whitelist/blacklist nesting + private-bin #2969
Comments
This is because whitelisting in /bin is unsupported currently. Quoting the man page:
Your other observation is interesting:
That doesn't work, indeed. It's probably because we mount /bin with a
I think you should keep "nosuid", especially since you can also work with capabilities. Strictly speaking "ping" only needs "cap_net_raw", and no suid bit or full root rights. This is practiced under Debian, for example, so that "ping" can be used entirely with user rights. Due to the potential danger, suid binaries should be consistently defused or eliminated.
Thank you for the responses. First, using /home, a "supported directory": TEST #1 TEST #2 In the two examples above, the whitelisting of /home/topdir/subdir is ignored by firejail. TEST #3 whitelist /home/myuser/firejail TEST #4
More info: https://github.com/netblue30/firejail/wiki/Creating-Profiles#common-mistakes
Nope, but
Thank you very much rusty-snake: This is different from the customary meaning and for this reason counterintuitive. I had read the man page, but it did not register. Old habits die hard, and may I suggest adding a clarification to the man page. I don't think I will be the only one to be confused by this. Regarding the ping issue, uncommenting
You are not the only one; there are several issues like this. If you write or customize profiles then IMHO this is the biggest barrier at the moment.
I had overlooked this, sorry. As @smitsohu says, /bin is mounted
@FOSSONLY I understand where you are coming from, but as Firejail in general allows running suid programs, and a user can choose freely among all the options, there is probably not much to gain from a On a per-sandbox basis, we actually don't need With that said, a nosuid mounted /bin (/usr/bin and so on) looks to me more like a bug than a feature.
Just FYI, I managed to work around this, though my interest was in a "/extra" partition that contained several documents, and I wanted to make sure that when I opened one of them, libreoffice or zathura or whatever I used could not even see any of the others. Here's what I did. It's a bit kludgey, and the root step has to be repeated every boot after logging in, but it seems to work.
Viewing the files is done by a script that
There's also some cleanup involved, which I have not yet looked at (the file stays there forever, visible to later sessions, though because of the hard link it is not taking up extra space). I am new(-ish) to firejail, at least for anything more than the defaults, so it would be nice if someone could comment on this. Basically I got around the limits of
@sitaramc Yes, it is perfectly fine to work around the whitelist limitation with bind-mounting. I only wonder if you could just bind-mount the entire /extra to a place where whitelisting is possible, avoiding the linking step. And don't forget to also blacklist the original /extra directory in order to not expose your data there.
You can bind mount from fstab. IDK if RUNUSER already exists when the mounts are performed, but you can use a systemd-unit if not.
On Tue, Nov 12, 2019 at 05:49:20AM -0800, smitsohu wrote:
> Yes, it is perfectly fine to work around the limitation with bind-mounting. I only wonder if you could just bind-mount the entire /extra to a place where whitelisting is possible, avoiding the linking step.
I'll have to try that; thanks
> And don't forget to also blacklist the original /extra directory in order to not expose your data there.
oh yes I forgot to mention that I'd already done this (long ago), forgetting that I might occasionally need to access those old files.
I'm closing here due to inactivity, please feel free to reopen if you have more questions.
This issue is somewhat similar to:
#2882
I cannot figure out the whitelist/blacklist priorities within firejail.
If I set:
```
whitelist /bin/bash
noblacklist /bin/bash
blacklist /bin
```
I get: `Error invalid whitelist path /bin/bash`
No matter how I order my whitelists/blacklist, I do not seem to be able to whitelist a subdirectory or a single file within a blacklisted directory.
On a slightly different try, if I set:
```
private-bin bash,ls,cat,ping,iptables
```
When I run `ping w.x.y.z`, I get
```
ping: socket: Operation not permitted
```
With `ls -l /bin` I get
```
-rwxr-xr-x-r l root 0 68976 ping
```
The suid for ping is set to 'x' and not to 's'
Not sure how to remedy that once inside firejail.
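As an added check, not code from the firejail project or from anyone in this thread: a small POSIX shell helper that takes a private-bin style list like the one in this report and says, for each binary, whether it depends on the setuid bit (which a nosuid-mounted /bin silently drops, the cause of the `ping: socket: Operation not permitted` symptom) or carries file capabilities such as the `cap_net_raw` FOSSONLY mentions (which survive nosuid). It assumes `getcap` from libcap is installed; the first argument stands in for /bin so it can be pointed at a test directory.

```shell
#!/bin/sh
# Added example (not firejail's own code). Classify each binary in a
# comma-separated private-bin list found under DIR as setuid / not setuid,
# and list any file capabilities attached to it.
#
# Usage: suid_report DIR name1,name2,...
suid_report() {
    dir=$1
    names=$(printf '%s' "$2" | tr ',' ' ')
    for name in $names; do
        path="$dir/$name"
        if [ ! -e "$path" ]; then
            # Not present in DIR: private-bin would skip it too.
            printf '%s missing\n' "$name"
            continue
        fi
        # -u tests the setuid mode bit; this is what nosuid neutralises.
        if [ -u "$path" ]; then suid=suid; else suid=nosuid; fi
        # File capabilities are the nosuid-safe alternative (Debian's ping).
        if command -v getcap >/dev/null 2>&1; then
            caps=$(getcap "$path" 2>/dev/null | cut -d' ' -f2-)
            [ -n "$caps" ] || caps=none
        else
            caps=unknown
        fi
        printf '%s %s %s\n' "$name" "$suid" "$caps"
    done
}

# Exit 0 if any listed binary is setuid, i.e. would break under a nosuid mount.
has_suid() {
    suid_report "$1" "$2" | grep -q ' suid '
}
```

Run `has_suid /bin bash,ls,cat,ping,iptables` against the list from this report to see whether the sandbox's private-bin contains anything that relies on suid.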