Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't open links from hexchat #3323

Closed
ibahnasy opened this issue Apr 6, 2020 · 6 comments
Closed

Can't open links from hexchat #3323

ibahnasy opened this issue Apr 6, 2020 · 6 comments

Comments

@ibahnasy
Copy link

ibahnasy commented Apr 6, 2020

When running hexchat with firejail, it's not possible to launch links directly.
@rusty-snake
Copy link
Collaborator

#1718
#1770 (comment)

@rusty-snake
Copy link
Collaborator

@other_collaborator, we must document the "open links from foo does not work". Or we must answer it for the rest of our live.

#3308
#2228
#2047
#1955
#3311
#…

@glitsj16
Copy link
Collaborator

glitsj16 commented Apr 6, 2020

we must document the "open links from foo does not work". Or we must answer it for the rest of our live

@rusty-snake Very true. IMO the best we can do is to actually implement a secure way for users to open links from foo in browsers, regardless of documentation. Something along the lines of what I tried to convey here. Although the stuff linked in that comment is outdated, I have been using a few very simple shell scripts and geckodriver to implement basic URL inter-sandbox communication with mozilla-based web browsers for a long time now. Recently I have improved these scripts to avoid having to rely on D-Bus alltogether, in both the scripts and firejail profiles. A bit swamped at the moment to start a WIP PR for it, but reading your message here reminded me I must bite the bullet and go public soonish and see what the firejail community thinks about it...

@rusty-snake
Copy link
Collaborator

@glitsj16 with #3265 a dbus-user.talk org.mozilla.firefox.* rule is enough.
Problem1: profiles with private-bin
Problem2: /usr/bin/firefox is a shell script in Ubuntu/Fedora/Arch/… and adding bash to private-bin relaxes the sandbox.

# globals.local
dbus-user filter
dbus-user.talk org.mozilla.firefox.*
ignore dbus-user none
ignore nodbus

# post-globals.local -- does not exists upstream
# conndition does not exists
?HAS_PRIVATE_BIN: private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname

@glitsj16
Copy link
Collaborator

glitsj16 commented Apr 7, 2020

@rusty-snake Yes, the new D-Bus filters definately improve the situation. The scripts I'm refering to are doing there job outside the sandbox, apllications inside are agnostic to their existence. A wrapper for /usr/bin/firefox intercepts calls to it and dispenses a drop file containing the URL request. Not much different than what the GNOME portal system is doing actually. The work done by @kris7t in this regard is the best thing happening for firejail in a long while! Nevertheless I wouldn't mind D-Bus succumbing to a corona infection, being the security nightmare it is 😀.

@rusty-snake
Copy link
Collaborator

I'm closing here due to inactivity, please fell free to reopen if you have more questions.

@rusty-snake rusty-snake mentioned this issue Jul 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@glitsj16 @ibahnasy @rusty-snake