Add a profile for keenwrite.bin

[Rosika2]

Hi all, 👋

as I needed an uncomplicated markdown editor with live preview I got hold of keenwrite.
It can be found here: https://gitlab.com/DaveJarvis/KeenWrite .

I just had to download keenwrite.bin, which seems to be a standalone executable, then:

chmod +x keenwrite.bin. So running the command ./keenwrite.bin from the respective directory would run it.

It works well this way but of course I´d like to run it within a private firejail sandbox.
So I wrote a tiny script for it:

batcat script_for_keenwrite.sh
───────┬────────────────────────────────────────────────────────────────────────
      │ File: script_for_keenwrite.sh
───────┼────────────────────────────────────────────────────────────────────────
  1   │ #!/bin/bash
  2   │ 
  3   │ cd /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/D
      │ okumente/Ergänzungen_zu_Programmen/zu_keenwrite/
  4   │ dir=$(pwd)
  5   │ firejail --private=$dir ./keenwrite.bin

It works as desired but as firejail doesn´t provide a dedicated profile for it, the default profile is used.
I wanted to change that to improve sandboxing. 😊

So I copied the contents of default.profile to /home/rosika/.config/firejail/keenwrite.bin.profile and then changed the values to be as permissive as
necessary and to be as restrictive as possible.
I came up with this:

# Firejail profile for keenwrite.bin
# This file is overwritten after every install/update
# Persistent local customizations
include default.local
# Persistent global definitions
include globals.local

# generic GUI profile
# depending on your usage, you can enable some of the commands below:

include disable-common.inc
include disable-devel.inc
# include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
# include disable-shell.inc
# include disable-write-mnt.inc
# include disable-xdg.inc

include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# apparmor
caps.drop all
ipc-namespace
machine-id
net none
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

# disable-mnt
# private
# private-bin program
private-cache
private-dev
# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
private-etc alternatives,fonts,machine-id
# private-lib
private-opt none
private-tmp

dbus-user none
dbus-system none

# memory-deny-write-execute
# read-only ${HOME}

What do you think of it? Is it good enough? Can it be improved somehow?

Thanks a lot for your help in advance.

Many greetings from Rosika 🙂

[glitsj16]

include default.local

Probably you don't need a keenwrite.bin.local, but including default.local without its parent default.profile could trip things up (if you have such a file).

How about disabling Wayland (blacklist ${RUNUSER}/wayland-*) or X11 (blacklist /tmp/.X11-unix)?

If your system has /usr/libexec, try to add it:
blacklist /usr/libexec

include disable-passwdmgr.inc

Do you actually still have that on your system? It got dropped and AFAICT isn't in 0.9.72...

Check if you can add these:
include disable-proc.inc
include whitelist-run-common.inc

net none

If you can use that (which is fine) netfilter is useless. Same for protocol unix,inet,inet6. Use protocol unix instead.

Check if you can add:
noprinters
seccomp.block-secondary
private-bin keenwrite.bin

[Rosika2]

@glitsj16 :

Thanks so much for your suggestions. ❤️
I´ll try them and report back.

Cheers from Rosika 🙂

[rusty-snake]

ignore noexe ${HOME}
include disable-exec.in

[Rosika2]

@rusty-snake 👋

Thanks a lot.

ignore noexe ${HOME}

I´m not quite sure, shouldn´t it be

ignore noexec ${HOME} :question:

Many greetings from Rosika

[rusty-snake]

Yes

[Rosika2]

@rusty-snake :

Thanks for the confirmation.

ignore noexec ${HOME} and include disable-exec.inc
prove to be good.

The programme starts perfectly.

Thank you so much. ❤️
Many greetings from Rosika 🙂

[Rosika2]

@glitsj16

Probably you don't need a keenwrite.bin.local, but including default.local without its parent default.profile could trip things up (if you have such a file).

What do you mean by "without its parent default.profile"?
There is default.profle in etc/firejail.

[glitsj16]

So I copied the contents of default.profile to /home/rosika/.config/firejail/keenwrite.bin.profile

default.local = child of default.profile / default.profile = parent of default.local

If this was a PR for a new profile we would request changing include default.local to include keenwrite.bin.local. Sure /etc/firejail/default.profile (the parent) exists, but you don't use it any longer in the context of keenwrite.bin.

[Rosika2]

@glitsj16 :

I see. Thanks for the explanation.

we would request changing include default.local to include keenwrite.bin.local

O.K. I´ll try that.

Many greetings from Rosika 🙂

[Rosika2]

include disable-proc.inc won´t let keenwrite start:

Error: cannot access profile file: disable-proc.inc

... neither does include whitelist-run-common.inc.

So I didn´t include those entries.

