-
Notifications
You must be signed in to change notification settings - Fork 568
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support "include" directive for conditionals and negative conditionals #6459
Comments
There is one thing you have to consider. Also Edit actually we already have
|
I am not a security expert, so would you mind elaborating a malicious app could steal data if it's networking is disabled? Is there an easy way to break out of the network jail so it can upload data to a remote server? Or would it require some type of user action, such as the program with no net-access modifies another program that it hopes will be run unsandboxed (such as modifying the .profile file), so then that program can upload the data?
Hmmm, I see what you mean that for most people that would be the case. I modified it so firejail is always run with Another way to do this that is perhaps more generalizable
Then, allow these to be conditionals. For example:
This resolves the issue of these "flags" not being known. Then, users can pass a flag. This is especially important when wanting to use the "default" program on a new program. For example: firejail --conditional="net=0" --conditional="personal=0" --conditional="images=1" Then the conditions the user created would include whatever was needed based on the flag data they passed. What do you think about this idea? |
The concept of user-defineable conditionals seems useful even without "include" directive support. Should it be made into a separate feature enhancement for tracking? In general, some conditionals could be useful even for standard profiles. For example: paranoid=1 Currently, many profiles enable net access for example to not break some very rarely used feature. So, basically net access was enabled for a feature 1% of people use like maybe a music program uses it to fetch lyrics on request as an example. Expanded use of conditions could allow profiles to be written to have more aggressive profiles when it's okay if the program works 99% instead of 100%. |
Yes, anything in that direction.
I somewhere suggested a
If you already need to construct a firejail cmd, you can simply add the wanted includes. Conditionals an interesting for the firecfg case where you don't have a firejail cmd. |
Is your feature request related to a problem? Please describe.
I want to create very restrictive sandbox when net is enabled because the biggest risk is stealing private data. If net is NOT enabled, then I would like to have a looser profile that enables more data access.
In addition, support of negative conditionals.
Describe the solution you'd like
Describe alternatives you've considered
Nothing as clean as this. Currently I have to use a loader script to load different profiles. Would be much easier to be able to add a conditional to global.inc to make software-wide.
I looked at #2158 and could not see any real reason why
include
was excluded.The text was updated successfully, but these errors were encountered: