-
Notifications
You must be signed in to change notification settings - Fork 569
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
profiles: discord-common: harden & allow notifications #5978
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thank you for testing!
Lots of applications act similarly. As you've noticed we can usually block access to the system bus without crippling functionality and harden the sandbox that way.
You can add the below to support opening links. We use this in several profiles already and it would be a nice addition to do the same for discord.
Probably needs an additional
IMO we can enable apparmor. On a standard Linux distro that uses AppArmor it shouldn't break anything, unless a vital part of discord is installed under the user's home dir. And in the latter case we already have comments in the relevant AA profile on how to cover such setups. All in all your testing allows to harden discord.profile rather nicely already. Thank you for taking the time to check! |
Can you give me a quick howto or link documentation on opening links in general? I've been searching for this for the past weeks and couldn't make it work (for any app). There's a draft PR and accompanying discussion, which indicate that inter/extra-jail link opening is still in the planning stages. As of now, even with your suggested directives, Discord will instead attempt to use
Will have a look at that later. |
Besides the links you've already referenced I'd have a look at
My ommission, apologies. I forgot that discord-common.profile uses For debugging these URL opening situations I sometimes use a basic wrapper script for xdg-open like the below to echo out what it receives from sandboxed apps. Might help to double-check what discord is doing when running Firejailed. $ cat ~/bin/xdg-open
#!/bin/sh
### vars
_app="xdg-open"
_bin="/usr/bin/${_app}"
_debug_log="/home/${USER}/Downloads/${_app}.debug"
_msg="[${_app}] debug info"
### logic
_parent="$(ps -o args= "$PPID")"
{
echo "# ${_msg}"
echo "# $(date +%Y.%m.%d\ \@\ %H:%M:%S)"
echo "# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
echo
echo "parent: ${_parent}"
echo "params:"
echo "\$@: ${@}"
} > "$_debug_log"
${_bin} "$@" |
Some clarifications on enabling the As mentioned here I've installed discord and did some additional testing too. We can add a comment for users that want to enable If you don't feel comfortable adding it to this PR that's fine, I can always add it in a follow-up PR myself. $ cat /etc/apparmor.d/local/firejail-default
# Site-specific additions and overrides for 'firejail-default'.
# For more details, please see /etc/apparmor.d/local/README.
# Here are some examples to allow running programs from home directory.
# Don't enable all of these, just pick a specific one or write a custom rule
# instead as done below for torbrowser-launcher.
#owner @HOME/** ix,
#owner @HOME/bin/** ix
#owner @HOME/.local/bin/** ix
# Uncomment to opt-in to apparmor for brave + ipfs
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,
# Uncomment to opt-in to apparmor for brave + tor
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,
# Uncomment to opt-in to apparmor for discord
#owner @{HOME}/.config/discord/*/modules/** ix,
# Uncomment to opt-in to apparmor for firefox DRM (gmp-widevinecdm)
#owner @{HOME}/.mozilla/firefox/*/gm*/** ix,
# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
#owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
# Uncomment to opt-in to apparmor for torbrowser-launcher
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix, $ cat /etc/firejail/discord-common.profile
[...]
# Add 'apparmor' to your discord-common.local to enable AppArmor support.
# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
# to be uncommented too for this to work as expected.
#apparmor HTH |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for testing!
LGTM.
Note: I squashed the commits and added your notes to the commit message, as
they can be helpful for debugging. But feel free to edit it in any case.
What works: - Basic functionality - Receiving notifications - Voice communication - Watching streams What wasn't tested: - Casting streams - Opening links - Tracking/displaying "current activity" as status message - Apparmor Notes: - Discord tries to access system dbus (`[ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied`). I don't know what business it has with the system dbus, and didn't notice any problems due to that. - I had one crash after 2h of watching a stream. Probably unrelated. Fixes netblue30#5971.
Merged, thanks! |
Tested some more directives by removing the ignores. Also add directives necessary for dbus notifications (fixes #5971).
What works:
What wasn't tested:
Notes:
[ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
). I don't know what business it has with the system dbus, and didn't notice any problems due to that.