github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #1781] Unable to build profile for mono binaries run by binfmt-support #1206

New issue

Closed

opened 2026-05-05 07:39:07 -06:00 by gitea-mirror · 6 comments

gitea-mirror commented

2026-05-05 07:39:07 -06:00

Owner

Originally created by @ckuethe on GitHub (Feb 21, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1781

I have ckan in my home directory which is a mono (.net) binary. I have binfmt-support installed which magically invokes mono if I just set the x bit on the binary, so ./ckan works from a shell. The firejail profile builder is unable to figure out what to do though.

Host info as requested:
Kernel: 4.15.4-041504-generic #201802162207 SMP Fri Feb 16 22:08:57 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.10
DISTRIB_CODENAME=artful
DISTRIB_DESCRIPTION="Ubuntu 17.10"

$ firejail --version 
firejail version 0.9.52

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

$ mono --version
Mono JIT compiler version 5.8.0.108 (tarball Fri Jan 19 18:18:21 UTC 2018)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           __thread
	SIGSEGV:       altstack
	Notifications: epoll
	Architecture:  amd64
	Disabled:      none
	Misc:          softdebug 
	LLVM:          supported, not enabled.
	GC:            sgen (concurrent by default)

$ firejail --debug --build=ckan.profile /home/ckuethe/bin/ckan
command len 12 + 1 + 1
	/usr/bin/firejail
	--quiet
	--output=/tmp/firejail-trace
	--noprofile
	--caps.drop=all
	--nonewprivs
	--trace
	--shell=none
	/usr/bin/strace
	-c
	-f
	-o/tmp/firejail-strace
	/home/ckuethe/bin/ckan
	(null)
run-detectors: unable to find an interpreter for /home/ckuethe/bin/ckan
4:ckan:exec /usr/lib/binfmt-support/run-detectors:0
4:ckan:opendir /var/lib/binfmts:0x5608c4931bc0
4:ckan:fopen /home/ckuethe/bin/ckan:0x5608c49302f0

... and firejail stops here, and the app doesn't run

Originally created by @ckuethe on GitHub (Feb 21, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1781 I have [ckan](https://github.com/KSP-CKAN/CKAN/) in my home directory which is a mono (.net) binary. I have binfmt-support installed which magically invokes mono if I just set the `x` bit on the binary, so `./ckan` works from a shell. The firejail profile builder is unable to figure out what to do though. Host info as requested: Kernel: `4.15.4-041504-generic #201802162207 SMP Fri Feb 16 22:08:57 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux` ``` $ cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=17.10 DISTRIB_CODENAME=artful DISTRIB_DESCRIPTION="Ubuntu 17.10" ``` ``` $ firejail --version firejail version 0.9.52 Compile time support: - AppArmor support is enabled - AppImage support is enabled - bind support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - git install support is disabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ``` ``` $ mono --version Mono JIT compiler version 5.8.0.108 (tarball Fri Jan 19 18:18:21 UTC 2018) Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com TLS: __thread SIGSEGV: altstack Notifications: epoll Architecture: amd64 Disabled: none Misc: softdebug LLVM: supported, not enabled. GC: sgen (concurrent by default) ``` ``` $ firejail --debug --build=ckan.profile /home/ckuethe/bin/ckan command len 12 + 1 + 1 /usr/bin/firejail --quiet --output=/tmp/firejail-trace --noprofile --caps.drop=all --nonewprivs --trace --shell=none /usr/bin/strace -c -f -o/tmp/firejail-strace /home/ckuethe/bin/ckan (null) run-detectors: unable to find an interpreter for /home/ckuethe/bin/ckan 4:ckan:exec /usr/lib/binfmt-support/run-detectors:0 4:ckan:opendir /var/lib/binfmts:0x5608c4931bc0 4:ckan:fopen /home/ckuethe/bin/ckan:0x5608c49302f0 ``` ... and firejail stops here, and the app doesn't run

gitea-mirror

2026-05-05 07:39:07 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 07:39:12 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Feb 21, 2018):

G'day @ckuethe !
What does firejail --noprofile /home/ckuethe/bin/ckan do?

@Fred-Barclay commented on GitHub (Feb 21, 2018): G'day @ckuethe ! What does `firejail --noprofile /home/ckuethe/bin/ckan` do?

gitea-mirror commented

2026-05-05 07:39:14 -06:00

Author

Owner

@ckuethe commented on GitHub (Feb 21, 2018):

$ firejail --noprofile /home/ckuethe/bin/ckan
Parent pid 30138, child pid 30139
Child process initialized in 47.28 ms
run-detectors: unable to find an interpreter for /home/ckuethe/bin/ckan

Parent is shutting down, bye...

As ckan is a mono binary, I told firejail to run mono and firejail --build=ckan.profile mono /home/ckuethe/bin/ckan is able to generate a profile.

@ckuethe commented on GitHub (Feb 21, 2018): ``` $ firejail --noprofile /home/ckuethe/bin/ckan Parent pid 30138, child pid 30139 Child process initialized in 47.28 ms run-detectors: unable to find an interpreter for /home/ckuethe/bin/ckan Parent is shutting down, bye... ``` As ckan is a mono binary, I told firejail to run mono and `firejail --build=ckan.profile mono /home/ckuethe/bin/ckan` is able to generate a profile.

gitea-mirror commented

2026-05-05 07:39:15 -06:00

Author

Owner

@ckuethe commented on GitHub (Feb 21, 2018):

$ file /home/ckuethe/bin/ckan
/home/ckuethe/bin/ckan: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

@ckuethe commented on GitHub (Feb 21, 2018): ``` $ file /home/ckuethe/bin/ckan /home/ckuethe/bin/ckan: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows ```

gitea-mirror commented

2026-05-05 07:39:16 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Feb 21, 2018):

/proc/sys/fs/binfmt_misc is blocked by default, which is where handlers are registered.

~~It'll probably need to be whitelisted in src/firejail/fs.c~~

It is actually explicitly blacklisted (odd that grep didn't find that for me the first time) here https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L570

It was added in d7b05860cf

@SkewedZeppelin commented on GitHub (Feb 21, 2018): /proc/sys/fs/binfmt_misc is blocked by default, which is where handlers are registered. ~~It'll probably need to be whitelisted in src/firejail/fs.c~~ It is actually explicitly blacklisted (odd that grep didn't find that for me the first time) here https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L570 It was added in d7b05860cfe2e2f9a0e4efd1eb56000437f8f371

gitea-mirror commented

2026-05-05 07:39:18 -06:00

Author

Owner

@ckuethe commented on GitHub (Feb 21, 2018):

Even when running with --noprofile?

@ckuethe commented on GitHub (Feb 21, 2018): Even when running with `--noprofile`?

gitea-mirror commented

2026-05-05 07:39:21 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Feb 21, 2018):

@ckuethe even with --noprofile there are still a few restrictions in place, restricted /proc being one of them

@SkewedZeppelin commented on GitHub (Feb 21, 2018): @ckuethe even with --noprofile there are still a few restrictions in place, restricted /proc being one of them

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1206

No description provided.

Rows
Columns