New profile: luarocks #4596

Draft: wants to merge 13 commits into base: master
1 change: 0 additions & 1 deletion etc/inc/allow-lua.inc
@@ -8,5 +8,4 @@ noblacklist /usr/lib/liblua*
noblacklist /usr/lib/lua
noblacklist /usr/lib64/liblua*
noblacklist /usr/lib64/lua
noblacklist /usr/share/lua
noblacklist /usr/share/lua*
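Review bot: the deletion of `noblacklist /usr/share/lua` is a de-duplication only because the line kept, `noblacklist /usr/share/lua*`, also matches the bare `/usr/share/lua` directory (the `*` may match nothing); since the reviewer still wants to know why both existed, state that reasoning in the commit message, and confirm on a host with Lua installed that `ls -d /usr/share/lua*` lists the bare directory and nothing that should stay blacklisted.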
Collaborator
I need to check why there were these two.

72 changes: 72 additions & 0 deletions etc/profile-a-l/luarocks.profile
@@ -0,0 +1,72 @@
# Firejail profile for luarocks
# Description: LuaRocks is the package manager for the Lua programming language.
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include luarocks.local
# Persistent global definitions
include globals.local

# Disallow blocking access to Lua header files.
noblacklist /usr/include/lua*
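Review bot: the comment on `noblacklist /usr/include/lua*` ("Disallow blocking access to Lua header files") restates what the directive does instead of naming the blacklist it counters; with `include disable-devel.inc` commented out further down, the only blacklist of `/usr/include/lua*` still in play is the one in disable-interpreters.inc, so phrase it like the `# Allow lua (blacklisted by disable-interpreters.inc)` comment below, e.g. `# Allow access to Lua headers (blacklisted by disable-interpreters.inc)`, and consider moving the line into allow-lua.inc next to its existing `noblacklist /usr/include`, which does not cover the subdirectory.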
Comment on lines +10 to +11
Collaborator

#4596 (comment)

When is /usr/include/lua… used? The current behaviour of allow-lua.inc is strange: it allows /usr/include but not /usr/include/lua*.

Currently this is how we handle /usr/include:

$ grep /usr/include /etc/firejail/*
/etc/firejail/allow-lua.inc:noblacklist /usr/include
/etc/firejail/allow-nodejs.inc:noblacklist /usr/include/node
/etc/firejail/allow-python2.inc:noblacklist /usr/include/python2*
/etc/firejail/allow-python3.inc:noblacklist /usr/include/python3*
/etc/firejail/disable-devel.inc:blacklist /usr/include
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/lua*
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/node
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/python2*
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/python3*
/etc/firejail/hashcat.profile:noblacklist /usr/include
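The point the grep output above makes, that `noblacklist /usr/include` does not lift `blacklist /usr/include/lua*`, can be checked mechanically. The following is an added example, not code from firejail or from this pull request. It assumes firejail's rule that a blacklisted path is skipped only when some noblacklist pattern fnmatch()es it with FNM_PATHNAME (so `*` and `?` never cross a `/`), and it approximates the real check by matching noblacklist patterns against the blacklist pattern text instead of globbing a live filesystem, so that it runs offline; a noblacklist such as `/usr/include/lua5.*` would therefore be reported as not covering `blacklist /usr/include/lua*` here even though on a real system it may cover every directory that glob expands to. The function names and the sample include-file contents are constructed for the example.

```python
"""Lint for firejail include files: which `blacklist` entries stay in effect
because no `noblacklist` entry would exempt them?  (Added example; assumes the
FNM_PATHNAME matching rule described in the lead-in.)"""
import re
from typing import Iterator, List, Pattern, Tuple


def glob_to_regex(pattern: str) -> Pattern[str]:
    """Translate a shell glob to a regex with FNM_PATHNAME semantics:
    `*` and `?` match within a single path component only."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_rules(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (command, path) for blacklist/noblacklist lines; comments, blank
    lines and every other profile command are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("blacklist", "noblacklist"):
            yield parts[0], parts[1].strip()


def unexempted_blacklists(blacklist_text: str, noblacklist_text: str) -> List[str]:
    """Return the blacklist paths in `blacklist_text` that no noblacklist
    pattern in `noblacklist_text` matches, in file order."""
    exemptions = [glob_to_regex(path)
                  for cmd, path in parse_rules(noblacklist_text)
                  if cmd == "noblacklist"]
    return [path
            for cmd, path in parse_rules(blacklist_text)
            if cmd == "blacklist"
            and not any(rx.match(path) for rx in exemptions)]


# Constructed sample input, reduced from the grep output in the discussion;
# it is not the full content of those firejail include files.
DISABLE_DEVEL = "blacklist /usr/include\n"
DISABLE_INTERPRETERS = """\
blacklist /usr/include/lua*
blacklist /usr/include/node
blacklist /usr/include/python2*
blacklist /usr/include/python3*
"""
# allow-lua.inc as the grep output shows it, and the same file with the
# header exemption from the profile hunk moved in beside it (hypothetical).
ALLOW_LUA_CURRENT = "noblacklist /usr/include\nnoblacklist /usr/share/lua*\n"
ALLOW_LUA_WITH_HEADERS = ALLOW_LUA_CURRENT + "noblacklist /usr/include/lua*\n"


def lua_headers_still_blocked(allow_lua_text: str) -> bool:
    """True when /usr/include/lua* remains blacklisted after applying the
    exemptions in `allow_lua_text` to disable-devel.inc + disable-interpreters.inc."""
    remaining = unexempted_blacklists(DISABLE_DEVEL + DISABLE_INTERPRETERS,
                                      allow_lua_text)
    return "/usr/include/lua*" in remaining


if __name__ == "__main__":
    for name, text in (("current allow-lua.inc", ALLOW_LUA_CURRENT),
                       ("with noblacklist /usr/include/lua*", ALLOW_LUA_WITH_HEADERS)):
        left = unexempted_blacklists(DISABLE_DEVEL + DISABLE_INTERPRETERS, text)
        print(f"{name}: still blacklisted -> {left}")
```

Run as a script it shows that the current allow-lua.inc leaves `/usr/include/lua*` blacklisted (only the exact `/usr/include` entry from disable-devel.inc is lifted), while adding `noblacklist /usr/include/lua*` lifts it; the node and python entries stay blacklisted in both runs, which is the intended state for a Lua-only profile.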

# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc

blacklist ${RUNUSER}

include disable-common.inc
# luarocks can invoke compilers
#include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
# luarocks is hacky and needs shell access
#include disable-shell.inc
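Review bot: `include disable-exec.inc` is kept while disable-devel.inc and disable-shell.inc are commented out to let builds run, but disable-exec.inc sets noexec on ${HOME} and /tmp, so a rock whose build or install step executes something it has just produced under the build directory or under ~/.luarocks will fail even though the compiler itself (under /usr) runs; install a rock with a C component inside the sandbox before deciding whether this line needs the same treatment, and sharpen the `# luarocks is hacky and needs shell access` comment to say which luarocks operation spawns a shell, since `shell none` further down only concerns the shell firejail uses to launch the command.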
include disable-X11.inc
include disable-xdg.inc

whitelist ${HOME}/.netrc
whitelist ${HOME}/.config/pkcs11
whitelist ${HOME}/.wget-hsts
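Review bot: `whitelist ${HOME}/.netrc` exposes the user's plaintext credentials for every host in that file, writable, when the sandbox at most needs to read them to authenticate a download; add `read-only ${HOME}/.netrc` after the whitelist, and give the three lines a comment naming the fetcher (wget or curl) they serve so the open question on `.wget-hsts` can be answered from the profile itself.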
Collaborator @rusty-snake Oct 8, 2021

Is this necessary?

edit: this line: whitelist ${HOME}/.wget-hsts

whitelist ${HOME}/.cache/luarocks
whitelist ${HOME}/luarocks/cmd/external
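Review bot: `whitelist ${HOME}/luarocks/cmd/external` is the only entry in this group that is neither a dotfile nor an XDG location, and nothing in the hunk says what creates it; if it is a path inside a luarocks source checkout on the author's machine it belongs in luarocks.local, otherwise add a comment naming the luarocks feature that reads or writes there, and give `${HOME}/.cache/luarocks` a `mkdir ${HOME}/.cache/luarocks` so the whitelist does not silently fail on an account that has never run luarocks.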
Collaborator

Nothing else from ~/luarocks required?

Contributor Author

The answer to this question depends on "Needs discussion: Do we want to firecfg build-systems/package-managers by default? (related: #4519)".
To what degree does firejail want to allow invoking build systems or running stuff from a package manager (which sounds like bad security practice)?

whitelist ${HOME}/.nix-profile/bin
whitelist ${HOME}/.luarocks
whitelist ${HOME}/.config/luarocks
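Review bot: `whitelist ${HOME}/.nix-profile/bin` is specific to users of Nix (~/.nix-profile is a symlink Nix maintains, not a luarocks location) and has no comment explaining why a Lua package manager profile needs it; drop it from the shared profile and document it as a luarocks.local addition, or at least state the reason inline so it is not mistaken for a leftover from the author's machine.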
Comment on lines +28 to +35
Collaborator

Missing mkdir/mkfile for some of them.

Collaborator

Missing blacklist/noblacklist/read-only for some of them.

Comment on lines +28 to +35
Collaborator

Needs discussion: Missing wc.

Comment on lines +28 to +35
Collaborator

Needs discussion: Do we want to use whitelisting for package-managers/build-systems by default.


whitelist /usr/share/lua
include whitelist-run-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# apparmor
caps.drop all
ipc-namespace
machine-id
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
shell none
tracelog

disable-mnt
private-cache
private-dev
#private-etc alternatives,ca-certificates,crypto-policies,luarocks,pki,ssl
private-tmp

dbus-user none
dbus-system none

read-write ${HOME}/.luarocks
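Review bot: `private-cache` mounts an empty tmpfs over ${HOME}/.cache, which shadows the `whitelist ${HOME}/.cache/luarocks` earlier in the file, so the manifest cache is discarded on every run and each invocation re-downloads it; keep one or the other. `read-write ${HOME}/.luarocks` is likewise redundant unless one of the includes marks that directory read-only, because whitelisted home paths are writable by default; drop it or add a comment naming the `read-only` it undoes. The commented-out `# apparmor` and `#private-etc` lines should each carry a reason, in the style of the `#include disable-devel.inc` comment above.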
1 change: 1 addition & 0 deletions src/firecfg/firecfg.config
@@ -481,6 +481,7 @@ lowriter
# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
luarocks
Collaborator

Needs discussion: Do we want to firecfg build-systems/package-managers by default? (related: #4519)

Contributor Author

The status quo of the default profile is very undesirable, because luarocks search does not update the package list.
Both options are annoying to some degree:

  1. If sandboxed by default, luarocks may have too few privileges to invoke external compilers, i.e. to compile luaformat.
  2. If not sandboxed, evil Lua programs/plugins in neovim may trivially invoke luarocks to do bad stuff.

luminance-hdr
lximage-qt
lxmusic
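Review bot: adding `luarocks` to firecfg.config enables the sandbox for everyone who runs firecfg, which the thread has not settled for build tools (see the #4519 question raised on this line); until the compiler and noexec questions in the profile are resolved, ship the line commented out with a reason, in the style of the `# lrzip - disable until ...` entries directly above it, so the profile can land and be opted into by hand.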