# Firejail profile for linuxqq
# Description: IM client based on Electron
# This file is overwritten after every install/update
# Persistent local customizations
include linuxqq.local
# Persistent global definitions
include globals.local
# REMINDER: add counterpart `blacklist ${HOME}/.config/QQ` to `disable-programs.inc`
noblacklist ${HOME}/.config/QQ
# Allow opening hyperlinks with Firefox
# profiles access
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
# shell access
include allow-bin-sh.inc
include disable-shell.inc
# D-Bus access
dbus-user.talk org.mozilla.*
mkdir ${HOME}/.config/QQ
whitelist ${HOME}/.config/QQ
whitelist ${DESKTOP}
ignore apparmor
noprinters
# If you don't need/want to save anything to disk you can add `private` to your linuxqq.local.
#private
# REMINDER: QQ executable name on Debian/Ubuntu is `qq`
# https://github.com/BeautyYuYanli/linuxqq-new-firejail/issues/1#issuecomment-1368366777
# create an alias profile for that
private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
private-opt QQ
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.portal.Desktop
dbus-user.talk org.freedesktop.portal.Fcitx
dbus-user.talk org.freedesktop.portal.IBus
dbus-user.talk org.freedesktop.ScreenSaver
dbus-user.talk org.gnome.Mutter.IdleMonitor
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
ignore dbus-user none
# Redirect
include electron.profile
Still cannot open hyperlinks:
/usr/local/bin/xdg-open: line 561: grep: command not found
/usr/local/bin/xdg-open: line 562: grep: command not found
/usr/local/bin/xdg-open: line 574: grep: command not found
xdg-open: file 'http://bing.com/' does not exist
I added grep and the list grew longer:
/usr/local/bin/xdg-open: line 849: sed: command not found
/usr/local/bin/xdg-open: line 826: xdg-mime: command not found
/usr/local/bin/xdg-open: line 880: x-www-browser: command not found
/usr/local/bin/xdg-open: line 880: firefox: command not found
/usr/local/bin/xdg-open: line 880: iceweasel: command not found
/usr/local/bin/xdg-open: line 880: seamonkey: command not found
/usr/local/bin/xdg-open: line 880: mozilla: command not found
/usr/local/bin/xdg-open: line 880: epiphany: command not found
/usr/local/bin/xdg-open: line 880: konqueror: command not found
/usr/local/bin/xdg-open: line 880: chromium: command not found
/usr/local/bin/xdg-open: line 880: chromium-browser: command not found
/usr/local/bin/xdg-open: line 880: google-chrome: command not found
/usr/local/bin/xdg-open: line 880: www-browser: command not found
/usr/local/bin/xdg-open: line 880: links2: command not found
/usr/local/bin/xdg-open: line 880: elinks: command not found
/usr/local/bin/xdg-open: line 880: links: command not found
/usr/local/bin/xdg-open: line 880: lynx: command not found
/usr/local/bin/xdg-open: line 880: w3m: command not found
xdg-open: no method available for opening 'http://bing.com/'
May need to add all the browsers into private-bin to provide full support.
We might add support for input methods.
Added both.
still cannot open hyperlinks
Yeah, xdg-open needs lots of commands to support it. I've added some but it might need more. We'll get there; the first draft was put together as a base to start.
Thank you for testing and feedback!
Opening a directory will report an error, and then the web browser will be used to open the URL file:///...
[44:0101/163721.278945:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.portal.OpenURI.OpenDirectory: object_path= /org/freedesktop/portal/desktop: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
[43:0101/163146.087144:ERROR:platform_util_linux.cc(238)] Error calling OpenDirectory
/usr/local/bin/xdg-mime: line 1125: readlink: command not found
xdg-mime: no method available for querying MIME type of ''
xdg-mime: mimetype argument missing
Try 'xdg-mime --help' for more information.
My solution for xdg-open is using https://github.com/flatpak/flatpak-xdg-utils/blob/main/src/xdg-open.c, and it should allow dbus-user.talk org.freedesktop.portal.Desktop.
Just install flatpak-xdg-utils and write a simple wrapper in /usr/local/bin/xdg-open:
#!/bin/sh
[ x"$container" != x"firejail" ] && exec /usr/bin/xdg-open $@
exec /usr/lib/flatpak-xdg-utils/xdg-open $@
xdg-desktop-portal (https://github.com/flatpak/xdg-desktop-portal) seems like a general method to deal with the problem. Any way to integrate it into Firejail?
Added dbus-user.talk org.freedesktop.portal.Desktop. Also added readlink to private-bin.
Disabled AppArmor. My audit log shows QQ trying to create /opt/QQ/resources/app/app_launcher/launcher.log as the user that started it. As that user should never be root, QQ obviously doesn't have the privileges to write there.
@cubercsl @BeautyyuYanli Another round of changes. I'm facing a few problems due to not knowing/reading/writing Chinese (apologies for that), so I'm blindly taking stabs at creating a working profile that's as tight as possible. No rush, but please test the latest revision when you find the time.
Thanks for your patience!
Hyperlinks still work well after deleting these lines:
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
# shell access
include allow-bin-sh.inc
include disable-shell.inc
My solution for xdg-open is using github.com/flatpak/flatpak-xdg-utils/blob/main/src/xdg-open.c, and it should allow dbus-user.talk org.freedesktop.portal.Desktop.
Just install flatpak-xdg-utils and write a simple wrapper in /usr/local/bin/xdg-open:
#!/bin/sh
[ x"$container" != x"firejail" ] && exec /usr/bin/xdg-open $@
exec /usr/lib/flatpak-xdg-utils/xdg-open $@
The approach works. But $@ should be replaced by "${@}" to support filenames with whitespace.
Adding private-bin entries one by one may not be able to support all the file types that can be downloaded inside QQ.
I've noticed there are many issues about xdg-open in Firejail, and also someone using a wrapper to escape the sandbox. But it seems nobody is talking about xdg-desktop-portal. Is it possible for it to be a secure way to use xdg-open inside Firejail?
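As an added illustration (not code from the gist, from this thread, or from flatpak-xdg-utils), the following POSIX sh script demonstrates the two points made above: why the wrapper must forward "$@" rather than a bare $@ when a downloaded filename contains whitespace, and the $container check the wrapper uses to choose between the host xdg-open and the portal-backed one. The two binary paths mirror the wrapper posted in the thread and are assumptions; count_args is a stand-in for the real xdg-open so the script runs offline, and nothing is exec'ed.

```shell
# Added example, not part of the gist or the thread. Paths below are assumptions
# taken from the wrapper posted above; count_args stands in for xdg-open.
HOST_XDG_OPEN=${HOST_XDG_OPEN:-/usr/bin/xdg-open}
PORTAL_XDG_OPEN=${PORTAL_XDG_OPEN:-/usr/lib/flatpak-xdg-utils/xdg-open}

# count_args: stand-in for the real xdg-open. It reports how many arguments
# actually arrived, which is exactly what breaks when $@ is left unquoted.
count_args() { echo "$#"; }

# forward_unquoted: the original wrapper's behaviour. Field splitting on IFS
# re-tokenises any argument that contains whitespace.
forward_unquoted() { count_args $@; }

# forward_quoted: the corrected behaviour. "$@" forwards each argument as one
# word, so '/tmp/my document.pdf' reaches xdg-open as a single path.
forward_quoted() { count_args "$@"; }

# pick_xdg_open: which binary the wrapper would exec for a given value of the
# $container variable Firejail sets inside the sandbox (passed in as $1 so the
# function can be exercised outside a sandbox).
pick_xdg_open() {
    if [ "x$1" != "xfirejail" ]; then
        echo "$HOST_XDG_OPEN"
    else
        echo "$PORTAL_XDG_OPEN"
    fi
}

# demo: constructed filename with a space, run through both forwarding styles.
demo() {
    f='/tmp/my document.pdf'
    echo "bare \$@   delivers $(forward_unquoted "$f") argument(s) for '$f'"
    echo "quoted \"\$@\" delivers $(forward_quoted "$f") argument(s) for '$f'"
    echo "container unset    -> $(pick_xdg_open "")"
    echo "container=firejail -> $(pick_xdg_open firejail)"
}

demo
```

In the real wrapper the quoted form is therefore exec /usr/lib/flatpak-xdg-utils/xdg-open "$@"; the portal-backed xdg-open then only needs dbus-user.talk org.freedesktop.portal.Desktop in the profile, rather than a growing private-bin list of browsers and helpers.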
@BeautyyuYanli
My solution for xdg-open is using github.com/flatpak/flatpak-xdg-utils/blob/main/src/xdg-open.c, and it should allow dbus-user.talk org.freedesktop.portal.Desktop.
Just install flatpak-xdg-utils and write a simple wrapper in /usr/local/bin/xdg-open:
#!/bin/sh
[ x"$container" != x"firejail" ] && exec /usr/bin/xdg-open $@
exec /usr/lib/flatpak-xdg-utils/xdg-open $@
The approach works. But $@ should be replaced by "${@}" to support filenames with whitespace.
Adding private-bin entries one by one may not be able to support all the file types that can be downloaded inside QQ.
I've noticed there are many issues about xdg-open in Firejail, and also someone using a wrapper to escape the sandbox. But it seems nobody is talking about xdg-desktop-portal. Is it possible for it to be a secure way to use xdg-open inside Firejail?
netblue30/firejail#3881 (comment)
This comment mentioned using the portal and gave code. I think it is similar to the xdg-open in flatpak-xdg-utils, or to calling xdg-open with the env DE=flatpak.
My apologies for misunderstanding that thread. So is it good practice?
Using xdg-desktop-portal is indeed good practice. But it's something that Firejail has no control over. It's up to the user to install the correct packages for the DE in use (KDE, GNOME, Sway, ...). The comment refers to yet another way to open hyperlinks with a private-bin that uses a custom C version of xdg-open.
But this is all moot when private-bin would indeed be difficult to support for all possible file types that can be downloaded inside QQ. It's better to leave that out and have a profile that will work for most use cases (if not all).
Hyperlinks still work well after deleting these lines:
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
include allow-bin-sh.inc
include disable-shell.inc
That's odd. In my testing so far I always need those lines. Do you have an electron.local or anything in globals.local that might explain this? I don't think it's any problem keeping those in regardless, as those lines make the sandbox tighter anyway.
The most common use cases:
- text/plain
- text/html
- inode/directory
Media files can be opened by QQ's built-in player, so there's no need to worry about them.
Or just don't use private-bin. I think that's okay too.
We might add support for input methods.