[GH-ISSUE #261] On older kernels, file blacklisted in running jail can't be removed (from outside of jail) #185

Closed
opened 2026-05-05 05:16:20 -06:00 by gitea-mirror · 8 comments
Originally created by @manevich on GitHub (Jan 26, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/261

File blacklisted in running jail can't be removed (from outside of jail).
This causes serious inconvenience when using firejail with long-running (e.g. server) processes.
For example, it prevents the user from updating the system normally, as files like /bin/su, /bin/mount, /usr/bin/sudo are blacklisted by default.

Steps to reproduce:

  • OS: Debian Jessie, with stock kernel.
  • Create the file that will be blacklisted in the jail; the file must be created before running firejail:

```shell
$ touch ~/.netrc
```

  • Run firejail:

```shell
$ firejail firefox
```

  • From outside of the jail, run:

```shell
$ rm ~/.netrc
rm: cannot remove ‘/home/user/.netrc’: Device or resource busy
```
@genodeftest commented on GitHub (Jan 26, 2016):

I cannot reproduce this issue. Which version are you using? I am running version 59f6010 and cea5874 from git. Not with a user-local ~/.netrc file nor with a global file like /usr/bin/su.

@manevich commented on GitHub (Jan 26, 2016):

Well, I was wrong to close this issue.
Reproduced it with version cea58747d6.

The file must be created before running firejail; I missed this when I closed the bug.
I am using Debian Jessie with the stock kernel:

```
$ cat /etc/debian_version
8.3
$ uname -a
Linux localhost 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux
```

Updating description with some clarifications.

@manevich commented on GitHub (Jan 26, 2016):

Looks like an issue with the old kernel; on the same system with a newer kernel everything is fine.

```
$ uname -a
Linux localhost 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-7~bpo8+1 (2016-01-19) x86_64 GNU/Linux
```
@genodeftest commented on GitHub (Jan 26, 2016):

That's a good explanation. I was running a 4.3.x kernel when unable to reproduce.

@netblue30 commented on GitHub (Jan 27, 2016):

I'm surprised this didn't come up earlier. Blacklisting is implemented by mounting an empty, read-only file or directory on top of the original file. The kernel, at least the older kernels, will refuse to delete the file because it is a mount point in some other place in the system. There is nothing we can do about it at application level.

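A diagnostic for the mechanism described above, added here as an example (not firejail's own code): the bind mount that implements the blacklist is only visible inside the jail's mount namespace, so the script scans every process's /proc/<pid>/mountinfo to find which sandbox holds the path as a mount point. The mountinfo lines in SAMPLE_MOUNTINFO are constructed, not captured from a real system.

```python
# Added example (not firejail code): find which processes have a path mounted
# in their mount namespace. firejail blacklists by bind-mounting an empty
# read-only file over the target, which is what makes rm fail with EBUSY.
import os
import re

# Constructed sample of /proc/<pid>/mountinfo lines, not from a real system.
SAMPLE_MOUNTINFO = """\
22 28 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
101 28 0:34 / /home/user/.netrc ro,nosuid,nodev - tmpfs none ro
102 28 0:34 / /usr/bin/sudo ro,nosuid,nodev - tmpfs none ro
103 28 0:34 / /home/user/my\\040file ro - tmpfs none ro
"""

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def mount_points(text):
    """Return the mount points listed in a mountinfo text (field 5)."""
    points = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) >= 5:
            points.append(_unescape(fields[4]))
    return points

def is_mount_point(text, path):
    """True if `path` is a mount point in the given mountinfo text."""
    target = os.path.normpath(path)
    return any(os.path.normpath(mp) == target for mp in mount_points(text))

def pids_mounting(path, proc="/proc"):
    """Scan /proc/<pid>/mountinfo for every process and return the PIDs in
    whose mount namespace `path` is a mount point. Run this from outside the
    jail when rm reports 'Device or resource busy' to find the sandbox."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "mountinfo")) as f:
                if is_mount_point(f.read(), path):
                    hits.append(int(pid))
        except OSError:
            continue  # process exited or mountinfo not readable
    return sorted(hits)
```

On an affected system, `pids_mounting("/home/user/.netrc")` run as root lists the firejail'd processes keeping the file busy; stopping those jails (or upgrading the kernel, as the thread concludes) lets the removal proceed.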
@netblue30 commented on GitHub (Feb 1, 2016):

I documented the problem on project page: https://firejail.wordpress.com/support/known-problems/

@david-drinn commented on GitHub (May 27, 2016):

Does someone know the specific kernel fix/change that resolved this in Linux kernel 3.18 or newer? I'm at a slightly older kernel, and don't currently have the option to update the kernel to 3.18+, but can request fixes. EDIT: Oh, is it due to the 3.18 OverlayFS feature mentioned elsewhere in the firejail docs?

@netblue30 commented on GitHub (May 31, 2016):

No, it has nothing to do with OverlayFS. I think it was just one of those small kernel fixes that never get mentioned as a feature.
