policies.json in Firefox flatpak
Categories
(Core :: Widget: Gtk, enhancement)
Tracking
()
People
(Reporter: theevilskeleton, Assigned: mkaply)
References
(Blocks 1 open bug)
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Expected results:
I'd like to request the feature to utilize policies.json's in the Firefox flatpak. I don't think this can be done in the flatpak yet.
|
||
Comment 1•3 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
|
||
Comment 2•3 years ago
|
||
Component was set for this enhancement in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one
|
Assignee | |
Comment 3•3 years ago
|
||
I'm honestly not even sure how this stuff works.
Can the Flatpak read anything outside of its directory?
Like etc or something like that?
|
Reporter | |
Comment 4•3 years ago
|
||
(In reply to Mike Kaply [:mkaply] from comment #3)
I'm honestly not even sure how this stuff works.
Can the Flatpak read anything outside of its directory?
Like etc or something like that?
The only directory it has direct access to is the Downloads directory.
|
|
Reporter | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 5•3 years ago
|
||
Martin: how does it get access to downloads?
Could we somehow provide access to etc/firefox/policies?
How do other Flatpaks handle enterprise policy?
|
||
Comment 6•3 years ago
|
||
Hi, that depends on flatpak build script, you can allow access to anywhere you want. So yes, access to /etc/firefox/* should be granted for reading by flatpak sandbox. This needs to be done on Mozilla flatpak build script. Mihai, I guess we need to add it to https://searchfox.org/mozilla-central/source/taskcluster/docker/firefox-flatpak/runme.sh right?
|
||
Comment 7•3 years ago
|
||
(In reply to Martin Stránský [:stransky] from comment #6)
Hi, that depends on flatpak build script, you can allow access to anywhere you want. So yes, access to /etc/firefox/* should be granted for reading by flatpak sandbox. This needs to be done on Mozilla flatpak build script. Mihai, I guess we need to add it to https://searchfox.org/mozilla-central/source/taskcluster/docker/firefox-flatpak/runme.sh right?
Apologies for delays in replying here.
Yes, it should be possible. IIRC we already grant a set of permissions at build generation time, such as pulseaudio, access to X11 or the network. If I read the docs right, we can extent that via the filesystem directive. Seems like we already do that for access a specific XDG folder in here. Sounds like adding --filesystem=/etc/firefox/policies might solve it if that's where the policies.json file ends up being.
|
|
Assignee | |
Comment 8•3 years ago
|
||
|
||
Updated•3 years ago
|
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/444f30000d44 Allow Flatpak to access sytem policies. r=mtabara
|
||
Comment 10•3 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 11•3 years ago
|
||
Comment in phabricator says this won't actually work. Reopening so we can verify that.
"Just a heads up – this is not going to work. There is --filesystem=host-etc but that exposes full /etc at /run/host/etc (and bumps flatpak version requirement), also Firefox would need to create a symlink from /run/host/etc/firefox to in-sandbox /etc/firefox."
|
||
Updated•3 years ago
|
|
||
Comment 12•3 years ago
|
||
It's easy to test:
> flatpak run --command=stat org.mozilla.firefox//beta /etc/firefox/policies
stat: cannot statx '/etc/firefox/policies': No such file or directory
> flatpak info -m org.mozilla.firefox//beta | grep /policies
filesystems=xdg-download;/etc/firefox/policies;
To expand on my comment from Phabricator, /app/bin/firefox is already a shell script. After adding --filesystem=host-etc to build-finish, it would be enough to add ln -s /run/host/etc/firefox /etc/firefox there.
|
||
Comment 13•3 years ago
|
||
Adding --filesystem=host-etc would introduce sandbox hole and I don't think exposing whole /etc in order to access one file is rational. You may look at what chromium flatpak did: https://github.com/flathub/org.chromium.Chromium#orgchromiumchromiumpolicy however this is complicated and not exactly what users may expect.
|
|
||
Comment 14•3 years ago
|
||
Which is why I mention host-etc. It's what users expect.
|
|
||
Comment 15•3 years ago
|
||
Yes but it was considered as even worse solution.
|
|
||
Comment 16•3 years ago
|
||
Sorry, considered by who exactly? It's exactly what it's for, to expose files from /etc. There is nothing philosophical about it.
|
|
||
Comment 17•3 years ago
|
||
By people from Endless os who made chromium flatpak. Making an effort to provide flatpak friendly solutions in apps would look like waste of time if disabling sandbox is accepted without second thoughts. Some consistency would be appreciated.
I'm not touching any philosophy whatever it means here. My point was written above so let me repeat it: I don't think exposing whole /etc in order to access one file is rational.
|
|
Reporter | |
Comment 18•3 years ago
|
||
(In reply to Emerson Bernier from comment #13)
Adding --filesystem=host-etc would introduce sandbox hole and I don't think exposing whole /etc in order to access one file is rational. [...]
I'm not a security expert and this might be off-topic, but how so? Writing in /etc requires root access, and no Flatpak bundle comes with a program that can potentially give root access inside the sandbox.
