Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using firejail with private /home with a folder on /home mount point but outside of users folders #3877

Closed
esp13 opened this issue Jan 9, 2021 · 53 comments

Comments

@esp13
Copy link

esp13 commented Jan 9, 2021

Hi,

I can start firejail with the private folder inside a chosen folder itself inside my home account :
firejail --noprofile --private=/home/username/thefolderIwant

I can start firejail with the private folder inside a chosen folder itself inside an other partition/drive :
firejail --noprofile --private=/mnt/otherpartitionordrive/thefolderIwant

But I don't understand why I can't start firejail with the private folder directly inside a chosen folder on /home with the right permissions :
firejail --noprofile --private=/home/thefolderIwantnotinsideuserhome

I got this error:

Error opening private directory: fs_home.c:262 fs_private_homedir: No such file or directory
Error: proc 1990 cannot sync with peer: unexpected EOF
Peer 1991 unexpectedly exited with status 1

I checked the permissions they are the same:

stat -c "%a %n" /home/username/thefolderIwant
775 /home/username/thefolderIwant
stat -c "%a %n" /mnt/otherpartitionordrive/thefolderIwant
775 /mnt/otherpartitionordrive/thefolderIwant
stat -c "%a %n" /home/thefolderIwantnotinsideuserhome
775 /home/thefolderIwantnotinsideuserhome

What am I missing?

@smitsohu
Copy link
Collaborator

smitsohu commented Jan 9, 2021

I think it should work if you add --allusers to your options.

If it doesn't work, what is your Firejail version?

@esp13
Copy link
Author

esp13 commented Jan 10, 2021

I think it should work if you add --allusers to your options.

If it doesn't work, what is your Firejail version?

Thank you much for your fast and correct answer :)
It works with the --allusers option +1:

So I guess Firejail treats the /home mount point differently from other mount points, even though permission on this specific folder is allowed for all users, good to know.

@esp13 esp13 closed this as completed Jan 10, 2021
@esp13
Copy link
Author

esp13 commented Jan 10, 2021

Please tell me if I shouldn't ask more question on this ticket, otherwise I have some:

  1. Is it safe to use this --allusers option with a profile file?
  2. Is it possible to run an app with a custom profile file AND a custom isolated home folder? Something like that ?
    Inside .sh file:
    cd /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome && sleep 1 && firejail --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile --allusers bash -c "sleep 1

@rusty-snake
Copy link
Collaborator

  1. You mean to add allusers to a profile? It's the same as using it on the command-line.
  2. Yes. In addition, you can put the private home/thefolderIwantnotinsideuserhome/FireJail/SteamHome in /home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile, so you just use firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile steam.

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

1. You mean to add `allusers` to a profile? It's the same as using it on the command-line.

2. Yes. In addition, you can put the `private home/thefolderIwantnotinsideuserhome/FireJail/SteamHome` in `/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile`, so you just use `firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile steam`.

Hi, thank you for your answer,

  1. Yes. Ok it works. Is it safe to use this option ?
  2. Nice I will do so now. But I still have something that look strange for me: I start the sandbox with a private home folder and inside the sandbox, the $HOME variable still point on the real home and not on the private folder specified. Is it normal? is there a workaround?

@rusty-snake
Copy link
Collaborator

  1. It exposes all other directories in /home. However if you are the only user there is nothing to expose and if there are other users there home should be 770 or stricter (from a security perspective) so that only the presence of the other directories is exposed.
  2. This is exactly what you want when you use private /foo/bar. /foo/bar becomes you $HOME in the sandbox.

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

1. It exposes all other directories in /home. However if you are the only user there is nothing to expose and if there are other users there home should be 770 or stricter (from a security perspective) so that only the presence of the other directories is exposed.

Is there a way to authorise the access to the private folder /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome but not to all the upper folders inside firejail?

