[GH-ISSUE #1920] Lists of libraries for private-lib #1285

Closed
opened 2026-05-05 07:47:42 -06:00 by gitea-mirror · 19 comments

Originally created by @chiraag-nataraj on GitHub (May 2, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1920

So I was trying to get `private-lib` to work for Firefox and finally succeeded. Most of the dependencies can easily be extracted by `ldd` (since just whitelisting `/usr/lib/firefox` isn't enough). But even after that, I couldn't get firefox to work properly. It turned out there were other random dependencies (e.g. `/usr/lib/x86_64-linux-gnu/nss`) which don't show up anywhere in the library dependencies but which are crucial for firefox to work properly.

For now, I've just hard-coded it, but I'm trying to figure out how I can automatically extract them, since this feels very kludgy. I'm going to experiment a bit to see if I can reduce the hard-coded bits, but I wanted to see if anyone else has run across this and how people are using private-lib more generally.

[edit]
Never mind. The only dependency I had to add manually was `nss`. Could we ensure that `nss` is whitelisted whenever `libnss3` (and other libraries in that collection) are whitelisted?

Also, if the script might be helpful for others, I'll put it here:

```
#!/bin/bash

# Bare sonames of the libraries ldd resolves for $1, skipping the dynamic
# loader, the vdso, unresolved entries, and anything that lives in a
# subdirectory of /usr/lib (those are collected by get_folders instead).
# ldd indents its dependency lines with a tab; the character class keeps
# that match intact even if the tab gets turned into spaces when pasted.
get_deps()
{
    ldd "$1" | grep -v "/lib64" | grep -v 'not a dynamic' | grep -v "linux-vdso" | grep -v '/usr/lib/.*/.*/.*.so' | grep -v "not found" | grep '^[[:space:]]' | awk -F '=>' '{ print $1; };' | sed 's/(.*//g' | sort -u
}

# Subdirectories of /usr/lib (e.g. x86_64-linux-gnu/nss) holding a resolved
# dependency, listed as directories so that sibling plugins load as well.
get_folders()
{
    ldd "$1" | grep -v "/lib64" | grep -v 'not a dynamic' | grep -v "linux-vdso" | grep '/usr/lib/.*/.*/.*.so' | grep -o '/.*/' | sed 's/\/usr\/lib\///g' | sed 's/\/$//g' | sort -u
}

# compile_list DIR_OR_BINARY EXTRA
#   Runs ldd over every file under the first argument, merges the sonames,
#   the /usr/lib subdirectories and a comma-separated list of hand-picked
#   extras (for dlopen()'d plugins ldd cannot see), and prints one
#   comma-separated string suitable for --private-lib.
compile_list()
{
    PRIMARY="$1"
    SECONDARY="$2"
    LIBS=($(find "$PRIMARY" -type f -print0 | while IFS= read -r -d '' file; do get_deps "$file"; done | sort -u))
    LIBFLDRS=($(find "$PRIMARY" -type f -print0 | while IFS= read -r -d '' file; do get_folders "$file"; done | sort -u))
    LIBS2=($(echo "$SECONDARY" | tr ',' ' '))
    echo "${LIBS[@]}" "${LIBFLDRS[@]}" "${LIBS2[@]}" | tr ' ' ','
}
```

Here's an example of using it (in this case, firefox):

```
#!/bin/bash

# Replace this with whatever you save the above file to
. ~/scripts/gen_libraries

LIBS=$(compile_list /usr/lib/firefox nss,pulseaudio,libpulse.so.0,libFLAC.so,libogg.so,libvorbis.so,libvorbisenc.so,libGL.so.1)

# "$@" passes arguments containing spaces through intact, which $* would not
firejail --private-lib="$LIBS" firefox "$@"
```

@chiraag-nataraj commented on GitHub (May 2, 2018):

In a related vein, when I try using `private-lib` for Telegram (using the same scheme - run `ldd` on the executable and then add in hard-wired directories if necessary), I have whitelisted `/usr/lib/x86_64-linux-gnu/alsa-lib` as required for sound, but I still get a warning that it couldn't open a file in that directory (`ALSA lib conf.c:3545:(snd_config_hooks_call) Cannot open shared library libasound_module_conf_pulse.so (/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_conf_pulse.so: libasound_module_conf_pulse.so: cannot open shared object file: No such file or directory)`). When I use `--ls` to see if the file exists, I see that it does. I'm not quite sure why this is happening.


@reinerh commented on GitHub (May 2, 2018):

Not all libraries are dynamically linked into the binary. `ldd` only retrieves the ones that are.

But programs can also load libraries/plugins during runtime with `dlopen` (what probably happens with alsa modules). To figure them out, you need to actually run the program and trace its `dlopen` calls.


@chiraag-nataraj commented on GitHub (May 2, 2018):

Cool, figured out that I needed to manually whitelist pulseaudio and it works!

@reinerh Yeah, that's how I figured out that I needed to whitelist the nss directory. So I guess there's no real automated way to do this...darn.


@Fred-Barclay commented on GitHub (May 2, 2018):

@chiraag-nataraj Can you post your private-lib filter? I'll test it across several distros and if it works well we can possibly add it to the firefox profile.


@chiraag-nataraj commented on GitHub (May 2, 2018):

@Fred-Barclay Well currently I'm generating it dynamically, but this is the current filter returned for Firefox:

```
libatk-1.0.so.0,libatk-bridge-2.0.so.0,libatspi.so.0,libblkid.so.1,libbsd.so.0,libcairo-gobject.so.2,libcairo.so.2,libc.so.6,libdatrie.so.1,libdbus-1.so.3,libdbus-glib-1.so.2,libdl.so.2,libepoxy.so.0,libevent-2.1.so.6,libexpat.so.1,libffi.so.6,libfontconfig.so.1,libfreetype.so.6,libfribidi.so.0,libgcc_s.so.1,libgcrypt.so.20,libgdk-3.so.0,libgdk_pixbuf-2.0.so.0,libgdk-x11-2.0.so.0,libgio-2.0.so.0,libglib-2.0.so.0,libgmodule-2.0.so.0,libgobject-2.0.so.0,libgpg-error.so.0,libgraphite2.so.3,libgthread-2.0.so.0,libgtk-3.so.0,libgtk-x11-2.0.so.0,libharfbuzz.so.0,libhunspell-1.6.so.0,libICE.so.6,libjsoncpp.so.1,liblz4.so.1,liblzma.so.5,libmount.so.1,libm.so.6,libnspr4.so,libnss3.so,libnssutil3.so,libpango-1.0.so.0,libpangocairo-1.0.so.0,libpangoft2-1.0.so.0,libpcre.so.3,libpixman-1.so.0,libplc4.so,libplds4.so,libpng16.so.16,libpthread.so.0,libresolv.so.2,librt.so.1,libselinux.so.1,libsmime3.so,libSM.so.6,libsqlite3.so.0,libssl3.so,libstartup-notification-1.so.0,libstdc++.so.6,libsystemd.so.0,libthai.so.0,libuuid.so.1,libvpx.so.5,libwayland-client.so.0,libwayland-cursor.so.0,libwayland-egl.so.1,libX11.so.6,libX11-xcb.so.1,libXau.so.6,libxcb-render.so.0,libxcb-shm.so.0,libxcb.so.1,libxcb-util.so.0,libXcomposite.so.1,libXcursor.so.1,libXdamage.so.1,libXdmcp.so.6,libXext.so.6,libXfixes.so.3,libXinerama.so.1,libXi.so.6,libxkbcommon.so.0,libXrandr.so.2,libXrender.so.1,libXt.so.6,libz.so.1,nss,pulseaudio,nvidia,python3.6,gconv,libpulse.so.0,libFLAC.so.8,libogg.so.0,libopus.so.0,libvorbis.so.0,libvorbisenc.so.2,libavcodec.so.57,libavutil.so.55,libcrystalhd.so.3,libdrm.so.2,libGL.so.1
```

(note that everything including and after `nss` was added manually)
(note also that I'm not sure which of those is already included by default - this list could probably be culled a bit)


@chiraag-nataraj commented on GitHub (May 2, 2018):

Here's a tentative list of libraries for mutt:

```
libassuan.so.0,libbz2.so.1.0,libcom_err.so.2,libc.so.6,libdl.so.2,libffi.so.6,libgmp.so.10,libgnutls.so.30,libgpg-error.so.0,libgpgme.so.11,libgssapi_krb5.so.2,libhogweed.so.4,libidn2.so.0,libidn.so.11,libk5crypto.so.3,libkeyutils.so.1,libkrb5.so.3,libkrb5support.so.0,libm.so.6,libncursesw.so.5,libnettle.so.6,libp11-kit.so.0,libpthread.so.0,libresolv.so.2,libsasl2.so.2,libtasn1.so.6,libtinfo.so.5,libtokyocabinet.so.9,libunistring.so.2,libz.so.1,x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1,gconv
```

(everything after and including `sasl2` was added manually)


@chiraag-nataraj commented on GitHub (May 2, 2018):

Here's a tentative list for Viber:

```
libasound.so.2,libasyncns.so.0,libbsd.so.0,libcap.so.2,libc.so.6,libdbus-1.so.3,libdl.so.2,libEGL.so.1,libexpat.so.1,libffi.so.6,libFLAC.so.8,libfontconfig.so.1,libfreetype.so.6,libgcc_s.so.1,libgcrypt.so.20,libGLdispatch.so.0,libglib-2.0.so.0,libGL.so.1,libgmodule-2.0.so.0,libgobject-2.0.so.0,libgpg-error.so.0,libgthread-2.0.so.0,libICE.so.6,libicudata.so.52,libicui18n.so.52,libicuuc.so.52,liblz4.so.1,liblzma.so.5,libm.so.6,libnsl.so.1,libnspr4.so,libnss3.so,libnssutil3.so,libnvidia-glcore.so.390.48,libnvidia-tls.so.390.48,libogg.so.0,libpcre.so.3,libplc4.so,libplds4.so,libpng12.so.0,libpng16.so.16,libpthread.so.0,libpulsecommon-11.1.so,libpulse-mainloop-glib.so.0,libpulse.so.0,libqrencode.so,libQt5Concurrent.so.5,libQt5Core.so.5,libQt5DBus.so.5,libQt5Gui.so.5,libQt5Location.so.5,libQt5Multimedia.so.5,libQt5Network.so.5,libQt5Positioning.so.5,libQt5PrintSupport.so.5,libQt5Qml.so.5,libQt5Quick.so.5,libQt5Sql.so.5,libQt5WebChannel.so.5,libQt5WebEngineCore.so.5,libQt5WebEngine.so.5,libQt5WebSockets.so.5,libQt5Widgets.so.5,libresolv.so.2,librt.so.1,libsmime3.so,libSM.so.6,libsndfile.so.1,libstdc++.so.6,libsystemd.so.0,libuuid.so.1,libvorbisenc.so.2,libvorbis.so.0,libwrap.so.0,libX11.so.6,libX11-xcb.so.1,libXau.so.6,libxcb.so.1,libXcomposite.so.1,libXcursor.so.1,libXdamage.so.1,libXdmcp.so.6,libXext.so.6,libXfixes.so.3,libXi.so.6,libXrandr.so.2,libXrender.so.1,libXss.so.1,libXtst.so.6,libz.so.1,nss,pulseaudio,openssl-1.0.0,libcrypto.so.1.0.0,libssl.so.1.0.0
```

(everything after and including `nss` was added manually)
(also, `firejail` throws up a bunch of warnings because some of these libraries are bundled with Viber, so they're not in the standard path)


@chiraag-nataraj commented on GitHub (May 2, 2018):

Here's a tentative list for Telegram:
`pulseaudio,libpulse.so.0`


@chiraag-nataraj commented on GitHub (May 2, 2018):

To be clear, I have not tested these extensively in the sense that some functionality may well be broken. All I can attest to is that on my machine, it works with the functionality I require 😉 😂


@chiraag-nataraj commented on GitHub (May 2, 2018):

Here's a (very) tentative list for Signal (and other Electron apps):
`nss,pulseaudio,locale,gconv,libsqlite3.so.0,libudev.so.1,libvorbisenc.so.2,libvorbis.so.0,libogg.so.0,libFLAC.so.8,libasyncns.so.0,libsndfile.so.1,libwrap.so.0,libSM.so.6,libICE.so.6,libcap.so.2,libpulse.so.0,libnotify.so.4,libGL.so.1`


@chiraag-nataraj commented on GitHub (May 3, 2018):

Also, @netblue30, @Fred-Barclay, and others:

Is there any way we can make these filters dynamic? In the script posted above, I re-enumerate the list of libraries on each run, since this should (hopefully) help ensure a smooth upgrade experience and shouldn't force too much tinkering. This is one reason I was disappointed that I need to hardcode some of the dependencies manually, since if they change, the filter (and application) will break.

[edit]
I modified the script slightly to ensure that any subdirectories in the `ldd` list are automatically captured and added (yay less manual labor!). This, of course, still leaves libraries which are loaded with `dlopen`...


@chiraag-nataraj commented on GitHub (May 3, 2018):

`mpd` Just Works™


@chiraag-nataraj commented on GitHub (May 4, 2018):

Here's a tentative list for fetchmail + getmail_maildir as the MDA:
`nss,ssl,python2.7,libnss_resolve.so.2,libnss_mdns4_minimal.so.2,locale,libnss_files.so.2,libnsl.so.1,libnss_nis.so.2,libnss_compat.so.2,libutil.so.1,libz.so.1,libm.so.6`


@chiraag-nataraj commented on GitHub (May 4, 2018):

`gerbera` Just Works™


@topimiettinen commented on GitHub (May 4, 2018):

The lists are always going to be fragile. A robust way would be to consult distro package dependencies and whitelist everything that the program depends on. That would also be almost useless; for example, in Debian a package can depend on any basic system component (like bash) without stating dependencies explicitly. What we're doing with the private-lib is to generate a more minimal set of dependencies manually. The effort to do this and also to keep the lists up to date as other components change may make sense for critical apps like browsers, maybe less so for others.

Perhaps it would be better to provide a tool, which analyzes what files an application uses in a non-enforcing trial run and generates the lists automatically. When a library changes, the tool may have to be rerun.


@chiraag-nataraj commented on GitHub (May 4, 2018):

Right, so with the script above, I can dynamically generate (most of) the dependencies for most programs. In some cases, that's all I needed (e.g. `gerbera`). In the vast majority of them, I also had to hardcode some extra libraries and folders. The script in the OP would help solve part of this issue, since most of the dependencies are resolved automatically based on what libraries the program depends on at the time of running, and this would be distro-agnostic.

If we use the script from the first post, we only need to worry about updating the hard-coded dependencies (the second argument to `compile_list`). If we decide to go with it, the next step is to integrate this into firejail proper so that it happens transparently (maybe a `private-lib.extra` field with the contents of the second argument to `compile_list`?). I'm just spit-balling here though.

[edit]

If we want to do this in C, we should be able to get the library dependencies (as we do with `ldd`) by setting `LD_TRACE_LOADED_OBJECTS` to a non-empty value (not sure if there are security implications, though? found this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514408 but I think that's just an `ldd` issue, not an issue with this technique?). But I think the combination of dynamically resolving dependencies and having a static set of secondary, indirect dependencies makes sense.


@topimiettinen commented on GitHub (May 5, 2018):

We already have `fldd`, which is used to build the private-lib list by checking library dependencies; it can of course be enhanced to match what your script can do and/or fixed if it doesn't detect the same libraries as `ldd`.

But I was thinking of using the system call `ptrace` or other means (`libtrace`, kernel probes, SystemTap) to build the list based on a trial run. That way, extra libraries opened later, and their folders, can also be detected.


@chiraag-nataraj commented on GitHub (May 5, 2018):

Ohhh...right. I think one thing that might be worth adding is scanning for ELF files if passed a directory, a la `find` (so for example, it would scan for all ELF files in `/usr/lib/firefox/` and add their dependencies). This might go a little bit towards making this process less painful? One other thing my script does (and idk if this is useful and/or easily doable in `fldd`) is parse the list output by `ldd` to detect subfolders of `/usr/lib/` and automatically whitelist those folders (rather than particular libraries, since it's likely the program will need other things in those folders).

As for learning mode, I think that's a great idea - run the program without `private-lib`, ask the user to do what they normally do, store the list of libraries loaded in memory, and (probably) cache it. Ideally, we'd also remove the list of automatically-determined dependencies so that the list of hard-coded stuff is a lot less (basically the second argument to my function above).

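The "learning mode" discussed in the comments above (reinerh's point that `ldd` cannot see `dlopen`'d plugins, topimiettinen's trial-run tracing proposal, and the workflow chiraag-nataraj sketches just above) written out as a shell script. This is an added example, not code from the issue or from the firejail project: it assumes `strace` is installed for the capture step, the trace lines embedded below are constructed sample output in `strace -o` format rather than a real run of any program named in the thread, and the output convention (soname for a library directly in a lib directory, the directory itself for anything nested deeper) follows the script posted at the top of the issue rather than any documented firejail rule.

```shell
#!/bin/bash
# Added example (not from this issue or the firejail project): build a
# --private-lib list from what a program actually opens during an
# unsandboxed trial run, so dlopen()'d plugins (ALSA modules, NSS) are
# caught as well as the link-time dependencies ldd reports.

# Capture phase. Assumes strace is installed; records every openat() of
# the program and its children to the given trace file.
#   trace_run /tmp/app.trace some-program
trace_run()
{
    tracefile="$1"; shift
    strace -f -e trace=openat -o "$tracefile" "$@"
}

# Reduce a trace (file argument, or stdin) to a comma-separated list.
# Convention follows the script at the top of the thread: a library directly
# in a lib directory is listed by soname; one nested deeper, e.g.
# x86_64-linux-gnu/nss/libsoftokn3.so, is listed by its directory so the
# sibling plugins load too. Only successful opens of .so files under
# /lib, /lib64, /usr/lib or /usr/lib64 count; failed opens and data files
# are ignored.
private_lib_from_trace()
{
    awk '
        # a completed, successful openat(): the line ends in ") = <fd>"
        /openat\(/ && /\) = [0-9]+$/ {
            if (match($0, /"[^"]*"/) == 0) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            if (path !~ /^\/(usr\/)?lib(64)?\/.*\.so(\.[0-9]+)*$/) next
            sub(/^\/(usr\/)?lib(64)?\//, "", path)
            n = split(path, parts, "/")
            if (n > 2) { sub(/\/[^\/]*$/, "", path); print path }
            else print parts[n]
        }
    ' "$@" | sort -u | paste -sd ','
}

# Constructed sample trace in strace -o format (pid-prefixed because of -f);
# not real output from any of the programs discussed in the thread.
sample_trace()
{
cat <<'EOF'
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libpulse.so.0", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_conf_pulse.so", O_RDONLY|O_CLOEXEC) = 4
1234  openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so", O_RDONLY|O_CLOEXEC) = 5
1234  openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libmissing.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/home/user/.config/app/state.db", O_RDWR|O_CREAT, 0644) = 6
1235  openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libpulse.so.0", O_RDONLY|O_CLOEXEC) = 3
EOF
}

# Usage on a real trace:
#   trace_run /tmp/app.trace some-program
#   firejail --private-lib="$(private_lib_from_trace /tmp/app.trace)" some-program
# On the constructed sample, `sample_trace | private_lib_from_trace` yields
# libc.so.6,libpulse.so.0,x86_64-linux-gnu/alsa-lib,x86_64-linux-gnu/nss
```

The trial run has to exercise the code paths that pull in plugins (play a sound, open a TLS connection), otherwise the list is only as complete as that session; and since the list reflects whatever the program opened, it is worth reading it over before it becomes a profile, so that a library pulled in by chance does not end up permanently whitelisted.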

@chiraag-nataraj commented on GitHub (May 10, 2018):

So we can definitely include `private-lib` with some of these profiles (e.g. `gerbera`, `mpd`). Others probably need some testing (and probably manual tweaking on the part of users).
With respect to `firefox`, I figured out the problem - the `firefox` executable itself doesn't depend on much. What it does is read in a list of (arch/OS-dependent?) dependencies from `/usr/lib/firefox/dependentlibs.list`. The reason my script worked is that if it is provided a directory (e.g. `/usr/lib/firefox`), it goes through and finds all ELF binaries and libraries and runs ldd on them (rather than just the binaries specified in `private-bin`). @netblue30, is this something we can think about for `fldd`?

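The "scan a directory for ELF files and run ldd on each" step that the last two comments describe, as an added example (not code from the issue or from firejail's `fldd`). The posted script runs `ldd` on every regular file under the directory and relies on `ldd` to reject the rest; this version checks the ELF magic first, so `ldd` is only ever invoked on actual ELF objects, which also sidesteps the concern behind the Debian bug linked above about running `ldd` on arbitrary files. It assumes `ldd`, `find`, `od` and `head -c` are available; the `dir_deps` helper is a simplified mirror of `get_deps`, not a drop-in replacement.

```shell
#!/bin/bash
# Added example (not from this issue or the firejail project): enumerate
# the ELF files below a directory and collect their ldd dependencies,
# never handing a non-ELF file to ldd.

# True if the file starts with the ELF magic bytes 7f 45 4c 46 ("\177ELF").
is_elf()
{
    [ -f "$1" ] || return 1
    [ "$(head -c 4 "$1" | od -A n -t x1 | tr -d ' \n')" = "7f454c46" ]
}

# All ELF files below a directory, one per line, sorted.
elf_files_in()
{
    find "$1" -type f | while IFS= read -r f; do
        is_elf "$f" && printf '%s\n' "$f"
    done | sort
}

# Sonames ldd resolves for every ELF file under a directory (bundled
# libraries such as /usr/lib/firefox/libxul.so included), as a
# comma-separated list; unresolved entries and the vdso are skipped.
# Simplified mirror of get_deps from the posted script; assumes ldd exists.
dir_deps()
{
    elf_files_in "$1" | while IFS= read -r f; do
        ldd "$f" 2>/dev/null | awk '/=>/ && !/not found/ && !/linux-vdso/ { print $1 }'
    done | sort -u | paste -sd ','
}

# Usage:
#   elf_files_in /usr/lib/firefox
#   dir_deps /usr/lib/firefox
```

Checking the four magic bytes is deliberately cheap: the goal is not to validate the file, only to avoid feeding text files, images or scripts to `ldd`. Anything this produces is still the link-time view, so plugins loaded with `dlopen` remain the job of the trial-run approach discussed earlier in the thread.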