error with private-tmp & /tmp as tmpfs #1590
Until we figure out what's going on, as root user open /etc/firejail/globals.local in a text editor and add "ignore private-tmp" to that file. This will disable private-tmp globally.
OK, thank you. This is a better temporary fix than patching all the *.profile files in /etc/firejail.
The file is included in all profiles, so it should do the job.
Not sure if it's the same bug, but my /tmp is a symlink, and firejail recently started failing with: The workaround above resolved the problem for me. Maybe also related to #744 about blacklisting a symlink?
I just updated to 0.9.52 (Debian testing) and when I comment out "ignore private-tmp" in globals.local, it fails to start firefox. If I run with --debug I get: In my case / is my SSD, and /tmp is a symlink to my HDD (ext4) which is mounted under /mnt/.
Does
Yes
jplien@argos:~$ ls -ld /tmp/.X11-unix/
@jplien Does the line
I did a grep and it is in some profiles but not in firefox or firefox-esr. I checked all of the files in this list: Found firefox-esr profile in /etc/firejail directory
@chiraag-nataraj, it seems @jplien is on to something. This is my debug log for commit f66ea88:
and in /tmp
I guess the socket file triggers the error in fs_whitelist.c:859.
@chiraag-nataraj
@chiraag-nataraj oops, you're right, it's tmpfs but it isn't mounted on /tmp. It's tmpfs on /tmp type tmpfs (rw,relatime). So I'm not going to do the same checks you asked jplien. Waiting for further instructions.
Can someone please run EDIT: Just realized it's already there:
Hmmm, my X11 socket is owned by my user, not root:
Mine is owned by root because root is my
So, several issues involving user detection on my system... |
Hmm, interesting. How did you install firejail? Compile from source? |
Yes, I built 2bea8f6 from git source. The build recipe essentially does
and adds /etc/firejail/globals.local, which reads:
Yes, disable-mnt is set in firefox-common.profile for me.
@jplien Try commenting out
@jplien Were you able to try commenting out
@chiraag-nataraj, yes, it is still an issue, and now there's an error message even if I add I compiled the latest commit 43cbc6d.
# mv /etc/firejail/globals.local{,-SUSPENDED}
# firejail --noprofile --private-tmp echo OK
Parent pid 10622, child pid 10623
The new log directory is /proc/10623/root/var/log
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 10622 cannot sync with peer: unexpected EOF
Peer 10623 unexpectedly exited with status 1
# firejail --noprofile echo OK
Parent pid 10698, child pid 10699
The new log directory is /proc/10699/root/var/log
Child process initialized in 32.89 ms
OK
Parent is shutting down, bye...
# uname -r
4.19.44
# firejail --version
firejail version 0.9.60~rc2
Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK'
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 10909, child pid 10910
The new log directory is /proc/10910/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 409: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Debug 226: skip whitelisting of /tmp/.X11-unix
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 10909 cannot sync with peer: unexpected EOF
Peer 10910 unexpectedly exited with status 1
# ls -ld /tmp/.X11-unix/
drwxrwxrwt 2 root root 60 May 22 12:19 /tmp/.X11-unix/
# cat /etc/firejail/globals.local-SUSPENDED
ignore private-tmp
# mv /etc/firejail/globals.local{-SUSPENDED,}
# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK'
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 11087, child pid 11091
The new log directory is /proc/11091/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 409: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Debug 226: skip whitelisting of /tmp/.X11-unix
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 11087 cannot sync with peer: unexpected EOF
Peer 11091 unexpectedly exited with status 1
Can I see the output of
@jplien @step- Whitelisting in symlinked top level directories (like /tmp in your case) is not allowed in most cases. #2041 should address this in the future, but we are not there yet.
This makes me think there is a symbolic link somewhere.
That's because of
@chiraag-nataraj Confusingly the mounting on firejail/src/firejail/fs_whitelist.c (lines 725 to 730 in 43cbc6d)
only to fail a little later with firejail/src/firejail/fs_whitelist.c (lines 993 to 994 in 43cbc6d)
Even without
# cat /etc/firejail/globals.local
ignore private-tmp
# firejail --private-tmp echo OK
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable server.profile **
Parent pid 19620, child pid 19621
The new log directory is /proc/19621/root/var/log
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 19620 cannot sync with peer: unexpected EOF
Peer 19621 unexpectedly exited with status 1
Ah right, there is a second reason. Profiles are parsed after the command line options. This means if you want to skip a command line option, the corresponding
Okay, so
I was still having problems with /tmp in firejail as of today. This thread spurred me to do something I'd been meaning to do for a long time: switch /tmp from a symlink to a bind mount. This seems to have resolved the issues I was having. I was able to remove ignore private-tmp from globals.local and it starts just fine now.
I'm not sure why you think that my /tmp is symlinked. This is what I have:
# ls -ld /tmp
drwxrwxrwt 16 root root 900 May 23 08:10 /tmp
# readlink -f /tmp
/tmp
@step- How about
# readlink -f /tmp/.X11-unix
/tmp/.X11-unix
Looking at the code in
Question: Is your
Yes, it is
# ls -ld /run
lrwxrwxrwx 1 root root 3 May 21 22:26 /run -> tmp
I think that's what's causing the issue...
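The "/run -> tmp" link above is easy to overlook when only /tmp itself is checked with ls and readlink. The POSIX shell script below is an added diagnostic written for this discussion, not firejail's own code and not posted by anyone in the thread: it walks every component of the two paths the debug log shows firejail touching during private-tmp setup (the /run/firejail/mnt staging directory and the whitelisted /tmp/.X11-unix) and reports the first component that is a symbolic link. So that it runs offline, it builds a throwaway directory tree mirroring the reported layout (a constructed sample with run -> tmp beside tmp/.X11-unix) and the same tree after un-symlinking run; on a live system you would call check_layout / instead. The names first_symlink, check_layout, make_fixture and make_fixed_fixture are mine, and the comment on why a hidden staging directory would match the ENOENT at fs_whitelist.c:994 is my reading of the log, not a statement by the maintainers.

```shell
#!/bin/sh
# Added diagnostic (not firejail code): find symlinked components in the
# paths firejail uses while setting up private-tmp. Per the debug log in
# this thread, firejail mounts a tmpfs on /tmp and then whitelists
# /tmp/.X11-unix into it; it also stages files under /run/firejail/mnt.
# One reading of the log (mine, not confirmed by the maintainers): with
# /run -> tmp, that staging directory really lives under /tmp, so the
# new tmpfs on /tmp hides it, which would match "No such file or
# directory" at fs_whitelist.c:994.

# first_symlink PATH
#   Prints "component -> target" for the first symlinked component of
#   PATH. Returns 0 when a symlink was found, 1 when none of the
#   components is a symlink. Missing components simply are not symlinks.
first_symlink() {
    _old_ifs=$IFS
    set -f                 # no globbing while the path is split
    IFS='/'
    set -- $1              # split the path on '/' into positional params
    IFS=$_old_ifs
    set +f
    _acc=""
    for _comp in "$@"; do
        [ -n "$_comp" ] || continue        # skip the empty leading field
        _acc="$_acc/$_comp"
        if [ -L "$_acc" ]; then
            printf '%s -> %s\n' "$_acc" "$(readlink "$_acc")"
            return 0
        fi
    done
    return 1
}

# check_layout ROOT
#   Checks the private-tmp related paths below ROOT (use "/" for a live
#   system). Human-readable verdicts go to stderr; the number of paths
#   that cross a symlink goes to stdout, so "0" means symlink-free.
check_layout() {
    _root=${1%/}           # tolerate a trailing slash, including ROOT="/"
    _bad=0
    for _rel in run/firejail/mnt tmp/.X11-unix; do
        if _hit=$(first_symlink "$_root/$_rel"); then
            echo "UNSAFE $_root/$_rel  ($_hit)" >&2
            _bad=$((_bad + 1))
        else
            echo "ok     $_root/$_rel" >&2
        fi
    done
    echo "$_bad"
}

# make_fixture
#   Builds a throwaway tree mimicking the layout reported in this thread
#   (constructed sample, not a real system): tmp/.X11-unix plus run -> tmp.
#   Prints the canonical root so only our own symlink can be detected.
make_fixture() {
    _fx=$(mktemp -d)
    _fx=$(cd "$_fx" && pwd -P)
    mkdir -p "$_fx/tmp/.X11-unix"
    ln -s tmp "$_fx/run"
    echo "$_fx"
}

# make_fixed_fixture
#   The same tree after replacing the run symlink with a real directory,
#   the remedy discussed in this thread.
make_fixed_fixture() {
    _fx=$(mktemp -d)
    _fx=$(cd "$_fx" && pwd -P)
    mkdir -p "$_fx/tmp/.X11-unix" "$_fx/run/firejail/mnt"
    echo "$_fx"
}

# Demo on the constructed layouts (a live check would be: check_layout /).
fx=$(make_fixture)
echo "symlinked layout: $(check_layout "$fx") path(s) cross a symlink"
rm -rf "$fx"
fx=$(make_fixed_fixture)
echo "un-symlinked layout: $(check_layout "$fx") path(s) cross a symlink"
rm -rf "$fx"
```

The component walk matters more than a single readlink -f on /tmp: in the layout above /tmp resolves to itself, so the usual check passes, while /run/firejail/mnt is the path that actually crosses the link.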
Also quoting the FHS
@chiraag-nataraj @smitsohu Thank you for providing an explanation of this issue, and for the FHS quote. Fatdog64 is designed as a non-sudo GNU Linux, so its view of security is different from the mainstream view, see Fatdog64 FAQ. I will ponder your recommendations and extend them to the Fatdog64 dev team for comments. Thank you again.
No problem! I'll go ahead and close this issue since it seems we (finally!) figured out what was going on. If you're still running into the problem after un-symlinking
My distro, Fatdog64, mounts /tmp on a tmpfs in RAM. It's the default setup OOTB. Firejail seems to not like it. Is there some way around it? Note that