[Rosika2]

noprinters won´t let keenwrite start:

Error: line 50 in /home/rosika/.config/firejail/keenwrite.bin.profile is invalid # lone 50 is noprinters

seccomp.block-secondary works alright.

private-bin keenwrite.bin won´t let keenwrite run:

So this is what it looks like now:

# Firejail profile for keenwrite.bin
# This file is overwritten after every install/update
# Persistent local customizations
# include default.local
# Persistent global definitions
include globals.local

# generic GUI profile
# depending on your usage, you can enable some of the commands below:

ignore noexec ${HOME}

blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
# include disable-shell.inc
# include disable-write-mnt.inc
# include disable-xdg.inc

include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# apparmor
caps.drop all
ipc-namespace
machine-id
net none
# netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none
tracelog
seccomp.block-secondary

# disable-mnt
# private
# private-bin program
private-cache
private-dev
# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
private-etc alternatives,fonts,machine-id
# private-lib
private-opt none
private-tmp

dbus-user none
dbus-system none

# memory-deny-write-execute
# read-only ${HOME}

[glitsj16]

include disable-passwdmgr.inc

include disable-proc.inc won´t let keenwrite start:
Error: cannot access profile file: disable-proc.inc

noprinters won´t let keenwrite start:
Error: line 50 in /home/rosika/.config/firejail/keenwrite.bin.profile is invalid

Smells like you're using an outdated Firejail.

[Rosika2]

@glitsj16 :

Smells like you're using an outdated Firejail.

That might be. 😐

My system is Linux Lite 6.2 .

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Linux Lite 6.2
Release:	22.04
Codename:	jammy

So it´s using the official Ubuntu repositories, I guess.

firejail version 0.9.66

Cheers from Rosika 🙂

[glitsj16]

firejail version 0.9.66

Better upgrade as soon as possible:

firejail/README.md

Lines 89 to 128 in 84ade11

	### Ubuntu
	For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly
	advised** to use the
	[PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
	How to add and install from the PPA:
	```sh
	sudo add-apt-repository ppa:deki/firejail
	sudo apt-get update
	sudo apt-get install firejail firejail-profiles
	```
	Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to
	CVE-2021-26910 for months after a patch for it was posted on Launchpad:
	* [CVE-2021-26910](https://github.com/advisories/GHSA-2q4h-h5jp-942w)
	* [firejail version in Ubuntu 20.04 LTS is vulnerable to
	CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
	See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>:
	> What software is supported by the Ubuntu Security team?
	>
	> Ubuntu is currently divided into four components: main, restricted, universe
	> and multiverse. All binary packages in main and restricted are supported by
	> the Ubuntu Security team for the life of an Ubuntu release, while binary
	> packages in universe and multiverse are supported by the Ubuntu community.
	Additionally, the PPA version is likely to be more recent and to contain more
	profile fixes.
	See the following discussions for details:
	* [Should I keep using the version of firejail available in my distro
	repos?](https://github.com/netblue30/firejail/discussions/4666)
	* [How to install the latest version on Ubuntu and
	derivatives](https://github.com/netblue30/firejail/discussions/4663)

Once you're on the latest stable release you should be able to use include disable-proc.inc and noprinters.

[Rosika2]

@glitsj16 :

I did what you recommended, but it was no good for me. 😦

Now I got firejail version 0.9.72-2 but firetools didn´t work with firejail´s new version any longer.
So I upgraded firtools, too. It was version 0.9.72-1 now and I cound start it again, which was nice in the beginning.

But the new version of firetools is awful. It changed my personal layout and anything I created.
I don´t like it. 😞

So I reverted firejail and firetools to the previous version.
Firejail is 0.9.66-2 again but it works with the older version of firetools the way I set it up.

BTW:

• CVE-2021-26910
• firejail version in Ubuntu 20.04 LTS is vulnerable to
  CVE-2021-26910

I looked up the links you kindly provided.
They seem to refer to an even earlier version of firejail:

Firejail before 0.9.64.4 allows attackers to bypass [...]

But I´m back to firejail 0.9.66-2, like I said.
So I might still not be affected by the above mentioned bug ❓ 🤔

Many thanks and many greetings from Rosika 🙂

[rusty-snake]

0.9.70:

security: CVE-2022-31214 - root escalation in --join logic
Reported by Matthias Gerstner, working exploit code was provided to our
development team. In the same time frame, the problem was independently
reported by Birk Blechschmidt. Full working exploit code was also provided.

[glitsj16]

But the new version of firetools is awful. It changed my personal layout and anything I created.
I don´t like it.

Try moving your prior configuration out of the way and check the firetools issue tracker. Especially #71 might prove informational. Feel free to report your observations there.

[Rosika2]

Hi again, 👋

Thanks all for your replies.

