webstorm: program tries to run firejailed nodejs

[tredondo]

The Node scripts I run have no reason to access ~/.ssh, and the nodejs-common profile rightfully blacklists that directory.

WebStorm however, is permitted to access ~/.ssh (rightfully).

The problem arises when debugging Node scripts with WebStorm:

Warning: an existing sandbox was detected. /usr/bin/node will run without any additional sandboxing features

How could I blacklist additional directories from the Node script when it's launched by WebStorm?

[rusty-snake]

You can not start a new sandbox inside a sandbox (firejail always inherits). Therefore you need to start the node script in an unsandboxed context. You could run WebStorm unsandboxed (Personally I don't understand why IDE should we "sandboxed". The sandbox for IDEs is always (very) weak because they need to run/debug/compile/test/... any code.) or you use systemd-run to escape the sandbox (requires noblacklist ${PATH}/systemd-run ¹):

#!/bin/sh
systemd-run --user --quiet --no-block /usr/bin/firejail --profile=nodejs /usr/bin/nodejs "$@"

IDK how WebStorm works, maybe you can directly configure to use this command or you place it in $PATH somewhere before the regular/firecfg node.

¹ The blacklist ${PATH}/systemd-run is only a mitigation, communication to the raw D-Bus interface is possible as well if it is allowed.

[tredondo]

I don't understand why IDE should we "sandboxed"

I'd like to sandbox any application that could exfiltrate data. Could IDEs though bypass the sandbox through the allowed debugging features?

IDK how WebStorm works, maybe you can directly configure to use this command

Yes, WebStorm supports defining the Node interpreter. I've created /usr/local/bin/node-escape.sh with the systemd-run command you suggested:

I've added the noblacklist ${PATH}/systemd-run to ${CONFIG}/webstorm.local, but get this error when running node-escape.sh from WebStorm:

** (process:338): WARNING **: 13:45:25.989: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)

If I remove --quiet, the only extra output is

Running as unit: run-u777.service

[glitsj16]

** (process:338): WARNING **: 13:45:25.989: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)

I'm not an expert on D-Bus, but a quick look at d-feet shows that org.freedesktop.PolicyKit1 lives on the system bus. The nodejs-common.profile blocks access to that via dbus-system none. Have you tried overriding this in a nodejs-common.local file yet?

dbus-system filter
dbus-system.talk org.freedesktop.PolicyKit1
ignore dbus-system none

[rusty-snake]

Cannot determine user of subject

My guess is rather ignore noroot in webstorm.local.

[rusty-snake]

I don't understand why IDE should we "sandboxed"

I'd like to sandbox any application that could exfiltrate data. Could IDEs though bypass the sandbox through the allowed debugging features?

Out of the nature of IDEs they can not have a thight profile (by default), just looking at webstorm:

• no include whitelist-common.inc or read-only ${HOME} => escape
• no dbus-{user,system} (filter|none) => escape (as you do)
• no net none => escape
• ...

So the sandbox is only a weak mitigation (instead of a strong mitigation).
On the other hand there are some restrictions which bother me when developing:

• nonewprivs => no sudo
• include disable-programs.inc => no dotfiles
• include disable-common.inc => no shell history, podman, flatpak, ...