firejail just went crazy (rant)

[githlp]

i have suffered enough now for several month..

first, a lot of applications do not work anymore in their regular scheme they are supposed to work - you cannot download to specific directories anymore, you cannot open downloaded files with standard file manager anymore, you cannot access standard config files for several programs anymore etc.. etc.. etc..

At least the provided config files destroy/prohibit every useful and WANTED operation every firejailed program needs to work properly.

So i really wondered what might be the use case of those extreme restrictions and over that, standard users are not capable of reconfigure all these tight restrictions of their own.

Why not leave programs the rights they need for their usual work and restrict every side-step or unnecessary internet/filesystem access and fine we are.. PROs that know where to screw around could tighten restrictions anyway the way they like, no problem..

As i discovered today (probably after another profile update) that even my standard browsers cannot access the internet anymore (but on cli or called with /usr/bin/firefox there is no problem) i will uninstall firejail and leave my system as it WORKED before, no pain as with every update of these firejail profiles..

It's really a pity - i thought this project would be a good approach to strengthen the security on my system, i did not expect it to prohibit every normal usage ..

Thanx for all the fish

[kmk3]

Hello, this seems more like a discussion topic than an actionable issue, so I'm
converting it into a discussion.

[kmk3]

@githlp on Sep 27:

i have suffered enough now for several month..

first, a lot of applications do not work anymore in their regular scheme they
are supposed to work - you cannot download to specific directories anymore,
you cannot open downloaded files with standard file manager anymore, you
cannot access standard config files for several programs anymore etc.. etc..
etc..

At least the provided config files destroy/prohibit every useful and WANTED
operation every firejailed program needs to work properly.

So i really wondered what might be the use case of those extreme restrictions
and over that, standard users are not capable of reconfigure all these tight
restrictions of their own.

Why not leave programs the rights they need for their usual work and restrict
every side-step or unnecessary internet/filesystem access and fine we are..
PROs that know where to screw around could tighten restrictions anyway the
way they like, no problem..

As i discovered today (probably after another profile update) that even my
standard browsers cannot access the internet anymore (but on cli or called
with /usr/bin/firefox there is no problem)

What profiles/programs would those be?

By "after another profile update", it sounds like the updates are happening
more frequently than not.

How are these updates being done?

Are you using firejail-git or updating profiles manually by any chance?

you cannot download to specific directories anymore

you cannot access standard config files for several programs anymore

standard browsers cannot access the internet anymore

By "anymore", do you mean that these issues happen compared to not using
firejail at all or that they started happening in more recent firejail
versions?

Either way, those sound like bugs; please consider reporting each one at:

• https://github.com/netblue30/firejail/issues/new?assignees=&labels=&template=bug_report.md&title=

I'd be especially interested in the "you cannot access standard config files"
one, as it sounds like a bug that is both rather bad and also easy to
reproduce and fix.

i will uninstall firejail and leave my system as it WORKED before, no pain as
with every update of these firejail profiles..

It's really a pity - i thought this project would be a good approach to
strengthen the security on my system, i did not expect it to prohibit every
normal usage ..

Thanx for all the fish

Sorry to see you go; we'll be here if you change your mind.

---

Kind of relates to #2097.

[rusty-snake]

you cannot open downloaded files with standard file manager anymore,

If you want to be able to run all programs in the sandbox, you need to give it permission for everything => effectively unsandboxed.

At least the provided config files

Which release had you installed? Every release have a lot of improvements and fixes so using a older release can negatively affect UX.

destroy/prohibit every useful and WANTED operation every firejailed program needs to work properly.

Generally we want to find a compromises of security on the one hand and peoples workflow. Like you attack surface of the program (browser vs. xeyes), are the required permissions sandbox-safe or unsafe, how common is a specific workflow, is this workflow common for less technical users or experts, ...

Why not leave programs the rights they need for their usual work and restrict every side-step or unnecessary internet/filesystem access and fine we are.

1. What if these rights allow full-sandbox escape but are only needed for the winking emoji in the about menu (extrem example but you get what I mean).
2. What are necessary filesystem accesses?

   • Linux does not have an API to know if it happens because of user interaction.

   • To quote Dan Walsh (https://danwalsh.livejournal.com/72697.html):

     File system access. Users expect firefox to be able to upload and download files anywhere they want on the desktop. If I was czar of the OS, I could state that upload files must go into ~/Upload and Download files go into ~/Download, but then users would want to upload photos from ~/Photos. Or to create their own random directories. Blocking access to any particular directory including .ssh would be difficult, since someone probably has a web based ssh session or some other tool that can use ssh public key to authenticate.

     Even accessing private keys in .ssh or .gnupg is necessary filesystem access. That's who desktop Linux security model is today.