profiles: split commands that increase/reduce access #6687
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kmk3
force-pushed
the
template-split-res-sections
branch
from
8e4c0ce to
21ec6f6
Compare
This should clarify which commands do what (increase/reduce access) and also make etc/templates/profile.template more consistent with etc/profile-m-z/noprofile.profile. This is a follow-up to netblue30#6660. See also the discussion at [1]. [1] netblue30#6660 (comment)
See etc/profile-m-z/noprofile.profile.
Command used to search for the relevant profiles:
git grep -El 'allow-debuggers|allusers|keep-|writable-' -- etc
kmk3
force-pushed
the
template-split-res-sections
branch
from
21ec6f6 to
fe64b62
Compare
|
Thoughts on merging this? |
|
Looks fine to me. |
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 1, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 1, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 4, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 5, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Apr 5, 2025
Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 0013202 ("feature: add notpm command & keep tpm devices in private-dev (netblue30#6390)", 2024-07-09). See also commit ee1c264 ("feature: block /dev/ntsync & add keep-dev-ntsync command (netblue30#6660)", 2025-03-06) and the discussion at PR netblue30#6660. This is a follow-up to netblue30#6687.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This should clarify which commands do what (increase/reduce access) and
also make etc/templates/profile.template more consistent with
etc/profile-m-z/noprofile.profile.
Command used to search for the relevant profiles:
This is a follow-up to #6660.
See also the discussion at [1].
[1] #6660 (comment)