rsync-download_only: private-bin is broken #5692

glitsj16 opened this issue Feb 27, 2023 · 7 comments

@glitsj16
Collaborator

glitsj16 commented Feb 27, 2023

Today I found my first ever use case for rsync-download_only.profile. But private-bin rsync is broken on my Arch Linux box (running firejail from git):

$ /usr/bin/rsync --version | grep version
rsync  version 3.2.7  protocol version 31
$ firejail --quiet --noprofile /usr/bin/rsync --version | grep version
rsync  version 3.2.7  protocol version 31
$ firejail --quiet --profile=rsync-download_only /usr/bin/rsync --version
Error: no suitable /usr/bin/rsync executable found
$ firejail --quiet --ignore=private-bin --profile=rsync-download_only /usr/bin/rsync --version | grep version
rsync  version 3.2.7  protocol version 31

Obviously ignore private-bin fixes this. But I can't explain why private-bin rsync reports an error. Testing other apps using private-bin confirms it seems to work as expected. I'll do some more digging but I don't think Arch Linux does anything out of the ordinary packaging rsync compared to other distros. If anyone can check this on a different distribution that would be helpful. @rusty-snake As you contributed this, can you double-check if private-bin works for you on Fedora please (if that's still your main distro)?

[Side note] foo.local refers to rsync.local although the hardening comment uses rsync-download_only.local - which can be easily fixed

# Add the next line to your rsync-download_only.local to enable extra hardening.

@kmk3
Collaborator

kmk3 commented Feb 27, 2023

Works for me on Artix:

$ firejail --quiet --profile=rsync-download_only /usr/bin/rsync --version |
  grep version
rsync  version 3.2.7  protocol version 31

$ firejail --ignore='include rsync.local' --ignore='include globals.local' \
  --profile=rsync-download_only /usr/bin/rsync --version | grep version
rsync  version 3.2.7  protocol version 31

> [Side note] foo.local refers to rsync.local although the hardening comment
> uses rsync-download_only.local - which can be easily fixed

+1

> $ firejail --quiet --profile=rsync-download_only /usr/bin/rsync --version
> Error: no suitable /usr/bin/rsync executable found

By the way, you can probably keep the | grep version here since the errors
usually go to stderr.

@glitsj16
Collaborator Author

> Works for me on Artix

@kmk3 Thanks for your response. I do use an additional patch for #5650, but even when I take that out I'm seeing the breakage as posted above. Will have to do more debugging...

@kmk3
Collaborator

kmk3 commented Feb 28, 2023

@glitsj16 on Feb 28:

> @kmk3 Thanks for your response. I do use an additional patch for #5650, but
> even when I take that out I'm seeing the breakage as posted above. Will have
> to do more debugging...

No problem; I'd suggest temporarily installing and testing with the non-git
Arch package (community/firejail 0.9.72-1) to rule out it being caused by
custom patches or regressions on master.

kmk3 changed the title from "rsync-download_only.profile: private-bin is broken" to "rsync-download_only: private-bin is broken" on Aug 23, 2024
@kmk3
Collaborator

kmk3 commented Aug 23, 2024

Hello, is this still an issue?

Are you sure that it's not due to modifications in globals.local, etc?

kmk3 added the needinfo ("More information is needed from the issue author") label on Aug 23, 2024
@glitsj16
Collaborator Author

> Hello, is this still an issue?
> Are you sure that it's not due to modifications in globals.local, etc?

Yes, the issue still shows for me. I've made absolutely sure to temporarily move my *.local files out of the way while testing. It works when I use private-bin rsync*. Baffled, but there it is :)

@kmk3
Collaborator

kmk3 commented Aug 23, 2024

> It works when I use private-bin rsync*. Baffled, but there it is :)

$ pacman -Qlq rsync | grep bin
/usr/bin/
/usr/bin/rrsync
/usr/bin/rsync
/usr/bin/rsync-ssl

Does it work with just the following?

private-bin rsync,rsync-ssl

Are you using a wrapper script (such as in ~/bin) for rsync?

Or something that rsync might call, like ssh?

@glitsj16
Collaborator Author

I was aware of /usr/bin/rrsync and /usr/bin/rsync-ssl while re-checking this issue. But no, adding rsync-ssl to private-bin does not solve it. Which is to be expected, because that is a shell script and rsync-download_only.profile blocks that via include disable-shell.inc...

Re-checked for wrappers, but again, nothing there either.
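
Added example (not part of the issue thread or of firejail): a small POSIX shell helper for the checks raised above, namely whether a wrapper earlier in PATH shadows /usr/bin/rsync and whether a candidate is a shell script, a symlink or an ELF binary. The function names classify_file and path_candidates are hypothetical, and the helper does not reproduce how firejail itself resolves private-bin entries.

```sh
#!/bin/sh
# Added diagnostic helper (hypothetical names, not firejail code).

# classify_file PATH
# Prints elf, script, other or nofile; prefixed with "symlink:" when PATH
# is a symbolic link (the content check follows the link).
classify_file() (
    f=$1
    prefix=
    if [ -L "$f" ]; then prefix='symlink:'; fi
    if [ ! -f "$f" ]; then
        echo "${prefix}nofile"      # dangling link, directory, or absent
        exit 0
    fi
    # First four bytes as hex: 7f454c46 is the ELF magic, 2321 is "#!".
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $magic in
        7f454c46) echo "${prefix}elf" ;;
        2321*)    echo "${prefix}script" ;;
        *)        echo "${prefix}other" ;;
    esac
)

# path_candidates NAME [SEARCHPATH]
# Prints "kind<TAB>path" for every match of NAME, in lookup order.
# SEARCHPATH defaults to $PATH; the first line is what the shell would run.
path_candidates() (
    name=$1
    search=${2:-$PATH}
    set -f                          # no globbing while splitting on ':'
    IFS=:
    for dir in $search; do
        f="${dir:-.}/$name"
        if [ -x "$f" ] || [ -L "$f" ]; then
            printf '%s\t%s\n' "$(classify_file "$f")" "$f"
        fi
    done
)

# Stand-alone use: list candidates for the given command (default: rsync).
path_candidates "${1:-rsync}"
```

More than one line of output, or a first line that is not an elf entry under /usr/bin, points at a wrapper or script being picked up instead of the packaged binary.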
