[GH-ISSUE #374] Losing internet access on blacklist /var

gitea-mirror commented

2026-05-05 05:28:01 -06:00

Owner

Originally created by @msva on GitHub (Mar 22, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/374

Hi!
I'm not sure if it is really issue, but since it is no place to just talk about firejail (like irc channel or xmpp muc), I'd ask here.

So, in previous versions of firejail I've profile, containing blacklist /var working fine, but with latest git master it leads to no internet access in jailed application.
I've reproduced it with both $ firejail --private --blacklist=/var firefox and $ firejail --private --whitelist=/var/cache.

I guess, it needs /var/run/firejail there (isn't it?), but unfortunately, it is not possible to just whitelist /var/run/firejail (it says 'wrong path', because /var/run is a symlink to /run on my system (distro FHS policy), and you're checking path to be local in fs_whitelist.c).
And noblacklist /var/run/firejail+blacklist /var seems to doesn't help in that situation too.

So, how is that possible to be in this situation?

And one thing more: not sure if should create separate issue, or can be discussed here:
in git master (not sure starting from which commit) ping/ping6 stopped to work and saying operation not permitted (while both of them do have suid-bit on 65534 user (under which pid 1 (firejail) is running). Reproduceable even in clean $ firejail --private.

Originally created by @msva on GitHub (Mar 22, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/374 Hi! I'm not sure if it is really issue, but since it is no place to just talk about firejail (like irc channel or xmpp muc), I'd ask here. So, in previous versions of firejail I've profile, containing `blacklist /var` working fine, but with latest git master it leads to no internet access in jailed application. I've reproduced it with both `$ firejail --private --blacklist=/var firefox` and `$ firejail --private --whitelist=/var/cache`. I guess, it needs `/var/run/firejail` there (isn't it?), but unfortunately, it is not possible to just `whitelist /var/run/firejail` (it says 'wrong path', because `/var/run` is a symlink to `/run` on my system (distro FHS policy), and you're checking path to be local in fs_whitelist.c). And `noblacklist /var/run/firejail`+`blacklist /var` seems to doesn't help in that situation too. So, how is that possible to be in this situation? --- And one thing more: not sure if should create separate issue, or can be discussed here: in git master (not sure starting from which commit) ping/ping6 stopped to work and saying `operation not permitted` (while both of them do have suid-bit on 65534 user (under which pid 1 (firejail) is running). Reproduceable even in clean `$ firejail --private`.

gitea-mirror

2026-05-05 05:28:01 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 05:28:06 -06:00

Author

Owner

@msva commented on GitHub (Mar 22, 2016):

Actually, talking about main question in the issue (not the ping issue):
why do whitelist supports only several paths, but not allowing some random paths?

And also why don't allow to whitelist external symlinks? The only security issue I know about that is allowing to execute binaries from the "host", but it working only if there is some bugs at kernel level (see last overlayfs+namespaces bug). And I don't think possibility of such bugs is a reason for firejail to disallow such useful functionality ;)

@msva commented on GitHub (Mar 22, 2016): Actually, talking about main question in the issue (not the ping issue): why do `whitelist` supports only several paths, but not allowing some random paths? And also why don't allow to whitelist external symlinks? The only security issue I know about that is allowing to execute binaries from the "host", but it working only if there is some bugs at kernel level (see last overlayfs+namespaces bug). And I don't think possibility of such bugs is a reason for firejail to disallow such useful functionality ;)

gitea-mirror commented

2026-05-05 05:28:09 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 22, 2016):

Blacklisting /var is a very bad idea. Lots of software use /var, and usually they expect the files to be there read/write. Sometimes they just crash without any kind of error recovery.

For example, I run on a Ubuntu 10.04 "firejail --blacklist=/var firefox" and I get:

(firefox:2): IBUS-WARNING **: Unable to load /var/lib/dbus/machine-id: Failed to open file '/var/lib/dbus/machine-id': Permission denied

I still get network connectivity, but something is definitely broken - in this case IBus, using a foreign keyboard mapping will not work.

ping/ping6: SUID binaries are disabled in the sandbox, so ping will not work. For testing you can try to run with --noprofile. This will enable SUID binaries.

65534 is a user id without any privileges. The kernel uses it to replace unwanted users in a user namespace.

External symlinks in --whitelist open the sandbox to all kind of exploits, so I have to disable them.

Allowing external symlinks under

@netblue30 commented on GitHub (Mar 22, 2016): Blacklisting /var is a very bad idea. Lots of software use /var, and usually they expect the files to be there read/write. Sometimes they just crash without any kind of error recovery. For example, I run on a Ubuntu 10.04 "firejail --blacklist=/var firefox" and I get: ``` (firefox:2): IBUS-WARNING **: Unable to load /var/lib/dbus/machine-id: Failed to open file '/var/lib/dbus/machine-id': Permission denied ``` I still get network connectivity, but something is definitely broken - in this case IBus, using a foreign keyboard mapping will not work. ping/ping6: SUID binaries are disabled in the sandbox, so ping will not work. For testing you can try to run with --noprofile. This will enable SUID binaries. 65534 is a user id without any privileges. The kernel uses it to replace unwanted users in a user namespace. External symlinks in --whitelist open the sandbox to all kind of exploits, so I have to disable them. Allowing external symlinks under

gitea-mirror commented

2026-05-05 05:28:12 -06:00

Author

Owner

@msva commented on GitHub (Mar 22, 2016):

Yeah, I know that some software _can_ use /var and it can brake something, but I doing that (white/blacklisting /var/*) only with properly testing and full responsibility for the result ;)

And I wanted very much to hide /var and some other "non-standard" directories from some proprietary software I forced to use. And whitelist would be ideal variant, because I want they don't know that such path exist at all, and not just be forbidden to open them.