2. This is exactly what you want when you use private /foo/bar. /foo/bar becomes you $HOME in the sandbox.

Maybe my English is too bad I meant the opposite:

Before launching firejail:
echo $HOME
return
/home/myrealusername

After launching firejail:
firejail --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --allusers
echo $HOME
still return
/home/myrealusername

I expected 'echo $HOME' to return this inside firejail:
/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/

My firejail version:

firejail --version
firejail version 0.9.62

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

@rusty-snake
Copy link
Collaborator

  1. I'm not sure what exactly you mean (/ is a upper folder and restricting access would make sense). Maybe blacklist /home/foo/bar is what you're looking for.
  2. It's the way private works read 1, 2, the manpage or play a bit with it. You could use --env=HOME=/home/foo/bar to set $HOME to your expected value. But this can break programs because getpw* will still return /home/user.

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

1. I'm not sure what exactly you mean (`/` is a upper folder and restricting access would make sense). Maybe `blacklist /home/foo/bar` is what you're looking for.

On my /home mount point:

  • user1/ (my real user home)
  • user2/
  • userx/
  • thefolderIwantnotinsideuserhome/

On the thefolderIwantnotinsideuserhome/FireJail/:

  • SteamHome/ (Fake home for steam)
  • XxxHome/ (Other fake homes for other apps)

The Steam app shouldn't being able to see anything else than /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/

So Steam firejailed with --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --allusers shouldn't have access to :

  • user1/ (anyway will not be accessible from any other user due to permissions)
  • user2/
  • userx/
  • thefolderIwantnotinsideuserhome/FireJail/XxxHome/
2. It's the way `private` works read [1](https://firejail.wordpress.com/documentation-2/firefox-guide/#work), [2](https://firejail.wordpress.com/documentation-2/basic-usage/#private), the manpage or play a bit with it. You could use `--env=HOME=/home/foo/bar` to set `$HOME` to your expected value. But this can break programs because `getpw*` will still return `/home/user`.

The manpage:
"[...] $ firejail --private=/home/username/work thunderbird &
$ firejail --private=/home/username/work firefox -no-remote &

Both Mozilla Thunderbird and Firefox think ~/work is the user home directory [...]"

So shouldn't echo $HOME or getpw* return /home/username/work in this case?
On this manpage example, how will firefox and thunderbird think ~/work is the home directory if echo ~ and echo $HOME return /home/username/ (it will not return /home/username/work)
I certainly missed something, sorry for the troubles :/

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

mmmm... by testing I think I'm close to understand:
inside firejailed shell with --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/

when i make :
touch ~/test.txt
the file is created inside /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
and not inside /home/user/

When I make ls ~ I see it
So even $HOME or ~ are pointing the real user home directory it goes inside the fake one
It's Voodoo for me lol

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

I'm progressing on the problem:
The fake home directory wasn't the cause of my troubles.
I have a permission issue.

Outside FireJail:
ls -la

drwx------ 1 myuser myuser   68 déc.  31 11:36 .
drwx------ 1 myuser myuser   10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser myuser   94 janv.  1 09:33 Aspyr
-rw------- 1 myuser myuser  218 nov.  28 20:03 recently-used.xbel
drwx------ 1 myuser myuser 1048 janv.  8 20:14 Steam
drwxrwxr-x 1 myuser myuser   32 nov.  11 13:20 vulkan

But inside FireJail for same files, some doesn't have an owner and have different rights:
ls -la

drwx------ 1 myuser   myuser     68 déc.  31 11:36 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan

This result in permission rejection.

Maybe it is because I created these files on another computer and moved them after on my new fresh install.
Is there a way to fix this problem properly?

@rusty-snake
Copy link
Collaborator

  1. There are two things, see the directory and see in the directory. The first, only see selected directories isn't possible. The later, see only in selected is possible using blacklist.
# Either
blacklist /home/foo1
blacklist /home/foo2
# Or
noblacklist /home/foo3
blacklist /home/*

If these directories belong to an other human user the should be inaccessible for other anyway.

