arch deprecate firejail

ducoterra
2023-08-21 09:31:19 -04:00
parent 099f5e9beb
commit 5dca511841

arch.md

@@ -11,7 +11,8 @@
- [TPM2 LUKS Decryption](#tpm2-luks-decryption) - [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [Firewall](#firewall) - [Firewall](#firewall)
- [AppArmor](#apparmor) - [AppArmor](#apparmor)
- [Firejail](#firejail) - [Install Apparmor](#install-apparmor)
- [Custom Profiles](#custom-profiles)
- [Chroots](#chroots) - [Chroots](#chroots)
- [Fingerprint Reader Support](#fingerprint-reader-support) - [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup) - [Setup](#setup)
@@ -32,6 +33,8 @@
- [Virtualization](#virtualization) - [Virtualization](#virtualization)
- [Arch Guests](#arch-guests) - [Arch Guests](#arch-guests)
- [CUPS Printing](#cups-printing) - [CUPS Printing](#cups-printing)
- [Flatpak](#flatpak)
- [Discord](#discord)
- [Steam](#steam) - [Steam](#steam)
- [XWayland](#xwayland) - [XWayland](#xwayland)
- [Wireguard](#wireguard) - [Wireguard](#wireguard)
@@ -53,6 +56,9 @@
- [Help](#help) - [Help](#help)
- [Update Grub](#update-grub) - [Update Grub](#update-grub)
- [Downgrading Kernel](#downgrading-kernel) - [Downgrading Kernel](#downgrading-kernel)
- [Deprecated](#deprecated)
- [Deprecated Security](#deprecated-security)
- [Firejail](#firejail)
<!-- /TOC --> <!-- /TOC -->
@@ -267,8 +273,11 @@ sudo ufw enable
#### AppArmor #### AppArmor
I would recommend running apparmor with the default profiles. You could load the profiles ##### Install Apparmor
in `/usr/share/apparmor/extra-profiles` but firejail will take care of most of that.
Apparmor protects your system by limiting the access binaries have to specific files.
All binaries which are protected by apparmor profiles have a whitelist of allowed
paths they can touch, even if they run as root.
1. `sudo pacman -S apparmor` 1. `sudo pacman -S apparmor`
2. `sudo systemctl enable --now apparmor` 2. `sudo systemctl enable --now apparmor`
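Review bot: the new description under `##### Install Apparmor` ("a whitelist of allowed paths they can touch") describes file rules only, while the access-mode table added later in this same commit (`ux`/`px`/`ix`, `m - allow PROT_EXEC with mmap(2) calls`) shows a profile also governs which programs a confined binary may execute, under which profile, and whether it may map memory executable. Suggest "a whitelist of the files it may touch and the programs it may execute, enforced by the kernel even if it runs as root", and keep the "even if they run as root" part, since kernel enforcement independent of the process's own privilege is the property that distinguishes this from the firejail setup being removed.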
@@ -285,59 +294,64 @@ in `/usr/share/apparmor/extra-profiles` but firejail will take care of most of t
5. `reboot` 5. `reboot`
#### Firejail ##### Custom Profiles
Firejail launches supported applications in a sandboxed environment where it limits access You will likely need to create custom profiles for your apps. There are a few ways to
to system files and resources. do this but the least painful ways are as follows:
For example: 1. A profile already exists in `/usr/share/apparmor/extra-profiles/`
- Firefox will not be able to access more than a small subset of your home directory. Check here first. More than likely there's a good starting point. This will probably
- VSCode will not be able to acces ~/.config/autostart. need to be tuned but you can (and should) copy it to /etc/apparmor.d
1. `sudo pacman -S firejail` 2. No profile exists in `/usr/share/apparmor/extra-profiles/`
2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. `sudo firecfg`
4. `firecfg --fix`
5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
6. Add a pacman hook to apply firejail on install
/etc/pacman.d/hooks/firejail.hook You can use `aa-genprof <binary>` to generate a profile for that binary and begin
listening to log events. Then, launch the application and use it as intended. When
you've done what you consider to be the typical use-case you should.
```conf 1. Press `s` until it begins recommending additions to your profile
[Trigger] 2. Use (A) or (D) to add or deny paths
Type = Path 3. Use (G) to glob a path
Operation = Install 4. Use (N) to write a custom path
Operation = Upgrade 5. If prompted for an executable choose (I) to inherit the execution privileges from the parent process or (P) to use this application's profile. Sanitize if you chooose this app's profile
Operation = Remove 6. When done, (F) to finish and (S) to save.
Target = usr/bin/* 7. Use `apparmor_parser -r /etc/apparmor.d/<profile>` to reload the profile
Target = usr/share/applications/*.desktop 8. Run `aa-enforce /etc/apparmor.d/<profile>` to set to enforce mode
9. Try to launch the app. It will probably crash
10. Run `aa-logprof`, add rules, `apparmor_parser -r /etc/apparmor.d/<profile>`, launch app, repeat until it works
11. You can `tail /var/log/audit/audit.log` and grab a string like `msg=audit(1692576444.967:102858)` to use as a starting point rather than parsing the whole log. Like: `aa-logprof -m 'msg=audit(1692576444.967:102858)'`.
[Action] From <https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html>
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```
You can run firejail with noprofile to fix access issues (like firefox gnome connector) ```text
Access Modes
File permission access modes consists of combinations of the following modes:
```bash r - read
firejail --noprofile firefox w - write -- conflicts with append
``` a - append -- conflicts with write
ux - unconfined execute
You'll probably want to enable the following Ux - unconfined execute -- scrub the environment
px - discrete profile execute
`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'` Px - discrete profile execute -- scrub the environment
cx - transition to subprofile on execute
/etc/firejail/firejail.config Cx - transition to subprofile on execute -- scrub the environment
ix - inherit execute
```conf pix - discrete profile execute with inherit fallback
browser-disable-u2f no Pix - discrete profile execute with inherit fallback -- scrub the environment
chroot yes cix - transition to subprofile on execute with inherit fallback
firejail-prompt yes Cix - transition to subprofile on execute with inherit fallback -- scrub the
force-nonewprivs yes environment
tracelog yes pux - discrete profile execute with fallback to unconfined
PUx - discrete profile execute with fallback to unconfined -- scrub the environment
cux - transition to subprofile on execute with fallback to unconfined
CUx - transition to subprofile on execute with fallback to unconfined -- scrub the
environment
deny x - disallow execute (in rules with the deny qualifier)
m - allow PROT_EXEC with mmap(2) calls
l - link
k - lock
``` ```
#### Chroots #### Chroots
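Review bot: steps 7, 8, 10 and 11 under `##### Custom Profiles` run `apparmor_parser -r`, `aa-enforce`, `aa-logprof` and `tail /var/log/audit/audit.log` without `sudo`, while the install steps above use it; loading profiles and reading the audit log both need root, so add `sudo` for consistency. Two small text issues in the same hunk: "When you've done what you consider to be the typical use-case you should." is cut off before the numbered list (end it with a colon), and "chooose" in step 5. On the workflow, step 9 ("It will probably crash") is a direct consequence of enforcing in step 8 before the profile is complete; running the `aa-logprof` iterations of step 10 with the profile in complain mode (`sudo aa-complain /etc/apparmor.d/<profile>`), and switching to `aa-enforce` only once the app runs cleanly, records the denials without killing the application and converges faster. Step 5's "Sanitize" hint would read better if it said what it means: the capital variants in the access-mode table (`Px`, `Cx`, `Ux`) scrub the environment before the transition, so variables set in the confined parent cannot alter the child's behaviour; it is also worth a sentence that the unconfined choices (`ux`/`Ux` in the table) should be avoided for anything you are profiling, since they drop confinement entirely for that child. Finally, the reference link is to the xenial (16.04) copy of apparmor.d(5); point it at the man page for a current release.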
@@ -350,14 +364,6 @@ You can create chroot environments to run firejails or just use for testing purp
4. `pacstrap -K /chroots/testing/ base base-devel` 4. `pacstrap -K /chroots/testing/ base base-devel`
5. `arch-chroot /chroots/testing` 5. `arch-chroot /chroots/testing`
With firejail
1. `sudo firejail --noprofile --chroot=/chroots/testing`
2. `adduser ducoterra`
3. `pacman -S firefox`
4. `exit`
5. `firejail --chroot=/chroots/testing`
#### Fingerprint Reader Support #### Fingerprint Reader Support
##### Setup ##### Setup
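Review bot: the hunk header's context line still reads "You can create chroot environments to run firejails or just use for testing purp…", so after removing the "With firejail" steps the section introduction refers to a workflow that this commit deprecates and no longer documents here. Reword it to something like "You can create chroot environments for testing", or point at the Deprecated section, so the introduction and the remaining steps stay consistent.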
@@ -653,6 +659,16 @@ sudo pacman -S qemu-guest-agent spice-vdagent
3. `sudo systemctl start cups` 3. `sudo systemctl start cups`
4. `sudo systemctl start avahi-daemon` 4. `sudo systemctl start avahi-daemon`
### Flatpak
```bash
sudo pacman -S flatpak
```
### Discord
1. `flatpak install com.discordapp.Discord`
### Steam ### Steam
<https://wiki.archlinux.org/title/Official_repositories#multilib> <https://wiki.archlinux.org/title/Official_repositories#multilib>
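Review bot: `flatpak install com.discordapp.Discord` under `### Discord` assumes a remote that carries that application is already configured, but the preceding `### Flatpak` block only installs the package, so on a fresh system this step fails. Add the remote between them, e.g. `flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo`. Since the rest of this commit moves application confinement to AppArmor, one line noting that Flatpak applies its own per-application sandbox, whose granted permissions can be inspected with `flatpak info --show-permissions com.discordapp.Discord`, would tell the reader how this app is confined relative to the native ones.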
@@ -1105,3 +1121,67 @@ If you want to downgrade to a kernel that wasn't previously installed:
1. Download linux... and linux-headers... from above 1. Download linux... and linux-headers... from above
2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst` 2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst`
3. `reboot` 3. `reboot`
## Deprecated
### Deprecated Security
#### Firejail
Don't use firejail, it's a suid binary which only runs in userspace. Apparmor does
almost exactly the same thing but runs in the kernel at boot and protects you more
completely. I'm leaving this here in case you're interested but realistically you
should just learn apparmor.
Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.
For example:
- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.
1. `sudo pacman -S firejail`
2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. `sudo firecfg`
4. `firecfg --fix`
5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
6. Add a pacman hook to apply firejail on install
/etc/pacman.d/hooks/firejail.hook
```conf
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/share/applications/*.desktop
[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```
You can run firejail with noprofile to fix access issues (like firefox gnome connector)
```bash
firejail --noprofile firefox
```
You'll probably want to enable the following
`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'`
/etc/firejail/firejail.config
```conf
browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes
```
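Review bot: the justification in the new `#### Firejail` deprecation paragraph ("a suid binary which only runs in userspace") is imprecise: firejail's setuid-root binary sets up kernel namespaces and seccomp filters, so the sandbox it builds is kernel-enforced too. The stronger argument is the one about privilege, namely that a setuid-root helper is privileged code reachable by every local user and must be trusted not to be subvertible, whereas AppArmor is enforced by the kernel with no setuid component; suggest rewording along those lines. Also, a reader who followed these steps earlier still has the firecfg symlinks in `/usr/local/bin` and the `/etc/pacman.d/hooks/firejail.hook` reproduced here, which keeps running `firecfg` on every package transaction; add a short removal procedure (delete the hook, run `sudo firecfg --clean`, then remove the package) so that "Don't use firejail" is actionable. Minor: "acces" in the VSCode bullet.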