//nb: your comment is cut on "under" word and looks unfinished.

@msva commented on GitHub (Mar 22, 2016): Yeah, I know that some software **_can**_ use `/var` and it can brake something, but I doing that (white/blacklisting `/var/*`) only with properly testing and full responsibility for the result ;) And I wanted very much to hide `/var` and some other "non-standard" directories from some proprietary software I forced to use. And `whitelist` would be ideal variant, because I want they don't know that such path exist at all, and not just be forbidden to open them. //nb: your comment is cut on "under" word and looks unfinished.

gitea-mirror commented

2026-05-05 05:28:14 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 22, 2016):

OK, I think if I allow in --whitelist /var/run and /var/lock to point outside /var, all would be fine. I'll bring in a fix.

@netblue30 commented on GitHub (Mar 22, 2016): OK, I think if I allow in --whitelist /var/run and /var/lock to point outside /var, all would be fine. I'll bring in a fix.

gitea-mirror commented

2026-05-05 05:28:16 -06:00

Author

Owner

@msva commented on GitHub (Mar 22, 2016):

By the way, isn't it a way to ask firejail to not whitelist, but create new /var/run inside?

And question about one more restriction:

Error: tmpfs available only when running the sandbox as root

But firejail do mount tmpfs on parent directories of whitelisted things. So, what is the point of such restriction?

And, also, can you share your thoughts, what can be the reason of the fact, that any jailed soft losing access to internet if it has no access to run? Was I right on suggestion, that jail need access to some files in firejail's directory for that?

And one more thing: I think, it will be nice to hide firejail mountpoints and other service things from jailed software. I think, this is security breach:

 firejail --private --quiet ls /var/run/firejail/name -l

итого 1
-rw-r--r-- 1 65534 65534 6 мар 22 20:41 31825
-rw-r--r-- 1 65534 65534 6 мар 22 15:30 32221
-rw-r--r-- 1 65534 65534 6 мар 22 12:18 3286

So, any jailed software

can suggest it is runned in firejail (by looking on PID1),
get real PIDs of another jailed software (including itself)

@msva commented on GitHub (Mar 22, 2016): By the way, isn't it a way to ask firejail to not whitelist, but create new `/var/run` inside? And question about one more restriction: > Error: tmpfs available only when running the sandbox as root But firejail do mount tmpfs on parent directories of whitelisted things. So, what is the point of such restriction? --- And, also, can you share your thoughts, what can be the reason of the fact, that any jailed soft losing access to internet if it has no access to run? Was I right on suggestion, that jail need access to some files in firejail's directory for that? --- And one more thing: I think, it will be nice to hide firejail mountpoints and other service things from jailed software. I think, this _is_ security breach: ``` firejail --private --quiet ls /var/run/firejail/name -l итого 1 -rw-r--r-- 1 65534 65534 6 мар 22 20:41 31825 -rw-r--r-- 1 65534 65534 6 мар 22 15:30 32221 -rw-r--r-- 1 65534 65534 6 мар 22 12:18 3286 ``` So, any jailed software 1) can suggest it is runned in firejail (by looking on PID1), 2) get real PIDs of another jailed software (including itself)

gitea-mirror commented

2026-05-05 05:28:19 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 23, 2016):

I think on your platform you have /etc/resolv.conf a symlink in /run. So, if /run disappears you will not get network connectivity. I would make /etc/resolv.conf a real file.

I'll bring in fixes for all the other issues, thanks.

@netblue30 commented on GitHub (Mar 23, 2016): I think on your platform you have /etc/resolv.conf a symlink in /run. So, if /run disappears you will not get network connectivity. I would make /etc/resolv.conf a real file. I'll bring in fixes for all the other issues, thanks.

gitea-mirror commented

2026-05-05 05:28:22 -06:00

Author

Owner

@msva commented on GitHub (Mar 23, 2016):

~~I do not have /etc/resolv.conf as symlink to /run/*. It is regular file~~
I do, sorry. It is connman hijacked it :(.
thanks

@msva commented on GitHub (Mar 23, 2016): 1) ~~I do not have `/etc/resolv.conf` as symlink to `/run/*`. It is regular file~~ I do, sorry. It is `connman` hijacked it :(. 2) thanks

gitea-mirror commented

2026-05-05 05:28:23 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 23, 2016):

I put a fix in for /var/run and /var/lock, you can whitelist them now. Also, I mounted tmpfs on top of /run/firejail/{bandwidth,name,network,x11}, so there won't be any information leaks.

tmps as user opens the door to some nice SUID exploits, so I had to remove it. Let me know if you find something else, thanks!

@netblue30 commented on GitHub (Mar 23, 2016): I put a fix in for /var/run and /var/lock, you can whitelist them now. Also, I mounted tmpfs on top of /run/firejail/{bandwidth,name,network,x11}, so there won't be any information leaks. tmps as user opens the door to some nice SUID exploits, so I had to remove it. Let me know if you find something else, thanks!

Rows
Columns

[GH-ISSUE #374] Losing internet access on blacklist /var #266