Profile requests

[netblue30]

Leave them on this thread, I'll bring them on top and strike them through when implemented.

Natron, Cinelerra, Inkscape, Gimp, LuminanceHDR, QpdfView, Synfigstudio, Otter browser, Calligra, Openshot, Scribus, Temaviewer, Blender, Google Earth, darktable, shotcut, Ricochet (https://ricochet.im/), Tbb (http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html), Wire (https://medium.com/wire-news/get-your-linux-on-999403a1a4fe#.fb99nx4uq), flowblade, VirtualBox, jmemorize, amarok, dragon (Dragon Player), kate, KTnef, KTorrent, Akregator, KRDC, discover, k3b, dolphin, ark, KWalletManager, skanlite, xpra, bleachbit, gedit, nautilus, xfburn, file-roller, gnome-books, gnome-photos, gnome-online-miners, gnome-sound-recorder, gnome-contacts, gnome-documents, gnome-weather, gnome-music, gnome-maps, brasero, goobox, gpa, simple-scan

[Laurent092]

Hi netblue,
Teamviewer is used sometimes to help some people but I heard that there was some attack on it. Do you think it's possible to add a secure profile for this software ?
Thanks
Laurent.

Uploading TeamViewer_noprofile_debug.txt…

[netblue30]

Sure, give me a link to the project website.

[chiraag-nataraj]

https://www.teamviewer.com/en/download/linux/
But there's a problem. I'm not exactly sure how Teamviewer verifies the daemon is running (probably looking for a process?), but when I launch Teamviewer within firejail (even with --noprofile), it fails to detect that the daemon is already running (hence my suspicion that it is looking for a process - the new PID namespace would preclude it from detecting the daemon).

[Edit] Yup, my suspicion was correct. The relevant code is in /opt/teamviewer/tv_bin/script/tvw_exec under the function IsDaemonRunning. It basically uses ps and grep to look for a process called teamviewerd. @netblue30, is there any way to selectively "pass through" processes from the global PID namespace into the local PID namespace? This would be the preferred way to fix this as teamviewerd is started as a system service.

[Laurent092]

It could be great if you find a solution. I am currently installing a Linux OS on a laptop for a friend and he asked me if I could install teamviewer. I said yes if I can sandbox it !! And I think a lot of people will be aware of that because they generally deinstalled it after doing the maintenance because of security issue. Firejail could be the best solution for me and my future installation on some laptop ;)

[netblue30]

@Laurent092, the default profile will work fine until we come up with a more restrictive one. The main security features such as seccomp and noroot are implemented in the default profile. Start the program as "firejail teamviewer" - I assume teamviewer is the name of the program.

[nyancat18]

Could you add these profiles too?
1 Blender

2 Google earth, marble dont have some google earth's features, and this is propietary software

[chiraag-nataraj]

@netblue30 The default profile does not work because of the reasons I specified. In fact, even using --noprofile does not work because firejail creates a PID namespace, leading Teamviewer to think the daemon has not been started. It then can't start the daemon because it doesn't have root privileges (it uses upstart/systemd/sysv/etc to start the daemon).

[Laurent092]

Hi netblue. i agree with chiraag. It doesn't work. The TeamViewer GUI launched a pop-up message that indicates the daemon is not running :

firejail teamviewer
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 2173, child pid 2174

Child process initialized

Init...
XRandRWait: No value set. Using default.
XRandRWait: Started by user.
Checking setup...
Launching TeamViewer ...
Starting network process (no daemon)
terminate called without an active exception
/opt/teamviewer/tv_bin/script/tvw_exec : ligne 95 : 113 Abandon "$TV_BIN_DIR/teamviewerd" -n -f
Network process already started (or error)
Launching TeamViewer GUI ...

parent is shutting down, bye...

[netblue30]

Sorry, didn't see the description.

It cannot be sandboxed the normal way - the guy needs to become root and start daemons. That's bad, you are running a closed source executable as root!

[chiraag-nataraj]

Do we have a way to poke holes in the PID namespace so that teamviewer recognizes that its daemon is running?

[chiraag-nataraj]

@triceratops1 Blender is up on my repo. Give it a whirl!

[chiraag-nataraj]

@netblue30, @triceratops1 I'm running into an interesting issue with Google Earth. If I run it within firejail, even with --noprofile, Google Earth fails to remove its lock file. That is, if I start it up again, it complains that it's already running. I'm going to look into workarounds for this issue, but your perspectives on it would be appreciated.

[Edit] Ah, okay, I think this makes more sense. When Google Earth runs, it creates a symlink to /proc/<PID>. I guess it's not able to remove the symlink afterwards for some reason - is this something that firejail prohibits?

[Laurent092]

@chiraag-nataraj about googleearth,
I apply a workaround in using firejail --private googleearth. The lock file is always remove at the end of the session.

[chiraag-nataraj]

@Laurent092 Yeah, that works. However, that means the config files aren't saved, which is theoretically annoying?

[Edit] For the record, this is actually false. It saves "My Places" and miscellaneous temporary information to that folder. Config actually goes in ~/.config/Google/. Still, you normally want to save places, so I had to work around this another way.

[Laurent092]

i saw in the man of firejail you have many choice for --private (bin, etc....)
Where is located the lock file ?

[chiraag-nataraj]

The lock file is located in ~/.googleearth, which is also the directory configuration files are stored in.

[Laurent092]

firejail --blacklist=dirname_or_filename
Blacklist directory or file.

          Example:
          $ firejail --blacklist=/sbin --blacklist=/usr/sbin
          $ firejail --blacklist=~/.mozilla
          $ firejail "--blacklist=/home/username/My Virtual Machines"

[chiraag-nataraj]

Never mind, found a way around it 😃 I'll have a profile up soon

[chiraag-nataraj]

Google Earth is up on my repo!

[nyancat18]

We could add some extra profiles
1 google chrome (its required if you need flash), but flash is VERY VULNERABLE, and you need sanbox it

2 flowblade

[chiraag-nataraj]

Huh, so interesting thing about flowblade. If I run it within firejail, even with --noprofile, it gets hung on the code after printing "Exiting app...". Even after adding additional statements to try to track down the problem, it seems to completely finish even calling Gtk.main_quit(), so I'm not even sure what the problem is...
[Edit] I should note that this problem does not occur if I don't change anything and immediately exit.
[Edit2] Never mind. I found out it was rendering the audio of the file I imported.

[chiraag-nataraj]

Added Flowblade to my repo! As for Google Chrome, I believe a profile already exists. And if you specifically want a stricter profile than the default, please open the issue on my project page rather than here, since it's easy to get confused 😃
[Edit] Added Google Chrome to my repo anyway 😉

[qazip]

Wire has now a Linux client (https://medium.com/wire-news/get-your-linux-on-999403a1a4fe#.fb99nx4uq)

Would be nice to have a default profile for it.

[denizakcal]

Hello, netblue30. :)

Could you please add a profile for VirtualBox to the default Firejail installation (when you get the chance)?

[chiraag-nataraj]

@denizakcal, check out my repo in the meantime :) I happen to have a profile for Virtualbox.

[netblue30]

VirtualBox, flowblade and OpenShot done.

[denizakcal]

@chiraag-nataraj: Sorry for the delay. Your temporary solution no longer seems necessary, but I appreciate it nonetheless, so thanks! :)

@netblue30: Thanks for the VirtualBox profile (included in the default Firejail installation)!

If it's not too much to ask, could you also make a profile (included in the default Firejail installation) for jMemorize ( https://sourceforge.net/projects/jmemorize/ ) (especially since it doesn't seem maintained anymore, which, I'm not a security expert, but I believe it makes it more of a security risk)?

[netblue30]

I added jmemorize to the list.

[denizakcal]

Thanks. :)

[kesso]

It would be nice to have profiles for the default kde and gnome applications and some others:

amarok, dragon (Dragon Player), kate, KTnef, KTorrent, Akregator, KRDC, discover, k3b, dolphin, ark, KWalletManager, skanlite, xpra, bleachbit, gedit, nautilus, xfburn, file-roller, gnome-books, gnome-photos, gnome-online-miners, gnome-sound-recorder, gnome-contacts, gnome-documents, gnome-weather, gnome-music, gnome-maps, brasero, goobox, gpa, simple-scan

[curiosity-seeker]

The recently published vulnerabilities in Linux

https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html

make me wonder if it's possible to sandbox the various indexing tools (Tracker in Gnome, Baloo in KDE, ...) with Firejail as suggested by Chris Evans.

[valoq]

There is already a profile for tracker, however the problem is that these are services that are started by systemd or via dbus by other applications and therefore firejail is not automatically applied.

It might be possible to have firejail sandbox those services but this needs a closer look.

[slicer69]

I don't think anyone has mentioned the Qupzilla web browser yet. I put together a rough profile for Qupzilla in case anyone wants to expand on it. It is basically the Firefox profile with the config and cache paths changed and some unneeded permissions removed.

qupzilla.txt

[netblue30]

I merged QupZilla profile, thanks!

[qazip]

Profile requests:

• Ghetto-skype (https://github.com/stanfieldr/ghetto-skype);
• Riot (https://riot.im/); Riot has now a linux client.

[qazip]

Profile requests:

• Iridium Browser (https://iridiumbrowser.de/)

[netblue30]

I'll try it out.

[nyancat18]

@netblue30 and waterfox (a good firefox fork) :D

[CreamyCookie]

Could you add rambox (open source alternative to Franz multi messenger)?

https://github.com/saenzramiro/rambox

[0xBRM]

Discord.

[netblue30]

Moved to #1139

[pemartins1]

I'd like to request a profile for Geary Email Client (https://github.com/GNOME/geary).

Thank you very much and keep up with the good work.