feature: add notpm command & keep tpm devices in private-dev #6390
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rusty-snake
reviewed
Jun 22, 2024
|
@rusty-snake Added a commit that adds |
|
After this is committed, we should also update the Wiki: https://github.com/netblue30/firejail/wiki/Comparison-of-firejail-and-systemd's-hardening-options |
glitsj16
reviewed
Jun 23, 2024
glitsj16
reviewed
Jun 23, 2024
glitsj16
reviewed
Jun 23, 2024
glitsj16
approved these changes
Jun 23, 2024
|
Amended and force-pushed with alphabetical ordering. |
|
There are some other missing changes:
See commit 760f50f ("landlock: move commands into profile and add |
kmk3
changed the title
qdii
force-pushed
the
master
branch
3 times, most recently
from
0a57213 to
6d50555
Compare
|
It looks like force-pushing is making other updates obsolete. |
kmk3
requested changes
Jun 29, 2024
There was a problem hiding this comment.
This PR already makes substantial changes by adding the new command; leave the
profile changes (other than the ones for default.profile and profile.template)
for after this PR to make reviewing easier.
In the parts of the code that are mostly alphabetically sorted (such as in the
man pages), it makes sense to put notpm before notv.
But in some parts of the code, for whatever reason the multimedia-related
options (nosound, noautopulse, no3d, notv, nodvd) are sorted
together, so for consistency put notpḿ before nou2f, as was suggested in
the previous review.
That is:
notv,nou2f->notpm,notv,nou2fnodvd,nou2f->nodvd,notpm,nou2f
Also, avoid sorting things in this PR (especially in the same commit).
After this PR I might try to make these parts more consistent.
OK, reverted the long list of profile changes. I stored it in another branch to propose later.
OK, I see.
This sentence confuses me, because I interpreted the two previous paragraphs as a ask to actually sort these options in a certain way. Or do you want to merge this PR, and do the sorting in a different one? I'm happy either way.
|
kmk3
force-pushed
the
master
branch
2 times, most recently
from
4da75ef to
1d80642
Compare
Sorry, I meant avoid sorting/moving existing lines while adding new lines at
In general it seems better to avoid refactoring in PRs that just add a new
I fixed the sorting, squashed the commits, edited the commit message and Let me know if there are any issues. |
kmk3
approved these changes
Jul 4, 2024
This was referenced Jul 4, 2024
An ssh private key may be stored in a Trusted Platform Module (TPM) device and `private-dev` in ssh.profile currently breaks this use-case, as it does not keep tpm devices (see netblue30#6379). So add a new `notpm` command and keep tpm devices in /dev by default with `private-dev` unless `notpm` is used.
kmk3
force-pushed
the
master
branch
2 times, most recently
from
6b97aad to
8bfc334
Compare
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Jul 9, 2024
This command is deprecated and may be confused for a hardening option. This amends commit 5a61202 ("rename noautopulse to keep-config-pulse", 2021-05-13) / PR netblue30#4278. This is a follow-up to netblue30#6390.
kmk3
added a commit
that referenced
this pull request
Jul 11, 2024
kmk3
added a commit
that referenced
this pull request
Jul 15, 2024
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 1, 2025
The `notpm` command will be deprecated. Relates to netblue30#6390.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 1, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 1, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 4, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 5, 2025
The `notpm` command will be deprecated. Relates to netblue30#6390.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 5, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 5, 2025
The `notpm` command will be deprecated. Relates to netblue30#6390.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 5, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 25, 2025
This group is apparently used by tpm2-tss for accessing TPM devices.
udev rules from tpm2-tss 4.1.3[1]:
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
Misc: This was noticed on netblue30#6700.
Relates to netblue30#6390.
[1] https://github.com/tpm2-software/tpm2-tss/blob/4.1.3/dist/tpm-udev.rules
kmk3
added a commit
that referenced
this pull request
Apr 26, 2025
This group is apparently used by tpm2-tss for accessing TPM devices.
udev rules from tpm2-tss 4.1.3[1]:
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
Misc: This was noticed on #6700.
Relates to #6390.
