On Fri, May 20, 2016 at 11:57:32AM +0000, ban...@openmailbox.org wrote:
> While firecfg handles symlinks well and per package hacks to create symlinks
> are no longer necessary, it still needs a way to make it seamless and
> automatically protect users. There is already precedent in Debian for
> automatic protection should a security application be installed:
> 
> "Please automatically enable AppArmor when the userspace tools are
> installed"
> https://bugs.debian.org/702030
> 
> The only clean way to implement this is a dpkg trigger. Run firecfg - if
> some option is set in a .d config filder - each time something is installed
> to /usr/bin/, /sbin or perhaps best even / (therefore running it every time
> during apt-get). Otherwise there will always be inconsistencies about
> whether an installed firejail, and profile, and a "to be contained" binary
> is installed at the same time will result in using firejail. A state where
> sometimes things work for some users but not for all is quite horrible.

Hm, the problem with this approach is that packages are not allowed to
modify /usr/local(/bin) on their own, so firecfg can't be called by a
dpkg trigger.

Placing the symlinks somewhere else (like /usr/lib/firejail/) with dpkg
triggers would work, but the user would have to amend PATH (as currently
only /usr/local/bin comes before the other binary paths), though this
would be a one-time configuration.

> Manually running firecfg also does not work for software that has profiles
> but where the package gets installed by the user after firejail was
> installed. I speculate for reasons of cleanness, it does not be create
> symlinks for binaries that are not yet installed in preparation that it may
> one day be installed.

I think another reason is that firecfg can't know where the binary will
eventually be installed (/sbin, /usr/bin, /usr/games, ...).

Attachment: signature.asc
Description: Digital signature

Reply via email to