mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #3851] Compiled-in environment/arg limits causing issues #2422
Labels
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/firejail#2422
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @hlein on GitHub (Dec 28, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3851
Bug and expected behavior
88258569cbadded some reasonable-looking limits on environment (number and size of environment variables) and arguments (number, maybe also size?).Except... this causes some regressions with things that used to work fine.
It would be great if these limits could be specified in firejail config files rather than compiled in, so that I could then arrange for .local overrides where needed. Or failing that, activated by an on-by-default flag like
--envcheck, which could be suppressed with--ignore-envcheck.Examples:
On gentoo, during package building, some keywords and targets get expanded into quite-large environment variables. For instance the build system keeps track of which Python versions you have installed, and which targets / USE flags (optional compile-time features) you have enabled; some package-flag / dependency calculations then explode if you have say python-2.7, python-3.6, python-3.7, and python-3.8 all installed at once. This can exceed the current hardcoded limits, so builds can fail at strange points (patch, strings, fontforge for some reason) if the build user's processes are being firejail'ed. If I could arrange for the build user to have higher limits, it could still benefit from firejail otherwise, and the rest of the system's firejail uses could benefit from the reasonable lower defaults.
I also have some file-syncing scripts / Makefiles that bundle up different file sets and rsync them by explicit argument list (
rsync a b c d e f g h i j ... targethost:). I could modify these to pipe a list to rsync and do--files=from=-, but it would be simpler to just increase the ceilings in anrsync.localandssh.local, and/or pass a--ignore-envcheckto firejail in those cases.@SkewedZeppelin commented on GitHub (Dec 28, 2020):
Yep.
I've had these patched out in my personal builds forever.
@rusty-snake commented on GitHub (Mar 8, 2021):
Fixed by #3322?
@rusty-snake commented on GitHub (Apr 6, 2021):
Duplicate of #3678?
@hlein commented on GitHub (May 16, 2021):
Nope. Using
b5a4035912, which should include1c7ea15b30from #3322:In the "rsync a ridiculously long list of filenames" test, I get:
Error: too many argumentsSimilar thing when emerging a package on Gentoo when
patchhas been firejail'ed:Error: too many environment variables(Different part of the same overall set of changes.)
@hlein commented on GitHub (May 16, 2021):
Hm, related but I don't think a dupe. #3678 seems to be strictly about "a single env var that exceeds a length limit", but in this case the number of arguments, the number of env vars, and the env var lengths cause problems.
@kmk3 commented on GitHub (Oct 22, 2025):
Closing as a duplicate of:
As making the count/length configurable for both arguments and environment
variables should also resolve this issue.
If that is not the case, please clarify.