Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

profiles: firecfg: disable text editors #6477

Merged
merged 1 commit into from
Sep 19, 2024
Merged

profiles: firecfg: disable text editors #6477

merged 1 commit into from
Sep 19, 2024

Conversation

kmk3
Copy link
Collaborator

@kmk3 kmk3 commented Sep 14, 2024
edited
Loading

Disable common general-purpose text editors.

They are likely to be the default OS text editor and users may want to
use them for editing most/all files, which could include common
sensitive files such as ~/.bashrc and profiles in ~/.config/firejail.

Fixes #6002.

Relates to #924 #941 #1154.

Reported-by: @ilikenwf

@kmk3 kmk3 added the firecfg Anything related to firecfg and not firejail itself label Sep 14, 2024
@kmk3
Copy link
Collaborator Author

kmk3 commented Sep 14, 2024

Let me know if I missed any text editor.

rusty-snake
rusty-snake approved these changes Sep 14, 2024
View reviewed changes
src/firecfg/firecfg.config Outdated Show resolved Hide resolved
@kmk3 kmk3 force-pushed the firecfg-disable-text-editors branch 2 times, most recently from 0944ef0 to b13975f Compare September 19, 2024 11:02
@kmk3 kmk3 marked this pull request as draft September 19, 2024 11:17
kmk3 added a commit to kmk3/firejail that referenced this pull request Sep 19, 2024
@kmk3
tests: partially disable private-home.exp to fix ci
f833a49 
This test started failing today with "TESTING ERROR 3".

Log from a CI re-run of test-fs on commit 897f12d ("build(deps): bump
step-security/harden-runner from 2.9.0 to 2.9.1", 2024-09-01) /
PR netblue30#6455[1]:

    2024-09-19T13:39:04.5681290Z TESTING: private home (test/fs/private-home.exp)
    2024-09-19T13:39:04.5713434Z spawn /bin/bash
    2024-09-19T13:39:05.2772248Z touch ~/_firejail_test_file1
    2024-09-19T13:39:05.2773779Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
    2024-09-19T13:39:05.2774475Z <jail/firejail/test/fs$ touch ~/_firejail_test_file1
    2024-09-19T13:39:05.2775175Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
    2024-09-19T13:39:05.2776506Z <jail/firejail/test/fs$ touch ~/_firejail_test_file2
    2024-09-19T13:39:05.2777841Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
    2024-09-19T13:39:05.2778918Z <ejail/firejail/test/fs$ mkdir ~/_firejail_test_dir1
    2024-09-19T13:39:05.2780080Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
    2024-09-19T13:39:05.2780903Z <fs$ mkdir ~/_firejail_test_dir1/_firejail_test_dir2
    2024-09-19T13:39:05.2781613Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
    2024-09-19T13:39:05.2782461Z <_test_dir1/_firejail_test_dir2/_firejail_test_file3
    2024-09-19T13:39:05.2783224Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
    2024-09-19T13:39:05.2784047Z <firejail/test/fs$ ln -s /etc ~/_firejail_test_link1
    2024-09-19T13:39:05.2784851Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
    2024-09-19T13:39:05.2785861Z < ln -s ~/_firejail_test_dir1 ~/_firejail_test_link2
    2024-09-19T13:39:05.2787008Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$
    2024-09-19T13:39:05.2788303Z <test_file1,_firejail_test_file2,_firejail_test_dir1
    [...]
    2024-09-19T13:39:05.4971716Z runner@fv-az1247-944:~$ find ~
    2024-09-19T13:39:05.4989255Z /home/runner
    2024-09-19T13:39:05.4990116Z /home/runner/_firejail_test_file1
    2024-09-19T13:39:05.4990768Z /home/runner/_firejail_test_file2
    2024-09-19T13:39:05.4991299Z /home/runner/_firejail_test_dir1
    2024-09-19T13:39:05.4992082Z /home/runner/_firejail_test_dir1/_firejail_test_dir2
    2024-09-19T13:39:05.4992760Z /home/runner/_firejail_test_dir1/_firejail_test_dir2/_firejail_test_file3
    [...]
    2024-09-19T13:39:15.4995765Z runner@fv-az1247-944:~$ TESTING ERROR 3
    2024-09-19T13:39:15.5000367Z

Misc: This was noticed on netblue30#6477.

[1] https://github.com/netblue30/firejail/actions/runs/10655583953/job/30378507249
@kmk3 kmk3 force-pushed the firecfg-disable-text-editors branch from b13975f to 07ea54c Compare September 19, 2024 14:16
@kmk3 kmk3 marked this pull request as ready for review September 19, 2024 14:25
@kmk3
profiles: firecfg: disable text editors
f1365a8 
Disable common general-purpose text editors.

They are likely to be the default OS text editor and users may want to
use them for editing most/all files, which could include common
sensitive files such as ~/.bashrc and profiles in ~/.config/firejail.

Fixes netblue30#6002.

Relates to netblue30#924 netblue30#941 netblue30#1154.

Reported-by: @ilikenwf
@kmk3 kmk3 force-pushed the firecfg-disable-text-editors branch from 07ea54c to f1365a8 Compare September 19, 2024 14:32
@kmk3 kmk3 merged commit bd8ed0b into netblue30:master Sep 19, 2024
8 checks passed
@kmk3 kmk3 deleted the firecfg-disable-text-editors branch September 19, 2024 14:37
kmk3 added a commit that referenced this pull request Sep 19, 2024
@kmk3
RELNOTES: add profile items
1b2d18e 
Relates to #5816 #5877 #6002 #6477 #6478 #6479.
@kmk3 kmk3 mentioned this pull request Sep 21, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rusty-snake rusty-snake rusty-snake approved these changes

@glitsj16 glitsj16 Awaiting requested review from glitsj16

Assignees
No one assigned
Labels
firecfg Anything related to firecfg and not firejail itself
Projects
Release 0.9.74
Status: Done (on RELNOTES)
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

text-editors: cannot access all text files in the user home
2 participants
@kmk3 @rusty-snake