  1. Looks like these dirs are blacklisted.
    noblacklist ${HOME}/.local/share/Steam

    noblacklist ${HOME}/.local/share/vulkan

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

1. There are two things, see the directory and see _in_ the directory. The first, only see selected directories isn't possible. The later, see only in selected is possible using `blacklist`.
# Either
blacklist /home/foo1
blacklist /home/foo2
# Or
noblacklist /home/foo3
blacklist /home/*

If these directories belong to an other human user the should be inaccessible for other anyway.

firejail --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --allusers --blacklist=/home/* --noblacklist=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
Or
firejail --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --allusers --noblacklist=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --blacklist=/home/*

Both result in a

Error chdir: sandbox.c:1040 sandbox: Permission denied
Error: proc 3343944 cannot sync with peer: unexpected EOF
Peer 3343945 unexpectedly exited with status 1
3. Looks like these dirs are blacklisted.
   https://github.com/netblue30/firejail/blob/f18124baa4290e658babc6dd0716232e9a474335/etc/profile-m-z/steam.profile#L18
   
   https://github.com/netblue30/firejail/blob/f18124baa4290e658babc6dd0716232e9a474335/etc/profile-m-z/steam.profile#L22

Yes I comment this cause I wanted this to stay in the fake home folder.

@rusty-snake
Copy link
Collaborator

  1. Now the things become difficult … firejail --allusers --noblacklist=/home/user "--blacklist=/home/*" --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome.

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

1. Now the things become difficult … `firejail --allusers --noblacklist=/home/user "--blacklist=/home/*" --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome`.

This worked, but I can't explain myself how, it's magic ^^
--noblacklist=/home/user I fears this will result on letting the app a full access to the real home folder... but no :)
"--blacklist=/home/*" what is the aim of the double quote? to execute this after? Can I write --blacklist="/home/*" instead?

How should I write this inside the profile file?

But inside FireJail, the permissions are still the same :
ls -la

drwx------ 1 myuser   myuser     68 déc.  31 11:36 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan

If I uncomment this lines in the profile file:

#noblacklist ${HOME}/.killingfloor
#noblacklist ${HOME}/.local/share/3909/PapersPlease
#noblacklist ${HOME}/.local/share/aspyr-media
#noblacklist ${HOME}/.local/share/cdprojektred
#noblacklist ${HOME}/.local/share/feral-interactive
#noblacklist ${HOME}/.local/share/Steam
#noblacklist ${HOME}/.local/share/SuperHexagon
#noblacklist ${HOME}/.local/share/Terraria
#noblacklist ${HOME}/.local/share/vpltd
#noblacklist ${HOME}/.local/share/vulkan
#noblacklist ${HOME}/.steam
#noblacklist ${HOME}/.steampath
#noblacklist ${HOME}/.steampid

The app will still create the files inside the fake home folder?
Why do we need this?

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

ahhh steam just put a lot of files in my real home directory... I'm sad :(

How does it do this from inside firejail?

-edit2-
Because I wasn't inside FireJail... I was testing to put --blacklist="/home/*" instead of "--blacklist=/home/*" but this result in error cause I wrote --noblacklist=home/thefolderIwantnotinsideuserhome/FireJail/SteamHome instead of --noblacklist=/home/user and I didn't see at first...

@rusty-snake
Copy link
Collaborator

"--blacklist=/home/*" what is the aim of the double quote?

They stop your shell from expanding the *. If you use special characters like *?!${} you need to tell your shell that it should treat they literally instead of expanding. For some characters like !$ you must use single quote.

How does it do this from inside firejail?

firejail does it, look at the mkdir and mkfile commands in the profile. There a very old bug for it: #903.

--blacklist="/home/" instead of "--blacklist=/home/"

Both should be the same.

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

--blacklist="/home/" instead of "--blacklist=/home/"

Both should be the same.

You are right, I checked, I updated my texts before.

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

How should I write this inside the profile file?

I goes with

allusers
private /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
noblacklist ~
blacklist /home/*

What do you think?