[1] https://github.com/tpm2-software/tpm2-tss/blob/4.1.3/dist/tpm-udev.rules
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 26, 2025
Treat them like `/dev/tpm[0-9]*` devices.
It seems that `/dev/tpm[0-9]*` allows direct access to the TPM device
while `/dev/tpmrm[0-9]*` mediates access through a "resource manager"
inside of the kernel (for example, to facilitate concurrent access).
Alternatively, it looks like the resource management can be done in
userspace through tpm2-abrmd, the "TPM2 Access Broker & Resource
Management Daemon", which also supports older kernels (Linux 3.x vs
4.12) [1] [2].
udev rules from tpm2-tss 4.1.3[3]:
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
This is a follow-up to netblue30#6718.
Misc: This was noticed on netblue30#6700.
Relates to netblue30#6390.
[1] https://github.com/tpm2-software/tpm2-abrmd
[2] tpm2-software/tpm2-tss-engine#149
[3] https://github.com/tpm2-software/tpm2-tss/blob/4.1.3/dist/tpm-udev.rules
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 29, 2025
Treat them like `/dev/tpm[0-9]*` devices.
It seems that `/dev/tpm[0-9]*` allows direct access to the TPM device
while `/dev/tpmrm[0-9]*` mediates access through a "resource manager"
inside of the kernel (for example, to facilitate concurrent access).
Alternatively, it looks like the resource management can be done in
userspace through tpm2-abrmd, the "TPM2 Access Broker & Resource
Management Daemon", which also supports older kernels (Linux 3.x vs
4.12) [1] [2] [3].
udev rules from tpm2-tss 4.1.3[4]:
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
This is a follow-up to netblue30#6718.
Misc: This was noticed on netblue30#6700.
Relates to netblue30#6390.
[1] https://github.com/tpm2-software/tpm2-abrmd
[2] tpm2-software/tpm2-abrmd#830
[3] tpm2-software/tpm2-tss-engine#149
[4] https://github.com/tpm2-software/tpm2-tss/blob/4.1.3/dist/tpm-udev.rules
kmk3
added a commit
that referenced
this pull request
Apr 29, 2025
Treat them like `/dev/tpm[0-9]*` devices.
It seems that `/dev/tpm[0-9]*` allows direct access to the TPM device
while `/dev/tpmrm[0-9]*` mediates access through a "resource manager"
inside of the kernel (for example, to facilitate concurrent access).
Alternatively, it looks like the resource management can be done in
userspace through tpm2-abrmd, the "TPM2 Access Broker & Resource
Management Daemon", which also supports older kernels (Linux 3.x vs
4.12) [1] [2] [3].
udev rules from tpm2-tss 4.1.3[4]:
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
This is a follow-up to #6718.
Misc: This was noticed on #6700.
Relates to #6390.
[1] https://github.com/tpm2-software/tpm2-abrmd
[2] tpm2-software/tpm2-abrmd#830
[3] tpm2-software/tpm2-tss-engine#149
[4] https://github.com/tpm2-software/tpm2-tss/blob/4.1.3/dist/tpm-udev.rules
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 29, 2025
Paths:
* `/dev/tcm[0-9]*`
* `/dev/tcmrm[0-9]*`
Apparently Trusted Cryptography Module (TCM) is a standard from China
that is an alternative to the TCG Trusted Compute Module (TPM)
standard[1].
udev rules from tpm2-tss master[2]:
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
KERNEL=="tcm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tcmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
This is a follow-up to netblue30#6719.
Relates to netblue30#6390.
Misc: This was noticed on netblue30#6700.
[1] tpm2-software/tpm2-tss#2905
[2] https://github.com/tpm2-software/tpm2-tss/blob/b2ab12f860598afb759ecef81bf662a70811557c/dist/tpm-udev.rules
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
An ssh private key may be stored in a Trusted Platform Module (TPM)
device and
private-devin ssh.profile currently breaks this use-case,as it does not keep tpm devices (see #6379).
So add a new
notpmcommand and keep tpm devices in /dev by defaultwith
private-devunlessnotpmis used.Tested locally with:
Fixes #6379.