[GH-ISSUE #2029] Possible conflict with noexec and whitelist #1367

Closed
opened 2026-05-05 07:56:51 -06:00 by gitea-mirror · 8 comments

Originally created by @Fred-Barclay on GitHub (Jul 5, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2029

Related to #839 and #1628, but this doesn't require read-only while they do.

  1. Whitelist an executable file
  2. Apply noexec to a parent directory, but without wildcards. For example, noexec ${HOME}.
  3. If you run the file inside firejail, it will be executed despite noexec.

For example, I've created ~/Desktop/test.sh with the following contents:

echo "this file is being executed"

~/Desktop/test.profile:

whitelist ${HOME}/Desktop/test.sh
noexec ${HOME}

It's being executed when I run it in firejail:

$ firejail --profile=/home/fred/Desktop/test.profile /home/fred/Desktop/test.sh
Reading profile /home/fred/Desktop/test.profile
Parent pid 16967, child pid 16968
Child process initialized in 31.97 ms
this file is being executed

Parent is shutting down, bye...

Order of operations doesn't matter either -- putting noexec ${HOME} before the whitelist still allows execution.

There are a few ways to keep the file from being executed. Using wildcards prevents execution; noexec ${HOME}/Desktop/* and noexec ${HOME}/*/* both work in this case, although noexec ${HOME}/Desktop/ allows execution.

Also, noexec works as expected if there are no whitelists in the sandbox (or, naturally, if the executable isn't whitelisted).

EDIT: --debug output:

$ firejail --debug --profile=/home/fred/Desktop/test.profile /home/fred/Desktop/test.sh
Reading profile /home/fred/Desktop/test.profile
Autoselecting /bin/bash as shell
Building quoted command line: '/home/fred/Desktop/test.sh' 
Command name #test.sh#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 17466, child pid 17467
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/fred/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Debug 443: new_name #/home/fred/Desktop/test.sh#, whitelist
Debug 544: fname #/home/fred/Desktop/test.sh#, cfg.homedir #/home/fred#
Replaced whitelist path: whitelist /home/fred/Desktop/test.sh
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 0
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Drop privileges: pid 3, uid 1000, gid 1000, nogroups 0
Drop privileges: pid 4, uid 1000, gid 1000, nogroups 0
Whitelisting /home/fred/Desktop/test.sh
1021 1019 8:3 /fred/Desktop/test.sh /home/fred/Desktop/test.sh rw,relatime master:38 - ext4 /dev/sda3 rw,data=ordered
fsname=/fred/Desktop/test.sh dir=/home/fred/Desktop/test.sh fstype=ext4
Mounting noexec /home/fred
Disable /sys/fs
Disable /sys/module
Drop privileges: pid 5, uid 1000, gid 1000, nogroups 0
Drop privileges: pid 6, uid 1000, gid 1000, nogroups 0
1026 1019 0:96 /pulse /home/fred/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
fsname=/pulse dir=/home/fred/.config/pulse fstype=tmpfs
Current directory: /home/fred/Desktop
DISPLAY=:0 parsed as 0
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0
starting application
LD_PRELOAD=(null)
Running '/home/fred/Desktop/test.sh'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/home/fred/Desktop/test.sh' 
Child process initialized in 19.90 ms
this file is being executed
monitoring pid 7

Sandbox monitor: waitpid 7 retval 7 status 0

Parent is shutting down, bye...

@chiraag-nataraj commented on GitHub (Jul 15, 2018):

I wonder if this is intended behavior. What exactly should the behavior be if you whitelist a binary and mark a parent directory/mount point noexec? Should the binary run and violate noexec or not run and defeat your intent? Clearly, if you are whitelisting an executable file, you want to run it (otherwise, there's no reason to whitelist it). So while on the face of it it seems counterintuitive, I think this behavior actually makes some logical sense.


@chiraag-nataraj commented on GitHub (Jul 15, 2018):

Now my question is if you whitelist an executable file which creates another executable file and tries to run it, will that second file run? I'm off to test.


@chiraag-nataraj commented on GitHub (Jul 15, 2018):

Awesome, this works as intended: the second script is prevented from running.

$ firejail --noexec=${HOME} --whitelist=~/Desktop/test.sh ~/Desktop/test.sh
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 8452, child pid 8455
Child process initialized in 72.17 ms
This is the first script running
/home/chiraag/Desktop/test.sh: line 6: /home/chiraag/Desktop/test2.sh: Permission denied

Parent is shutting down, bye...

Here's test.sh:

#!/bin/bash

echo "This is the first script running"
echo -e "#!/bin/bash\necho This is the second script running" >> ~/Desktop/test2.sh
chmod +x ~/Desktop/test2.sh
~/Desktop/test2.sh

As you can tell, the second script can't run due to the noexec on the parent mountpoint.
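The two experiments in this thread (the whitelisted test.sh in the opening post running despite `noexec ${HOME}`, and the test2.sh created above being refused with "Permission denied") share one mechanism, and the `--debug` mountinfo lines in the opening post show it: `whitelist` bind-mounts the file as a mount of its own (entry 1021, options `rw,relatime`), and the later `Mounting noexec /home/fred` step only changes the flags of the parent mount. The kernel checks noexec on the mount a path resolves through, so the innermost mount wins and profile order cannot change the outcome. The following Python script is an added example, not firejail code and not either poster's test; it reproduces that lookup over a constructed mountinfo excerpt made of the two real records from the debug output plus one assumed record for /home/fred after the noexec remount (mount id 1019 is chosen because both real records name it as their parent).

```python
"""Per-mount noexec resolution, modelled on /proc/self/mountinfo.

Added example (not firejail code). Linux checks MNT_NOEXEC on the vfsmount
a path resolves through, so a file that has its own bind mount keeps its
own flags even after a parent mount is remounted noexec.
"""
from typing import List, NamedTuple, Optional


class Mount(NamedTuple):
    mount_id: int
    parent_id: int
    mount_point: str
    options: frozenset
    fstype: str


def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as octal escapes
    for esc, char in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, char)
    return field


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse the subset of /proc/self/mountinfo needed for the exec check.

    Field layout (proc(5)): id parent major:minor root mount_point
    mount_options [optional fields...] - fstype source super_options
    """
    mounts = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 7 or "-" not in fields[6:]:
            continue  # blank line or not a mountinfo record
        sep = fields.index("-", 6)  # separator that ends the optional fields
        mounts.append(Mount(
            mount_id=int(fields[0]),
            parent_id=int(fields[1]),
            mount_point=_unescape(fields[4]),
            options=frozenset(fields[5].split(",")),
            fstype=fields[sep + 1],
        ))
    return mounts


def _covers(mount_point: str, path: str) -> bool:
    if mount_point == "/":
        return True
    return path == mount_point or path.startswith(mount_point + "/")


def resolve_mount(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Return the mount `path` resolves through.

    Longest mount-point prefix wins (the innermost mount); if two mounts sit
    on the same mount point, the one mounted later (higher id) is on top.
    """
    candidates = [m for m in mounts if _covers(m.mount_point, path)]
    if not candidates:
        return None
    return max(candidates, key=lambda m: (len(m.mount_point), m.mount_id))


def exec_allowed(path: str, mounts: List[Mount]) -> bool:
    """True if execve() of `path` is not blocked by a noexec mount flag.

    Mode bits, a missing file or seccomp can still make exec fail; this
    only answers the mount-flag question.
    """
    m = resolve_mount(path, mounts)
    return m is not None and "noexec" not in m.options


# Constructed mountinfo excerpt. Records 1021 and 1026 are the ones printed
# by `firejail --debug` in the issue; record 1019 is an ASSUMED entry for
# /home/fred after `noexec ${HOME}` has been applied (id chosen because the
# two real records list 1019 as their parent).
SANDBOX_MOUNTINFO = """\
1019 1000 0:95 / /home/fred rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
1021 1019 8:3 /fred/Desktop/test.sh /home/fred/Desktop/test.sh rw,relatime master:38 - ext4 /dev/sda3 rw,data=ordered
1026 1019 0:96 /pulse /home/fred/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
"""


def explain(path: str, mounts: List[Mount]) -> str:
    m = resolve_mount(path, mounts)
    if m is None:
        return f"{path}: no covering mount"
    verdict = "exec allowed" if "noexec" not in m.options else "exec denied (noexec)"
    return (f"{path}: via mount {m.mount_id} on {m.mount_point} "
            f"[{','.join(sorted(m.options))}] -> {verdict}")


if __name__ == "__main__":
    table = parse_mountinfo(SANDBOX_MOUNTINFO)
    for p in ("/home/fred/Desktop/test.sh",     # whitelisted: own mount, no noexec
              "/home/fred/Desktop/test2.sh",    # created at run time: parent mount, noexec
              "/home/fred/.config/pulse/x"):
        print(explain(p, table))
```

To see the real table rather than the constructed one, run `cat /proc/self/mountinfo` or `findmnt -T /home/fred/Desktop/test.sh` inside the sandbox (both read /proc/self/mountinfo) and look at the options column of the record whose mount point is the whitelisted file. Two caveats worth keeping in mind when relying on this: noexec only governs execve() of files on that mount (and PROT_EXEC mappings of them), so `bash ~/Desktop/test2.sh` reads the file as data and runs it anyway, and the same per-mount logic applies to every other flag a parent remount sets, which is why the related read-only reports behave alike.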


@chiraag-nataraj commented on GitHub (Jul 15, 2018):

So basically, noexec can be more understood as "Don't run anything unless I explicitly whitelist it" rather than a blanket "Don't run anything". This actually makes for a decently flexible jail, since you can basically not allow arbitrary binaries to run while whitelisting ones you trust.


@Fred-Barclay commented on GitHub (Jul 16, 2018):

@chiraag-nataraj it would be nice to know if this is intended behavior -- we should probably document it if so. I'm not convinced it makes sense but I do see what you're talking about. 😉


@chiraag-nataraj commented on GitHub (Jul 16, 2018):

Tagged it with both - that way, we can remove whichever one doesn't apply 😉


@chiraag-nataraj commented on GitHub (Aug 21, 2018):

@netblue30 Is this a bug or is this desired behavior?


@smitsohu commented on GitHub (Nov 26, 2018):

moving the discussion to #2200
