arch deprecate firejail
arch.md
@@ -11,7 +11,8 @@
- [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [Firewall](#firewall)
- [AppArmor](#apparmor)
- [Firejail](#firejail)
- [Install Apparmor](#install-apparmor)
- [Custom Profiles](#custom-profiles)
- [Chroots](#chroots)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
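Review bot: the flattened rendering drops both the `+`/`-` markers and the list indentation, so it cannot be checked here that `- [Install Apparmor](#install-apparmor)` and `- [Custom Profiles](#custom-profiles)` sit one level below `- [AppArmor](#apparmor)` as their `#####` headings require; verify the nesting in the raw markdown, otherwise the TOC presents them as siblings of the AppArmor section.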
@@ -32,6 +33,8 @@
- [Virtualization](#virtualization)
- [Arch Guests](#arch-guests)
- [CUPS Printing](#cups-printing)
- [Flatpak](#flatpak)
- [Discord](#discord)
- [Steam](#steam)
- [XWayland](#xwayland)
- [Wireguard](#wireguard)
@@ -53,6 +56,9 @@
- [Help](#help)
- [Update Grub](#update-grub)
- [Downgrading Kernel](#downgrading-kernel)
- [Deprecated](#deprecated)
- [Deprecated Security](#deprecated-security)
- [Firejail](#firejail)

<!-- /TOC -->

@@ -267,8 +273,11 @@ sudo ufw enable

#### AppArmor

I would recommend running apparmor with the default profiles. You could load the profiles
in `/usr/share/apparmor/extra-profiles` but firejail will take care of most of that.
##### Install Apparmor

Apparmor protects your system by limiting the access binaries have to specific files.
All binaries which are protected by apparmor profiles have a whitelist of allowed
paths they can touch, even if they run as root.

1. `sudo pacman -S apparmor`
2. `sudo systemctl enable --now apparmor`
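Review bot: "in /usr/share/apparmor/extra-profiles but firejail will take care of most of that." still reads as the AppArmor intro in this hunk (the flattened rendering shows no `+`/`-`, so confirm whether it is kept) and contradicts this commit: with firejail deprecated nothing loads those profiles for you, so the sentence should say the extra-profiles are copied to `/etc/apparmor.d` by hand, as the Custom Profiles text added further down describes. Minor: `##### Install Apparmor` versus `#### AppArmor` two lines above; use one spelling.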
@@ -285,59 +294,64 @@ in `/usr/share/apparmor/extra-profiles` but firejail will take care of most of t

5. `reboot`

#### Firejail
##### Custom Profiles

Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.
You will likely need to create custom profiles for your apps. There are a few ways to
do this but the least painful ways are as follows:

For example:
1. A profile already exists in `/usr/share/apparmor/extra-profiles/`

- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.
Check here first. More than likely there's a good starting point. This will probably
need to be tuned but you can (and should) copy it to /etc/apparmor.d

1. `sudo pacman -S firejail`
2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. `sudo firecfg`
4. `firecfg --fix`
5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
6. Add a pacman hook to apply firejail on install
2. No profile exists in `/usr/share/apparmor/extra-profiles/`

/etc/pacman.d/hooks/firejail.hook
You can use `aa-genprof <binary>` to generate a profile for that binary and begin
listening to log events. Then, launch the application and use it as intended. When
you've done what you consider to be the typical use-case you should.

```conf
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/share/applications/*.desktop
1. Press `s` until it begins recommending additions to your profile
2. Use (A) or (D) to add or deny paths
3. Use (G) to glob a path
4. Use (N) to write a custom path
5. If prompted for an executable choose (I) to inherit the execution privileges from the parent process or (P) to use this application's profile. Sanitize if you chooose this app's profile
6. When done, (F) to finish and (S) to save.
7. Use `apparmor_parser -r /etc/apparmor.d/<profile>` to reload the profile
8. Run `aa-enforce /etc/apparmor.d/<profile>` to set to enforce mode
9. Try to launch the app. It will probably crash
10. Run `aa-logprof`, add rules, `apparmor_parser -r /etc/apparmor.d/<profile>`, launch app, repeat until it works
11. You can `tail /var/log/audit/audit.log` and grab a string like `msg=audit(1692576444.967:102858)` to use as a starting point rather than parsing the whole log. Like: `aa-logprof -m 'msg=audit(1692576444.967:102858)'`.

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```
From <https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html>

You can run firejail with noprofile to fix access issues (like firefox gnome connector)
```text
Access Modes
File permission access modes consists of combinations of the following modes:

```bash
firejail --noprofile firefox
```

You'll probably want to enable the following

`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'`

/etc/firejail/firejail.config

```conf
browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes
r - read
w - write -- conflicts with append
a - append -- conflicts with write
ux - unconfined execute
Ux - unconfined execute -- scrub the environment
px - discrete profile execute
Px - discrete profile execute -- scrub the environment
cx - transition to subprofile on execute
Cx - transition to subprofile on execute -- scrub the environment
ix - inherit execute
pix - discrete profile execute with inherit fallback
Pix - discrete profile execute with inherit fallback -- scrub the environment
cix - transition to subprofile on execute with inherit fallback
Cix - transition to subprofile on execute with inherit fallback -- scrub the
environment
pux - discrete profile execute with fallback to unconfined
PUx - discrete profile execute with fallback to unconfined -- scrub the environment
cux - transition to subprofile on execute with fallback to unconfined
CUx - transition to subprofile on execute with fallback to unconfined -- scrub the
environment
deny x - disallow execute (in rules with the deny qualifier)
m - allow PROT_EXEC with mmap(2) calls
l - link
k - lock
```

#### Chroots
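Review bot: the sentence "When you've done what you consider to be the typical use-case you should." breaks off before saying what to do; it presumably leads into `1. Press s until it begins recommending additions to your profile`, so finish it. In step 8, switching straight to `aa-enforce` means the first launch in step 9 fails on every path not yet in the profile; put the profile in complain mode first (`aa-complain /etc/apparmor.d/<profile>`) so step 9 runs and logs the denials that step 10's `aa-logprof` loop consumes, then enforce once the loop is quiet. Also `chooose` in step 5 is a typo, and the access-mode table is copied from the xenial apparmor.d(5) page; link the current release's page instead.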
@@ -350,14 +364,6 @@ You can create chroot environments to run firejails or just use for testing purp
4. `pacstrap -K /chroots/testing/ base base-devel`
5. `arch-chroot /chroots/testing`

With firejail

1. `sudo firejail --noprofile --chroot=/chroots/testing`
2. `adduser ducoterra`
3. `pacman -S firefox`
4. `exit`
5. `firejail --chroot=/chroots/testing`

#### Fingerprint Reader Support

##### Setup
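Review bot: the `With firejail` steps are removed, but the section intro quoted in the hunk header, "You can create chroot environments to run firejails or just use for testing purp...", still presents firejail as the purpose of the chroots; reword it so the Chroots section no longer points at the tool this commit deprecates.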
@@ -653,6 +659,16 @@ sudo pacman -S qemu-guest-agent spice-vdagent
3. `sudo systemctl start cups`
4. `sudo systemctl start avahi-daemon`

### Flatpak

```bash
sudo pacman -S flatpak
```

### Discord

1. `flatpak install com.discordapp.Discord`

### Steam

<https://wiki.archlinux.org/title/Official_repositories#multilib>
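Review bot: step 1 `flatpak install com.discordapp.Discord` only works if a remote that publishes that application is already configured, and the `### Flatpak` section added just above does nothing beyond `sudo pacman -S flatpak`; name the remote (or add the `flatpak remote-add` step) so the instruction holds on a fresh install.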
@@ -1105,3 +1121,67 @@ If you want to downgrade to a kernel that wasn't previously installed:
1. Download linux... and linux-headers... from above
2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst`
3. `reboot`

## Deprecated

### Deprecated Security

#### Firejail

Don't use firejail, it's a suid binary which only runs in userspace. Apparmor does
almost exactly the same thing but runs in the kernel at boot and protects you more
completely. I'm leaving this here in case you're interested but realistically you
should just learn apparmor.

Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.

For example:

- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.

1. `sudo pacman -S firejail`
2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. `sudo firecfg`
4. `firecfg --fix`
5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
6. Add a pacman hook to apply firejail on install

/etc/pacman.d/hooks/firejail.hook

```conf
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```

You can run firejail with noprofile to fix access issues (like firefox gnome connector)

```bash
firejail --noprofile firefox
```

You'll probably want to enable the following

`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'`

/etc/firejail/firejail.config

```conf
browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes
```

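Review bot: the rationale "Don't use firejail, it's a suid binary which only runs in userspace." misstates the trade-off; firejail's confinement (namespaces, seccomp filters) is enforced by the kernel just as AppArmor's is, and the argument for dropping it is the large setuid-root attack surface it exposes to every local user. If the old instructions stay for reference they need a matching removal step: the pacman hook kept here re-runs `firecfg` on every `Install`/`Upgrade`/`Remove`, so a reader following the advice should delete `/etc/pacman.d/hooks/firejail.hook` and run `firecfg --clean` to drop the `/usr/local/bin` symlinks before uninstalling the package.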