@rusty-snake :

I looked at https://seclists.org/oss-sec/2022/q2/188 and it says:

the following report describes a local root exploit vulnerability in
Firejail [1] version 0.9.68 (and likely various older versions)

O.K., you'were right from the beginning. I´ll have to install the latest firejail version then. 😊
Thanks.

@glitsj16 :

Thanks for the links.

We are moving to a text-based configuration. Create a file ~/.config/firetools/uiapps where you list all your additional applications, based on the model from /usr/lib/firetools/uiapps or in the man page.

I didn´t know that.
O.K., defining some personal firejail commands can still be done. Great.
I´ll look into it.

Many thanks to both of you and many greetings from Rosika 🙂

[Rosika2]

Hi all, 👋

O.K. Success after all. 👍

I added firejail´s PPA and upgraded firejail, firejail-profiles and firetools to the latest version:
all are on 0.9.72 now.

It took me some time to edit /usr/lib/firetools/uiapps (commented out some apps) and to create ~/.config/firetools/uiapps to get my old ones back. But in the end it worked out fine. 😉

E.g.:

firefox;Mozilla Firefox;:resources/firefox;firejail --private=/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2 firefox

for getting my old firefox config back, firefox running in a dedicated provate directory.

BTW:

I found out that in /usr/lib/firetools/uiapps the entry for falkon seems to be not quite correct.
It´s written "falcon" instead of "falkon" (with a "k").
I changed it and now it´s running just fine:

falkon;Falkon Web Browser;falkon;firejail --private --dns=1.1.1.1 --dns=9.9.9.9 falkon -no-remote

Now I can get back to editing keenwrite.bin.profile.
I´ll report back in due course.

In the meantime: thanks a lot for your help. ❤️

Many greetings from Rosika

[glitsj16]

Congrats, that's a much more secure setup you have now!

BTW:
I found out that in /usr/lib/firetools/uiapps the entry for falkon seems to be not quite correct.
It´s written "falcon" instead of "falkon" (with a "k").

Would be apprciated if you report this at https://github.com/netblue30/firetools/issues.

UPDATE
I took the liberty to report this here.

[Rosika2]

@glitsj16 :

Hi again. 👋

Thanks for reporting the issue on my behalf.
I would´ve done it it , of course, as well. You beat me to it. 😉

I´m glad I´ve done the upgrade to the new version.
Haven´t had the time yet to modify my keenwrite.bin.profile but will do so in due course and report back.

Thanks a lot for your help.

Many greetings from Rosika 🙂

[Rosika2]

Hi all, 👋

I´ve updated keenwrite.bin.profile and it looks like this now:

# Firejail profile for keenwrite.bin
# This file is overwritten after every install/update
# Persistent local customizations
# include default.local
# Persistent global definitions
include globals.local

# generic GUI profile
# depending on your usage, you can enable some of the commands below:

ignore noexec ${HOME}

blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# include disable-passwdmgr.inc
include disable-programs.inc
# include disable-shell.inc
# include disable-write-mnt.inc
# include disable-xdg.inc
include disable-proc.inc
include whitelist-run-common.inc
 
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# apparmor
caps.drop all
ipc-namespace
machine-id
net none
# netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
noprinters
notv
nou2f
novideo
protocol unix
seccomp
shell none
tracelog
seccomp.block-secondary

# disable-mnt
# private
# private-bin program
private-cache
private-dev
# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
private-etc alternatives,fonts,machine-id
# private-lib
private-opt none
private-tmp

dbus-user none
dbus-system none

# memory-deny-write-execute
# read-only ${HOME}

I had to comment out include disable-passwdmgr.inc though. Otherwise the programme wouldn´t start.
It looks pretty good now, I guess. 😉

Thank you very much @glitsj16 and @rusty-snake for your help. It´s highly appreciated. 👍

Many greetings from Rosika 🙂

[glitsj16]

Yeah, looks as tight as you can get it given the specific limitations.

I had to comment out include disable-passwdmgr.inc though. Otherwise the programme wouldn´t start.

That include file no longer exists in 0.9.72. Firejail will refuse to start in situations like this, regardless of the program you're trying to run.

[Rosika2]

Yeah, looks as tight as you can get it given the specific limitations.

Thanks for the confirmation. ❤️

include disable-passwdmgr.inc no longer exists in 0.9.72

Good to know. That´s the explanation then.

Thank you very much for helping me. I´m always amazed at the quality of support you provide.

Have a nice day and many greetings from Rosika 🙂

[Rosika2]

Thank you very much @glitsj16 and @rusty-snake for your help. It´s highly appreciated. 👍

Sorry for the typo. It should be a thumbs-up, of course.
I just corrected it.