-
Notifications
You must be signed in to change notification settings - Fork 577
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New profile: luarocks #4596
base: master
Are you sure you want to change the base?
New profile: luarocks #4596
Conversation
DO NOT MERGE! Please review. MERGE BLOCKER: firecfg does not create the necessary symlink in /usr/local/bin /usr/bin/luarocks however is a proper working binary. Another annoyance from this: Neovim has a package manager called packer, which pollutes $HOME with manifest-5-[1-4].zip and a pile of .rockspec and .src.rock files.
If anyone has an idea that would be great. I do also have a profile for neovim that depends on luarocks working properly. I noticed the same issue for vim: /usr/local/bin is not created for me. With |
Closed by accident! If you create the symbolic link manually, does it work as expected?
In other words, is this an issue with |
If you do not add luarocks to firecfg.config, firecfg will not create symlinks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A first review (without hardening suggestions).
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Second round, hardening suggestions.
noblacklist in allow-lua.inc must corresponds to blacklist section for lua in disable-interpreters.inc
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* disable /run/user/userid * use well tested whitelist-usr-share-common.inc * use disable-X11.inc
* dont break various application sandboxes with noblacklist /usr/include/lua* Instead insert it manually for luarocks. * remove redundant `blacklist /usr/share/lua` from disable-interpreters.inc
@rusty-snake Can I rebase, squash and force-push with you as co-author and the following text or do you think more changes are needed? Add profile for luarocks
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> |
@@ -481,6 +481,7 @@ lowriter | |||
# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
luarocks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs discussion: Do we want to firecfg build-systems/package-managers by default? (related: #4519)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Status quo of the default profile is very undesirable, because luarocks search
does not update the package list.
Both options are annoying to some degree:
- If sandboxed on default, luarocks may have too few privileges to invoke external compilers ie to compile luaformat
- If not sandboxed, evil lua programs/plugins in neovim may trivially invoke luarocks to do bad stuff.
noblacklist /usr/share/lua | ||
noblacklist /usr/share/lua* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to check why there was these two.
# Disallow blocking access to Lua header files. | ||
noblacklist /usr/include/lua* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When is /usr/include/lua…
used? Current behaviour of allow-lua.inc is strange, allow /usr/include
but not /usr/include/lua*
.
Currently this is how we handle /usr/include
:
$ grep /usr/include /etc/firejail/*
/etc/firejail/allow-lua.inc:noblacklist /usr/include
/etc/firejail/allow-nodejs.inc:noblacklist /usr/include/node
/etc/firejail/allow-python2.inc:noblacklist /usr/include/python2*
/etc/firejail/allow-python3.inc:noblacklist /usr/include/python3*
/etc/firejail/disable-devel.inc:blacklist /usr/include
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/lua*
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/node
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/python2*
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/python3*
/etc/firejail/hashcat.profile:noblacklist /usr/include
whitelist ${HOME}/.netrc | ||
whitelist ${HOME}/.config/pkcs11 | ||
whitelist ${HOME}/.wget-hsts | ||
whitelist ${HOME}/.cache/luarocks | ||
whitelist ${HOME}/luarocks/cmd/external | ||
whitelist ${HOME}/.nix-profile/bin | ||
whitelist ${HOME}/.luarocks | ||
whitelist ${HOME}/.config/luarocks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing mkdir
/mkfile
for some of them.
whitelist ${HOME}/luarocks/cmd/external | ||
whitelist ${HOME}/.nix-profile/bin | ||
whitelist ${HOME}/.luarocks | ||
whitelist ${HOME}/.config/luarocks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing blacklist
/noblacklist
/read-only
for some of them.
|
||
whitelist ${HOME}/.netrc | ||
whitelist ${HOME}/.config/pkcs11 | ||
whitelist ${HOME}/.wget-hsts |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this necessary?
edit: this line: whitelist ${HOME}/.wget-hsts
whitelist ${HOME}/.netrc | ||
whitelist ${HOME}/.config/pkcs11 | ||
whitelist ${HOME}/.wget-hsts | ||
whitelist ${HOME}/.cache/luarocks | ||
whitelist ${HOME}/luarocks/cmd/external | ||
whitelist ${HOME}/.nix-profile/bin | ||
whitelist ${HOME}/.luarocks | ||
whitelist ${HOME}/.config/luarocks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs discussion: Missing wc.
whitelist ${HOME}/.netrc | ||
whitelist ${HOME}/.config/pkcs11 | ||
whitelist ${HOME}/.wget-hsts | ||
whitelist ${HOME}/.cache/luarocks | ||
whitelist ${HOME}/luarocks/cmd/external | ||
whitelist ${HOME}/.nix-profile/bin | ||
whitelist ${HOME}/.luarocks | ||
whitelist ${HOME}/.config/luarocks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs discussion: Do we want to use whitelisting for package-managers/build-systems by default.
whitelist ${HOME}/.config/pkcs11 | ||
whitelist ${HOME}/.wget-hsts | ||
whitelist ${HOME}/.cache/luarocks | ||
whitelist ${HOME}/luarocks/cmd/external |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothing else from ~/luarocks
required?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The answer to this question depends on "Needs discussion: Do we want to firecfg build-systems/package-managers by default? (related: #4519)".
To what degree does firejail want to allow invoking build systems or running stuff from a package manager (which sounds like bad security practice).
User experience: cd /home/user/dev/git/c/neovim/.deps && /home/user/dev/git/c/neovim/.deps/usr/bin/luarocks build nvim-client 0.2.3-1 CC=/usr/bin/cc LD=/usr/bin/cc
Error: Could not find a result named nvim-client 0.2.3-1: No results matching query were found for Lua 5.1.
To check if it is available for other Lua versions, use --check-lua-versions.
[user@pc .deps]$ cd /home/user/dev/git/c/neovim/.deps && /home/user/dev/git/c/neovim/.deps/usr/bin/luarocks install nvim-client 0.2.3-1 CC=/usr/bin/cc LD=/usr/bin/cc There is a manifest.zip file written to $HOME, which contains this info. Also $HOME is cluttered with *src.rock and *.rockspec files. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ups, I forgot to click "Submit review".
@@ -481,6 +481,7 @@ lowriter | |||
# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
luarocks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Status quo of the default profile is very undesirable, because luarocks search
does not update the package list.
Both options are annoying to some degree:
- If sandboxed on default, luarocks may have too few privileges to invoke external compilers ie to compile luaformat
- If not sandboxed, evil lua programs/plugins in neovim may trivially invoke luarocks to do bad stuff.
whitelist ${HOME}/.config/pkcs11 | ||
whitelist ${HOME}/.wget-hsts | ||
whitelist ${HOME}/.cache/luarocks | ||
whitelist ${HOME}/luarocks/cmd/external |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The answer to this question depends on "Needs discussion: Do we want to firecfg build-systems/package-managers by default? (related: #4519)".
To what degree does firejail want to allow invoking build systems or running stuff from a package manager (which sounds like bad security practice).
DO NOT MERGE! Please review.
MERGE BLOCKER: firecfg does not create the necessary symlink in
/usr/local/bin
/usr/bin/luarocks however is a proper working binary.
Another annoyance from this: Neovim has a package manager called packer,
which pollutes $HOME with manifest-5-[1-4].zip and a pile of .rockspec
and .src.rock files.