github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5179] kodi: can access non-media paths #2904

New issue
Closed
opened 2026-05-05 09:34:01 -06:00 by gitea-mirror · 11 comments
gitea-mirror commented 2026-05-05 09:34:01 -06:00
Owner
Copy link

Originally created by @tomasz-c on GitHub (Jun 7, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5179

Description

I noticed that the kodi profile for firejail 0.9.68 does not seem to work.

From the file manager in Kodi I can browse all directories, drives (not just those defined in the profile) and delete data from them (if Linux permissions allow it). Surely in some previous version this worked correctly.

Steps to Reproduce

  1. run Kodi:
    firejail --profile=/etc/firejail/kodi.profile kodi

  2. go to Settings

  3. run the file manager

  4. try to browse all directories or delete files

Expected behavior

No ability to view or delete files outside the media folders defined in the profile.

Actual behavior

Possible to view and delete files outside the media folders defined in the profile.

Behavior without a profile

In terms of viewing and deleting files, the same as with a profile.

Environment

  • Linux distribution: Arch Linux
  • Firejail version: 0.9.68
  • Kodi version: 19.4
Originally created by @tomasz-c on GitHub (Jun 7, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5179 ### Description I noticed that the kodi profile for firejail 0.9.68 does not seem to work. From the file manager in Kodi I can browse all directories, drives (not just those defined in the profile) and delete data from them (if Linux permissions allow it). Surely in some previous version this worked correctly. ### Steps to Reproduce 1. run Kodi: `firejail --profile=/etc/firejail/kodi.profile kodi` 2. go to Settings 3. run the file manager 4. try to browse all directories or delete files ### Expected behavior No ability to view or delete files outside the media folders defined in the profile. ### Actual behavior Possible to view and delete files outside the media folders defined in the profile. ### Behavior without a profile In terms of viewing and deleting files, the same as with a profile. ### Environment - Linux distribution: Arch Linux - Firejail version: 0.9.68 - Kodi version: 19.4
gitea-mirror 2026-05-05 09:34:01 -06:00
  • closed this issue
  • added the
    wontfix
         label
gitea-mirror commented 2026-05-05 09:34:04 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 7, 2022):

Second note that kodi.profile isn't whitelisting profile and does not set disable-mnt. So if you can access /mnt/foo/bar or ~/Downloads/frogs.png this is expected.

<!-- gh-comment-id:1149020268 --> @rusty-snake commented on GitHub (Jun 7, 2022): > Second note that kodi.profile isn't whitelisting profile and does not set `disable-mnt`. So if you can access `/mnt/foo/bar` or `~/Downloads/frogs.png` this is expected.
gitea-mirror commented 2026-05-05 09:34:05 -06:00
Author
Owner
Copy link

@tomasz-c commented on GitHub (Jun 7, 2022):

@rusty-snake
But I understand that if I have home mounted from a separate partition it doesn't matter?
I can also view the contents of /etc and this should not work?

<!-- gh-comment-id:1149030407 --> @tomasz-c commented on GitHub (Jun 7, 2022): @rusty-snake But I understand that if I have home mounted from a separate partition it doesn't matter? I can also view the contents of /etc and this should not work?
gitea-mirror commented 2026-05-05 09:34:06 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 7, 2022):

But I understand that if I have home mounted from a separate partition it doesn't matter?

I don't understand what you mean.

I can also view the contents of /etc and this should not work?

Where is /etc restricted (via whitelisting) in kodi.profile? answer: nowhere

<!-- gh-comment-id:1149033612 --> @rusty-snake commented on GitHub (Jun 7, 2022): > But I understand that if I have home mounted from a separate partition it doesn't matter? I don't understand what you mean. > I can also view the contents of /etc and this should not work? Where is `/etc` restricted (via whitelisting) in kodi.profile? <sub>answer: nowhere</sub>
gitea-mirror commented 2026-05-05 09:34:07 -06:00
Author
Owner
Copy link

@tomasz-c commented on GitHub (Jun 7, 2022):

I don't understand what you mean.

Mounting /dev/sdXY to /home
I don't know how disable-mnt works, but from what I found it should only block access to /mnt

Where is /etc restricted (via whitelisting) in kodi.profile? answer: nowhere

This is a bit unintuitive to me, as I always thought whitelists were for unlocking :)

I don't know firejail profile configuration well, I reported this bug because this behavior in my opinion is dangerous: allowing kodi to access everything as well as delete files. Because of the support for plugins that don't necessarily pass any security audits and can even be potentially malicious (I know of one such case).
I know that in the past firejail with the default kodi profile didn't allow this, so if it does now I consider it a bug, but if this behavior is expected then somehow I will understand it and close the bug :)

<!-- gh-comment-id:1149047912 --> @tomasz-c commented on GitHub (Jun 7, 2022): > I don't understand what you mean. Mounting /dev/sdXY to /home I don't know how `disable-mnt` works, but from what I found it should only block access to /mnt > Where is `/etc` restricted (via whitelisting) in kodi.profile? answer: nowhere This is a bit unintuitive to me, as I always thought whitelists were for unlocking :) I don't know firejail profile configuration well, I reported this bug because this behavior in my opinion is dangerous: allowing kodi to access everything as well as delete files. Because of the support for plugins that don't necessarily pass any security audits and can even be potentially malicious (I know of one such case). I know that in the past firejail with the default kodi profile didn't allow this, so if it does now I consider it a bug, but if this behavior is expected then somehow I will understand it and close the bug :)
gitea-mirror commented 2026-05-05 09:34:07 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 7, 2022):

I don't know how disable-mnt works, but from what I found it should only block access to /mnt

Yes, disable-mnt is about /mnt (and /media, /run/media, /run/mnt).

<!-- gh-comment-id:1149069573 --> @rusty-snake commented on GitHub (Jun 7, 2022): > I don't know how disable-mnt works, but from what I found it should only block access to /mnt Yes, `disable-mnt` is about /mnt (and /media, /run/media, /run/mnt).
gitea-mirror commented 2026-05-05 09:34:07 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 7, 2022):

This is a bit unintuitive to me, as I always thought whitelists were for unlocking :)

blacklist/whitelist (or denylist/blocklist/allowlist) describe the concept:

  • blacklist: Everything that has not explicitly forbidden is allowed.
  • whitelist: Everything that has not explicitly allowed is forbidden.
<!-- gh-comment-id:1149070722 --> @rusty-snake commented on GitHub (Jun 7, 2022): > This is a bit unintuitive to me, as I always thought whitelists were for unlocking :) blacklist/whitelist (or denylist/blocklist/allowlist) describe the concept: - blacklist: Everything that has not explicitly forbidden is allowed. - whitelist: Everything that has not explicitly allowed is forbidden.
gitea-mirror commented 2026-05-05 09:34:08 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 7, 2022):

I don't know firejail profile configuration well, I reported this bug because this behavior in my opinion is dangerous: allowing kodi to access everything as well as delete files. Because of the support for plugins that don't necessarily pass any security audits and can even be potentially malicious (I know of one such case).

You're right that the kodi.profile is rather weak and we could/should harden it (for the reason you said and the general idea). However to much hardening will break plugins and custom locations for media files so people will come here and say that kodi.profile is to strict and breaks kodi. That's the general problem with distributed sandbox configurations, find the compromise between security (strict as possible) and usability (weak as necessary). I'm not sure if kodi.profile should be whitelisting by default but we should at least add a comment ("Add the following lines to your kodi.local for whitelisting").

I know that in the past firejail with the default kodi profile didn't allow this

I do not see any such commits. Maybe you did this in your kodi.local?

<!-- gh-comment-id:1149077657 --> @rusty-snake commented on GitHub (Jun 7, 2022): > I don't know firejail profile configuration well, I reported this bug because this behavior in my opinion is dangerous: allowing kodi to access everything as well as delete files. Because of the support for plugins that don't necessarily pass any security audits and can even be potentially malicious (I know of one such case). You're right that the kodi.profile is rather weak and we could/should harden it (for the reason you said and the general idea). However to much hardening will break plugins and custom locations for media files so people will come here and say that kodi.profile is to strict and breaks kodi. That's the general problem with distributed sandbox configurations, find the compromise between security (strict as possible) and usability (weak as necessary). I'm not sure if kodi.profile should be whitelisting by default but we should at least add a comment ("Add the following lines to your kodi.local for whitelisting"). > I know that in the past firejail with the default kodi profile didn't allow this I do not see any such commits. Maybe you did this in your kodi.local?
gitea-mirror commented 2026-05-05 09:34:08 -06:00
Author
Owner
Copy link

@tomasz-c commented on GitHub (Jun 11, 2022):

You're right that the kodi.profile is rather weak and we could/should harden it (for the reason you said and the general idea). However to much hardening will break plugins and custom locations for media files so people will come here and say that kodi.profile is to strict and breaks kodi. That's the general problem with distributed sandbox configurations, find the compromise between security (strict as possible) and usability (weak as necessary). I'm not sure if kodi.profile should be whitelisting by default but we should at least add a comment ("Add the following lines to your kodi.local for whitelisting").

Hardening, even too much I think is a better solution than giving the appearance of protection. I would be more worried about the reactions of people who have had their data deleted :) I was convinced that the Kodi profile protects me as before and only by accident I noticed that it allows ... much.

I do not see any such commits. Maybe you did this in your kodi.local?

Unfortunately I don't have any individual configuration, but wouldn't it be possible to restore the behavior that used to be? That kodi had access only to default media directories?

If I may ask, can you suggest what in the kodi profile causes that:

noblacklist ${HOME}/.kodi
noblacklist ${MUSIC}
noblacklist ${PICTURES}
noblacklist ${VIDEOS}

it doesn't restrict access only to those directories?

<!-- gh-comment-id:1152981420 --> @tomasz-c commented on GitHub (Jun 11, 2022): > You're right that the kodi.profile is rather weak and we could/should harden it (for the reason you said and the general idea). However to much hardening will break plugins and custom locations for media files so people will come here and say that kodi.profile is to strict and breaks kodi. That's the general problem with distributed sandbox configurations, find the compromise between security (strict as possible) and usability (weak as necessary). I'm not sure if kodi.profile should be whitelisting by default but we should at least add a comment ("Add the following lines to your kodi.local for whitelisting"). Hardening, even too much I think is a better solution than giving the appearance of protection. I would be more worried about the reactions of people who have had their data deleted :) I was convinced that the Kodi profile protects me as before and only by accident I noticed that it allows ... much. > I do not see any such commits. Maybe you did this in your kodi.local? Unfortunately I don't have any individual configuration, but wouldn't it be possible to restore the behavior that used to be? That kodi had access only to default media directories? If I may ask, can you suggest what in the kodi profile causes that: ``` noblacklist ${HOME}/.kodi noblacklist ${MUSIC} noblacklist ${PICTURES} noblacklist ${VIDEOS} ``` it doesn't restrict access only to those directories?
gitea-mirror commented 2026-05-05 09:34:09 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 11, 2022):

Talking about access to files in $HOME, you need this:

mkdir ${HOME}/.kodi
whitelist ${HOME}/.kodi
whitelist ${MUSIC}
whitelist ${PICTURES}
whitelist ${VIDEOS}
include whitelist-common.inc

But there's much more space for improvements in kodi.profile

<!-- gh-comment-id:1152982130 --> @rusty-snake commented on GitHub (Jun 11, 2022): Talking about access to files in $HOME, you need this: ``` mkdir ${HOME}/.kodi whitelist ${HOME}/.kodi whitelist ${MUSIC} whitelist ${PICTURES} whitelist ${VIDEOS} include whitelist-common.inc ``` But there's much more space for improvements in kodi.profile
gitea-mirror commented 2026-05-05 09:34:09 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Jun 14, 2022):

@tomasz-c commented on Jun 11:

You're right that the kodi.profile is rather weak and we could/should
harden it (for the reason you said and the general idea). However to much
hardening will break plugins and custom locations for media files so people
will come here and say that kodi.profile is to strict and breaks kodi.
That's the general problem with distributed sandbox configurations, find
the compromise between security (strict as possible) and usability (weak as
necessary). I'm not sure if kodi.profile should be whitelisting by default
but we should at least add a comment ("Add the following lines to your
kodi.local for whitelisting").

Hardening, even too much I think is a better solution than giving the
appearance of protection. I would be more worried about the reactions of
people who have had their data deleted :) I was convinced that the Kodi
profile protects me as before and only by accident I noticed that it allows
... much.

Related: #4760.

<!-- gh-comment-id:1154748745 --> @kmk3 commented on GitHub (Jun 14, 2022): @tomasz-c commented [on Jun 11](https://github.com/netblue30/firejail/issues/5179#issuecomment-1152981420): > > You're right that the kodi.profile is rather weak and we could/should > > harden it (for the reason you said and the general idea). However to much > > hardening will break plugins and custom locations for media files so people > > will come here and say that kodi.profile is to strict and breaks kodi. > > That's the general problem with distributed sandbox configurations, find > > the compromise between security (strict as possible) and usability (weak as > > necessary). I'm not sure if kodi.profile should be whitelisting by default > > but we should at least add a comment ("Add the following lines to your > > kodi.local for whitelisting"). > > Hardening, even too much I think is a better solution than giving the > appearance of protection. I would be more worried about the reactions of > people who have had their data deleted :) I was convinced that the Kodi > profile protects me as before and only by accident I noticed that it allows > ... much. Related: #4760.
gitea-mirror commented 2026-05-05 09:34:10 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Aug 24, 2024):

The reported issue seems to be that kodi can access paths in the user home
other than its own paths and ~/Music, ~/Picures and ~/Videos.

In which case it seems to be intentional in order to avoid being too
restrictive and potentially breaking plugins and different user setups.

So closing as wontfix.

If this is not accurate, feel free to comment.

If you have a specific bug or improvement, feel free to open a new issue.

<!-- gh-comment-id:2308280962 --> @kmk3 commented on GitHub (Aug 24, 2024): The reported issue seems to be that kodi can access paths in the user home other than its own paths and ~/Music, ~/Picures and ~/Videos. In which case it seems to be intentional in order to avoid being too restrictive and potentially breaking plugins and different user setups. So closing as wontfix. If this is not accurate, feel free to comment. If you have a specific bug or improvement, feel free to open a new issue.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2904
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?