
Firejail support #456

Closed
aminvakil opened this issue Jun 8, 2020 · 4 comments

Comments

@aminvakil

aminvakil commented Jun 8, 2020

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

I want to add a profile for strawberry, but right now I've just copied the clementine profile and changed the names to strawberry. Maybe we can harden it further; in case anyone has any ideas, don't hesitate to comment on this pull request in the firejail repo.

netblue30/firejail#3459

I'm going to close this issue after the PR has been merged to the firejail master branch, and future hardenings can be discussed over there; but for now, in case an additional privilege should be added to the profile, please mention it there.

Thanks for this great fork!

@jonaski
Member

jonaski commented Jun 8, 2020

Does this block file access? How does that allow mounting devices, accessing music, writing tags, etc?
Why is there no noblacklist entry for ${HOME}/.local/share/strawberry while there is for .config and .cache? If it blocks .local then nothing will work since that's where the database is stored.
Does it block network traffic too?
Did you test this?

@aminvakil
Author

> Does this block file access? How does that allow mounting devices, accessing music, writing tags, etc?

It can be configured to prevent access to anything but ${HOME}/Music, I think that would be enough, but that depends on firejail maintainers.
Also aside from strawberry.profile anyone can create a strawberry.local file which is a custom config file to include any additional folders which they put their music in it.

> Why is there no noblacklist entry for ${HOME}/.local/share/strawberry while there is for .config and .cache? If it blocks .local then nothing will work since that's where the database is stored.

I didn't know this exists, I will add it, thanks.

> Does it block network traffic too?

It can be configured to block network traffic too, but as network is needed for fetching lyrics, connecting to services, etc. I assume it should be allowed by default.

> Did you test this?

Yes, also @rusty-snake gave me lots of suggestions in netblue30/firejail#3459 (review), which I will try too, to tighten it as much as possible without breaking it.
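An illustrative sketch of the profile layout the exchange above is about, added here as an example; it is not the profile submitted in netblue30/firejail#3459 and not strawberry's or firejail's own code. Paths and the extra music folder in the `.local` override are assumptions.

```text
# strawberry.profile (illustrative sketch, not the merged profile)
# Persistent local customizations: this file is read first, so a user
# can add their own whitelist/blacklist lines without editing the profile.
include strawberry.local
# Persistent global definitions
include globals.local

# noblacklist lines must come BEFORE the disable-*.inc includes below,
# otherwise the blacklist in those files wins and the directory is hidden.
# All three are needed: config, cache, and the SQLite database in .local.
noblacklist ${HOME}/.config/strawberry
noblacklist ${HOME}/.cache/strawberry
noblacklist ${HOME}/.local/share/strawberry

include disable-common.inc
include disable-devel.inc
include disable-programs.inc

# Once any whitelist line under ${HOME} is present, ONLY the listed paths
# remain visible in the home directory, so the three state directories
# have to be whitelisted too or the database silently disappears.
whitelist ${HOME}/Music
whitelist ${HOME}/.config/strawberry
whitelist ${HOME}/.cache/strawberry
whitelist ${HOME}/.local/share/strawberry
include whitelist-common.inc

# Networking is left enabled: lyrics, streaming services and scrobbling
# need it. A user who wants an offline player opts in via strawberry.local.
# net none

# ---------------------------------------------------------------------
# ~/.config/firejail/strawberry.local (constructed example of a user override)
# Music kept outside ${HOME}/Music: extend the whitelist rather than
# loosening the profile shipped by the distribution.
whitelist ${HOME}/Media/music
# Optional: cut network access entirely for a purely local library.
# net none
```

Because `strawberry.local` is included at the top of the profile, its `noblacklist`/`whitelist` lines take effect before the `disable-*.inc` blacklists, which is what makes the per-user override work without touching the installed profile.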

@aminvakil
Author

Suggestions were implemented and various stuff changed in the profile, but it will remain open for now so others have time to comment on it too.

So if anything is wrong or can be better please go on.
netblue30/firejail#3459

@aminvakil
Author

Merged. netblue30/firejail@89d77cc
