When /etc/fonts is a symlink to a directory, private-etc rules that invoke fcopy produce wrong directory structure and break apps (NixOS) #4887
Comments
Thanks for the bug! Try the latest on mainline git, I think I have a fix for fcopy.
Yes, I can confirm. With commit 4e27b34 on top of rc1 I also get an empty
And I can confirm that with firejail built from
New fix in, this time for localtime broken earlier. @reedriley, give it a try again. Thanks.
I'm wondering if special-casing
They do. This is from my NixOS system:
Directories:
Files:
This fix at least resolves the electron app issues. So it's at least an improvement. But like @vs49688 says there are other directory symlinks. I think the old firejail handling of symlinks-to-files was probably correct; it's just the handling of symlinks-to-directories that was broken. Is it possible to run this logic only if
Yes, probably there are other directories handled as symlinks on NixOS. Run a "ls -l /etc" and post it here.
Done, see lsout.txt
Thanks @vs49688! The symlinks - plenty of them - are going in /etc/static. I'll bring in a new fix tomorrow.
On my system, these are the directories in
I suspect the precise set will vary from installation to installation, for example
I still think the right fix here is probably to modify
Either that, or if we can't trust that the symlink won't point somewhere else in the appropriate threat models, we might need to change
I'm reading about NixOS. Do you guys also have a /etc/config directory?
Not on any of my systems, although someone could add one via environment.etc
Yeah, I should probably enable AppArmor.
Agreed.
Here's a sketch of something that seems to work just fine for me: reedriley@c0822a0 With that patch applied, everything works the way I expect, and I get the following directory layout:
Or, alternatively, we could skip creating the empty
Here's another fix that appears to work, which feels a lot less hacky: reedriley@967265d The flow:
Changing the
With this patch, I get:
It turns out we already had all the support. It is the --follow-link flag in fcopy, I just had to enable it for private-etc. Also reverted all the changes to fcopy. Fix here: 8c33968
I can confirm, this fix works for my system as well. Thanks! I'd flag there are probably other symlink issues lurking in firejail+NixOS; the distro relies on them heavily. But, if I hit any, I'll be sure to report them or submit a pull request.
Sure, thanks! /etc should be fully fixed right now. The fix resolved all symlinks there. Closed for now.
Description
On NixOS, the /etc/fonts directory is a symlink (to a symlink) to a directory. When a profile includes this in private-etc, fcopy appears to copy the symlink into the target directory rather than resolving it as a directory and copying the contents over. In short, inside of a firejail, the "correct" path becomes /etc/fonts/fonts instead of /etc/fonts.

Steps to Reproduce
etc with a symlink from /etc/fonts to /etc/static/fonts and a symlink from /etc/static/fonts to some other location.

Additional context
I think the fix here is probably to modify fcopy to behave differently if a source symlink is to a directory vs. a file, and add a corresponding unit test. If that's the case, I'm happy to work on a pull request, but given that this is in a fairly subtle space I wanted to check if my understanding is correct before I begin.

Environment
Checklist

Log
From running firejail --debug, I'm pretty confident the relevant section of the logs involves this snippet:
Happy to provide more logs or perform more tests as requested.
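The symlink chain from the description, rebuilt in a scratch root as an added example that is not firejail's own code: it fills a private-etc with only the fonts entry both by keeping the symlink (the behaviour the report describes) and by following it (what fcopy's --follow-link does), then checks which sandbox can actually reach fonts.conf. The store path and the relative links are constructed stand-ins for the absolute ones NixOS uses.

```shell
#!/bin/sh
# Added example, not firejail code. Rebuild the NixOS chain
# /etc/fonts -> /etc/static/fonts -> /nix/store/<hash>-fontconfig/etc/fonts
# in a scratch root, then fill a private-etc with only "fonts" two ways.
# Relative links stand in for the absolute ones NixOS uses, so the copied
# link dangles in the sandbox the same way it would where /etc/static is
# not present inside the sandbox's mount namespace.
set -eu

make_host_root() {
    root=$1
    store="$root/nix/store/0000-fontconfig/etc/fonts"   # constructed store path
    mkdir -p "$store" "$root/etc/static"
    printf '<fontconfig/>\n' > "$store/fonts.conf"
    ln -s ../../nix/store/0000-fontconfig/etc/fonts "$root/etc/static/fonts"
    ln -s static/fonts "$root/etc/fonts"   # symlink to a symlink to a directory
}

# build_private_etc HOSTROOT SANDBOX keep|follow
build_private_etc() {
    root=$1; sandbox=$2; mode=$3
    mkdir -p "$sandbox/etc"
    case $mode in
        keep)   cp -RP "$root/etc/fonts" "$sandbox/etc/fonts" ;;  # copy the link itself
        follow) cp -RL "$root/etc/fonts" "$sandbox/etc/fonts" ;;  # resolve it, copy the directory
        *)      echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Succeeds only if a program inside the sandbox could open fonts.conf.
fonts_usable() {
    [ -f "$1/etc/fonts/fonts.conf" ]
}

demo() {
    tmp=$1
    make_host_root "$tmp/host"
    for mode in keep follow; do
        build_private_etc "$tmp/host" "$tmp/$mode" "$mode"
        printf '%s: ' "$mode"
        ls -ld "$tmp/$mode/etc/fonts"
        if fonts_usable "$tmp/$mode"; then echo "  fonts.conf reachable"
        else echo "  fonts.conf NOT reachable (dangling link)"; fi
    done
    rm -rf "$tmp"
}

demo "$(mktemp -d)"
```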