Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nowhitelist option does not disable whitelisting entirely #2882

Open
jose1711 opened this issue Jul 31, 2019 · 7 comments
Open

Nowhitelist option does not disable whitelisting entirely #2882

jose1711 opened this issue Jul 31, 2019 · 7 comments
Labels
bug Something isn't working

Comments

@jose1711
Copy link
Contributor

Say I have a profile shipped with firejail that enables whitelisting of $DOWNLOADS. Something like this:

# cat /etc/firejail/foo.profile
include foo.local
whitelist ${DOWNLOADS}

Let's assume we want to disable whitelisting so we create a foo.local file and add nowhitelist:

nowhitelist ${DOWNLOADS}

One would expect that whitelisting is effectively disabled but this is not true:

~ ls -l random_file                                                
-rw-r--r-- 1 jose users 7 Jul 31 22:41 random_file
~ firejail --profile=/etc/firejail/foo.profile ls -la ~/random_file      
Reading profile /etc/firejail/foo.profile
Reading profile /etc/firejail/foo.local
Parent pid 15790, child pid 15791
Child process initialized in 62.67 ms
ls: cannot access '/home/jose/random_file': No such file or directory

Parent is shutting down, bye...
@netblue30
Copy link
Owner

As soon as it runs into a whitelist statement, firejail will mount a temporary filesystem on top of your directory. It doesn't matter if you already unwhitelisted the file.

@jose1711
Copy link
Contributor Author

jose1711 commented Aug 1, 2019

Note that here whitelist and nowhitelist both mention the same directory. So my understanding of this would be:

  • firejail builds a list of files/directories to be whitelisted
  • ${DOWNLOADS} enters this list but is shortly removed from it by nowhitelist option
  • at the end there are no files/dirs to be whitelisted hence the mounting over tempfs does not occur

@rusty-snake
Copy link
Collaborator

@jose1711 Not looked in the code, but I think @netblue30 mean that firejail do the mount on top of $HOME (or what every) once it finds a whitelist and then check which files need to be bind-mounted.

Here firejail see a whitelist ${HOME}/something and mount a new empty fs on top of $HOME then it see it has do be bind-mount ${DOWNLOADS} but Uhh wait there was prevouisly a nowhitelist ${DOWNLOADS}. So it skip the bind-mount of DOWNLOADS and go ahead (to the next whitelist ~/some).

@rusty-snake
Copy link
Collaborator

How to proceed?

@blinux45 blinux45 mentioned this issue Sep 17, 2019
Closed
@rusty-snake
Copy link
Collaborator

If there is no whitelist ${HOME} after nowhitelist the whitelisting of ${HOME} should IMHO be disabled, because it will break disabling whitelist in .local files and force users to copy .profile or edit in etc.

@rusty-snake rusty-snake added the bug Something isn't working label Nov 10, 2019
@rusty-snake
Copy link
Collaborator

@smitsohu this get fixed once or new whitelist implementation gets merged, right?

@smitsohu
Copy link
Collaborator

@rusty-snake the alternative whitelist implementation would fix it, yes.

@rusty-snake rusty-snake mentioned this issue Jun 7, 2020
Closed
@rusty-snake rusty-snake mentioned this issue Mar 5, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jose1711 @netblue30 @smitsohu @rusty-snake