But inside FireJail, the permissions are still the same :
ls -la

drwx------ 1 myuser   myuser     68 déc.  31 11:36 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan

If I uncomment this lines in the profile file:

#noblacklist ${HOME}/.killingfloor
#noblacklist ${HOME}/.local/share/3909/PapersPlease
#noblacklist ${HOME}/.local/share/aspyr-media
#noblacklist ${HOME}/.local/share/cdprojektred
#noblacklist ${HOME}/.local/share/feral-interactive
#noblacklist ${HOME}/.local/share/Steam
#noblacklist ${HOME}/.local/share/SuperHexagon
#noblacklist ${HOME}/.local/share/Terraria
#noblacklist ${HOME}/.local/share/vpltd
#noblacklist ${HOME}/.local/share/vulkan
#noblacklist ${HOME}/.steam
#noblacklist ${HOME}/.steampath
#noblacklist ${HOME}/.steampid

The app will still create the files inside the fake home folder?
Why do we need this?

It seems to be still necessary to unquote this with the previous profile, but why? Isn't the noblacklist ~ supposed to make the stuff?

@rusty-snake
Copy link
Collaborator

Sorry I don't get your last question.

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

Sorry I don't get your last question.

Why in the standard steam profile file, do we need to do the noblacklist for folders already inside the fake home folder?

noblacklist ${HOME}/.killingfloor
noblacklist ${HOME}/.local/share/3909/PapersPlease
noblacklist ${HOME}/.local/share/aspyr-media
noblacklist ${HOME}/.local/share/cdprojektred
noblacklist ${HOME}/.local/share/feral-interactive
noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/SuperHexagon
noblacklist ${HOME}/.local/share/Terraria
noblacklist ${HOME}/.local/share/vpltd
noblacklist ${HOME}/.local/share/vulkan
noblacklist ${HOME}/.steam
noblacklist ${HOME}/.steampath
noblacklist ${HOME}/.steampid

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

I wanted to check graphically what the FireJailed app will be able to see on the disk so I went with firejail --profile=/home/FireJail_customsteam.profile bash -c "nemo" but I get a normal user access, did I missed something?

Maybe should I use firejail --profile=/home/FireJail_customsteam.profile bash -c "nemo-desktop" instead? But this crashed

@rusty-snake
Copy link
Collaborator

did I missed something?

nemo likely runs already (in the background) and nemo (inside the sandbox) talks to nemo (outside) which then opens a new window.

Options:

  1. Terminate all running nemo instances. Note: this can have side effects like missing desktop icons (IDK which DE you use).
  2. Start firejail with --dbus-user=none.

Aside: the bash -c is overkill, just nemo works too.

@rusty-snake
Copy link
Collaborator

Why in the standard steam profile file, do we need to do the noblacklist for folders already inside the fake home folder?

On (no)blacklist and (no)whitelist the ${HOME} macro expands to the private/fake home if it's that what you hang on. (It's complicated I know)

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

2. Start firejail with `--dbus-user=none`.

Thank you it works with --nodbus option

So results:

  • No access to real home user folder => OK
  • No access to other folders on /home (only first folder name can be watched but can't be opened) => OK
  • Access to others disks possible (with write permissions!!) => Not OK !

@rusty-snake
Copy link
Collaborator

Access to others disks possible (with write permissions!!) => Not OK !

add disable-mnt

The problem with steam.profile is that it is a profile which should work with many different programs/games resulting in a relative weak profile to not break ugly written games.

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

Why in the standard steam profile file, do we need to do the noblacklist for folders already inside the fake home folder?

On (no)blacklist and (no)whitelist the ${HOME} macro expands to the private/fake home if it's that what you hang on. (It's complicated I know)

As I use a fake home folder why does have I to specify each of this folders individually?
with those lines commented I get:

~/.local/share$ ls -la
total 4
drwx------ 1 myuser   myuser     76 janv. 16 20:29 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
dr-------- 2 nobody nogroup  40 janv. 11 20:46 nemo
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan

with those lines active I get

~/.local/share$ ls -la
total 4
drwx------ 1 myuser   myuser      76 janv. 16 20:29 .
drwx------ 1 myuser   myuser      10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser      94 janv.  1 09:33 Aspyr
dr-------- 2 nobody nogroup   40 janv. 11 20:46 nemo
-rw------- 1 myuser   myuser     218 nov.  28 20:03 recently-used.xbel
drwx------ 1 myuser   myuser    1048 janv.  8 20:14 Steam
drwxrwxr-x 1 myuser   myuser      32 nov.  11 13:20 vulkan

I don't understand why

I can create and modify a lot of files/folders in this fake home folder as I want.
Why for this specifics ones I need to noblacklist it?

@esp13
Copy link
Author

esp13 commented Jan 16, 2021

Access to others disks possible (with write permissions!!) => Not OK !

add disable-mnt

This worked great thank you :)

@esp13
Copy link
Author

esp13 commented Jan 17, 2021

Why in the standard steam profile file, do we need to do the noblacklist for folders already inside the fake home folder?

On (no)blacklist and (no)whitelist the ${HOME} macro expands to the private/fake home if it's that what you hang on. (It's complicated I know)

As I use a fake home folder why does have I to specify each of this folders individually?
with those lines commented I get:

~/.local/share$ ls -la
total 4
drwx------ 1 myuser   myuser     76 janv. 16 20:29 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
dr-------- 2 nobody nogroup  40 janv. 11 20:46 nemo
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan

with those lines active I get

~/.local/share$ ls -la
total 4
drwx------ 1 myuser   myuser      76 janv. 16 20:29 .
drwx------ 1 myuser   myuser      10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser      94 janv.  1 09:33 Aspyr
dr-------- 2 nobody nogroup   40 janv. 11 20:46 nemo
-rw------- 1 myuser   myuser     218 nov.  28 20:03 recently-used.xbel
drwx------ 1 myuser   myuser    1048 janv.  8 20:14 Steam
drwxrwxr-x 1 myuser   myuser      32 nov.  11 13:20 vulkan

I don't understand why

I can create and modify a lot of files/folders in this fake home folder as I want.
Why for this specifics ones I need to noblacklist it?

It is really hard to understand.
I started a fresh new installation with all this noblacklist commented in firejail steam profile,
the files created have this permissions:

ls -la ../../../.local/share/
total 0
drwx------ 1 myuser myuser  10 janv. 16 22:27 .
drwx------ 1 myuser myuser  10 janv. 16 22:27 ..
drwx------ 1 myuser myuser 842 janv. 17 10:28 Steam

I just close the sandbox and re-open it the same way, I got this:

ls -la ../../../.local/share/
total 0
drwx------ 1 myuser   myuser    10 janv. 16 22:27 .
drwx------ 1 myuser   myuser    10 janv. 16 22:27 ..
dr-------- 2 nobody nogroup 40 janv. 11 20:46 Steam

Anyway, I have an other problem : a segmentation fault (core dumped) but seems to happen to a lot of people even outside of firejail.

@rusty-snake
Copy link
Collaborator

Why for this specifics ones I need to noblacklist it?

Because these special ones have a blacklist command in disable-programs.inc

I just close the sandbox and re-open it the same way, I got this:

The blacklist only takes effect if the files are present when the sandbox is started.

@esp13
Copy link
Author

esp13 commented Jan 17, 2021

Why for this specifics ones I need to noblacklist it?

Because these special ones have a blacklist command in disable-programs.inc

I just close the sandbox and re-open it the same way, I got this:

The blacklist only takes effect if the files are present when the sandbox is started.

Oh this is easier to understand, thank you!
As I run steam on a fake home and this file is containing at 99% home folders, I could safely comment this include disable-programs.inc line right?

@rusty-snake
Copy link
Collaborator

As I run steam on a fake home and this file is containing at 99% home folders,

and the remaining 1% are covered by private-tmp and include whitelist-var-common.inc.

I could safely comment this include disable-programs.inc line right?

Yes, but why? Just keep the noblacklist.