[📦 org.mozilla.firefox ~]$ su
bash: su: command not found
[📦 org.mozilla.firefox ~]$ sudo
bash: sudo: command not found
|
|
||
Comment 19•3 years ago
|
||
I didn't write it gives you straightforward root access (in such case that option would be nonsense). I said it exposes whole /etc so app can read all system configs and some of them may be sensitive.
|
|
||
Comment 20•3 years ago
|
||
Side issue is that host-etc exist only since flatpak 1.8 so it won't help for users of non-recent distros unless the get latest flatpak frpom somewhere.
|
||
Comment 21•3 years ago
|
||
Would there be any opposition to assigning --filesystem=/etc/firefox/ to the default Flatpak permissions? You can define the exact system directories that you want to be able to access from the sandbox, without having to rely on a special parameter, or accessing the entirety of /etc.
|
|
Assignee | |
Comment 22•3 years ago
|
||
Per comment 11 (https://bugzilla.mozilla.org/show_bug.cgi?id=1682462#c11) that won't work.
we already add /etc/firefox/policies to the flatpak permissions:
https://searchfox.org/mozilla-central/source/taskcluster/docker/firefox-flatpak/runme.sh#150
But it doesn't give us the access (as far as I know)
|
|
||
Comment 23•3 years ago
|
||
I looked into it and I now see that yes, etc-host is required because /etc is blacklisted otherwise.
|
|
||
Comment 24•3 years ago
|
||
(In reply to Mike Kaply [:mkaply] from comment #22)
Per comment 11 (https://bugzilla.mozilla.org/show_bug.cgi?id=1682462#c11) that won't work.
we already add /etc/firefox/policies to the flatpak permissions:
https://searchfox.org/mozilla-central/source/taskcluster/docker/firefox-flatpak/runme.sh#150
But it doesn't give us the access (as far as I know)
I recommend to revert commit which added /etc/firefox/policies in flatpak permissions. It has no purpose and confuses people.
|
|
Reporter | |
Comment 25•3 years ago
|
||
(In reply to Emerson Bernier from comment #24)
(In reply to Mike Kaply [:mkaply] from comment #22)
Per comment 11 (https://bugzilla.mozilla.org/show_bug.cgi?id=1682462#c11) that won't work.
we already add /etc/firefox/policies to the flatpak permissions:
https://searchfox.org/mozilla-central/source/taskcluster/docker/firefox-flatpak/runme.sh#150
But it doesn't give us the access (as far as I know)
I recommend to revert commit which added /etc/firefox/policies in flatpak permissions. It has no purpose and confuses people.
I second this.
|
|
Assignee | |
Comment 26•3 years ago
|
||
|
||
Comment 27•3 years ago
|
||
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/d67394aeba45 Revert policy access change that doesn't work. r=mtabara DONTBUILD
|
|
||
Updated•3 years ago
|
|
|
||
Comment 28•3 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 29•3 years ago
|
||
So does anyone have any thoughts as to the right way to do this?
|
|
Assignee | |
Comment 30•3 years ago
|
||
Chrome has a specific entry point for policies
https://github.com/flathub/org.chromium.Chromium/blob/master/org.chromium.Chromium.yaml#L51
|
||
Comment 31•2 years ago
|
||
Hi folks, I helped with the original Flatpak for Firefox and happy to help here too in terms of the Flatpak parts. I think @mkaply is heading in the right direction with an extension point; Flatpak apps tend towards not using system-wide configuration. Instead by defining an extension point, the the administrator / OS can arrange for system-wide policies to be placed in "unmanaged extensions" (ie folders which get treated as extensions) in /var/lib/flatpak or symlink back to the host's /etc paths etc - so it's more flexible for the Flatpak to bring these system files via extensions.
The problem is that, if I understand correctly, Firefox can only read one policies.json file, and the Flatpak already provides one in order to prevent Firefox from attempting to auto-update (and giving the user prompts they cannot do anything about) and disabling the default browser check. So we need to figure that out before worrying about how we get the policies.json file into the sandbox, in a place that Firefox will read.
Is there any way to achieve the same policies inside Firefox as code (ie detecting the Flatpak environment - which can be as easy as checking for the existence of /.flatpak-info) to vary these behaviours, and then we would "free" the policies.json to be provided through an extension point. Or, alternatively (which is how Chromium works I think, so the extension behaviour for Flatpak is simpler) is there any provision for Firefox to read and merge multiple policy files so we could have a stack of the Flatpak policies, those from the system, those from other extensions, etc?
|
|
Assignee | |
Comment 32•2 years ago
|
||
IF we removed the policies.json in the Flatpak, could the Flatpak access an external system point to get the policies?
|
|
||
Comment 33•2 years ago
|
||
Yes, we might need to patch in (or influence at runtime - environment variable?) a Flatpak-specific path that would be an extension point under /app which the admin can use to feed in a policies.json from outside. We could potentially also emulate with a small script which merged the Flatpak policy settings into the external file and produced a merged policies.json at runtime, but it would be cleaner if the updater/default check worked as intended when running under a Flatpak.
|
||
Comment 34•2 years ago
|
||
Any update on this? I was really sad to see that the original changes didn't work and we still don't have an option to configure this like we can with distro provided Firefox, or Snap.
|
|
Assignee | |
Comment 35•2 years ago
|
||
Unfortunately I don't know enough about how to get this working in Flatpak. I'm surprised it's not as easy to add an external access point as it is with the Snap...
|
|
||
Comment 36•11 months ago
|
||
This was fixed by https://phabricator.services.mozilla.com/D168803
Duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1814897
|
||
Updated•11 months ago
|
Description
•