[GH-ISSUE #3991] private-etc doesn't allow subdirs #2495

Closed
opened 2026-05-05 09:10:43 -06:00 by gitea-mirror · 8 comments

Originally created by @g-v-egidy on GitHub (Feb 15, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3991

Bug and expected behavior
I want to allow a program access to the directory /etc/pki/ca-trust/ and below, but not to /etc/pki/tls/private.
As the private keys are really sensitive, I don't want to just rely on blacklisting, but remove the private keys fully from the mount with the private-etc option.

When I try to use this in a profile file:

private-etc alternatives,crypto-policies,hostname,hosts,ld.so.cache,resolv.conf,localtime,ssl,pki/ca-trust

I get the error:

Error: "pki/ca-trust" is an invalid filename

The manpage suggests that copying subdirs of /etc is allowed as the example given there:

Example:
              $ firejail --private-etc=group,hostname,localtime, \
              nsswitch.conf,passwd,resolv.conf,default/motd-news

uses default/motd-news.

Environment

  • CentOS 8.3 on x86_64.
  • firejail 0.9.64.4

@smitsohu commented on GitHub (Feb 15, 2021):

A simple workaround for now would be to switch from private-etc to whitelist. It is about as secure as long as you don't add a writable-etc option.

whitelist /etc/alternatives
whitelist /etc/crypto-policies
whitelist /etc/hostname
whitelist /etc/hosts
whitelist /etc/ld.so.cache
whitelist /etc/resolv.conf
whitelist /etc/localtime
whitelist /etc/ssl
whitelist /etc/pki/ca-trust

@smitsohu commented on GitHub (Feb 15, 2021):

Alternatively you can also layer noblacklist / blacklist on top of the private-etc:

noblacklist /etc/pki/ca-trust
blacklist /etc/pki/*
private-etc alternatives,crypto-policies,hostname,hosts,ld.so.cache,resolv.conf,localtime,ssl,pki
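The two workarounds above (the whitelist profile and the noblacklist/blacklist layering over private-etc) as an added, self-contained example. This is not code from the firejail project or from anyone in this thread. It writes both profiles to temporary files, runs a small static lint for the two mistakes that quietly weaken them (a writable-etc line, or a noblacklist placed after the blacklist it is meant to exempt, which firejail's profile documentation says must come first), and, only if a firejail binary is on PATH, starts a sandbox with each profile and checks that /etc/pki/ca-trust is visible while /etc/pki/tls/private is not. The lint and the live check are assumptions of this example: they encode the ordering rule and the reporter's goal, not anything firejail itself enforces.

```sh
#!/bin/sh
# Added example, not part of firejail or of the issue thread.
# Assumes: POSIX sh; firejail on PATH only for the optional live check;
# a host that actually has /etc/pki/ca-trust and /etc/pki/tls/private.

# Profile 1: the whitelist variant from the first comment. Stays read-only
# as long as no "writable-etc" line is added anywhere in the profile.
write_whitelist_profile() {
  cat > "$1" <<'EOF'
whitelist /etc/alternatives
whitelist /etc/crypto-policies
whitelist /etc/hostname
whitelist /etc/hosts
whitelist /etc/ld.so.cache
whitelist /etc/resolv.conf
whitelist /etc/localtime
whitelist /etc/ssl
whitelist /etc/pki/ca-trust
EOF
}

# Profile 2: copy the whole pki directory with private-etc, then hide
# everything under it except ca-trust. The noblacklist line must precede
# the blacklist line it exempts (firejail processes profiles in order).
write_private_etc_profile() {
  cat > "$1" <<'EOF'
noblacklist /etc/pki/ca-trust
blacklist /etc/pki/*
private-etc alternatives,crypto-policies,hostname,hosts,ld.so.cache,resolv.conf,localtime,ssl,pki
EOF
}

# Static lint (this example's own rule set): return 1 if the profile has a
# writable-etc line, or if any noblacklist line follows the first blacklist.
lint_profile() {
  if grep -q '^writable-etc' "$1"; then
    echo "lint: $1: writable-etc makes the sandbox /etc writable" >&2
    return 1
  fi
  first_bl=$(grep -n '^blacklist ' "$1" | head -n1 | cut -d: -f1)
  last_nobl=$(grep -n '^noblacklist ' "$1" | tail -n1 | cut -d: -f1)
  if [ -n "$first_bl" ] && [ -n "$last_nobl" ] && [ "$last_nobl" -gt "$first_bl" ]; then
    echo "lint: $1: noblacklist on line $last_nobl comes after blacklist on line $first_bl" >&2
    return 1
  fi
  return 0
}

# Live check: inside the sandbox ca-trust must exist and tls/private must
# not. Returns 2 (skipped) when firejail is not installed.
check_sandbox() {
  command -v firejail >/dev/null 2>&1 || return 2
  firejail --quiet --profile="$1" sh -c \
    'test -d /etc/pki/ca-trust && ! test -e /etc/pki/tls/private'
}

main() {
  d=$(mktemp -d)
  write_whitelist_profile "$d/whitelist.profile"
  write_private_etc_profile "$d/private-etc.profile"
  for p in "$d/whitelist.profile" "$d/private-etc.profile"; do
    lint_profile "$p" && echo "lint ok: $p"
    check_sandbox "$p" && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then
      echo "firejail not found, skipping live check for $p"
    elif [ "$rc" -eq 0 ]; then
      echo "sandbox ok: ca-trust visible, tls/private hidden ($p)"
    else
      echo "sandbox check FAILED (rc=$rc) for $p"
    fi
  done
  rm -rf "$d"
}

main "$@"
```

Run it on the CentOS host from the report to confirm the second profile behaves as the reporter wants; on a machine without firejail only the lint runs. Note that the lint only catches the two ordering and option mistakes named above; it does not verify that `blacklist /etc/pki/*` actually covers `tls/private`, which is what the live check is for.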

@g-v-egidy commented on GitHub (Feb 15, 2021):

Thanks for your quick reply.

I'm already using the blacklist solution for now. But it would be nice if private-etc could be improved to also allow the subdirs, because I think this is more secure.


@brisad commented on GitHub (Mar 11, 2021):

Hi! I recently found Firejail, and thought I'd start to help out a little. So I just took a look at this problem and wanted to see if I could fix it.

I am guessing here that the expected behavior would be that

private-etc pki/ca-trust

would yield /etc/pki/ca-trust.

private-lib on the other hand, which does support sub-directories, maps

private-lib a/b/c

to /lib/c (not /lib/a/b/c). That is, it copies the target path to the top level /lib dir.

For consistency within Firejail, I would assume it should follow the private-lib implementation. But perhaps that won't solve @g-v-egidy's problem. What is the right approach here?


@g-v-egidy commented on GitHub (Mar 11, 2021):

For libs the exact path usually doesn't matter as long as it is within the configured ld.so.conf.
For /etc the exact path really matters and just copying files without preserving their path is useless.

So I think private-etc should work differently than private-lib in this regard.


@brisad commented on GitHub (Mar 11, 2021):

Didn't think about that, but now that you say it, it's very true. Thanks :)


@rusty-snake commented on GitHub (Mar 11, 2021):

#4045


@brisad commented on GitHub (Apr 25, 2021):

Sorry for disappearing right after offering to help. It's been busy times. But I finally took a shot at this and attached a PR.