@esp13
Copy link
Author

esp13 commented Jan 17, 2021

Yes, but why? Just keep the noblacklist.

Yes but as I use a fake home folder I find weird to remove a lot of permissions with include disable-programs.inc to put some back whit this noblacklist
If I upgrade firejail, and some new steam folders permissions are removed with disable-programs.inc as I will keep my custom profile this will result on blocking this new folders.
And maybe I will earn some execution time by avoiding removing a lot of permissions and putting some back after. Perhaps... 0.00001s earned :-D

@esp13
Copy link
Author

esp13 commented Jan 17, 2021

I'm progressing, now I get

Gtk-Message: Failed to load module "xapp-gtk3-module" I think this comes from my distro as I get this for other app outside firejail

Gtk-Message: Failed to load module "gail"

Gtk-Message: Failed to load module "atk-bridge"

Could not connect to X session manager: None of the authentication protocols specified are supported

@esp13
Copy link
Author

esp13 commented Jan 17, 2021

I'm progressing, now I get

Gtk-Message: Failed to load module "xapp-gtk3-module" I think this comes from my distro as I get this for other app outside firejail

Gtk-Message: Failed to load module "gail"

Gtk-Message: Failed to load module "atk-bridge"

Could not connect to X session manager: None of the authentication protocols specified are supported

It was seccomp fault. Once I commented it, no more crashing error.
Maybe it's cause I have an AMD GPU? https://github.com/netblue30/firejail/issues/3219

@rusty-snake
Copy link
Collaborator

Try seccomp !kcmp.

@esp13
Copy link
Author

esp13 commented Jan 17, 2021

Try seccomp !kcmp.

This worked, thank you :)

-Edit-
No I must have made a mistake (not saved I think)
With seccomp !kcmp it doesn't work neither

So now here his my profile file:

#ME : Custom Steam profile with fake home folder based on original firejail steam profile 
#ME : with a lot of help of rusty-snake

#ME : I give a name to be able to kill the sandbox easily with --shutdown=steam
name steam
#ME : to be able to access to the folder on /home even if the folder isn't inside personal current user's home folder 
allusers
#ME : Fake personal user home folder only for steam
private /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
#ME : Forbidden to be able to go on other folders on /home except the fake home folder from previous line
noblacklist ~
blacklist /home/*
#ME : To disable the access to other disks
disable-mnt
#ME : For testing access rights visually with nemo (without this, nemo inside firejail can communicate with an other nemo instance outside the sandbox)
#nodbus


#ME : Don't know what it is for : I comment
# Persistent local customizations
#include default.local
# Persistent global definitions
#include globals.local

#ME : allows to restore the rights to prohibited lines in the etc/firejail/disable-programs.inc file
#ME : As I commented disable-programs.inc below I don't need this anymore
#noblacklist ${HOME}/.killingfloor
#noblacklist ${HOME}/.local/share/3909/PapersPlease
#noblacklist ${HOME}/.local/share/aspyr-media
#noblacklist ${HOME}/.local/share/cdprojektred
#noblacklist ${HOME}/.local/share/feral-interactive
#noblacklist ${HOME}/.local/share/Steam
#noblacklist ${HOME}/.local/share/SuperHexagon
#noblacklist ${HOME}/.local/share/Terraria
#noblacklist ${HOME}/.local/share/vpltd
#noblacklist ${HOME}/.local/share/vulkan
#noblacklist ${HOME}/.steam
#noblacklist ${HOME}/.steampath
#noblacklist ${HOME}/.steampid

#ME : Will not work without this
# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
noblacklist /sbin
noblacklist /usr/sbin

# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc

# Allow python (blacklisted by disable-interpreters.inc)
include	allow-python2.inc
include	allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc

#ME : This is for forbidden access to a lot of folders inside user home folder for many apps.
#ME : As I run inside a fake home folder I can comment
#include disable-programs.inc

#ME : See inside this file etc/firejail/whitelist-var-common.inc what is authorised
include whitelist-var-common.inc

