Install firejail and sandbox default programs #86
Comments
PS: That might be unclear in the description, but we can start providing
@hashbang/administrators Would anyone have any issue with installing
No issue. On Wed, Apr 6, 2016 at 2:05 PM The Fox in the Shell <
Ryan Rion ryan@hashbang.sh
Ok, let's install that.
Rolled back the installation of [...]. Rationale:
I will endeavour to have that fixed upstream, and this issue will be blocked in the meantime.
@ChickenNuggers Thanks, I was too lazy to add the label to the project that early in the morning. As soon as a new release of firejail is tagged (and available in Debian), we can install it again since it will support a config file letting us set which
@hashbang/administrators OK, all the improvements we needed landed in upstream firejail, so we can start working on what we need next. I'm opening a pull-request on
@hashbang/administrators Providing a profile for [...] I suggest using [...]
I use msmtp at home. I'm a fan. :)
@dpflug I will take that as approval and just do it, then.
firejail 0.9.40 landed today in Debian unstable. @hashbang/administrators @hashbang/contributers In the meantime, we can get a profile for mutt ready. That would help us not lose momentum.
I merged #93 and installed
This is part of hashbang/shell-etc#86
This is part of hashbang#86 and required for hashbang/dotfiles#25
Doing some work now on
We could actually enable firejail on weechat now: the profile is currently pretty basic, but better than nothing. @hashbang/administrators Any thoughts?
@KellerFuchs Fine with me.
@lrvick Done and tested.
Actually, now that weechat's firejail profile uses a homedir whitelist, it's not so basic anymore :-) I guess I can close this
I think it would be a pretty good security improvement to provide users with firejail and run several things (like weechat or mutt) inside.

Note that user configuration (in `~/.config/firejail`) always trumps system-wide config (in `/etc/firejail`).

This would ideally involve:

- [...] (`CAP_SYS_ADMIN` is required AFAIK)
- [...] `NO_NEW_PRIVS` to make sure users don't exploit privileged binaries through firejail.
- [...] `restricted-network` to apply to `--netfilter`.
- [...] `NO_NEW_PRIVS`.
- [...] possibly by building a backport.
- [...] `sendmail`.
- [...] `dotfiles` to run things under firejail:
  - `weechat`
  - `mutt`

Alternatively, we can create symlinks from `/usr/local/bin/{mutt,weechat,...}` to `/usr/bin/firejail`, but I think that might be more confusing to users.

Pro:

- [...] For instance, that would prevent exploitation of a vulnerability in `weechat` (or, more likely, in a script) to run `sudo hashbangctl`, access private keys and so on.
- [...] `root` to define profiles.
- `firejail` uses namespaces, capabilities and seccomp (mainly), yet stays fairly accessible and user-friendly.

Cons:

- [...] We can have violations of the default profiles written to `syslog(3)` and mailed to us to be able to handle those issues quickly.
- `firejail` itself may enable privilege escalation (by #! users), as it is a suid binary. This seems pretty unlikely, however.
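As an added illustration of what the issue proposes (example code written for this page, not code from hashbang/shell-etc or from the firejail project): a weechat profile carrying the hardening discussed above (homedir whitelist, dropped capabilities, `nonewprivs`, `seccomp`), a lint that checks a profile still carries that baseline, the lookup order that lets a copy in `~/.config/firejail` silently replace the one in `/etc/firejail`, and a runtime check that a sandboxed process really has `NoNewPrivs` and seccomp set. The directories and files passed as parameters are hypothetical stand-ins so the script runs offline; the `/proc/<pid>/status` lines used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from hashbang/shell-etc: a hardened firejail
# profile for weechat, a lint for it, the profile lookup order firejail
# uses, and a check that a running sandbox has the hardening it promises.
# Paths passed as parameters are hypothetical so this runs offline.

# Write a weechat profile to the file given as $1.
write_weechat_profile() {
  cat > "$1" <<'EOF'
# weechat: IRC client, needs ~/.weechat and the network, nothing else.
# Hide ~/.ssh, ~/.gnupg, shell history and other sensitive dotfiles.
include /etc/firejail/disable-common.inc
# Homedir whitelist: only ~/.weechat is visible, the rest of $HOME is an
# empty tmpfs, so a compromised script cannot read private keys.
whitelist ~/.weechat
# No capabilities, and no way to regain privileges through suid binaries
# (sudo, hashbangctl, ...): nonewprivs sets PR_SET_NO_NEW_PRIVS.
caps.drop all
nonewprivs
noroot
# Default seccomp filter: blocks mount, ptrace, kexec and similar syscalls.
seccomp
# Minimal /dev and a private /tmp.
private-dev
private-tmp
EOF
}

# Lint: fail unless every directive of the hardening baseline is present as
# a whole line in the profile $1.
profile_hardened() {
  for directive in 'caps.drop all' nonewprivs noroot seccomp 'whitelist ~/.weechat'; do
    if ! grep -qxF -- "$directive" "$1"; then
      echo "profile $1 lacks: $directive" >&2
      return 1
    fi
  done
  return 0
}

# Lookup order: firejail takes ~/.config/firejail/<name>.profile before
# /etc/firejail/<name>.profile, so a user copy replaces the admin one.
# $1 = program name, $2 = user config dir, $3 = system config dir.
# Prints the profile that will be used; fails if there is none.
resolve_profile() {
  for f in "$2/$1.profile" "$3/$1.profile"; do
    if [ -f "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Runtime check: read a /proc/<pid>/status style file ($1) and succeed only
# if NoNewPrivs is 1 and Seccomp is 2 (SECCOMP_MODE_FILTER), which is what
# `nonewprivs` and `seccomp` in the profile should produce.
sandbox_hardened() {
  nnp=$(awk '/^NoNewPrivs:/ { print $2 }' "$1")
  scmp=$(awk '/^Seccomp:/ { print $2 }' "$1")
  [ "$nnp" = 1 ] && [ "$scmp" = 2 ]
}

# Demo on temporary directories standing in for /etc/firejail and
# ~/.config/firejail (hypothetical locations, constructed for this example).
sysdir=$(mktemp -d) && userdir=$(mktemp -d)
write_weechat_profile "$sysdir/weechat.profile"
profile_hardened "$sysdir/weechat.profile" && echo "system profile: hardened"
# A user override that dropped the hardening wins the lookup: lint that one too.
printf 'whitelist ~/.weechat\n' > "$userdir/weechat.profile"
chosen=$(resolve_profile weechat "$userdir" "$sysdir")
profile_hardened "$chosen" || echo "warning: $chosen will be used and is weaker"
rm -rf "$sysdir" "$userdir"
# On a real host:
#   firejail --profile=/etc/firejail/weechat.profile weechat
#   grep -E '^(NoNewPrivs|Seccomp):' /proc/"$(pgrep -n weechat)"/status
```

The profile deliberately leaves out `netfilter`: firejail applies `--netfilter` only inside a new network namespace created with `--net`, so adding it to a profile that does not create one has no effect. The lint is worth running against whatever `resolve_profile` returns rather than against `/etc/firejail` alone, since that is the file firejail will actually load.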