The `--force` flag isn't working within distrobox #6144

Open

neurodiverseEsoteric opened this issue Dec 30, 2023 · 21 comments

Comments

@neurodiverseEsoteric

I tried running `firejail --force ---private librewolf` inside a distrobox of archlinux on a fedora-based distro which doesn't offer librewolf at all, but firejail still ignored everything for being run inside of a "sandbox..."

@rusty-snake (Collaborator)

How old is your firejail?

You should upgrade to fix multiple vulnerabilities.

@rusty-snake (Collaborator)

@neurodiverseEsoteric (Author)

@rusty-snake

It's archlinux, it shouldn't be that old.

@neurodiverseEsoteric (Author)

@rusty-snake

That defeats the purpose of avoiding all host system and app breakages being blamed on my installing outsider software (it's not just librewolf)

@glitsj16 (Collaborator)

I tried running `firejail --force ---private librewolf` inside a distrobox of archlinux on a fedora-based distro which doesn't offer librewolf at all, but firejail still ignored everything for being run inside of a "sandbox..."

(1) I'm assuming the triple dash in ---private is a typo and isn't the actual command you ran.
(2) Firejail dropped the --force option since version 0.9.54:

firejail/RELNOTES, lines 490 to 491 in db09546:

```
firejail (0.9.54) baseline; urgency=low
  * modif: --force removed
```

For example, when running firejail --force --private librewolf on Arch Linux with 0.9.72, you should see:

Error: invalid --force command line option

Not sure what the actual problem is. Can you rephrase your issue?

@neurodiverseEsoteric (Author)

Oh, if it did throw that error I didn't see it... how do I put --force back in?

@rusty-snake (Collaborator)

rusty-snake commented Dec 30, 2023

@neurodiverseEsoteric (Author)

ok thanks

@rusty-snake (Collaborator)

FWIW, the following containers are supported, `container=(lxc|docker|lxc-libvirt|systemd-nspawn|rkt) firejail ...`, according to

```c
#include <assert.h>
#include <string.h>

// Returns 1 if str (the value of the "container" environment variable)
// names a container runtime firejail recognises, 0 otherwise.
int is_container(const char *str) {
	assert(str);
	if (strcmp(str, "lxc") == 0 ||
	    strcmp(str, "docker") == 0 ||
	    strcmp(str, "lxc-libvirt") == 0 ||
	    strcmp(str, "systemd-nspawn") == 0 ||
	    strcmp(str, "rkt") == 0)
		return 1;
	return 0;
}
```

@neurodiverseEsoteric (Author)

Wait no, that release is a thousand years old...

@neurodiverseEsoteric (Author)

FWIW, the following containers are supported, `container=(lxc|docker|lxc-libvirt|systemd-nspawn|rkt) firejail ...`, according to

```c
#include <assert.h>
#include <string.h>

// Returns 1 if str (the value of the "container" environment variable)
// names a container runtime firejail recognises, 0 otherwise.
int is_container(const char *str) {
	assert(str);
	if (strcmp(str, "lxc") == 0 ||
	    strcmp(str, "docker") == 0 ||
	    strcmp(str, "lxc-libvirt") == 0 ||
	    strcmp(str, "systemd-nspawn") == 0 ||
	    strcmp(str, "rkt") == 0)
		return 1;
	return 0;
}
```

What would happen if I just naively added distrobox to the list?

@rusty-snake (Collaborator)

Either it works or it does not work.

@neurodiverseEsoteric (Author)

It didn't work, firejail still detects a sandbox...

@rusty-snake (Collaborator)

```c
// Excerpt: the beginning of check_namespace_virt(); the function
// continues with further checks after this one.
int check_namespace_virt(void) {
	EUID_ASSERT();
	// check container environment variable
	const char *str = env_get("container");
	if (str && is_container(str))
		return 1;
```

That's the first check; if it still detects a sandbox, you added the wrong value.
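As an added illustration of the two excerpts above (this is example code written for this thread, not firejail's own source), here is a table-driven version of is_container() together with the first check of check_namespace_virt(). The $container value is passed in explicitly so the check can be exercised without modifying the real environment. Beyond what the excerpts show, it also carries an extended table with "podman" added, to make visible what "naively adding a value" to the list does and does not change; the names is_container_extended, matches_table and container_env_flags_sandbox are this example's own, and a NULL (unset) value returns 0 here rather than hitting an assert.

```c
/* Added example, not firejail code: table-driven container detection
 * modelled on the is_container()/check_namespace_virt() excerpts. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The values firejail's excerpt accepts in the "container" env var. */
static const char *const firejail_containers[] = {
    "lxc", "docker", "lxc-libvirt", "systemd-nspawn", "rkt",
};

/* Hypothetical extended table for illustration: podman sets
 * container=podman inside its containers, which the list above
 * does not recognise. */
static const char *const extended_containers[] = {
    "lxc", "docker", "lxc-libvirt", "systemd-nspawn", "rkt", "podman",
};

/* Generic lookup: 1 if str exactly matches an entry of table, else 0.
 * A NULL str (variable unset) is never a match. */
static int matches_table(const char *str, const char *const *table, size_t n) {
    if (str == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(str, table[i]) == 0)
            return 1;
    return 0;
}

/* Same answer as firejail's is_container() for any non-NULL input. */
int is_container(const char *str) {
    return matches_table(str, firejail_containers,
                         sizeof firejail_containers / sizeof firejail_containers[0]);
}

/* The same check with "podman" added to the table. */
int is_container_extended(const char *str) {
    return matches_table(str, extended_containers,
                         sizeof extended_containers / sizeof extended_containers[0]);
}

/* Mirrors the first check of check_namespace_virt(): consult the table
 * for the value of $container. The value is a parameter so it can be
 * tested without setting the environment; extended selects the table. */
int container_env_flags_sandbox(const char *container_value, int extended) {
    return extended ? is_container_extended(container_value)
                    : is_container(container_value);
}

int main(void) {
    const char *value = getenv("container");
    printf("$container = %s\n", value ? value : "(unset)");
    printf("firejail list: %s\n",
           container_env_flags_sandbox(value, 0) ? "sandbox detected" : "no match");
    printf("extended list: %s\n",
           container_env_flags_sandbox(value, 1) ? "sandbox detected" : "no match");
    return 0;
}
```

Run it inside and outside the container to see which value, if any, $container carries there. Note that this is only the environment-variable check; as the comment above says, it is the first check in check_namespace_virt(), so a value missing from the table is one reason the sandbox is detected, not the only possible one.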

@neurodiverseEsoteric (Author)

neurodiverseEsoteric commented Dec 30, 2023

Ah, it might be one of these pod-based labels:

https://github.com/89luca89/distrobox/blob/3435f4d27070a99668bfa29a3e508db4ecc09009/distrobox-create#L441-L469

(how did you get the code preview thing?)

@neurodiverseEsoteric (Author)

Okay, I added the right values, but...

```
Reading profile /usr/local/etc/firejail/librewolf.profile
Reading profile /usr/local/etc/firejail/firefox-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-proc.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-run-common.inc
Reading profile /usr/local/etc/firejail/whitelist-runuser-common.inc
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
firejail version 0.9.73

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.own io.gitlab.librewolf.*" and 1 other dbus-user filter rule.
Parent pid 15028, child pid 15029
Warning: cannot find /var/run/utmp
Error: cannot create /dev/zero device: Operation not permitted
Error: proc 15028 cannot sync with peer: unexpected EOF
Peer 15029 unexpectedly exited with status 1
```

@neurodiverseEsoteric (Author)

Does podman support need to be added into firejail?

@rusty-snake (Collaborator)

1. Try if `--profile=noprofile` works.
2. Try rootful podman with `--privileged` and `--security-opt=label=disable --security-opt=seccomp=unconfined`

@neurodiverseEsoteric (Author)

By rootful podman you mean run distrobox with the --root flag?

@rusty-snake (Collaborator)

I never used distrobox but firejail might not work inside rootless podman (https://github.com/containers/podman#rootless).

@neurodiverseEsoteric (Author)

Distrobox keeps freezing the entire OS whenever I try creating a rootful container... and the podman command used to "enter" the container, `podman exec`, doesn't take the "--security-opt" flag, anyway...
