firewarden's Issues

invalid --private-srv ... commandline option

"Installed" (gitcloned) on Ubuntu 16.04 LTS
placed firewarden script on /usr/bin/ and /usr/local/bin/
ran $ firewarden firefox
got an invalid --private-srv error
ran $ firewarden firefox http://google.com
got an invalid --private-srv error
ran $ sudo firewarden firefox
got an invalid --private-srv error

how to fix this?

broken

Hi man,
I have been getting this for a few days.
I use Arch with the latest firejail-git r4189.0c2cbf05-1

❯ firewarden -d -i chromium https://www.nsa.gov/ia/
Reading profile /home/cyril/.config/firejail/chromium.profile
Reading profile /home/cyril/.config/firejail/chromium-common.profile
Reading profile /etc/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 15614, child pid 15615

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-15614       A7:67:6C:85:99:C1  10.10.33.33      255.255.0.0      UP    

Error: "firewarden/2018-08-29T09:19:43+02:00" is an invalid filename
Error: proc 15614 cannot sync with peer: unexpected EOF

Any idea?

make firewarden even stricter

not an issue, rather a question

Hi altogether,

What I want to do is make firewarden a bit stricter. I want to exclude access to /mnt and /media.
To be clear: I still want to access a single dedicated file on /media[...]. But that should be it. No other files from there should be accessible.

As far as the --private option is concerned netblue30 once told me:

"You can also block /mnt and /media. I’m not doing it by default because people use to bring all kind of video and music files on USB devices and play them. Or they can bring documents and work on them.
To disable it use --disable-mnt (disables both /media and /mnt). On older firejail versions use --blacklist=/media."

(https://firejail.wordpress.com/documentation-2/basic-usage/)

So I downloaded the firewarden bash script (https://github.com/pigmonkey/firewarden/archive/master.zip)
and modified line 118 in such a way that instead of

/usr/bin/firejail --private-srv=firewarden-"$now" --private-opt=firewarden-"$now" $quiet $homeopt $netopt $devopt "$app" "${appopt[@]}" "${finalargs[@]}"

I use

/usr/bin/firejail --disable-mnt --private-srv=firewarden-"$now" --private-opt=firewarden-"$now" $quiet $homeopt $netopt $devopt "$app" "${appopt[@]}" "${finalargs[@]}"

I just added "--disable-mnt" as an additional parameter.
I tried it out and it works.

So just to confirm: Have I done it correctly?

Thanks in advance.

Greetings.
Rosika

Can't get it to work with waterfox-g3

/usr/bin/firewarden: line 196: $arg_length: substring expression < 0
Reading profile /etc/firejail/waterfox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 143456, child pid 143457
Warning: skipping firewarden-2021-06-02T14:20:10-07:00 for private /opt
Private /opt installed in 0.08 ms
Warning: skipping firewarden-2021-06-02T14:20:10-07:00 for private /srv
Private /srv installed in 0.07 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 179.63 ms
Error: no suitable waterfox executable found

Parent is shutting down, bye...

It also can't work with waterfox-g3 (command not found), and making a symlink didn't work either...

Access to /opt is not blacklisted

Steps to reproduce:

  1. firewarden firefox
  2. Navigate to file:///
  3. Select /opt

Actual results:
The contents are readable

Expected results:
Directory contents are blacklisted

Does not work in Void Linux?

Hi @pigmonkey !
This morning I noticed your package in AUR.
It sounded interesting, so I decided to create a new package for Void Linux, see here, but something is wrong when I run your script...
I'm not very experienced in packaging, but I try to learn, so your help will be very appreciated! 😉

Regards.
