Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: Cannot whitelist home folders correctly #2059

Closed
t4777sd opened this issue Jul 24, 2018 · 2 comments
Closed

Bug: Cannot whitelist home folders correctly #2059

t4777sd opened this issue Jul 24, 2018 · 2 comments
Labels
information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required

Comments

@t4777sd
Copy link

t4777sd commented Jul 24, 2018

It appears there is some error prevention logic that prevents whitelisting home folders when run as root

sudo firejail --noprofile --whitelist=/home/user ls

Outputs error and says invalid whitelist path

Strangely, so does the following even though it IS the root home folder:

sudo firejail --noprofile --whitelist=/root ls

This command will succeed even though it is NOT the root home folder and does not even exist:

sudo firejail --noprofile --whitelist=/home/root ls

This command will also fail even though it explictly sets the homefolder of root to another:

sudo (
export HOME="/home/user"
firejail --noprofile --whitelist=/home/user ls
)

  • the last one was put in a bash script and the script called with sudo to guarantee that HOME exports correctly

None of these cases should really be failing. If there is some strange error correction going on, then the last one where the HOME is set should work.
@chiraag-nataraj
Copy link
Collaborator

Looking at the docs (man firejail), it says the following about --whitelist:

       --whitelist=dirname_or_filename
              Whitelist  directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded
              inside. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed. The  top  di‐
              rectory could be user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp.

              Symbolic link handling: with the exception of user home, both the link and the real file should be in the same top directory. For
              user home, both the link and the real file should be owned by the user.

              Example:
              $ firejail --noprofile --whitelist=~/.mozilla
              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
              $ firejail "--whitelist=/home/username/My Virtual Machines"

@chiraag-nataraj chiraag-nataraj added the information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required label Jul 24, 2018
@chiraag-nataraj
Copy link
Collaborator

I'm going to close this as discussion should probably move over to #2041.

@t4777sd t4777sd mentioned this issue Jul 24, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@t4777sd @chiraag-nataraj