github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #1529] remount pulseaudio noexec #1020

New issue

Closed

opened 2026-05-05 07:18:52 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 07:18:52 -06:00

Owner

Originally created by @smitsohu on GitHub (Sep 4, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1529

This is actually an old issue (#1238), sorry for bringing it up again, but I believe with the recent addition of new features it could be interesting to have a second look:

In order to fully leverage the power of the new memory-deny-write-execute option in conjunction with noexec ${HOME} and noexec /tmp, it seems quite desirable to deprive unprivileged users from all remaining locations that still permit execution. As far as I can see, there is only ~/.config/pulse left with an exec flag currently (could /tmp/pulse* be relevant too?).

IMHO it should be safe to remount this folder noexec, nodev, nosuid by default. By closing the last of a kind loophole it would be a significant addition for certain configurations.

Originally created by @smitsohu on GitHub (Sep 4, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1529 This is actually an old issue (#1238), sorry for bringing it up again, but I believe with the recent addition of new features it could be interesting to have a second look: In order to fully leverage the power of the new `memory-deny-write-execute` option in conjunction with `noexec ${HOME}` and `noexec /tmp`, it seems quite desirable to deprive unprivileged users from all remaining locations that still permit execution. As far as I can see, there is only ~/.config/pulse left with an exec flag currently (could /tmp/pulse* be relevant too?). IMHO it should be safe to remount this folder noexec, nodev, nosuid by default. By closing the last of a kind loophole it would be a significant addition for certain configurations.

gitea-mirror closed this issue

2026-05-05 07:18:53 -06:00

gitea-mirror commented

2026-05-05 07:18:55 -06:00

Author

Owner

@smitsohu commented on GitHub (Sep 4, 2017):

@SpotComms It was reverted. ~/.config/pulse is still with exec flag as of now.

@smitsohu commented on GitHub (Sep 4, 2017): @SpotComms It was reverted. `~/.config/pulse` is still with exec flag as of now.

gitea-mirror commented

2026-05-05 07:18:56 -06:00

Author

Owner

@smitsohu commented on GitHub (Sep 4, 2017):

This is interesting! Here is what I find inside firejail --noexec=~ --noexec=/tmp

│     └─/home/ed/.config/pulse         ....         tmpfs           rw,nosuid,mode=755

Few days ago I tried in a VM, it was the same.

@smitsohu commented on GitHub (Sep 4, 2017): This is interesting! Here is what I find inside `firejail --noexec=~ --noexec=/tmp` ``` │ └─/home/ed/.config/pulse .... tmpfs rw,nosuid,mode=755 ``` Few days ago I tried in a VM, it was the same.

gitea-mirror commented

2026-05-05 07:18:57 -06:00

Author

Owner

@smitsohu commented on GitHub (Sep 4, 2017):

In findmnt trees it's the last entry we need to look for, so you have an exec flag, too. You can easily convince yourself, just place an executable there and try to run it from inside the sandbox

@smitsohu commented on GitHub (Sep 4, 2017): In `findmnt` trees it's the last entry we need to look for, so you have an exec flag, too. You can easily convince yourself, just place an executable there and try to run it from inside the sandbox

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1020

No description provided.

Rows
Columns