail/hedgewars.profile
/etc/firejail/hexchat.profile
/etc/firejail/icecat.profile
/etc/firejail/inox.profile
/etc/firejail/iridium.profile
/etc/firejail/itch.profile
/etc/firejail/ktorrent.profile
/etc/firejail/liferea.profile
/etc/firejail/Mathematica.profile
/etc/firejail/midori.profile
/etc/firejail/minetest.profile
/etc/firejail/multimc5.profile
/etc/firejail/mumble.profile
/etc/firejail/mupen64plus.profile
/etc/firejail/netsurf.profile
/etc/firejail/neverball.profile
/etc/firejail/nylas.profile
/etc/firejail/open-invaders.profile
/etc/firejail/opera-beta.profile
/etc/firejail/opera.profile
/etc/firejail/palemoon.profile
/etc/firejail/pingus.profile
/etc/firejail/polari.profile
/etc/firejail/psi-plus.profile
/etc/firejail/qbittorrent.profile
/etc/firejail/qtox.profile
/etc/firejail/quiterss.profile
/etc/firejail/qupzilla.profile
/etc/firejail/qutebrowser.profile
/etc/firejail/rambox.profile
/etc/firejail/seamonkey.profile
/etc/firejail/simutrans.profile
/etc/firejail/slack.profile
/etc/firejail/snap.profile
/etc/firejail/spotify.profile
/etc/firejail/stellarium.profile
/etc/firejail/supertux2.profile
/etc/firejail/torbrowser-launcher.profile
/etc/firejail/transmission-gtk.profile
/etc/firejail/transmission-qt.profile
/etc/firejail/truecraft.profile
/etc/firejail/uget-gtk.profile
/etc/firejail/unknown-horizons.profile
/etc/firejail/uzbl-browser.profile
/etc/firejail/virtualbox.profile
/etc/firejail/vivaldi.profile
/etc/firejail/warzone2100.profile
/etc/firejail/waterfox.profile
/etc/firejail/wesnoth.profile
/etc/firejail/xiphos.profile
/etc/firejail/xonotic.profile
/etc/firejail/xpra.profile
/etc/firejail/yandex-browser.profile
/etc/firejail/zoom.profile
That's 82 profiles. Of course it needs testing and such.
There are 200 profiles that do include the disable-programs.inc file but don't have a whitelist rule. That basically means for those programs it hasn't been figured out yet what directories they specifically need access to—only that they shouldn't access some. That's a whole different story (you can find the list of these files by running the above command and replacing comm -12 with comm -23).
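The conversion described in this post, as an added example that is not the poster's script or part of the firejail project: it selects the profiles that match both conditions and rewrites one of them, converting only the home-directory noblacklist rules and leaving any other noblacklist rule untouched. The directory layout and the two sample profiles are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the poster's script). Lists the firejail profiles that
# include disable-programs.inc AND carry a whitelist rule, then rewrites one:
# drop the include, turn home-directory noblacklist rules into whitelist
# rules. Directory layout and profile contents used below are constructed.

# Same selection as the comm -12 one-liner, written without process
# substitution so it runs under plain POSIX sh.
convertible_profiles() {
  for p in "$1"/*.profile; do
    grep -q '^include /etc/firejail/disable-programs.inc' "$p" || continue
    grep -q '^whitelist ' "$p" || continue
    printf '%s\n' "$p"
  done
}

# Print the converted profile to stdout. Only noblacklist rules under the
# home directory are converted; those are the ones that override
# disable-programs.inc. A noblacklist for any other path cannot come from
# that file, so it is left unchanged and reported on stderr for review.
convert_profile() {
  awk '
    $0 == "include /etc/firejail/disable-programs.inc" { next }
    substr($0, 1, 12) == "noblacklist " {
      path = substr($0, 13)
      if (substr(path, 1, 8) == "${HOME}/" || substr(path, 1, 2) == "~/") {
        print "whitelist " path
      } else {
        print "review: kept non-home rule: " $0 > "/dev/stderr"
        print
      }
      next
    }
    { print }
  ' "$1"
}

# Constructed sample profiles: app.profile qualifies, other.profile does not
# (it has no whitelist rule, so it belongs to the "200 profiles" group).
make_sample_dir() {
  d=$(mktemp -d)
  printf '%s\n' 'noblacklist ${HOME}/.cache/app' 'noblacklist /usr/share/app' \
    'include /etc/firejail/disable-programs.inc' \
    'whitelist ${HOME}/.config/app' 'caps.drop all' > "$d/app.profile"
  printf '%s\n' 'noblacklist ${HOME}/.other' \
    'include /etc/firejail/disable-programs.inc' 'caps.drop all' > "$d/other.profile"
  printf '%s\n' "$d"
}
```

Run `convert_profile "$f" > "$f.new"` per file from `convertible_profiles /etc/firejail` and diff the result before replacing anything; the stderr lines point at rules that still need a manual decision.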