-
Notifications
You must be signed in to change notification settings - Fork 557
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Patch to bind user home directories #459
Comments
The order Firejail applies the commands will prevent you from doing it. This is something that will work: Start with a naked root sandbox where you apply the bind:
Switch to your user:
Start the real x11 sandbox using --force:
Or you can do all in one line:
|
I assume if I want to apply secomp filters or something like that, I'd best do that in the "last" firejail (the --force one) ? Should first firejail come with --noprofile, or could it have one? If "naked" firejail is started with a specific profile, would the second (--force) one honor the profile (esp whitelist directive) ? |
Yes, seccomp is applied to the second sandbox. If you put it in the first sandbox, the second one will not start. And yes, you can use also use a profile for the first sandbox, but don't put in anything that might prevent the second sandbox from starting, such as seccomp, caps etc. Whitelisting should work in the first profile. |
Okay, thanks! Last (maybe) question (tangentially related, but might deserve own issue) Let's say I want to run program in a "hollow" non-persistent homedir (as achieved by --private) but want to make one specific directory in the new homedir available to host and/or persistent. What profile and command line directives and in what order would achieve that ? |
You would use --whitelist. Example:
will create a "hollow" /home/user directory with /home/user/somedir imported form the filesystem and it will be persistent. |
just a couple of cents, there is a patch allowing to mount a few home subdirectories in bind mode, thus their content is fully synchronized between a host and sandbox. I do not know how secure it is, is it possible to escape somehow using such kind of binding or not... |
Thanks, I'll look into it. |
Isn't |
I too have an interest in launching firejailed apps from a limited user, but in a firejail environment that was initially set up using "root-stuff" "--force" still works for me (version 0.9.44.8 Debian 8) but if it is "on its way out" that may cause issues for me later on so I would like to know what's best practice is for the kind of thing I'm doing P.S.: |
It was removed due to security concerns so I doubt it will be ever restored. |
@Vincent43 @netblue30 , is running firejail "as someone else" unsafe in principle, or is it just --user implementation that was not very safe? I'm currently doing run firejail as root, set up environment, then use daemonize binary (easy to build on most platforms) to run another firejail with --force and proper profile (including seccomp and capability filters) . Seems to be working fine and daemonize offers a few neat bells and whistles. using su to launch second firejail also works, I just kind of like daemonize more. Is such a methodology somehow bad? |
Something like |
Hi!
Perhaps a silly question, but it was mentioned that --x11 is not available for root.
Would it work for cases where firejail is called like
sudo firejail --x11 --user=non-root-user --net=br1 program-name
?
Reason for sudoing: need to bind a "host" directory into the sandbox at startup (so the jailed program's output is available to certain processes at host), thus plan to have whitelist directory directive in the profile and it requires root.
program that needs to be jailed can run as non-root (hence --user=non-root-user)
The text was updated successfully, but these errors were encountered: