profile.template: add missing noautopulse option #4269
Conversation
Added on commit 617ff40 ("add --noautopulse arg for complex pulse setups") / PR netblue30#1854.
Note: The template was added after that, on commit cb98aea ("Add profile templates").
Misc: I noticed that it was missing when comparing it to contrib/vim/syntax/firejail.vim on commit 22a91ae ("contrib/vim: add missing noinput command to syn match") / PR netblue30#4259.
Cc: @vermeeren (as the author of #1854)
I'm against adding it. It is only used in agetpkg and looks wrong there too.
$ grep noautopulse /etc/firejail/*
/etc/firejail/agetpkg.profile:noautopulse
@rusty-snake left a comment:
Why is that? Is it something that should only be used on local profiles? I thought about adding it for completeness, as it's mentioned on firejail(1). How about commenting that it should not be used then? Example:
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -145,6 +145,7 @@ include globals.local
#net none
#netfilter
#no3d
+##noautopulse (use only on local profiles, see #4269)
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
#nodvd
#nogroups |
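Review bot: the parenthetical on the added `##noautopulse` line says where not to use the option but not why, so a reader still cannot tell it apart from the hardening options it sits between (no3d, nodvd, nogroups); say that it leaves the pulseaudio configuration alone (it was added for "complex pulse setups", per #1854) rather than restricting anything, and point at firejail-profile(5) instead of this PR number, which is harder to look up from a local template than the man page. The `##` prefix itself is consistent with the neighbouring `##nodbus (deprecated, …)` line, so the placement and marker are fine.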
Moreover there are a lot of commands in firejail-profile(5) "missing" in profile.template. For me that are |
@rusty-snake Correct, I'll take it out. |
So agetpkg was added on #3887. @glitsj16 Do you remember why the option was
My suspicion: Since agetpkg is a CLI tool that does not need access to
Say, an unsuspecting individual glancing over the options might assume that if
Another factor is that, unlike many of the options that you listed, this one is
You also mentioned
Anyway, I think making it clear on the template itself that
In this case, there is no |
@kmk3 That's fully correct. I added it in an overzealous attempt to make agetpkg as tight as possible. Thanks to @rusty-snake now I know better.
I can see private-srv in 8 of the current profiles. It's nice to have a clear-cut understanding and profile template to avoid mistakes like this. Thanks to you both for all the work on the template! What do you guys think, shall we take out private-srv? |
I would prefer to add |
Makes perfect sense. I'll hold off, you are on top of this apparently 👍. @kmk3 Apologies for semi-hijacking this thread. |
Hi, thanks for the CC @kmk3, I agree that
Personally I would indeed document it somewhere. An explicit "not in the tl;dr version on purpose" avoids confusion about whether it was simply forgotten or not. I have not worked with firejail in some years however, so I am not sure how it should be done for this project, if at all. Cheers. |
@glitsj16 commented 22 hours ago:
No problem; it's good to know more about
@vermeeren commented 20 hours ago:
Thanks for the input. Okay, so if there is no agreement on including
It doesn't solve the problem but it's at least something.
Ultimately, I think that the main issue stems from the option itself looking
If this makes sense, then both versions could be supported at once for a while,
I'm usually not a fan of renaming config options, but I think that this one has |
+1 for renaming it to |
+1 from me too |
Changes:
* add the keep-config-pulse option
* make noautopulse an alias for keep-config-pulse
* deprecate the noautopulse option
* misc: fix indentation of --keep-dev-shm on src/firejail/usage.c

Even though noautopulse is not intended for hardening, it looks like it is, because it starts with "no" (just like no3d, noroot, etc.). In fact, it is the only "no" option that differs in such a way. And it has been accidentally misused as such before; see PR netblue30#4269 and commit e4beaea ("drop noautopulse from agetpkg").

So effectively rename it to keep-config-pulse in order to avoid confusion. This is similar to the keep-var-tmp and keep-dev-shm options, which are used to "leave a path alone", just like noautopulse.

Note: The changes on this patch are based on the ones from commit 617ff40 ("add --noautopulse arg for complex pulse setups") / PR netblue30#1854.

See netblue30#4269 for the discussion.
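As an added example for this thread (not code from the firejail project), the script below automates the two checks the discussion does by hand: the `grep noautopulse /etc/firejail/*` above, generalised to "which options does each profile use that the template never documents", and the deprecation that #4278 introduces, where `noautopulse` becomes an alias of `keep-config-pulse`. The template excerpt and the two profiles are constructed samples embedded inline, not the real files under /etc/firejail; the `?CONDITION:` prefix handling and the extra option names (noblacklist, private-etc, private-tmp) are assumed from firejail's profile syntax rather than taken from this page.

```python
"""Audit firejail-style profiles against a profile template.

Added example for PR #4269, not firejail's own code. Reports, per profile,
the options it uses that the template does not document and any use of
the deprecated spelling noautopulse (alias of keep-config-pulse per #4278).
All inputs below are constructed samples.
"""
import re
import sys
from pathlib import Path

# Deprecated option -> replacement, as described in the #4278 commit message.
DEPRECATED = {"noautopulse": "keep-config-pulse"}

# Constructed template excerpt in profile.template's convention:
# "#opt" documents an available option, "##opt" marks one that is discouraged.
TEMPLATE = """\
include globals.local
#net none
#netfilter
#no3d
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
#nodvd
#nogroups
#private-tmp
#keep-config-pulse
"""

# Constructed sample profiles (not the real agetpkg.profile).
PROFILES = {
    "agetpkg.profile": """\
# Firejail profile for agetpkg
include agetpkg.local
include globals.local

noblacklist ${HOME}/.cache/agetpkg

include disable-common.inc

net none
no3d
noautopulse
nodvd
private-srv none
""",
    "foo.profile": """\
include foo.local
netfilter
nogroups
?HAS_APPIMAGE: private-tmp
private-etc alternatives,fonts
""",
}

# Optional "?CONDITION:" prefix (firejail conditional syntax, assumed),
# then the option keyword, which is the first token of the line.
OPTION_RE = re.compile(r"^(?:\?[A-Z0-9_]+:\s*)?([a-z0-9-]+)")
TEMPLATE_RE = re.compile(r"^#{1,2}([a-z0-9-]+)")


def option_of(line: str):
    """Option keyword of one profile line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = OPTION_RE.match(line)
    return m.group(1) if m else None


def template_options(text: str) -> set:
    """Options the template documents: "#opt" and "##opt" lines only."""
    return {m.group(1) for m in map(TEMPLATE_RE.match, text.splitlines()) if m}


def profile_options(text: str) -> set:
    """Options a profile actually uses; 'include' is a directive, not an option."""
    opts = {option_of(line) for line in text.splitlines()}
    opts.discard(None)
    opts.discard("include")
    return opts


def audit(profiles: dict, template: str) -> dict:
    """Return {profile: {"undocumented": [...], "deprecated": [(old, new), ...]}}."""
    documented = template_options(template)
    report = {}
    for name, text in profiles.items():
        used = profile_options(text)
        report[name] = {
            "undocumented": sorted(o for o in used
                                   if o not in documented and o not in DEPRECATED),
            "deprecated": sorted((o, DEPRECATED[o]) for o in used if o in DEPRECATED),
        }
    return report


def format_report(report: dict) -> str:
    lines = []
    for name, r in sorted(report.items()):
        for old, new in r["deprecated"]:
            lines.append(f"{name}: '{old}' is deprecated, use '{new}'")
        for opt in r["undocumented"]:
            lines.append(f"{name}: '{opt}' is not documented in the template")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: audit.py TEMPLATE PROFILE...   (no arguments: run on the samples)
    if len(sys.argv) > 2:
        tmpl = Path(sys.argv[1]).read_text()
        profs = {p: Path(p).read_text() for p in sys.argv[2:]}
        print(format_report(audit(profs, tmpl)))
    else:
        print(format_report(audit(PROFILES, TEMPLATE)))
```

On the samples this reports `noautopulse` in agetpkg.profile as deprecated and lists noblacklist, private-srv and private-etc as options the template excerpt never mentions, which is exactly the gap rusty-snake's comment about firejail-profile(5) commands "missing" from profile.template refers to. Pointing it at the real template and /etc/firejail/*.profile gives the full list.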
Closing in favor of #4278. |