# allow-debuggers needed for running some games with proton
allow-debuggers
caps.drop all
#ipc-namespace
netfilter
# nodbus disabled as it breaks appindicator support
#nodbus
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
# novideo should be commented for VR
novideo
protocol unix,inet,inet6,netlink
#ME : seccomp commented because it crash, maybe problems with AMD GPU and mesa > certain version
#ME : replaced by seccomp !kcmp. No idea how it works - NO it doesn't work with this neither => comment
# seccomp cause sometimes issues (see #2860, #2951),
# comment it or add 'ignore seccomp' to steam.local if so.
#seccomp
#seccomp !kcmp
#ME : shell none commented cause it crashed without comment. Anyway I want steam to run inside the shell to see debug messages
#shell none
# tracelog disabled as it breaks integrated browser
#tracelog

# private-bin is disabled while in testing, but has been tested working with multiple games
#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
# extra programs are available which might be needed for select games
#private-bin java,java-config,mono
# picture viewers are needed for viewing screenshots
#private-bin eog,eom,gthumb,pix,viewnior,xviewer

#ME : Don"t know what this is for, I think it is for creating temporaly private folders for dev, etc tmp. But not sure
# private-dev should be commented for controllers
private-dev
# private-etc breaks a small selection of games on some systems, comment to support those
private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
private-tmp

@esp13
Copy link
Author

esp13 commented Jan 17, 2021

I will make a custom profile for the French application molotov.tv
As it doesn't exist in etc/firejail,
do you have an idea of a similar application were the firejail profile exist I could start with?

Molotov.tv is an application to watch tv on computer through internet (it use DRM)
It is distributed as an .Appimage file.

@rusty-snake
Copy link
Collaborator

do you have an idea where I could start with?

/usr/share/doc/firejail/profile.template

@esp13
Copy link
Author

esp13 commented Jan 22, 2021

do you have an idea where I could start with?

/usr/share/doc/firejail/profile.template

Thank you, yes this is the default profile. I guess there are no already custom profile for appimage files?
As this is going far away from original issue, I opened a new one here.
Please tell me if I shouldn't

PS : for information this link from basic-usage tutorial is going nowhere

@esp13
Copy link
Author

esp13 commented Feb 14, 2021

Access to others disks possible (with write permissions!!) => Not OK !

add disable-mnt

Hello,
Is it possible to use 'disable-mnt' but to allow at the same time some exceptions for some folders?
I tried this without succes:

whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1

Neither with this:

noblacklist /media/user/usbkey1
noblacklist /media/user/disk1/folder1

Neither this from #3581 :

noblacklist /media/user/
blacklist /media/*
noblacklist /media/user/usbkey1
noblacklist /media/user/disk1/folder1
blacklist /media/user/*

@esp13
Copy link
Author

esp13 commented Feb 14, 2021

I finally get it by many tries :

whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /mnt/*
#disable-mnt

But I would like to understand why this worked

@rusty-snake
Copy link
Collaborator

Is it possible to use 'disable-mnt' but to allow at the same time some exceptions for some folders?

No, but there are other ways to have the same effect: #3580, #3581, #3912 (comment), ...

I tried this without succes:

whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1

whitelist adds restriction rather removing any of them. You can only whitelist files which you can access when running with --ignore=whitelist.

Neither with this:

noblacklist /media/user/usbkey1
noblacklist /media/user/disk1/folder1

Since these paths are never blacklisted, a noblacklist has no effect.

Neither this from #3581 :

noblacklist /media/user/
blacklist /media/*
noblacklist /media/user/usbkey1
noblacklist /media/user/disk1/folder1
blacklist /media/user/*

#3581 (comment) and the following

I finally get it by many tries

🎉

whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /mnt/*
#disable-mnt

You should add blacklist /run/mnt and blacklist /run/media and change blacklist /mnt/* to blacklist /mnt for better security.

But I would like to understand why this worked

Because you commented/ignoreed disable-mnt. Therefore you can start adding more selective commands.

