
error with private-tmp & /tmp as tmpfs #1590

Closed
step- opened this issue Oct 5, 2017 · 42 comments
Labels: bug, information_old (Deprecated; use "doc-todo" or "needinfo" instead)


step- (Author) commented Oct 5, 2017

My distro, Fatdog64, mounts /tmp on a tmpfs in RAM. It's the default setup OOTB. Firejail seems to not like it. Is there some way around it? Note that

# firejail --noprofile --private-tmp echo OK
Parent pid 25719, child pid 25720
The new log directory is /proc/25720/root/var/log
Error mount tmpfs: fs_whitelist.c:774 fs_whitelist: No such file or directory
Error: proc 25719 cannot sync with peer: unexpected EOF
Peer 25720 unexpectedly exited with status 1

# firejail --noprofile echo OK
Parent pid 25730, child pid 25731
The new log directory is /proc/25731/root/var/log
Child process initialized in 34.86 ms
OK

Parent is shutting down, bye...

# mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
# 

System info

# uname -r
4.12.13

# firejail --version  # compiled github commit 2017.10.05 3884057 x86_64
firejail version 0.9.51

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

# cat /proc/filesystems
nodev	sysfs
nodev	rootfs
nodev	tmpfs
nodev	bdev
nodev	proc
nodev	cpuset
nodev	cgroup
nodev	cgroup2
nodev	devtmpfs
nodev	binfmt_misc
nodev	debugfs
nodev	securityfs
nodev	sockfs
nodev	dax
nodev	bpf
nodev	pipefs
nodev	ramfs
nodev	rpc_pipefs
nodev	devpts
	ext3
	ext2
	ext4
	squashfs
	minix
	vfat
	msdos
	iso9660
nodev	nfs
nodev	nfs4
nodev	nfsd
nodev	cifs
	ntfs
	fuseblk
nodev	fuse
nodev	fusectl
	udf
	xfs
	f2fs
nodev	pstore
nodev	aufs
nodev	mqueue
	btrfs
# 
netblue30 added the "bug" label on Oct 6, 2017
netblue30 (Owner) commented

Until we figure out what's going on, as root user open /etc/firejail/globals.local in a text editor and add "ignore private-tmp" to that file. This will disable private-tmp globally.

step- (Author) commented Oct 6, 2017

OK, thank you. This is a better temporary fix than patching all the *.profile files in /etc/firejail.

netblue30 (Owner) commented

The file is included in all profiles, so it should do the job.

jplien commented Oct 12, 2017

Not sure if it's the same bug, but my /tmp is a symlink, and firejail recently started failing with:
Error: invalid whitelist path /tmp/.X11-unix

The workaround above resolved the problem for me. Maybe also related to #744 about blacklisting a symlink?

chiraag-nataraj (Collaborator) commented

Hmm, is this bug still valid? I actually do the same thing the OP does (mount /tmp as a tmpfs), but my firejail works fine with private-tmp. @step- and @jplien, is this still an issue?

jplien commented Jan 9, 2018

I just updated to 0.9.52 (Debian testing) and when I comment out "ignore private-tmp" globals.local, it fails to start firefox.

If I run with --debug I get:
Error: invalid whitelist path /tmp/.X11-unix

In my case / is my SSD, and /tmp is a symlink to my HDD (ext4) which is mounted under /mnt/.

chiraag-nataraj (Collaborator) commented

Does /tmp/.X11-unix exist?

jplien commented Jan 9, 2018

Yes

jplien@argos:~$ ls -ld /tmp/.X11-unix/
drwxrwxrwt 2 root root 4096 Jan 8 21:11 /tmp/.X11-unix/

Fred-Barclay (Collaborator) commented

@jplien Does the line disable-mnt exist in globals.local or your firefox profile?

jplien commented Jan 9, 2018

I did a grep and it is in some profiles but not in firefox or firefox-esr. I checked all of the files in this list:

Found firefox-esr profile in /etc/firejail directory
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc

step- (Author) commented Jan 9, 2018

@chiraag-nataraj , it seems @jplien is on to something. This is my debug log for commit f66ea88:

# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK' 
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 20675, child pid 20676
The new log directory is /proc/20676/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 393: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Error mount tmpfs: fs_whitelist.c:859 fs_whitelist: No such file or directory
Error: proc 20675 cannot sync with peer: unexpected EOF
Peer 20676 unexpectedly exited with status 1

and in /tmp

# find /tmp/.X11-unix -ls
  1022    0 drwxrwxrwt   2 root     root           60 Jan  9 18:33 /tmp/.X11-unix
  1023    0 srwxrwxrwx   1 root     root            0 Jan  9 18:33 /tmp/.X11-unix/X0
# file /tmp/.X11-unix/X0
/tmp/.X11-unix/X0: socket

I guess the socket file triggers the error in fs_whitelist.c:859.

chiraag-nataraj (Collaborator) commented

@step- Nah, the socket shouldn't trigger that error. I have the same socket and everything works fine. Is your /tmp also symlinked to somewhere in /mnt?

@jplien Do you happen to have disable-mnt enabled in /etc/firejail/firejail.config?

step- (Author) commented Jul 16, 2018

@chiraag-nataraj
Yes, my /tmp is mounted on /mnt.
My distro, Fatdog64, mounts /tmp as a tmpfs in RAM. It's the default setup OOTB.

chiraag-nataraj (Collaborator) commented Jul 16, 2018

@step- Mine's also a tmpfs (Debian), but that doesn't really imply it's mounted in /mnt... Anyway, can you do the same checks we asked @jplien to do? So either disable-mnt in the profile file(s) or disable-mnt in firejail.config? Meanwhile, I'll download Fatdog64 and give it a whirl.

step- (Author) commented Jul 16, 2018

@chiraag-nataraj oops, you're right, it's tmpfs but it isn't mounted on /mnt. It's tmpfs on /tmp type tmpfs (rw,relatime). So I'm not going to do the same checks you asked jplien to do. Waiting for further instructions.

smitsohu (Collaborator) commented Jul 16, 2018

Can someone please run firejail --private-tmp --debug-whitelists?

EDIT: Just realized it's already there:

Debug 393: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Error mount tmpfs: fs_whitelist.c:859 fs_whitelist: No such file or directory

step- (Author) commented Jul 16, 2018

@smitsohu

# firejail --noprofile --private-tmp --debug-whitelists
Parent pid 22130, child pid 22131
The new log directory is /proc/22131/root/var/log
Debug 449: new_name #/tmp/.X11-unix#, whitelist
real path /tmp/.X11-unix
Mounting tmpfs on /tmp directory
Error mount tmpfs: fs_whitelist.c:966 fs_whitelist: No such file or directory
Error: proc 22130 cannot sync with peer: unexpected EOF
Peer 22131 unexpectedly exited with status 1

chiraag-nataraj (Collaborator) commented

Hmmm, my X11 socket is owned by my user, not root:

$ find /tmp/.X11-unix/ -ls
     9961      0 drwxrwxrwt   2 root     root           60 Jul 22 10:57 /tmp/.X11-unix/
    19735      0 srwxrwxrwx   1 chiraag  chiraag         0 Jul 22 10:57 /tmp/.X11-unix/X0

step- (Author) commented Jul 22, 2018

# find /tmp/.X11-unix/ -ls
  1105    0 drwxrwxrwt   2 root     root           60 Jul 22 21:03 /tmp/.X11-unix/
  1106    0 srwxrwxrwx   1 root     root            0 Jul 22 21:03 /tmp/.X11-unix/X0

Mine is owned by root because root is my $USER and real identity. Fatdog64 is a sudo-less GNU/Linux multi-user system, but the default user is root and everyone is encouraged to run as root.
There exists a regular user named 'spot', which I use to run browsers and other network programs. I tried running firejail as user spot without success. The terminal transcript follows.

# run-as-spot firejail --noprofile --private-tmp echo OK
Error: the user is not allowed to use Firejail. Please add the user in /etc/firejail/firejail.users file, either by running "sudo firecfg", or by editing the file directly.
See "man firejail-users" for more details.
# firecfg
Removing all firejail symlinks:

Configuring symlinks in /usr/local/bin based on firecfg.config
   Xephyr created
   cherrytree created
   cvlc created
   dnsmasq created
8< --- snip snip --- 8<
   vlc created
   wget created
   xpra created
Error: cannot detect login user in order to set desktop files in ~/.local/share/applications
# man firejail-users
# cat /etc/firejail/firejail.users
cat: /etc/firejail/firejail.users: No such file or directory
# echo spot > /etc/firejail/firejail.users
# su spot
spot$  firejail --noprofile --private-tmp echo OK
Error: the user is not allowed to use Firejail. Please add the user in /etc/firejail/firejail.users file, either by running "sudo firecfg", or by editing the file directly.
See "man firejail-users" for more details.
spot$ cat /etc/firejail/firejail.users
spot
spot$ 

So, several issues involving user detection on my system...

chiraag-nataraj (Collaborator) commented

Hmm, interesting. How did you install firejail? Compile from source?

step- (Author) commented Jul 22, 2018

Yes, I built 2bea8f6 from git source. The build recipe essentially does

./configure --prefix=/usr --libdir=/usr/lib64 &&
	make &&
	make install-strip

and adds /etc/firejail/globals.local, which reads:

# private-tmp directive doesn't work for Fatdog64
# https://github.com/netblue30/firejail/issues/1590
ignore private-tmp

jplien commented Jul 24, 2018

Yes disable-mnt is set in firefox-common.profile for me.

chiraag-nataraj (Collaborator) commented

@jplien Try commenting out disable-mnt and your issue should be resolved (hopefully).

chiraag-nataraj (Collaborator) commented

@jplien Were you able to try commenting out disable-mnt?

chiraag-nataraj (Collaborator) commented

Is this still an issue for @step- and/or @jplien?

step- (Author) commented May 22, 2019

@chiraag-nataraj, yes, it is still an issue, and now there's an error message even if I add ignore private-tmp to /etc/firejail/globals.local.

I compiled the latest commit 43cbc6d.

# mv /etc/firejail/globals.local{,-SUSPENDED}

# firejail --noprofile --private-tmp echo OK
Parent pid 10622, child pid 10623
The new log directory is /proc/10623/root/var/log
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 10622 cannot sync with peer: unexpected EOF
Peer 10623 unexpectedly exited with status 1

# firejail --noprofile echo OK
Parent pid 10698, child pid 10699
The new log directory is /proc/10699/root/var/log
Child process initialized in 32.89 ms
OK

Parent is shutting down, bye...

# uname -r
4.19.44

# firejail --version
firejail version 0.9.60~rc2

Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK' 
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 10909, child pid 10910
The new log directory is /proc/10910/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 409: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Debug 226: skip whitelisting of /tmp/.X11-unix
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 10909 cannot sync with peer: unexpected EOF
Peer 10910 unexpectedly exited with status 1

# ls -ld /tmp/.X11-unix/
drwxrwxrwt 2 root root 60 May 22 12:19 /tmp/.X11-unix/

# cat /etc/firejail/globals.local-SUSPENDED
ignore private-tmp

# mv /etc/firejail/globals.local{-SUSPENDED,} 

# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK' 
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 11087, child pid 11091
The new log directory is /proc/11091/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 409: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Debug 226: skip whitelisting of /tmp/.X11-unix
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 11087 cannot sync with peer: unexpected EOF
Peer 11091 unexpectedly exited with status 1

chiraag-nataraj (Collaborator) commented

Can I see the output of findmnt?

smitsohu (Collaborator) commented May 22, 2019

@jplien @step- Whitelisting in symlinked top level directories (like /tmp in your case) is not allowed in most cases. #2041 should address this in the future, but we are not there yet.

@step-

Debug 226: skip whitelisting of /tmp/.X11-unix

This makes me think there is a symbolic link somewhere.

and now there's an error message even if I add ignore private-tmp to /etc/firejail/globals.local.

That's because of --noprofile

@chiraag-nataraj Confusingly, the mounting on /run/firejail/mnt/orig-tmp apparently first succeeds here

// /tmp mountpoint
if (tmp_dir) {
	// keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR
	mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0);
	if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
		errExit("mount bind");

only to fail a little later with No such file or directory

if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
	errExit("mount tmpfs");

step- (Author) commented May 22, 2019

@chiraag-nataraj

Can I see the output of findmnt?

# findmnt 
TARGET                       SOURCE                  FSTYPE   OPTIONS
/                            aufs                    aufs     rw,relatime,si=f17293007f47e3d0
├─/proc                      proc                    proc     rw,relatime
├─/sys                       sysfs                   sysfs    rw,relatime
│ ├─/sys/fs/cgroup           cgroup                  cgroup   rw,relatime,cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,net_prio,pids
│ └─/sys/fs/fuse/connections fusectl                 fusectl  rw,relatime
├─/dev                       devtmpfs                devtmpfs rw,relatime,size=8202780k,nr_inodes=2050695,mode=755
│ ├─/dev/pts                 devpts                  devpts   rw,relatime,gid=3,mode=620,ptmxmode=000
│ └─/dev/shm                 tmpfs                   tmpfs    rw,relatime,mode=777
├─/aufs/pup_init             tmpfs                   tmpfs    ro,relatime,mode=755
├─/aufs/kernel-modules       /dev/loop0              squashfs ro,relatime
├─/aufs/devbase              /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
├─/aufs/pup_ro               /dev/loop1              squashfs ro,relatime
├─/aufs/devsave              /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
├─/aufs/pup_save             /dev/sdb2[/os-fd64-803/fd64save]
│                                                    ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
├─/aufs/pup_rw               tmpfs                   tmpfs    rw,relatime,mode=755,gid=500
├─/tmp                       tmpfs                   tmpfs    rw,relatime
├─/mnt/sdb2                  /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
│ └─/mnt/sdb2                /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
├─/aufs/pup_ro10             /dev/loop10             squashfs ro,relatime
├─/aufs/pup_ro11             /dev/loop11             squashfs ro,relatime
├─/aufs/pup_ro12             /dev/loop12             squashfs ro,relatime
├─/aufs/pup_ro13             /dev/loop13             squashfs ro,relatime
├─/mnt/FDOG                  /dev/sdg1               ext4     rw,relatime
├─/mnt/LxData                /dev/sdg1[/lxdata]      ext4     rw,relatime
├─/mnt/S                     /dev/sdg1[/s]           ext4     rw,relatime
├─/aufs/pup_ro14             /dev/loop14             squashfs ro,relatime
├─/aufs/pup_ro15             /dev/loop15             squashfs ro,relatime
├─/aufs/pup_ro16             /dev/loop16             squashfs ro,relatime
├─/aufs/pup_ro17             /dev/loop17             squashfs ro,relatime
└─/aufs/pup_ro18             /dev/loop18             squashfs ro,relatime

step- (Author) commented May 22, 2019

@smitsohu

@step-

and now there's an error message even if I add ignore private-tmp to /etc/firejail/globals.local.

That's because of --noprofile

Even without --noprofile

# cat /etc/firejail/globals.local 
ignore private-tmp

# firejail --private-tmp echo OK
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable server.profile **

Parent pid 19620, child pid 19621
The new log directory is /proc/19621/root/var/log
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 19620 cannot sync with peer: unexpected EOF
Peer 19621 unexpectedly exited with status 1

smitsohu (Collaborator) commented

Even without --noprofile

Ah right, there is a second reason. Profiles are parsed after the command line options. This means if you want to skip a command line option, the corresponding --ignore= must be present on the command line.

chiraag-nataraj (Collaborator) commented

(quoting step-'s findmnt output above)

Okay, so /tmp isn't a symlink. If /tmp/.X11-unix isn't a symbolic link either, I'm very confused. Just to confirm, can you do an ls -lh /tmp/.X11-unix and report back with the output?

jplien commented May 23, 2019

I was still having problems with /tmp in firejail as of today. This thread spurred me to do something I'd been meaning to do for a long time: switch /tmp from a symlink to a bind mount. This seems to have resolved the issues I was having. I was able to remove ignore private-tmp from globals.local and it starts just fine now.

step- (Author) commented May 23, 2019

@smitsohu

@jplien @step- Whitelisting in symlinked top level directories (like /tmp in your case) is not allowed in most cases. #2041 should address this in the future, but we are not there yet.

I'm not sure why you think that my /tmp is symlinked. This is what I have:

# ls -ld /tmp
drwxrwxrwt 16 root root 900 May 23 08:10 /tmp
# readlink -f /tmp
/tmp

chiraag-nataraj (Collaborator) commented

@step- How about readlink -f /tmp/.X11-unix?

step- (Author) commented May 23, 2019

@step- How about readlink -f /tmp/.X11-unix?

# readlink -f /tmp/.X11-unix
/tmp/.X11-unix

chiraag-nataraj (Collaborator) commented

I'm not sure why you think that my /tmp is symlinked. This is what I have:

Looking at the code in fs_whitelist.c, the "skip whitelisting of " lines come about when either:

  1. The mount point doesn't exist.
  2. The mount point is a symbolic link.

Question: Is your /run/ directory a symlink to anywhere?

step- (Author) commented May 23, 2019

Yes, it is

# ls -ld /run
lrwxrwxrwx 1 root root 3 May 21 22:26 /run -> tmp

chiraag-nataraj (Collaborator) commented

I think that's what's causing the issue... firejail stores the original stuff in /run/firejail/<blah>, and... well... it can't really do that in your case. You should mount it as a separate tmpfs (not symlink it) and you should be fine.

smitsohu (Collaborator) commented

Also quoting the FHS

/run should not be writable for unprivileged users; it is a major security problem if any user can write in this directory.
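
The two host-layout checks the collaborators converge on above (a symbolic link in the path firejail whitelists or stages its mounts under, and a /run that unprivileged users can write to), as an added shell script. It is not part of firejail and was not posted by anyone in this thread. It goes a little beyond the /run -> tmp case by walking every component of the two paths rather than only the top-level directory, so it would also catch a symlinked /tmp/.X11-unix or /run/firejail. The function names, the ROOT prefix and the output format are my own assumptions, not firejail's.

```shell
#!/bin/sh
# Added example for firejail issue #1590; not part of the firejail project
# and not code posted by any participant. It checks the host-layout
# conditions the thread converged on:
#   1. a symbolic link anywhere in the components of /tmp/.X11-unix or
#      /run/firejail/mnt (the whitelist target and the directory firejail
#      stages its bind mounts under; a symlinked component is what produces
#      "skip whitelisting of ..." and the later mount failure);
#   2. /run being writable by unprivileged users, which the FHS forbids and
#      which a /run -> tmp link causes (/tmp is 1777 by design).
# ROOT is an optional prefix so the checks can run against a constructed
# tree; "/" or an empty ROOT audits the live system. Names are mine.

# Print "<path> -> <target>" for the first symlinked component of path $2
# below root $1 and return 0; return 1 when no component is a symlink.
first_symlink_component() {
    fsc_cur=${1%/}
    fsc_old_ifs=$IFS
    IFS=/
    for fsc_comp in ${2#/}; do
        fsc_cur=$fsc_cur/$fsc_comp
        if [ -L "$fsc_cur" ]; then
            IFS=$fsc_old_ifs
            printf '%s -> %s\n' "$fsc_cur" "$(readlink "$fsc_cur")"
            return 0
        fi
    done
    IFS=$fsc_old_ifs
    return 1
}

# Return 0 when the symlink-resolved path is writable by "other" (world).
# stat -L follows the link, so /run -> tmp is judged by /tmp's mode.
other_writable() {
    ow_mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( (ow_mode % 10) & 2 )) -ne 0 ]
}

# Audit one tree. Prints one line per finding and returns the number of
# findings; 0 means the layout is what firejail --private-tmp expects.
audit_tree() {
    at_root=${1%/}
    at_n=0
    for at_path in /tmp/.X11-unix /run/firejail/mnt; do
        if first_symlink_component "$at_root" "$at_path"; then
            at_n=$(( at_n + 1 ))
        fi
    done
    if [ ! -d "$at_root/run" ]; then
        printf 'missing: %s/run does not exist\n' "$at_root"
        at_n=$(( at_n + 1 ))
    elif other_writable "$at_root/run"; then
        printf 'insecure: %s/run is writable by unprivileged users\n' "$at_root"
        at_n=$(( at_n + 1 ))
    fi
    return $at_n
}

# Usage: sh check-private-tmp.sh /    (audit the live system as any user)
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

On a Fatdog64-style layout this reports two findings, "/run -> tmp" and "/run is writable by unprivileged users", which is the state the thread ends on; an empty report is the layout firejail's private-tmp expects. It does not cover the second problem smitsohu raised: a profile-side `ignore private-tmp` cannot cancel a `--private-tmp` given on the command line, because profiles are parsed afterwards, so that case needs `--ignore=private-tmp` on the command line itself.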

chiraag-nataraj added the "information_old" label on May 24, 2019
step- (Author) commented May 24, 2019

@chiraag-nataraj @smitsohu Thank you for providing an explanation of this issue, and for the FHS quote. Fatdog64 is designed as a non-sudo GNU Linux, so its view of security is different from the mainstream view, see Fatdog64 FAQ. I will ponder your recommendations and extend them to the Fatdog64 dev team for comments. Thank you again.

chiraag-nataraj (Collaborator) commented

No problem! I'll go ahead and close this issue since it seems we (finally!) figured out what was going on. If you're still running into the problem after un-symlinking /run, please feel free to re-open and we'll do some further debugging :)
