pigmonkey / firewarden
Open a file via the specified application within a private Firejail sandbox.
License: The Unlicense
"Installed" (git-cloned) on Ubuntu 16.04 LTS
placed the firewarden script in /usr/bin/ and /usr/local/bin/
ran $ firewarden firefox
got an "invalid --private-srv" error
ran $ firewarden firefox http://google.com
got an "invalid --private-srv" error
ran $ sudo firewarden firefox
got an "invalid --private-srv" error
How do I fix this?
Hi,
I have been getting this for a few days.
I use Arch with the latest firejail-git r4189.0c2cbf05-1
❯ firewarden -d -i chromium https://www.nsa.gov/ia/
Reading profile /home/cyril/.config/firejail/chromium.profile
Reading profile /home/cyril/.config/firejail/chromium-common.profile
Reading profile /etc/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 15614, child pid 15615
Interface MAC IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0-15614 A7:67:6C:85:99:C1 10.10.33.33 255.255.0.0 UP
Error: "firewarden/2018-08-29T09:19:43+02:00" is an invalid filename
Error: proc 15614 cannot sync with peer: unexpected EOF
Any idea?
As in the title. Or would you prefer not to?
not an issue, rather a question
Hi altogether,
What I want to do is make firewarden a bit stricter. I want to exclude access to /mnt and /media.
To be clear: I still want to access a single dedicated file on /media[...]. But that should be it. No other files from there should be accessible.
As far as the --private option is concerned, netblue30 once told me:
"You can also block /mnt and /media. I'm not doing it by default because people tend to bring all kinds of video and music files on USB devices and play them. Or they can bring documents and work on them.
To disable it use --disable-mnt (disables both /media and /mnt). On older firejail versions use --blacklist=/media."
(https://firejail.wordpress.com/documentation-2/basic-usage/ )
So I downloaded the firewarden bash script (https://github.com/pigmonkey/firewarden/archive/master.zip )
and modified line 118 in such a way that instead of
/usr/bin/firejail --private-srv=firewarden-"$now" --private-opt=firewarden-"$now" $quiet $homeopt $netopt $devopt "$app" "${appopt[@]}" "${finalargs[@]}"
I use
/usr/bin/firejail --disable-mnt --private-srv=firewarden-"$now" --private-opt=firewarden-"$now" $quiet $homeopt $netopt $devopt "$app" "${appopt[@]}" "${finalargs[@]}"
I just added "--disable-mnt" as an additional parameter.
I tried it out and it works.
So just to confirm: Have I done it correctly?
Thanks in advance.
Greetings.
Rosika
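The same strict variant, written out as an added shell example (not firewarden's own code, and not from Rosika's post): it copies the chosen file into a fresh private directory, adds --disable-mnt, and probes `firejail --help` before emitting --private-srv/--private-opt, which is the flag the Ubuntu 16.04 report above could not use. The function names, the staging layout under $TMPDIR and the assumption that `firejail --help` lists each option as `--name=...` are mine.

```shell
#!/bin/sh
# Added example, not firewarden's own code. Stages one file into a private
# directory and emits a firejail argument list that also hides /mnt and /media,
# omitting --private-srv/--private-opt on firejail builds that do not list them.
# Function names, the staging layout and the help-text probe are assumptions.
set -eu

# supports_option HELPTEXT NAME: succeed if HELPTEXT mentions --NAME.
# HELPTEXT is normally "$(firejail --help 2>&1)"; it is passed in so the
# probe can be exercised with constructed text.
supports_option() {
    printf '%s\n' "$1" | grep -qF -- "--$2"
}

# stage_file FILE PARENT: copy FILE into a fresh directory under PARENT and
# print that directory. The sandbox sees only the copy, never the original
# location (e.g. a USB stick under /media). PARENT must itself lie outside
# /mnt and /media, or --disable-mnt hides the copy as well.
stage_file() {
    local file parent now priv
    file=$1; parent=$2
    # Timestamp with no ':' or '/' so it is safe inside a directory name.
    now=$(date -u +%Y%m%dT%H%M%SZ)
    priv=$(mktemp -d "$parent/firewarden-$now.XXXXXX")
    cp -- "$file" "$priv/"
    printf '%s\n' "$priv"
}

# strict_argv APP FILE HELPTEXT PARENT: print one firejail argument per line.
strict_argv() {
    local app file help parent priv tag
    app=$1; file=$2; help=$3; parent=$4
    priv=$(stage_file "$file" "$parent")
    tag=${priv##*/}          # firewarden-<timestamp>.<random>
    printf '%s\n' "--private=$priv" --disable-mnt
    # A name that does not exist under /srv or /opt is skipped by firejail
    # ("Warning: skipping ... for private /srv"), which leaves an empty tree.
    if supports_option "$help" private-srv; then
        printf '%s\n' "--private-srv=$tag" "--private-opt=$tag"
    fi
    printf '%s\n' "$app" "$priv/$(basename -- "$file")"
}

# run_strict APP FILE: stage the file and exec APP inside firejail.
run_strict() {
    local help
    command -v firejail >/dev/null 2>&1 || { echo "firejail not installed" >&2; return 1; }
    help=$(firejail --help 2>&1 || true)
    # Rebuild the positional parameters from the generated lines: each
    # argument stays one word, unlike the unquoted $opt expansions in the
    # original line 118 (paths containing a newline are not supported).
    IFS='
'
    set -f
    set -- $(strict_argv "$1" "$2" "$help" "${TMPDIR:-/tmp}")
    set +f
    unset IFS
    exec firejail "$@"
}
```

On a machine with firejail installed, `run_strict firefox /media/usb/report.pdf` opens only the staged copy; `firejail --disable-mnt --quiet -- ls -A /media /mnt` should list nothing, which is the quick check that the flag took effect.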
/usr/bin/firewarden: line 196: $arg_length: substring expression < 0
Reading profile /etc/firejail/waterfox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 143456, child pid 143457
Warning: skipping firewarden-2021-06-02T14:20:10-07:00 for private /opt
Private /opt installed in 0.08 ms
Warning: skipping firewarden-2021-06-02T14:20:10-07:00 for private /srv
Private /srv installed in 0.07 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 179.63 ms
Error: no suitable waterfox executable found
Parent is shutting down, bye...
It also can't work with waterfox-g3 (command not found), and making a symlink didn't work either...
Steps to reproduce:
firewarden firefox
file:///
Actual results:
The contents are readable
Expected results:
Directory contents are blacklisted
Hi @pigmonkey !
This morning I noticed your package in AUR.
It sounded interesting, so I decided to create a new package for Void linux, see here, but something is wrong when I run your script...
I'm not very experienced in packaging, but I'm trying to learn, so your help would be much appreciated! 😉
Regards.