From b035d312aa9999162896791534a6fd97bc9bbd12 Mon Sep 17 00:00:00 2001 From: Colin Date: Sat, 25 May 2024 10:21:17 +0000 Subject: [PATCH] firejail: purge --- hosts/common/net/dns.nix | 7 ++-- hosts/common/programs/default.nix | 1 - hosts/common/programs/firefox.nix | 2 +- hosts/common/programs/firejail.nix | 8 ---- hosts/common/programs/nicotine-plus.nix | 10 +---- hosts/common/programs/sanebox.nix | 1 - hosts/modules/gui/default.nix | 2 +- modules/programs/default.nix | 16 ++++---- modules/vpn.nix | 2 +- overlays/cross.nix | 24 +++++------ pkgs/additional/sanebox/default.nix | 4 +- pkgs/additional/sanebox/sanebox | 53 +------------------------ 12 files changed, 31 insertions(+), 99 deletions(-) delete mode 100644 hosts/common/programs/firejail.nix diff --git a/hosts/common/net/dns.nix b/hosts/common/net/dns.nix index 78297a4b..1e133505 100644 --- a/hosts/common/net/dns.nix +++ b/hosts/common/net/dns.nix @@ -1,7 +1,6 @@ # things to consider when changing these parameters: # - temporary VPN access (`sane-vpn up ...`) # - servo `ovpns` namespace (it *relies* on /etc/resolv.conf mentioning 127.0.0.53) -# - jails: `firejail --net=br-ovpnd-us --noprofile --dns=46.227.67.134 ping 1.1.1.1` # # components: # - /etc/nsswitch.conf: @@ -18,9 +17,9 @@ # - modern implementations hardcodes `127.0.0.53` and then systemd-resolved proxies everything (and caches). # # namespacing: -# - each namespace can use a different /etc/resolv.conf to specify different DNS servers (see `firejail --dns=...`) +# - each namespace may use a different /etc/resolv.conf to specify different DNS servers # - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers. -# - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether. +# - this is fixed by either removing `/var/run/nscd/socket` from the namespace, or disabling nscd altogether. { config, lib, ... }: lib.mkMerge [ { 
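Review bot: The nscd line in the `namespacing:` section of the dns.nix header now describes the mitigation abstractly (`removing /var/run/nscd/socket from the namespace`) where it previously named the concrete `firejail --blacklist` flag, so after this commit the comment no longer says which setting actually closes the DNS leak it describes. The point of that note is that a sandboxed program's lookups must not be proxied to the host's resolvers by the host nscd, so it is worth naming the enforcing mechanism, e.g. `# - this is fixed by either not bind-mounting /var/run/nscd/socket into the sandbox (check the sanebox backend's bind list), or disabling nscd altogether (services.nscd.enable = false).` I cannot tell from this diff which of the two this configuration relies on, so confirm before writing it down. The `lib.mkMerge` body that follows continues past the hunk.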
@@ -33,7 +32,7 @@ lib.mkMerge [ # instead, running the stub resolver on a known address in the root ns lets us rewrite packets # in servo's ovnps namespace to use the provider's DNS resolvers. # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?) - # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf. + # TODO: improve trust-dns recursive resolver and then remove this services.resolved.enable = true; #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`. # without DNSSEC: # - dig matrix.org => works diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix index 8c0e3877..58c50f2c 100644 --- a/hosts/common/programs/default.nix +++ b/hosts/common/programs/default.nix @@ -39,7 +39,6 @@ ./fcitx5.nix ./feedbackd.nix ./firefox.nix - ./firejail.nix ./flare-signal.nix ./fontconfig.nix ./fractal.nix diff --git a/hosts/common/programs/firefox.nix b/hosts/common/programs/firefox.nix index 47b83490..d8a6db9c 100644 --- a/hosts/common/programs/firefox.nix +++ b/hosts/common/programs/firefox.nix @@ -351,7 +351,7 @@ in # TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session. env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts"; - # alternative to PASSWORD_STORE_DIR, but firejail doesn't handle this symlink well + # alternative to PASSWORD_STORE_DIR: # fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts"; # flush the cache to disk to avoid it taking up too much tmp. diff --git a/hosts/common/programs/firejail.nix b/hosts/common/programs/firejail.nix deleted file mode 100644 index 3c74e825..00000000 --- a/hosts/common/programs/firejail.nix +++ /dev/null 
@@ -1,8 +0,0 @@ -{ lib, config, ... }: -{ - sane.programs.firejail = {}; - - programs.firejail = lib.mkIf config.sane.programs.firejail.enabled { - enable = true; #< install the suid binary - }; -} diff --git a/hosts/common/programs/nicotine-plus.nix b/hosts/common/programs/nicotine-plus.nix index e6d97dbb..c27d3914 100644 --- a/hosts/common/programs/nicotine-plus.nix +++ b/hosts/common/programs/nicotine-plus.nix @@ -2,15 +2,7 @@ { pkgs, ... }: { sane.programs.nicotine-plus = { - packageUnwrapped = pkgs.nicotine-plus.overrideAttrs (upstream: { - postInstall = (upstream.postInstall or "") + '' - # XXX: nixpkgs creates this symlink, seemingly just for convenience; - # third-party tools like `firejail` lack a profile for "nicotine-plus", and just for "nicotine" instead. - rm $out/bin/nicotine-plus - ''; - }); - - sandbox.method = "firejail"; + sandbox.method = "bwrap"; sandbox.whitelistWayland = true; sandbox.net = "vpn"; diff --git a/hosts/common/programs/sanebox.nix b/hosts/common/programs/sanebox.nix index 647fe395..b5af4a76 100644 --- a/hosts/common/programs/sanebox.nix +++ b/hosts/common/programs/sanebox.nix @@ -18,7 +18,6 @@ in sane.programs.sanebox = { packageUnwrapped = pkgs.sanebox.override { bubblewrap = cfg.bubblewrap.package; - firejail = cfg.firejail.package; landlock-sandboxer = pkgs.landlock-sandboxer.override { # not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version, # the sandboxer may nag about one or the other wanting to be updated. diff --git a/hosts/modules/gui/default.nix b/hosts/modules/gui/default.nix index fd8899d0..6ee4bbbc 100644 --- a/hosts/modules/gui/default.nix +++ b/hosts/modules/gui/default.nix 
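Review bot: `sandbox.net = "vpn"` is kept in nicotine-plus.nix while the backend switches from firejail to bwrap, but the VPN confinement previously came from the firejail backend's `--net=br-<dev>` veth (the `firejailIngestNetDev` this commit deletes from the sanebox script), and nothing in this hunk shows how the bwrap backend keeps the program's traffic on the tunnel. If that path is not wired up, soulseek traffic would leave via the host's default route while the config still claims a VPN sandbox. The commit does comment the program out in hosts/modules/gui/default.nix with a "make sure it's properly sandboxed" reminder, which is the right instinct; I would record the same caveat at the point of configuration so it is not re-enabled by accident: `sandbox.net = "vpn"; #< XXX: VPN-only routing under the bwrap backend is unverified; see hosts/modules/gui/default.nix`. The `sane.programs.nicotine-plus` attrset continues past the hunk.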
@@ -165,7 +165,7 @@ in # "monero-gui" # x86-only # "mumble" # "nheko" # Matrix chat client - # "nicotine-plus" # soulseek client. before re-enabling this, get it to run without firejail. + # "nicotine-plus" # soulseek client. before re-enabling this make sure it's properly sandboxed! # "obsidian" # "openscad" # 3d modeling # "rhythmbox" # local music player diff --git a/modules/programs/default.nix b/modules/programs/default.nix index 74b8e02a..b7f482c3 100644 --- a/modules/programs/default.nix +++ b/modules/programs/default.nix @@ -51,7 +51,7 @@ let "/etc" #< especially for /etc/profiles/per-user/$USER/bin "/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin) - "/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant. TODO: remove! + "/run/wrappers" #< SUID wrappers. TODO: remove! # /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv "/run/opengl-driver" "/run/opengl-driver-32" #< XXX: doesn't exist on aarch64? @@ -254,7 +254,7 @@ let ''; }; sandbox.method = mkOption { - type = types.nullOr (types.enum [ "bwrap" "capshonly" "firejail" "landlock" ]); + type = types.nullOr (types.enum [ "bwrap" "capshonly" "pastaonly" "landlock" ]); default = null; #< TODO: default to something non-null description = '' how/whether to sandbox all binaries in the package. @@ -394,10 +394,8 @@ let description = '' extra arguments to pass to the sandbox wrapper. example: [ - "--sanebox-firejail-arg" - "--whitelist=''${HOME}/.ssh" - "--sanebox-firejail-arg" - "--keep-dev-shm" + "--sanebox-dns" + "1.1.1.1" ] ''; }; 
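Review bot: `"/run/wrappers"` stays in the default sandbox path list in modules/programs/default.nix even though the only justification the old comment gave (so firejail could be re-entrant) is removed by this commit, so every sandboxed program keeps access to the host's SUID wrapper directory for no stated reason. SUID binaries are exactly what an escape from a sandboxed process wants to reach, so this entry should go now rather than stay on a TODO — or, if something still depends on it, the comment should say what: `"/run/wrappers" #< SUID wrappers. still needed by <program>; TODO: remove!`. I cannot tell from this hunk whether another program in the config runs a wrapper such as `sudo` from inside its sandbox, so check before dropping the line. The list this entry belongs to starts before the hunk.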
@@ -436,7 +434,11 @@ let ; suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [ "bubblewrap" "passt" - ] ++ lib.optionals (config.sandbox.method == "firejail") [ "firejail" ]; + ] ++ lib.optionals (config.sandbox.method == "pastaonly") [ + "passt" + ] ++ lib.optionals (config.sandbox.method == "capshonly") [ + "libcap_ng" + ]; # declare a fs dependency for each secret, but don't specify how to populate it yet. # can't populate it here because it varies per-user. # this gets the symlink into the sandbox, but not the actual secret. diff --git a/modules/vpn.nix b/modules/vpn.nix index 77f3af2e..e7373b41 100644 --- a/modules/vpn.nix +++ b/modules/vpn.nix @@ -207,7 +207,7 @@ let # linux will drop inbound packets if it thinks a reply to that packet wouldn't exit via the same interface (rpfilter). # wg-quick has a solution via `iptables -j CONNMARK`, and that does work for system-wide VPNs, - # but i couldn't get that to work for firejail/netns with SNAT, so set rpfilter to "loose". + # but i couldn't get that to work for netns with SNAT, so set rpfilter to "loose". networking.firewall.checkReversePath = "loose"; # networking.firewall.extraCommands = with pkgs; '' diff --git a/overlays/cross.nix b/overlays/cross.nix index 0065b471..e2dc1a06 100644 --- a/overlays/cross.nix +++ b/overlays/cross.nix 
@@ -574,18 +574,18 @@ in with final; { # }); # 2024/02/27: upstreaming is unblocked - firejail = prev.firejail.overrideAttrs (upstream: { - # firejail executes its build outputs to produce the default filter list. - # i think we *could* copy the default filters from pkgsBuildBuild, but that doesn't seem future proof - # for any (future) arch-specific filtering - postPatch = (upstream.postPatch or "") + (let - emulator = stdenv.hostPlatform.emulator buildPackages; - in lib.optionalString (!prev.stdenv.buildPlatform.canExecute prev.stdenv.hostPlatform) '' - substituteInPlace Makefile \ - --replace-fail ' src/fseccomp/fseccomp' ' ${emulator} src/fseccomp/fseccomp' \ - --replace-fail ' src/fsec-optimize/fsec-optimize' ' ${emulator} src/fsec-optimize/fsec-optimize' - ''); - }); + # firejail = prev.firejail.overrideAttrs (upstream: { + # # firejail executes its build outputs to produce the default filter list. + # # i think we *could* copy the default filters from pkgsBuildBuild, but that doesn't seem future proof + # # for any (future) arch-specific filtering + # postPatch = (upstream.postPatch or "") + (let + # emulator = stdenv.hostPlatform.emulator buildPackages; + # in lib.optionalString (!prev.stdenv.buildPlatform.canExecute prev.stdenv.hostPlatform) '' + # substituteInPlace Makefile \ + # --replace-fail ' src/fseccomp/fseccomp' ' ${emulator} src/fseccomp/fseccomp' \ + # --replace-fail ' src/fsec-optimize/fsec-optimize' ' ${emulator} src/fsec-optimize/fsec-optimize' + # ''); + # }); # flare-signal = prev.flare-signal.override { # # fixes "cargo:warning=aarch64-unknown-linux-gnu-gcc: error: unrecognized command-line option ‘-m64’" diff --git a/pkgs/additional/sanebox/default.nix b/pkgs/additional/sanebox/default.nix index 270ee756..d857f2f2 100644 --- a/pkgs/additional/sanebox/default.nix +++ b/pkgs/additional/sanebox/default.nix @@ -2,7 +2,6 @@ , bash , bubblewrap , passt -, firejail , landlock-sandboxer , libcap , substituteAll 
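Review bot: The firejail cross-compilation override in overlays/cross.nix is commented out rather than deleted, leaving a 13-line dead `overrideAttrs` body for a package this commit otherwise purges. Given the patch title and the fact that git history keeps the override if it is ever needed again, I would delete the block outright; a commented-out `substituteInPlace` on a Makefile is the kind of thing that gets uncommented later without the surrounding context. If the intent is to keep it as a template for other packages that execute their own build outputs, a one-line comment saying so (`# see git history for the firejail cross override; pattern: wrap build-time tools in ${emulator}`) preserves the idea without the dead code.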
@@ -23,7 +22,6 @@ stdenv.mkDerivation { runHook preBuild substitute $src sanebox \ --replace-fail '@bwrap@' '${lib.getExe bubblewrap}' \ - --replace-fail '@firejail@' '${lib.getExe' firejail "firejail"}' \ --replace-fail '@landlockSandboxer@' '${lib.getExe landlock-sandboxer}' \ --replace-fail '@capsh@' '${lib.getExe' libcap "capsh"}' \ --replace-fail '@pasta@' '${lib.getExe' passt "pasta"}' @@ -42,7 +40,7 @@ stdenv.mkDerivation { description = '' helper program to run some other program in a sandbox. factoring this out allows: - 1. to abstract over the particular sandbox implementation (bwrap, firejail, ...). + 1. to abstract over the particular sandbox implementation (bwrap, landlock, ...). 2. to modify sandbox settings without forcing a rebuild of the sandboxed package. ''; mainProgram = "sanebox"; diff --git a/pkgs/additional/sanebox/sanebox b/pkgs/additional/sanebox/sanebox index 1048fe4e..439eedba 100755 --- a/pkgs/additional/sanebox/sanebox +++ b/pkgs/additional/sanebox/sanebox @@ -2,7 +2,6 @@ ## BUILD-TIME SUBSTITUTIONS ### _FALLBACK: if `` isn't on PATH, then use this instead -FIREJAIL_FALLBACK='@firejail@' BWRAP_FALLBACK='@bwrap@' LANDLOCK_SANDBOXER_FALLBACK='@landlockSandboxer@' CAPSH_FALLBACK='@capsh@' @@ -59,7 +58,6 @@ cliArgs=() # - "landlock" # - "capshonly" # - "pastaonly" -# - "firejail" # - "none" method= # autodetect: set non-empty to add any path-like entities intended for the binary's CLI, into its sandbox. 
@@ -86,13 +84,12 @@ keepNamespace=() netDev= # IPv4 address of the default gateway associated with the bridged network device (usually that's just the VPN's IP addr) netGateway= -# list of IP addresses to use for DNS servers inside the sandbox (firejail only) +# list of IP addresses to use for DNS servers inside the sandbox (not supported by all backends) dns=() # list of `VAR=VALUE` environment variables to add to the sandboxed program's environment portalEnv=() # arguments to forward onto a specific backend (if that backend is active) -firejailFlags=() bwrapFlags=() usage() { @@ -113,7 +110,7 @@ usage() { echo ' invoke the program directly, instead of inside a sandbox' echo ' --sanebox-dry-run' echo ' show what would be `exec`uted but do not perform any action' - echo ' --sanebox-method ' + echo ' --sanebox-method ' echo ' use a specific sandboxer' echo ' --sanebox-autodetect ' echo ' add files which appear later as CLI arguments into the sandbox' @@ -123,7 +120,6 @@ usage() { echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files' echo ' --sanebox-no-portal' echo ' undo a previous `--sanebox-portal` arg' - echo ' --sanebox-firejail-arg ' echo ' --sanebox-bwrap-arg ' echo ' --sanebox-net-dev ' echo ' --sanebox-net-gateway ' @@ -508,11 +504,6 @@ parseArgs() { # override a previous --sanebox-portal call portalEnv=() ;; - (--sanebox-firejail-arg) - local fjFlag=$1 - shift - firejailFlags+=("$fjFlag") - ;; (--sanebox-bwrap-arg) local bwrapFlag=$1 shift 
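Review bot: The comment on `dns=()` now reads `(not supported by all backends)`, but with `firejailIngestDns` removed this hunk shows no backend that consumes the list, so a `--sanebox-dns` argument (still presented as the example in modules/programs/default.nix, and presumably still parsed) may be accepted and silently ignored. For a VPN sandbox that is a leak: the caller believes resolution is pinned to the tunnel's resolver while the program uses whatever the namespace inherits. Rather than documenting it as optional, make the unsupported case loud — for each backend whose `<method>IngestDns` is a no-op, replace the `debug` call with `echo "sanebox: --sanebox-dns is not supported by the $method backend" >&2; exit 1`, or at least a warning on stderr. I cannot see the bwrap/pasta or landlock ingest functions in this diff, so confirm which of them actually honour `dns` before adding the guard.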
@@ -568,45 +559,6 @@ parseArgs() { } -## FIREJAIL BACKEND - -firejailSetup() { - debug "firejailSetup: noop" -} -firejailIngestPath() { - # XXX: firejail flat-out refuses to whitelist certain root paths - # this exception list is non-exhaustive - case $1 in - (/bin | /etc) ;; - (*) - firejailFlags+=("--noblacklist=$1" "--whitelist=$1") - ;; - esac -} -firejailIngestNetDev() { - # XXX: to use a VPN tunnel named `vpn-xyz`, we keep around and link it to a bridge `br-vpn-xyz` externally. - # firejail can then spawn a veth from this bridge and namespace it that way. - firejailFlags+=("--net=br-$1") -} -firejailIngestNetGateway() { - debug "firejailIngestNetGateway: noop" -} -firejailIngestDns() { - firejailFlags+=("--dns=$1") -} -firejailIngestKeepNamespace() { - debug "firejailIngestKeepNamespace: noop" -} - -firejailGetCli() { - locate _firejail "firejail" "$FIREJAIL_FALLBACK" - cliArgs=( - "$_firejail" "${firejailFlags[@]}" -- - env "${portalEnv[@]}" "${cliArgs[@]}" - ) -} - - ## BUBBLEWRAP BACKEND bwrapUnshareCgroup=(--unshare-cgroup) @@ -952,7 +904,6 @@ maybeAutodetectPaths() { ### path sorting: if the app has access both to /FOO and /FOO/BAR, some backends get confused. # notably bwrap, --bind /FOO /FOO followed by --bind /FOO/BAR /FOO/BAR results in /FOO being accessible but /FOO/BAR *not*. # so reduce the paths to the minimal set which includes those requested. -# for more sophisticated (i.e. complex) backends like firejail, this may break subpaths which were blacklisted earlier. canonicalizePaths() { # remove '//' and simplify '.', '..' paths, into canonical absolute logical paths. local canonPaths=()