mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #3975] Running xpdf in firejail #2486
Reference: github-starred/firejail#2486
Originally created by @domivogt on GitHub (Feb 11, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3975
This (hopefully) isn't a bug report but just a usage question:
I want to run xpdf in a sandbox. Problem is that a simple
$ firejail xpdf /some/path/pdffile
Does not work because the path is not whitelisted. Whitelisting the whole system seems wrong; xpdf should simply have read access to the file on the command line and nothing else (except config files of course). However, it's not so easy to figure out at which position xpdf's files argument is. It's not necessarily the last one.
@rusty-snake commented on GitHub (Feb 11, 2021):
Duplicate of #838
@rusty-snake commented on GitHub (Feb 11, 2021):
xpdf has a blacklisting profile, did you add the whitelisting stuff?
@domivogt commented on GitHub (Feb 11, 2021):
I've not changed anything. This is the problem I want to solve:
It works if the file is in $HOME.
@rusty-snake commented on GitHub (Feb 11, 2021):
No globals.local or other *.local and nothing in firejail.config. Ok, does it work with
firejail --noprofile /usr/bin/xpdf /data/foo.pdf
Also is /data mounted with something "crazy" like fuse, nfs, ...?
EDIT: or symlinked from somewhere? Shows
firejail --debug xpdf /data/foo.pdf
anything like "Disable /data"?
@domivogt commented on GitHub (Feb 11, 2021):
Firejail-0.9.64.4 is just installed as built, without any changes to anything (except seamonkey.local and iceweasel.local).
Yes. However, it looks weird overall: If the file is in /data/.../foo.pdf, it works. If it's in /home/data/.../foo.pdf it doesn't. (/home is on a different partition, but not mounted with any exciting options:
Is /home treated differently than other dirs?
/data is just a world readable directory in the root filesystem.
Nope.
No.
@rusty-snake commented on GitHub (Feb 11, 2021):
Yes, only /home/user is present without --allusers.
@domivogt commented on GitHub (Feb 11, 2021):
Fair enough. So, assuming you have the full path of a file, like /data/som/subdir/file.pdf. Is there a simple way to whitelist that path, and only that path, regardless of any other active rules?
(And if that's possible, is it possible to remove write permissions on the path and to the file?)
@rusty-snake commented on GitHub (Feb 11, 2021):
read-only /path/to/file, if you only view pdfs, you could read-only /data and read-only ${HOME}.
No, there are multiple options granting/denying access to a file.
Work EDIT: it can not work. firejail --whitelist=/data/foo.pdf xpdf /data/pdf?
@rusty-snake commented on GitHub (Apr 6, 2021):
Looks like you need to comment the profile and then uncomment it line for line to find the cause.
@rusty-snake commented on GitHub (May 12, 2021):
I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.
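The two suggestions from the replies above (read-only for the file, --allusers for a path under /home that is outside the user's own home) combined into one wrapper. This is an added example, not code from the thread or from the firejail project; `view_in_firejail` and `FIREJAIL_BIN` are hypothetical names, and it assumes the active profile does not otherwise block the path.

```shell
#!/bin/sh
# Added example, not firejail project code. view_in_firejail and the
# FIREJAIL_BIN override are hypothetical names used for illustration.
view_in_firejail() {
    viewer=$1
    file=$2
    home=${HOME%/}

    # Make the path absolute; resolve symlinks when the file exists, since a
    # symlinked location can point somewhere the sandbox does not show.
    case $file in
        /*) abs=$file ;;
        *)  abs=$PWD/$file ;;
    esac
    if [ -e "$abs" ]; then
        abs=$(readlink -f -- "$abs")
    fi

    # --read-only removes write access to the file, as suggested in the thread.
    set -- "--read-only=$abs"

    case $abs in
        "$home"/*)
            ;;  # the user's own home is present by default
        /home/*)
            # Other directories under /home are absent without --allusers.
            # Trade-off: --allusers makes every directory under /home visible.
            set -- --allusers "$@"
            ;;
    esac

    # FIREJAIL_BIN lets a caller substitute another command for a dry run.
    "${FIREJAIL_BIN:-firejail}" "$@" "$viewer" "$abs"
}
```

Setting `FIREJAIL_BIN=echo` prints the command line that would be run, which is a quick way to check the options before starting the sandbox.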