@esp13
Copy link
Author

esp13 commented Feb 15, 2021

Hello,

Thank you again for your detailed answers.

whitelist adds restriction rather removing any of them. You can only whitelist files which you can access when running with --ignore=whitelist.

Yes of course I forget that a whitelist refuse all except what is expressively allowed!
In firejail this works by mount points right? ~, /dev, /media, /mnt, /opt, /srv, /var, and /tmp
So it is why I didn't had to blacklist /media in my usage cause I used whitelist inside this folder right?

You should add blacklist /run/mnt and blacklist /run/media and change blacklist /mnt/* to blacklist /mnt for better security.

so I will go with:

whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /mnt
blacklist /run/mnt
blacklist /run/media

Is it possible to keep blacklist /media somewhere so if the lines whitelist /media/user/usbkey1 and whitelist /media/user/disk1/folder1 are removed, the sandbox will refuse access to /media ?

@rusty-snake
Copy link
Collaborator

Is it possible to keep blacklist /media somewhere so if the lines whitelist /media/user/usbkey1 and whitelist /media/user/disk1/folder1 are removed, the sandbox will refuse access to /media ?

Together with noblacklist /media:

noblacklist /media
whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /media
blacklist /mnt
blacklist /run/mnt
blacklist /run/media

@esp13
Copy link
Author

esp13 commented Feb 16, 2021

Is it possible to keep blacklist /media somewhere so if the lines whitelist /media/user/usbkey1 and whitelist /media/user/disk1/folder1 are removed, the sandbox will refuse access to /media ?

Together with noblacklist /media:

It doesn't seem to work, in this case the app get full /media access:

noblacklist /media
#whitelist /media/user/usbkey1
#whitelist /media/user/disk1/folder1
blacklist /media
blacklist /mnt
blacklist /run/mnt
blacklist /run/media

@rusty-snake
Copy link
Collaborator

Why did you comment the whitelist?

@esp13
Copy link
Author

esp13 commented Feb 16, 2021

Why did you comment the whitelist?

This was the aim.
My question was to find a way to blacklist /media if the whitelist are removed from the profile.
While copying to a new profile file for an other app, I fear to remove the whitelist lines (cause not needed anymore) but to forget to add the blacklist /media line.

@esp13
Copy link
Author

esp13 commented Feb 16, 2021

But maybe i could just add a comment on my whitelist lines:

whitelist /media/user/usbkey1 #remember to add blacklist /media if this whitelist are removed
whitelist /media/user/disk1/folder1 #remember to add blacklist /media if this whitelist are removed
blacklist /mnt
blacklist /run/mnt
blacklist /run/media

@rusty-snake
Copy link
Collaborator

You can add blacklist /media, but only if you add noblacklist /media too. As long as you keep the whitelist and the noblacklist together (maybe even mixed; whitelist noblacklist whitelist), you likely remove the noblacklist together with the whitelist and end with blacklist /media.

@esp13
Copy link
Author

esp13 commented Feb 17, 2021

You can add blacklist /media, but only if you add noblacklist /media too. As long as you keep the whitelist and the noblacklist together (maybe even mixed; whitelist noblacklist whitelist), you likely remove the noblacklist together with the whitelist and end with blacklist /media.

Is there a way to put whitelist /media/user/disk1/folder1 and noblacklist /media on the same line?

Is whitelist /media/user/disk1/folder1 putting the folder in read-only for the sandbox or does it comes from elsewhere?
Edit: I get it:

whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
read-write /media/user/disk1/folder1
blacklist /mnt
blacklist /run/mnt
blacklist /run/media

I had to run sudo usermod -a -G vboxsf user inside the virtualbox

@rusty-snake
Copy link
Collaborator

Is there a way to put whitelist /media/user/disk1/folder1 and noblacklist /media on the same line?

No, one command per line.

Is whitelist /media/user/disk1/folder1 putting the folder in read-only for the sandbox or does it comes from elsewhere?

Some where else.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants