[GH-ISSUE #4887] When /etc/fonts is a symlink to a directory, private-etc rules that invoke fcopy produce wrong directory structure and breaks apps (NixOS) #2800

New issue

Closed

opened 2026-05-05 09:27:26 -06:00 by gitea-mirror · 20 comments

gitea-mirror commented 2026-05-05 09:27:26 -06:00

Owner

Copy link

Originally created by @reedriley on GitHub (Feb 1, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4887

Description

On NixOS; the /etc/fonts directory is a symlink (to a symlink) to a directory. When a profile includes this in private-etc; fcopy appears to copy the symlink into the target directory rather than resolving it as a directory and copying the contents over.

In short; inside of a firejail; the "correct" path becomes /etc/fonts/fonts instead of /etc/fonts.

Steps to Reproduce

1. Install NixOS; or set up etc with a symlink from /etc/fonts to /etc/static/fonts and a symlink from /etc/static/fonts to some other location.
2. Run a profile for basically any electron app.
3. Observe that it hits issues involving fonts.

Additional context

I think the fix here is probably to modify fcopy to behave differently if a source symlink is to a directory vs. a file; and add a corresponding unit test. If that's the case; I'm happy to work on a pull request - but given that this is in a fairly subtle space I wanted to check if my understanding is correct before I begin.

Environment

• NixOS 21.11
• Firejail version 0.9.68rc1

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

From running firejail --debug, I'm pretty confident the relevant section of the logs involve this snippet:

Copying files in the new /etc directory:
Copying /etc/fonts to private /etc
Creating empty /run/firejail/mnt/etc/fonts directory
sbox run: /run/firejail/lib/fcopy /etc/fonts /run/firejail/mnt/etc/fonts 

Happy to provide more logs or perform more tests as requested.

Originally created by @reedriley on GitHub (Feb 1, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/4887 ### Description On NixOS; the `/etc/fonts` directory is a symlink (to a symlink) to a directory. When a profile includes this in `private-etc`; fcopy appears to copy the symlink into the target directory rather than resolving it as a directory and copying the contents over. In short; inside of a firejail; the "correct" path becomes `/etc/fonts/fonts` instead of `/etc/fonts`. ### Steps to Reproduce 1. Install NixOS; or set up `etc` with a symlink from `/etc/fonts` to `/etc/static/fonts` and a symlink from `/etc/static/fonts` to some other location. 2. Run a profile for basically any electron app. 3. Observe that it hits issues involving fonts. ### Additional context I _think_ the fix here is probably to modify `fcopy` to behave differently if a source symlink is to a directory vs. a file; and add a corresponding unit test. If that's the case; I'm happy to work on a pull request - but given that this is in a fairly subtle space I wanted to check if my understanding is correct before I begin. ### Environment - NixOS 21.11 - Firejail version 0.9.68rc1 ### Checklist - [X] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [X] I can reproduce the issue without custom modifications (e.g. globals.local). - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [X] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log From running `firejail --debug`, I'm pretty confident the relevant section of the logs involve this snippet: ``` Copying files in the new /etc directory: Copying /etc/fonts to private /etc Creating empty /run/firejail/mnt/etc/fonts directory sbox run: /run/firejail/lib/fcopy /etc/fonts /run/firejail/mnt/etc/fonts ``` Happy to provide more logs or perform more tests as requested.

gitea-mirror 2026-05-05 09:27:26 -06:00

• closed this issue
• added the
  bug
  label

gitea-mirror commented 2026-05-05 09:27:29 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Feb 2, 2022):

Thanks for the bug! Try the latest on mainline git, I think I have a fix for fcopy.

<!-- gh-comment-id:1028212037 --> @netblue30 commented on GitHub (Feb 2, 2022): Thanks for the bug! Try the latest on mainline git, I think I have a fix for fcopy.

gitea-mirror commented 2026-05-05 09:27:30 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Feb 2, 2022):

firejail --noprofile --debug --private-etc=localtime ls -l /etc now shows an empty /etc. Can anyone confirm.

<!-- gh-comment-id:1028228904 --> @rusty-snake commented on GitHub (Feb 2, 2022): `firejail --noprofile --debug --private-etc=localtime ls -l /etc` now shows an empty `/etc`. Can anyone confirm.

gitea-mirror commented 2026-05-05 09:27:31 -06:00

Author

Owner

Copy link

@reinerh commented on GitHub (Feb 2, 2022):

firejail --noprofile --debug --private-etc=localtime ls -l /etc now shows an empty /etc. Can anyone confirm.

Yes, I can confirm. With commit 4e27b344ed on top of rc1 I also get an empty /etc.

<!-- gh-comment-id:1028287456 --> @reinerh commented on GitHub (Feb 2, 2022): > `firejail --noprofile --debug --private-etc=localtime ls -l /etc` now shows an empty `/etc`. Can anyone confirm. Yes, I can confirm. With commit 4e27b344ed2ff6a15030d3d4c5c5fc9994baf504 on top of rc1 I also get an empty `/etc`.

gitea-mirror commented 2026-05-05 09:27:33 -06:00

Author

Owner

Copy link

@reedriley commented on GitHub (Feb 2, 2022):

And I can confirm that with firejail built from master installed on NixOS that:

1. /etc/fonts/ looks sane again for a few profiles I tested, and also
2. the electron apps that had been broken without a hacky workaround are functional again.

<!-- gh-comment-id:1028333907 --> @reedriley commented on GitHub (Feb 2, 2022): And I can confirm that with firejail built from `master` installed on NixOS that: 1. `/etc/fonts/` looks sane again for a few profiles I tested, and also 2. the electron apps that had been broken without a hacky workaround are functional again.

gitea-mirror commented 2026-05-05 09:27:33 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Feb 2, 2022):

New fix in, this time for localtime broken earlier. @reedriley, give it a try again. Thanks.

<!-- gh-comment-id:1028356576 --> @netblue30 commented on GitHub (Feb 2, 2022): New fix in, this time for localtime broken earlier. @reedriley, give it a try again. Thanks.

gitea-mirror commented 2026-05-05 09:27:34 -06:00

Author

Owner

Copy link

@reinerh commented on GitHub (Feb 2, 2022):

I'm wondering if special-casing /etc/fonts is sufficient for NixOS. AFAIK they use a lot of symlinks, so probably also for other configuration (and application) files.

<!-- gh-comment-id:1028358460 --> @reinerh commented on GitHub (Feb 2, 2022): I'm wondering if special-casing `/etc/fonts` is sufficient for NixOS. AFAIK they use a lot of symlinks, so probably also for other configuration (and application) files.

gitea-mirror commented 2026-05-05 09:27:35 -06:00

Author

Owner

Copy link

@vs49688 commented on GitHub (Feb 2, 2022):

They do. This is from my NixOS system:

Directories:

$ find /etc -maxdepth 1 -type l -xtype d
/etc/kbd
/etc/static
/etc/dbus-1
/etc/cups
/etc/fonts
/etc/zoneinfo
/etc/terminfo

Files:

$ find /etc -maxdepth 1 -type l -xtype f
/etc/hostid
/etc/resolvconf.conf
/etc/set-environment
/etc/locale.conf
/etc/shells
/etc/nscd.conf
/etc/fstab
/etc/hosts
/etc/profile
/etc/issue
/etc/fuse.conf
/etc/localtime
/etc/netgroup
/etc/nanorc
/etc/nsswitch.conf
/etc/rpc
/etc/mtab
/etc/bashrc
/etc/hostname
/etc/services
/etc/sddm.conf
/etc/login.defs
/etc/ipsec.secrets
/etc/tlp.conf
/etc/ethertypes
/etc/inputrc
/etc/host.conf
/etc/protocols
/etc/man_db.conf
/etc/os-release
/etc/vconsole.conf

<!-- gh-comment-id:1028366171 --> @vs49688 commented on GitHub (Feb 2, 2022): They do. This is from my NixOS system: Directories: ``` $ find /etc -maxdepth 1 -type l -xtype d /etc/kbd /etc/static /etc/dbus-1 /etc/cups /etc/fonts /etc/zoneinfo /etc/terminfo ``` Files: ``` $ find /etc -maxdepth 1 -type l -xtype f /etc/hostid /etc/resolvconf.conf /etc/set-environment /etc/locale.conf /etc/shells /etc/nscd.conf /etc/fstab /etc/hosts /etc/profile /etc/issue /etc/fuse.conf /etc/localtime /etc/netgroup /etc/nanorc /etc/nsswitch.conf /etc/rpc /etc/mtab /etc/bashrc /etc/hostname /etc/services /etc/sddm.conf /etc/login.defs /etc/ipsec.secrets /etc/tlp.conf /etc/ethertypes /etc/inputrc /etc/host.conf /etc/protocols /etc/man_db.conf /etc/os-release /etc/vconsole.conf ```

gitea-mirror commented 2026-05-05 09:27:36 -06:00

Author

Owner

Copy link

@reedriley commented on GitHub (Feb 2, 2022):

This fix at least resolves the electron app issues. So it's at least an improvement. But like @vs49688 says there are other directory symlinks.

I think the old firejail handling of symlinks-to-files was probably correct; it's just the handling of symlinks-to-directories that was broken. Is it possible to run this logic only if src is a symlink that resolves to a directory?

<!-- gh-comment-id:1028369786 --> @reedriley commented on GitHub (Feb 2, 2022): This fix at least resolves the electron app issues. So it's at least an improvement. But like @vs49688 says there are other directory symlinks. I think the old firejail handling of symlinks-to-files was probably correct; it's just the handling of symlinks-to-directories that was broken. Is it possible to run this logic only if `src` is a symlink that resolves to a directory?

gitea-mirror commented 2026-05-05 09:27:36 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Feb 2, 2022):

Yes, probably there are other directories handled as symlinks on NixOS. Run a "ls -l /etc" and post it here.

<!-- gh-comment-id:1028383562 --> @netblue30 commented on GitHub (Feb 2, 2022): Yes, probably there are other directories handled as symlinks on NixOS. Run a "ls -l /etc" and post it here.

gitea-mirror commented 2026-05-05 09:27:36 -06:00

Author

Owner

Copy link

@vs49688 commented on GitHub (Feb 2, 2022):

Yes, probably there are other directories handled as symlinks on NixOS. Run a "ls -l /etc" and post it here.

Done, see lsout.txt

<!-- gh-comment-id:1028387061 --> @vs49688 commented on GitHub (Feb 2, 2022): > Yes, probably there are other directories handled as symlinks on NixOS. Run a "ls -l /etc" and post it here. Done, see [lsout.txt](https://github.com/netblue30/firejail/files/7990253/lsout.txt)

gitea-mirror commented 2026-05-05 09:27:37 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Feb 2, 2022):

thanks @vs49688! The symlinks - plenty of them - are going in /etc/static. I'll bring in a new fix tomorrow.

<!-- gh-comment-id:1028397756 --> @netblue30 commented on GitHub (Feb 2, 2022): thanks @vs49688! The symlinks - plenty of them - are going in /etc/static. I'll bring in a new fix tomorrow.

gitea-mirror commented 2026-05-05 09:27:37 -06:00

Author

Owner

Copy link

@reedriley commented on GitHub (Feb 2, 2022):

On my system; these are the directories in /etc that are symlinks to other directories:

$ find /etc -maxdepth 1 -type l -xtype d | sort
/etc/apparmor.d
/etc/cups
/etc/dbus-1
/etc/fonts
/etc/kbd
/etc/static
/etc/terminfo
/etc/zoneinfo

i suspect the precise set will vary from installation to installation - for example apparmor.d isn't present on @vs49688's system.

I still think the right fix here is probably to modify fcopy semantics when the "source" argument is a symlink to a directory vs. symlink to a file? Just like how fcopy has different semantics when the "source" argument is a directory vs. a file? (duplicate_dir vs. duplicate_file?)

Either that; or if we can't trust that the symlink won't point somewhere else in the appropriate threat models; we might need to change private-etc profiles to encode whether an entry is a directory or a file. (e.g., by using a trailing slash - we could treat fonts/ and fonts as having distinct meanings?)

<!-- gh-comment-id:1028397966 --> @reedriley commented on GitHub (Feb 2, 2022): On my system; these are the directories in `/etc` that are symlinks to other directories: ``` $ find /etc -maxdepth 1 -type l -xtype d | sort /etc/apparmor.d /etc/cups /etc/dbus-1 /etc/fonts /etc/kbd /etc/static /etc/terminfo /etc/zoneinfo ``` i suspect the precise set will vary from installation to installation - for example `apparmor.d` isn't present on @vs49688's system. I still think the right fix here is probably to modify `fcopy` semantics when the "source" argument is a symlink to a directory vs. symlink to a file? Just like how `fcopy` has different semantics when the "source" argument is a directory vs. a file? (`duplicate_dir` vs. `duplicate_file`?) Either that; or if we can't trust that the symlink won't point somewhere else in the appropriate threat models; we might need to change `private-etc` profiles to encode whether an entry is a directory or a file. (e.g., by using a trailing slash - we could treat `fonts/` and `fonts` as having distinct meanings?)

gitea-mirror commented 2026-05-05 09:27:38 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Feb 2, 2022):

I'm reading about NixOS. Do you guys also have a /etc/config directory?

<!-- gh-comment-id:1028403997 --> @netblue30 commented on GitHub (Feb 2, 2022): I'm reading about NixOS. Do you guys also have a /etc/config directory?

gitea-mirror commented 2026-05-05 09:27:38 -06:00

Author

Owner

Copy link

@vs49688 commented on GitHub (Feb 2, 2022):

I'm reading about NixOS. Do you guys also have a /etc/config directory?

Not on any of my systems, although someone could add one via environment.etc

i suspect the precise set will vary from installation to installation - for example apparmor.d isn't present on @vs49688's system.

Yeah, I should probably enable AppArmor.

I still think the right fix here is probably to modify fcopy semantics when the "source" argument is a symlink to a directory vs. symlink to a file? Just like how fcopy has different semantics when the "source" argument is a directory vs. a file? (duplicate_dir vs. duplicate_file?)

Agreed.

<!-- gh-comment-id:1028419893 --> @vs49688 commented on GitHub (Feb 2, 2022): > I'm reading about NixOS. Do you guys also have a /etc/config directory? Not on any of my systems, although someone could add one via [environment.etc](https://search.nixos.org/options?channel=21.11&show=environment.etc&from=0&size=50&sort=relevance&type=packages&query=environment.etc) > i suspect the precise set will vary from installation to installation - for example `apparmor.d` isn't present on @vs49688's system. > Yeah, I should probably enable AppArmor. > I still think the right fix here is probably to modify `fcopy` semantics when the "source" argument is a symlink to a directory vs. symlink to a file? Just like how `fcopy` has different semantics when the "source" argument is a directory vs. a file? (`duplicate_dir` vs. `duplicate_file`?) > Agreed.

gitea-mirror commented 2026-05-05 09:27:39 -06:00

Author

Owner

Copy link

@reedriley commented on GitHub (Feb 2, 2022):

Here's a sketch of something that seems to work just fine for me: c0822a0fe1

With that patch applied; everything works the way I expect; and I get the following directory layout:

$ firejail --noprofile --quiet --private-etc=localtime,fonts ls -l --recursive /etc/
/etc/:
total 0
dr-xr-xr-x 4 root root 100 Feb  2 17:53 fonts
lrwxrwxrwx 1 root root  88 Feb  2 17:53 localtime -> /nix/store/6cc9lmldp0w0vvgr5k1h1gr8i6hn791b-tzdata-2021c/share/zoneinfo/America/New_York

/etc/fonts:
total 0
dr-xr-xr-x 2 root root  60 Feb  2 17:53 2.11
dr-xr-xr-x 2 root root 480 Feb  2 17:53 conf.d
lrwxrwxrwx 1 root root  83 Feb  2 17:53 fonts.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/etc/fonts/fonts.conf

/etc/fonts/2.11:
total 0
lrwxrwxrwx 1 root root 83 Feb  2 17:53 fonts.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/etc/fonts/fonts.conf

/etc/fonts/conf.d:
total 0
lrwxrwxrwx 1 root root  66 Feb  2 17:53 00-nixos-cache.conf -> /nix/store/dipzgbynmr5gmgn732dacbsavj107xi2-fc-00-nixos-cache.conf
lrwxrwxrwx 1 root root 113 Feb  2 17:53 10-hinting-slight.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/10-hinting-slight.conf
lrwxrwxrwx 1 root root  70 Feb  2 17:53 10-nixos-rendering.conf -> /nix/store/9nvnd8s7ac3y94cywa5iwjx9ccmb1rm9-fc-10-nixos-rendering.conf
lrwxrwxrwx 1 root root 117 Feb  2 17:53 10-scale-bitmap-fonts.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf
lrwxrwxrwx 1 root root 116 Feb  2 17:53 20-unhint-small-vera.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/20-unhint-small-vera.conf
lrwxrwxrwx 1 root root 113 Feb  2 17:53 30-metric-aliases.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/30-metric-aliases.conf
lrwxrwxrwx 1 root root 107 Feb  2 17:53 40-nonlatin.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/40-nonlatin.conf
lrwxrwxrwx 1 root root 106 Feb  2 17:53 45-generic.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/45-generic.conf
lrwxrwxrwx 1 root root 104 Feb  2 17:53 45-latin.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/45-latin.conf
lrwxrwxrwx 1 root root 108 Feb  2 17:53 49-sansserif.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/49-sansserif.conf
lrwxrwxrwx 1 root root 103 Feb  2 17:53 50-user.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/50-user.conf
lrwxrwxrwx 1 root root 104 Feb  2 17:53 51-local.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/51-local.conf
lrwxrwxrwx 1 root root  74 Feb  2 17:53 52-nixos-default-fonts.conf -> /nix/store/k8lbdziyr4ghki6csr8qnlshh273bv7k-fc-52-nixos-default-fonts.conf
lrwxrwxrwx 1 root root  73 Feb  2 17:53 53-nixos-reject-type1.conf -> /nix/store/bw6w7yazrr5rbwsy4x4v3bfjqzd7v223-fc-53-nixos-reject-type1.conf
lrwxrwxrwx 1 root root  65 Feb  2 17:53 53-no-bitmaps.conf -> /nix/store/2ffyf8rn2ib5hjx2q0k3jgd1vj4lllin-fc-53-no-bitmaps.conf
lrwxrwxrwx 1 root root 106 Feb  2 17:53 60-generic.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/60-generic.conf
lrwxrwxrwx 1 root root 104 Feb  2 17:53 60-latin.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/60-latin.conf
lrwxrwxrwx 1 root root 112 Feb  2 17:53 65-fonts-persian.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/65-fonts-persian.conf
lrwxrwxrwx 1 root root 107 Feb  2 17:53 65-nonlatin.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/65-nonlatin.conf
lrwxrwxrwx 1 root root 106 Feb  2 17:53 69-unifont.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/69-unifont.conf
lrwxrwxrwx 1 root root 108 Feb  2 17:53 80-delicious.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/80-delicious.conf
lrwxrwxrwx 1 root root 108 Feb  2 17:53 90-synthetic.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/90-synthetic.conf

<!-- gh-comment-id:1028435667 --> @reedriley commented on GitHub (Feb 2, 2022): Here's a sketch of something that seems to work just fine for me: https://github.com/reedriley/firejail/commit/c0822a0fe1dc84b8d83d57775a9ee842e61b60b6 With that patch applied; everything works the way I expect; and I get the following directory layout: ``` $ firejail --noprofile --quiet --private-etc=localtime,fonts ls -l --recursive /etc/ /etc/: total 0 dr-xr-xr-x 4 root root 100 Feb 2 17:53 fonts lrwxrwxrwx 1 root root 88 Feb 2 17:53 localtime -> /nix/store/6cc9lmldp0w0vvgr5k1h1gr8i6hn791b-tzdata-2021c/share/zoneinfo/America/New_York /etc/fonts: total 0 dr-xr-xr-x 2 root root 60 Feb 2 17:53 2.11 dr-xr-xr-x 2 root root 480 Feb 2 17:53 conf.d lrwxrwxrwx 1 root root 83 Feb 2 17:53 fonts.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/etc/fonts/fonts.conf /etc/fonts/2.11: total 0 lrwxrwxrwx 1 root root 83 Feb 2 17:53 fonts.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/etc/fonts/fonts.conf /etc/fonts/conf.d: total 0 lrwxrwxrwx 1 root root 66 Feb 2 17:53 00-nixos-cache.conf -> /nix/store/dipzgbynmr5gmgn732dacbsavj107xi2-fc-00-nixos-cache.conf lrwxrwxrwx 1 root root 113 Feb 2 17:53 10-hinting-slight.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/10-hinting-slight.conf lrwxrwxrwx 1 root root 70 Feb 2 17:53 10-nixos-rendering.conf -> /nix/store/9nvnd8s7ac3y94cywa5iwjx9ccmb1rm9-fc-10-nixos-rendering.conf lrwxrwxrwx 1 root root 117 Feb 2 17:53 10-scale-bitmap-fonts.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf lrwxrwxrwx 1 root root 116 Feb 2 17:53 20-unhint-small-vera.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/20-unhint-small-vera.conf lrwxrwxrwx 1 root root 113 Feb 2 17:53 30-metric-aliases.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/30-metric-aliases.conf lrwxrwxrwx 1 root root 107 Feb 2 17:53 40-nonlatin.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/40-nonlatin.conf lrwxrwxrwx 1 root root 106 Feb 2 17:53 45-generic.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/45-generic.conf lrwxrwxrwx 1 root root 104 Feb 2 17:53 45-latin.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/45-latin.conf lrwxrwxrwx 1 root root 108 Feb 2 17:53 49-sansserif.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/49-sansserif.conf lrwxrwxrwx 1 root root 103 Feb 2 17:53 50-user.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/50-user.conf lrwxrwxrwx 1 root root 104 Feb 2 17:53 51-local.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/51-local.conf lrwxrwxrwx 1 root root 74 Feb 2 17:53 52-nixos-default-fonts.conf -> /nix/store/k8lbdziyr4ghki6csr8qnlshh273bv7k-fc-52-nixos-default-fonts.conf lrwxrwxrwx 1 root root 73 Feb 2 17:53 53-nixos-reject-type1.conf -> /nix/store/bw6w7yazrr5rbwsy4x4v3bfjqzd7v223-fc-53-nixos-reject-type1.conf lrwxrwxrwx 1 root root 65 Feb 2 17:53 53-no-bitmaps.conf -> /nix/store/2ffyf8rn2ib5hjx2q0k3jgd1vj4lllin-fc-53-no-bitmaps.conf lrwxrwxrwx 1 root root 106 Feb 2 17:53 60-generic.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/60-generic.conf lrwxrwxrwx 1 root root 104 Feb 2 17:53 60-latin.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/60-latin.conf lrwxrwxrwx 1 root root 112 Feb 2 17:53 65-fonts-persian.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/65-fonts-persian.conf lrwxrwxrwx 1 root root 107 Feb 2 17:53 65-nonlatin.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/65-nonlatin.conf lrwxrwxrwx 1 root root 106 Feb 2 17:53 69-unifont.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/69-unifont.conf lrwxrwxrwx 1 root root 108 Feb 2 17:53 80-delicious.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/80-delicious.conf lrwxrwxrwx 1 root root 108 Feb 2 17:53 90-synthetic.conf -> /nix/store/xba54gdybnaca93w85vmzrqg1n0njxg6-fontconfig-2.13.94/share/fontconfig/conf.avail/90-synthetic.conf ```

gitea-mirror commented 2026-05-05 09:27:39 -06:00

Author

Owner

Copy link

@reedriley commented on GitHub (Feb 2, 2022):

Or; alternatively; we could skip creating the empty /etc/fonts directory in this case somehow. (Perhaps by modifying create_empty_dir_as_root to use lstat instead of stat? Or build_dirs in fs_etc.c to use lstat instead of stat?)

<!-- gh-comment-id:1028455201 --> @reedriley commented on GitHub (Feb 2, 2022): Or; alternatively; we could skip creating the empty `/etc/fonts` directory in this case somehow. (Perhaps by modifying `create_empty_dir_as_root` to use `lstat` instead of `stat`? Or `build_dirs` in `fs_etc.c` to use `lstat` instead of `stat`?)

gitea-mirror commented 2026-05-05 09:27:39 -06:00

Author

Owner

Copy link

@reedriley commented on GitHub (Feb 3, 2022):

Here's another fix that appears to work, which feels a lot less hacky: 967265dead

The flow:

1. fs_etc.c used to resolve the symlink /etc/fonts to a directory; and therefore create an empty directory.
2. Then, fcopy moved the symlink into the newly created empty directory screwing up the structure.

Changing the build_dirs function in fs_etc.c to use lstat instead of stat allows it to handle this case correctly and preserve the directory structure rather than warping it.

With this patch, I get:

$ firejail --noprofile --quiet --private-etc=localtime,fonts ls -l --recursive /etc/
/etc/:
total 0
lrwxrwxrwx 1 root root 69 Feb  2 20:08 fonts -> /nix/store/6yzk4cmmdywc33lr6bf5iladr7rjih0w-fontconfig-conf/etc/fonts
lrwxrwxrwx 1 root root 88 Feb  2 20:08 localtime -> /nix/store/6cc9lmldp0w0vvgr5k1h1gr8i6hn791b-tzdata-2021c/share/zoneinfo/America/New_York

<!-- gh-comment-id:1028508555 --> @reedriley commented on GitHub (Feb 3, 2022): Here's another fix that appears to work, which feels a lot less hacky: https://github.com/reedriley/firejail/commit/967265dead0a085025220d5a6199aeb8d654ce63 The flow: 1. `fs_etc.c` used to resolve the symlink `/etc/fonts` to a directory; and therefore create an empty directory. 2. Then, `fcopy` moved the symlink _into_ the newly created empty directory screwing up the structure. Changing the `build_dirs` function in `fs_etc.c` to use `lstat` instead of `stat` allows it to handle this case correctly and preserve the directory structure rather than warping it. With this patch, I get: ``` $ firejail --noprofile --quiet --private-etc=localtime,fonts ls -l --recursive /etc/ /etc/: total 0 lrwxrwxrwx 1 root root 69 Feb 2 20:08 fonts -> /nix/store/6yzk4cmmdywc33lr6bf5iladr7rjih0w-fontconfig-conf/etc/fonts lrwxrwxrwx 1 root root 88 Feb 2 20:08 localtime -> /nix/store/6cc9lmldp0w0vvgr5k1h1gr8i6hn791b-tzdata-2021c/share/zoneinfo/America/New_York ```

gitea-mirror commented 2026-05-05 09:27:40 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Feb 3, 2022):

It turns out we already had all the support. It is --follow-link flag in fcopy, I just had to enable it for private-etc. Also reverted all the changes to fcopy.

Fix here: 8c33968747

<!-- gh-comment-id:1029035516 --> @netblue30 commented on GitHub (Feb 3, 2022): It turns out we already had all the support. It is --follow-link flag in fcopy, I just had to enable it for private-etc. Also reverted all the changes to fcopy. Fix here: https://github.com/netblue30/firejail/commit/8c33968747016a8e473719db19f723f310a3a5a3

gitea-mirror commented 2026-05-05 09:27:40 -06:00

Author

Owner

Copy link

@reedriley commented on GitHub (Feb 4, 2022):

I can confirm; this fix works for my system as well. Thanks!

I'd flag there are probably other symlink issues lurking in firejail+NixOS; the distro relies on them heavily. But, if I hit any, I'll be sure to report them or submit a pull request,

<!-- gh-comment-id:1030183225 --> @reedriley commented on GitHub (Feb 4, 2022): I can confirm; this fix works for my system as well. Thanks! I'd flag there are probably other symlink issues lurking in firejail+NixOS; the distro relies on them heavily. But, if I hit any, I'll be sure to report them or submit a pull request,

gitea-mirror commented 2026-05-05 09:27:41 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Feb 4, 2022):

I'd flag there are probably other symlink issues lurking in firejail+NixOS; the distro relies on them heavily.

Sure, thanks! /etc should be fully fixed right now. The fix resolved all symlinks there. Closed for now.

<!-- gh-comment-id:1030192649 --> @netblue30 commented on GitHub (Feb 4, 2022): > I'd flag there are probably other symlink issues lurking in firejail+NixOS; the distro relies on them heavily. Sure, thanks! /etc should be fully fixed right now. The fix resolved all symlinks there. Closed for now.

gitea-mirror referenced this issue 2026-05-05 10:21:54 -06:00

[PR #2800] [MERGED] Hardening a few profiles #4533

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2800

No description provided.