-
Notifications
You must be signed in to change notification settings - Fork 570
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allowing calling specific apps outside the sandbox or with a different firejail profile #3785
Comments
https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/lutris.profile
It's possible but unsupported. Meaning you will find a to execute a command outsite of the sandbox for a lot of profiles (especial weak profile e.g. blacklisting, permissive dbus, ...).
Transition between sandboxes is difficult for sanbox implementations based on linux-namespaces like firejail. LSMs like SELinux have a better concept to do so. IMHO the best way ATM is to use
D-Bus rules (if required, for kodi it's not the case).
|
Thank you! Very happy to see that somebody recently created a profile for Lutris now!
Any idea how this could be solved?
Couldn't there be some firejail software running that could be requested by the sandbox and depending on the profile of the requesting application allow a specific application to be launched by the sandboxed app by taking the request with the requested app/command to run and then running that command on behalf of said app? (Related question here).
Which one of those two to use (or in which of those in which cases)? |
lutris.local:
If this doesn't help, use just
IDK if there are an reason for one or the other.
ok. This is still easier than playing with $PATH. Change it so e.g.
or here 😁 . It could be, but that's a lot. Actually the daemon would need to be triggerd by custom overrides (e.g. replace /usr/bin/vlc with a own binary) which forwards this start, because it must be transparent for the application. |
Still getting that same error.
I already tried that but I guess I got to get firejail lutris working first as I can't run
You mean it needs to be transparent for the requesting application which app is launched? If it requests "VLC" with some parameters the daemon could for example have a table with verified hashsums to ensure that VLC is actually VLC. |
The request must be transparent, meaning there is no differences to a normal start of this other app. If you want that vlc for example adds code to talk with a firejail-daemon. Forget it! This will never happen. Why should the devs add much code and work for that few users with firejail.
You know that there is one hash per build per release?! |
Thanks for the explanation, even though I'm still not entirely sure what you mean. I wasn't suggesting that other apps like VLC would add code for firejail-support. If I can run VLC with command In the specific usecase described above:
|
This would work. "firejail would detect the call to lutris" that's a bit tricky, best would be to place a own program under /usr/bin/lutris which then forawrds the call to the firejail-daemon. |
Do we want to implement something like this, or should we close? |
My two cents. The |
That's a good point. For example there could be a single root-protected file that specifies which firejail profiles can allow calling a) which apps/commands b) with which other firejail profiles it's basically the same security as before: one basically only has to ensure that those firejail profiles are good and remain unchanged (e.g. via users/permissions, IDS, testing the profile, etc) and that this protected file does not allow an app to run commands with other firejail profiles that it shouldn't. Default firejail would have deliver this file in a blank state so nothing would change except if this file is changed. This would make it easy for people to implement the rest and in a secure way so. Firejail could even display a prompt or at least message box if it detected a change to this file requiring root-user confirmation that this changed config should be applied. |
This is something I would like, so that I can call other executables inside their own sandbox started from outsid ethe current sandbox. E.g. I have it setup so each application gets it's own application data directory in ~/.appdate/- which is set as $HOME when it's run by firejail, if I were to run rtv and open a video link in mpv, the instance of mpv that is run would have as it's application data directory /.appdata/rtv-/.appdata/mpv-. Simple call outs to other programs is possible with a simple daemon using a FIFO, which I tested and works fine, however another thing I want to do is to be able to pipe into a called application, so for example a program could call a program and open a pipe to it's standard input, which isn't possible with a simple daemon that calls the program. I'm wondering if it's possible to have the daemon be able to reattach a pipe to the called application? |
Just try it: |
@rusty-snake i don't run systemd, do you have any other example I could try? nice to know it's possible though |
And you can use ssh if there is no |
Actually ssh was a solution I was looking into a while back, but i stopped because I didn't want to have to deal with handling keys and such, also I thought maybe it would be a security risk as if I give application sandboxes ssh access then they could just run ssh and do anything outside the sandbox, rather than call only other sandboxed applications. Ectually I will use a specified SSH key, which will be restricted to running sandboxed applications. |
@mYnDstrEAm Hi, I've solved the issue with Lutris profile and prepared a pull request: #4283 |
@RandomVoid @rusty-snake Thank you! However, it's a problem with the kodi.profile. I'm using the Lutris-Kodi addon in Kodi and it fails because of that profile and not the lutris.profile. Should one include lutris.profile in kodi.local? Especially if not could you please also update the kodi.profile (or add some info on how a kodi.local profile should look like to make it work which could go into the kodi.profile in commented-out and be turned into a click-enabable option users get prompted for at some trigger for the kodi firejail profile in the future). |
No
So
makes it work? |
No, it doesn't...I get "Permission denied: '/home/username/.cache/lutris/lutris.log'". Obviously one could whitelist '/home/username/.cache/lutris/' which is what I tried with noblacklist in kodi.local. But that didn't work (same error). |
What did you tried? This is how it should look like I guess.
|
Thank you, that was a stupid mistake: I wrote out the entire home path instead of using that variable. It finally works with this in kodi.local:
It's really useful to have Gaming via Lutris added to Kodi so I think it would be good if this could added to kodi.profile, or an additional profile like kodi+lutris.profile. I had to add a few things to kodi.local earlier to make Kodi work properly (ignore disable-mnt and noblacklisting some media source folders). Maybe there could be a way to make it easier for users to configure profiles if needed modifications for specific use-cases are known (the lutris-kodi addon) or common (additional external media sources folders) like prompting the user about it or showing some console output that can make the needed changes by pressing some button. |
Is it possible to allow an app to call other apps to run outside the sandbox? Alternatively, is it possible to allow app A running with firejail profile A to call app B to run with firejail profile B?
In specific: I'd like to call the app
Lutris
from a firejailed instance ofKodi
(Kodi 19 in Debian 10 with the the Kodi-Lutris addon).There currently is no firejail profile for Lutris but if there was or if I'd create a very permissive profile for it (e.g. allowing everything but blacklisting a few folders) then I'd like Kodi to call Lutris with that firejail profile instead of it running in the sandbox of Kodi.
Alternatively, maybe one could allow/trust the app in the firejail profile for Kodi so that this specific app can run outside the sandbox.
Is that currently possible? I think this would be a very useful feature.
Relates to:
The text was updated successfully, but these errors were encountered: