-
Notifications
You must be signed in to change notification settings - Fork 555
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Higher argument limits? (Error: too many arguments) #4633
Comments
@Artefact2 commented on Oct 23:
That's been the case from the beginning it seems:
int j;
for (i = 1, j = fullargc; i < argc && j < MAX_ARGS; i++, j++, fullargc++)
fullargv[j] = argv[i];
// replace argc/argv with fullargc/fullargv
argv = fullargv;
argc = j; @netblue30 Is there any specific reason for this limit? It seems that something like the following could be done instead: fullargv = malloc(strlen(argv) + 1); Anyway, I'm currently already working on 2 other things, so if anyone wants to |
Even if you would use malloc: Lines 1005 to 1008 in efbf74e
|
@rusty-snake commented on Oct 23:
Relates to #4583. |
On second thought, I don't know why a limit on argc would be needed (there is |
It's a security feature: argv (and environment) could be used to fill the stack area so that stack smashing would be easier. Similar check exists for environment variables too. Raising the limit to ARG_MAX (524288) wouldn't be a good idea, but 128 could be raised a bit higher. In general, portability to POSIX isn't very interesting for Firejail, since it depends on Linux-only features like mount namespaces, seccomp and capabilities. Without them Firejail would be useless. I don't think BSDs have anything comparable. |
@topimiettinen commented on Oct 23:
I see, that makes sense. But still, wouldn't it make more sense to check only
Never thought I'd get an appropriate occasion to do it, but: I'd just like to interject for a moment. What you're referring to as Linux, is The examples listed are kernel-level features, but limits.h is system-defined Anyway, POSIX was just an example in my previous comment; it's the only thing |
The important thing is actually the size, or the sum of all arguments.
I think calling a system GNU is exaggerating, there are many other non-GNU components in the system too and the distros also put a lot of effort to integration. The most important piece these days is the browser, which isn't GNU and a lot of old UNIX-like GNU or POSIX stuff with text UIs isn't very cool anymore. It isn't fair calling the phone systems 'Android' either, but calling it 'Linux/Bionic' would be silly.
Good points with portability to musl. Though does any distro use it for real? |
Alpine comes to mind. And many embedded distributions like OpenWrt. |
@topimiettinen commented on Oct 23:
So something like this? int i;
size_t total_argsz = argc;
for (i = 0; i < argc; i++) {
total_argsz += strlen(argv[i]) + 1;
if (total_argsz > SOME_ARG_MAX)
// die
}
The copypasta was posted mostly in jest to point out that there is more to As for Android, it takes an absurd amount of disk space (in the realm of Now, something similar could be said about the complexity of gcc/clang (either
Off the top of my head, from the distros that either do or did package firejail
Alpine is known for being small and so is often used on Docker containers. postmarketOS is based on Alpine and is intended for phones (and so is much Void is the one that officially supports the most BSD-y userland of the list Also, the main KISS Linux build is musl-based, but I'm not aware of any |
Yes. The calculation could also consider environment variables. Maybe simply (knowing the layout of argv/env/auxv in stack) just check that stack isn't used too much.
We're approaching the point where shell and other utils aren't used very much for lauching apps in for the typical installation: kernel -> systemd -> sddm -> 'systemd --user' -> app (browser etc.). Also the development is done more and more in the cloud, like this GitHub. With vscode.dev it's probably possible to do all development, including editing, remotely. With Meson build system, a shell isn't necessary when compiling and it's much saner (and faster) than Make. Perhaps Firejail should switch to Meson at some point. I've actually long wanted a system, which would have two operating modes:
Requiring a reboot to switch modes or even switch Secure Boot on/off from UEFI BIOS could be OK. Maybe the production image could be even produced by a CI job far away.
It's also very interesting from security point of view. Android uses a combination of UIDs and SELinux categories (or sensitivies) for each app. This makes a lot of sense, there's typically no need for app A to look at files for app B. Firejail helps a lot here by using mount namespaces and by rearranging the apps' views to the contents of $HOME, but it would be better if the OS also did something Android-like. There could be also snaps/appimages/flatpaks, but produced locally from distro packages with some distro-supported automatics.
Thanks. On Debian, musl is available, but it can't be used for pretty much anything, so I thought it's not ready for production. |
This change doesn't alter any checks, but it gives more specific errors when a sanity check of env vars or argv does not pass, which can point to limits to raise or at least give us better detailed bug reports. Signed-off-by: Hank Leininger <[email protected]> Bug: netblue30#3678 Bug: netblue30#3851 Bug: netblue30#4633
This change doesn't alter any checks, but it gives more specific errors when a sanity check of env vars or argv does not pass, which can point to limits to raise or at least give us better detailed bug reports. Signed-off-by: Hank Leininger <[email protected]> Bug: netblue30#3678 Bug: netblue30#3851 Bug: netblue30#4633
This change doesn't alter any checks, but it gives more specific errors when a sanity check of env vars or argv does not pass, which can point to limits to raise or at least give us better detailed bug reports. Signed-off-by: Hank Leininger <[email protected]> Bug: netblue30#3678 Bug: netblue30#3851 Bug: netblue30#4633
It seems that firejail has much lower limits for the number of arguments it supports (or the total size of argv), compared to other standard programs. This makes using firejail with long file lists a painful process, as standard tools like
find -exec
orxargs
won't work out of the box.Here's a simple way to reproduce:
For additionnal reference:
The text was updated successfully, but these errors were encountered: