profiles: telegram: allow opening links (xdg-open) #4783
Conversation
|
This doesn't seem right? |
|
@SkewedZeppelin What did you mean? |
The telegram profile uses BTW, we have allow-bin-sh.inc to override 'include disable-shell.inc' in a more maintainable way compared to adding seperate noblacklist paths. To get to the bottom of this it might be helpful to open an issue ticket where we can try to reproduce and discuss things before jumping in with a PR that - for now - offers little context. Just my 2 cents, nothing personal. |
|
@glitsj16 Open an issue would be a good idea, and I can do that. Meanwhile, I did have the issue that I wasn't able to open hyperlinks in Telegram because when Telegram tried to open a link, it invokes |
|
I don't use telegram. But I can definately see how it would rely on Usually I don't mind installing an app I will never use myself for firejail testing purposes, done so many times. As far as I know Telegram requires a phone number for account creation. So to test its hyperlink functionality under firejail I'd have to supply something I personally regard as very private indeed and that's where I draw the testing line. Maybe other collaborators use it, I don't know. Would be helpful if they chimed in :-) |
Fair enough. I've opened the issue #4784 as per your suggestion. |
You are actually right. The reason this PR worked for me was because in my version (installed with Arch Linux pacman), the But in the git version, the above line was uncommented: When I uncommented this command, the PR didn't fix the issue. So I added But the hyperlink still could not be opened, and I got the following message as I clicked the link: I don't know why it tried to execute |
|
Adding |
|
Can anyone explain to me why "Profile Checks" failed? Thank you. |
|
Crossing communications... I noticed the differences between the git profile and the one from 0.9.66 too. Bottomline, change the private-bin line to:
One thing I noticed that might explain this is this warning on your issue debug log: That warning usually is an indication that there's been a mix-up in the paths when starting a sandbox. If you use firecfg, that places a telegram symlink under /usr/local/bin for 'ease-of-use' or what's refered to as |
| @@ -8,6 +8,10 @@ include globals.local | |||
| noblacklist ${HOME}/.TelegramDesktop | |||
| noblacklist ${HOME}/.local/share/TelegramDesktop | |||
|
|
|||
| # Allow opening hyperlinks | |||
There was a problem hiding this comment.
Suggestion: use our inc file specifically designed for situations like this (instead of the two noblacklists)
include allow-bin-sh.inc
There was a problem hiding this comment.
Suggestion: use our inc file specifically designed for situations like this (instead of the two noblacklists)
include allow-bin-sh.inc
Nice suggestion, thank you @glitsj16.
etc/profile-m-z/telegram.profile
Outdated
| @@ -41,7 +45,7 @@ seccomp.block-secondary | |||
| shell none | |||
|
|
|||
| disable-mnt | |||
| private-bin telegram,Telegram,telegram-desktop | |||
| private-bin bash,telegram,Telegram,telegram-desktop,sh | |||
There was a problem hiding this comment.
add xdg-open too and respect ordering (the latter might explain the Profile Checks failure):
private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
|
Thank you very much for the help @glitsj16, I'm very new to You are right about the reason of the warning:
which, as you pointed out, was because I had a symbolic link in
Do we still need to add
This order worked, but I don't understand the reason behind this order, could you explain? |
You're welcome. We've all been new to firejail and it's a complex application (code-wise). So keep asking for help whenever the need arises, that's very wise in regards to a security/privacy related app IMO. Also consult the wiki pages and issue tracker etc. and you'll get the hang of it soon enough.
There's no strictly technical reason for ordering option values |
Have no idea why I thought |
Heh, happens to all of us. That's exactly the reason for having a CI check on stuff like this :-) |
Yep, we need it there too. Run a search in your editor of choice on xdg-open in /etc/firejail/. You'll notice we add it in lots of profiles to guarantee hyperlink functionality. |
etc/profile-m-z/telegram.profile
Outdated
| @@ -41,7 +44,7 @@ seccomp.block-secondary | |||
| shell none | |||
|
|
|||
| disable-mnt | |||
| private-bin telegram,Telegram,telegram-desktop | |||
| private-bin bash,sh,telegram,Telegram,telegram-desktop | |||
There was a problem hiding this comment.
private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
There was a problem hiding this comment.
private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
Done. Thank you.
Done. Thank you. |
|
@glitsj16 BTW, where do I ask questions? |
|
@YorkZ You can ask questions via the discussions section here on GH. Not a perfectly labelled section but well, that's out of our control :-) |
Very nice, thank you. |
| @@ -41,7 +44,7 @@ seccomp.block-secondary | |||
| shell none | |||
|
|
|||
| disable-mnt | |||
| private-bin telegram,Telegram,telegram-desktop | |||
| private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open | |||
There was a problem hiding this comment.
Why bash?
xdg-open is a shell-script, consider sed,xdg-mime,which,mimeopen,grep,egrep,printf,cut,uname,dbus-send,xprop,dirname,cat,…, exo-open,gio,gvfs-open,mate-open,enlightenment_open,gnome-open,dde-open,kde-open,kde-open*,kfmclient,cygstart,kde-config,gnome-default-applications-properties,… or just drop private-bin.
There was a problem hiding this comment.
Why bash?
I believe enabling bash is necessary because in Arch Linux, /usr/bin/sh has been symlink'ed to /usr/bin/bash (/usr/bin/sh is provided by package bash). Some customized systems also use bash as sh. I personally frequently use bash as sh in production systems too because bash is so much more featureful than sh. In fact, bash has a sh compatible mode which is probably why I've never had any issue when replacing sh with bash. Finally, in this case, I tested only enabling sh, and confirmed that it didn't work.
There was a problem hiding this comment.
I believe enabling bash is necessary because in Arch Linux,
/usr/bin/shhas been symlink'ed to/usr/bin/bash
Do not believe, test 😉.
private-bin follows symlinks IIRC and even if it don't there are other shells commonly used as /bin/sh (namely dash by Debian and Ubuntu(?)).
Finally, in this case, I tested only enabling sh, and confirmed that it didn't work.
(Fedora Linux 35; sh->bash):
$ firejail --noprofile --private-bin=sh,ls ls -l /usr/bin
bash
ls
sh -> /usr/bin/bashI guess you had tested with only sh in private-bin and only noblacklist ${PATH}/sh. This does not work blacklist ${PATH}/bash will blacklist the binary used by /usr/bin/sh. FWIW, blacklist follows symlinks too.
There was a problem hiding this comment.
xdg-open is a shell-script, consider …
On my system for xdg-open to work at all: sh,xdg-open,grep,egrep,<A installed well known browser, e.g. firefox>.
On my system for xdg-open to work correct: sh,xdg-open,grep,egrep,xdg-mime,sed,tr,awk,cut,head,basename,which,readlink,<My browser, e.g. firefox>
For the firefox start script: ...
or just drop private-bin.
yeah, I think this is the way to go.
There was a problem hiding this comment.
I guess you had tested with only
shinprivate-binand onlynoblacklist ${PATH}/sh
That's correct, I think I tested with only sh in private-bin and I only noblacklist sh.
there are other shells commonly used as /bin/sh (namely dash by Debian and Ubuntu(?))
I think dash is indeed an implementation of POSIX sh which is actually sh.
There was a problem hiding this comment.
IIRC this is because firejail hardcodes bash as the default shell.
It don't, read the issues title in your comment:
- Default shell is guessed from $SHELL, despite manpage specifying /bin/bash
On Artix it fails, but I'm not sure why:
If I get you right (sh->dash; getent passwd $USER | cut -d: -f7: bash), you try to start a program (bash) which isn't inside the sandbox.
IMHO --shell=none should be the default (if you specify a program).
So in my case it does require private-bin bash, even though /bin/sh is
/bin/dash.
Because you still run bash inside the sandbox and it isn't present (as a side-effect).
There was a problem hiding this comment.
This just lists the files;
@kmk3 it clearly shows that the file
/bin/shpoints to is
copied/bind-mounted (what does it do?) if you only listshbut notbash
(assuming/bin/shpoints to somewhere in{/usr,}/bin).
I don't understand what you mean. A symlink points to a (text) path; it
doesn't actually point to an inode. For example, if /bin/sh points to just
"dash" and you copy the symlink with to /tmp, the copy will not work:
$ readlink /bin/sh
dash
$ /bin/sh -c 'echo yes'
yes
$ cd /tmp
$ cp -P /bin/sh .
$ readlink ./sh
dash
$ ./sh -c 'echo yes'
bash: ./sh: No such file or directory
$ echo 'echo hello world' >dash
$ chmod +x dash
$ ./dash
hello world
$ ./sh
hello worldDo you mean that sh points to just "bash" outside of firejail but inside of it
it points to "/usr/bin/bash"? That might mean that firejail hardcodes its own
/bin/sh symlink inside the sandbox, but whether /bin/bash is bind-mounted or
not is unclear from your example.
There was a problem hiding this comment.
What I want to tell is that private-bin=sh will copy/bind-mount sh and the program it points to (e.g. bash or dash). No matter if you list bash/dash or not.
I don't care about /bin/sh pointing to somewhere else (e.g. /mnt/extra-program/mysh).
There was a problem hiding this comment.
I just tried removing bash from private-bin, and it worked (the link was opened from Telegram). @kmk3 do you still have problem if removing bash from private-bin?
Good question and fair points. The private-bin enablement after 0.9.66 caused some confusion as you can see (both here and in the issue). I can only find this in the history of telegram.profile. No info on why private-bin got enabled exactly, but I assume it was just good hardening practice. @netblue30 Any thoughts? |
kmk3
changed the title
kmk3
added
the
sandbox-ipc
Without this fix, clicking hyperlinks in Telegram had no effect.