firejail on certain programs gives Error mounting tmpfs: fs.c:499 fs_tmpfs: Invalid argument #31837

Closed
ben-cooper opened this issue Jul 6, 2021 · 11 comments
Labels
bug Something isn't working

@ben-cooper

System

  • xuname:
    Void 5.12.14_1 x86_64-musl AuthenticAMD notuptodate rFFFFF
  • package:
    firejail-0.9.66_1

Expected behavior

Running firejail firefox or firejail mpv should launch these programs within firejail.

Actual behavior

Running firejail firefox returns:

Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 19549, child pid 19552
Warning: cannot find /dev/null/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Error mounting tmpfs: fs.c:499 fs_tmpfs: Invalid argument
Error: proc 19549 cannot sync with peer: unexpected EOF
Peer 19552 unexpectedly exited with status 1

Steps to reproduce the behavior

  1. Run firejail firefox in the terminal.

@darmon77

darmon77 commented Jul 7, 2021

You can send us what this prints: firejail --debug firefox

@ben-cooper
Author

ben-cooper commented Jul 7, 2021

Here you go:

log.txt

@wibed

wibed commented Jul 8, 2021

Same here:

su - user -c "DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/1002/dbus-1/services firejail --debug firefox | nc termbin.com 9999"

https://termbin.com/1i8t

@D-RX

D-RX commented Jul 20, 2021

I worked with upstream on this (see netblue30/firejail#4387; the problem was that the MS_REMOUNT flag was not being cleared before some calls to mount).
The upstream commit ba5f5c8 should fix this bug, as I verified by manually patching /usr/bin/firejail to match that commit (clearing the MS_REMOUNT flag before the call to mount).

I expect this will be fixed in the next firejail release.

@ben-cooper
Author

That's great to hear. Thanks for looking into this.

@Piraty
Member

Piraty commented Jul 21, 2021

Worth noting: Alpine removed firejail (which I second)

  1. https://gitlab.alpinelinux.org/alpine/aports/-/issues/12635
  2. https://gitlab.alpinelinux.org/alpine/aports/-/commit/a583a65eab6c9a60d027f712a965c969448bce65

@darmon77

Firejail, more than a solution, can be a big problem; many are unaware of the danger, and others settle for the illusive peace of mind of being the only user.
It is never a good idea to run applications as root using SUIDs.

@paper42 paper42 added the bug Something isn't working label Aug 4, 2021
@kmk3

kmk3 commented Feb 11, 2022

Hello, netblue30/firejail#4387 should be fixed as of firejail 0.9.68 (released
5 days ago).

@kmk3

kmk3 commented Feb 11, 2022

For those concerned about the security/usability tradeoffs of firejail, there
have been multiple discussions about it, the latest of which appears to be the
following one (see also the linked threads of previous discussions):

If you have anything new to add there, feel free to do so.

If you have discovered a security bug, please report it as explained on SECURITY.md.

@rusty-snake

> For those concerned about the security/usability tradeoffs of firejail, there
> have been multiple discussions about it, the latest of which appears to be the
> following one (see also the linked threads of previous discussions):

Regarding the removal from alpine I wrote something at netblue30/firejail#4210 (comment).

@Piraty
Member

Piraty commented Mar 21, 2022

0.9.68 is in the repo now, b770010

@Piraty Piraty closed this as completed Mar 21, 2022