github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #5598] Profile with join-or-start option does not work with "--profile=" #3039

New issue

Open

opened 2026-05-05 09:41:06 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 09:41:06 -06:00

Owner

Originally created by @ferreum on GitHub (Jan 17, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5598

Description

When specifying a profile with --profile= option that contains join-or-start, firejail fails to join an existing sandbox and prints an error.
Starting the sandbox works. Only joining seems to be affected.

Steps to Reproduce

Assume a minimal profile joinme.profile for testing, that only contains a join-or-start option:

> cat joinme.profile
join-or-start joinme

In one terminal, run firejail with that profile:

> firejail --profile=joinme.profile sh
Reading profile joinme.profile
Parent pid 6936, child pid 6938
Child process initialized in 6.45 ms
sh-5.1$

While the first sandbox is running, run the same command in a separate terminal:

> firejail --profile=joinme.profile sh
Reading profile joinme.profile
Switching to pid 6938, the first child process inside the sandbox
Changing root to /proc/6938/root
Error: --shell=none configured, but no program specified

Expected behavior

firejail joins the existing sandbox.

Actual behavior

firejail prints "Error: --shell=none configured, but no program specified" and exits.

Behavior without a profile

Joining without profile works:

> firejail --noprofile --join=joinme sh
Switching to pid 6938, the first child process inside the sandbox
Changing root to /proc/6938/root
Child process initialized in 2.47 ms
sh-5.1$ exit
> firejail --noprofile --join-or-start=joinme sh
Switching to pid 6938, the first child process inside the sandbox
Changing root to /proc/6938/root
Child process initialized in 3.27 ms
sh-5.1$

Additional context

Seems to be argument parsing related. Specifying --debug changes the error message (last line):

> firejail --debug --profile=joinme.profile sh
Reading profile joinme.profile
Switching to pid 6938, the first child process inside the sandbox
Changing root to /proc/6938/root
Set caps filter 1ffffffffff
Drop privileges: pid 4, uid 1000, gid 1000, force_nogroups 0
Error: invalid option --profile=joinme.profile after --join

That message makes no sense as there's no --join before --profile.

Environment

Linux distribution and version: Arch Linux
arch firejail pkg version 0.9.72-1

firejail version 0.9.72

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

See "Steps to Reproduce" and "Additional context" above.

Originally created by @ferreum on GitHub (Jan 17, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/5598  ### Description When specifying a profile with `--profile=` option that contains `join-or-start`, firejail fails to join an existing sandbox and prints an error. Starting the sandbox works. Only joining seems to be affected. ### Steps to Reproduce 1. Assume a minimal profile `joinme.profile` for testing, that only contains a `join-or-start` option: ``` > cat joinme.profile join-or-start joinme ``` 2. In one terminal, run firejail with that profile: ``` > firejail --profile=joinme.profile sh Reading profile joinme.profile Parent pid 6936, child pid 6938 Child process initialized in 6.45 ms sh-5.1$ ``` 3. While the first sandbox is running, run the same command in a separate terminal: ``` > firejail --profile=joinme.profile sh Reading profile joinme.profile Switching to pid 6938, the first child process inside the sandbox Changing root to /proc/6938/root Error: --shell=none configured, but no program specified ``` ### Expected behavior firejail joins the existing sandbox. ### Actual behavior firejail prints "Error: --shell=none configured, but no program specified" and exits. ### Behavior without a profile Joining without profile works: ``` > firejail --noprofile --join=joinme sh Switching to pid 6938, the first child process inside the sandbox Changing root to /proc/6938/root Child process initialized in 2.47 ms sh-5.1$ exit > firejail --noprofile --join-or-start=joinme sh Switching to pid 6938, the first child process inside the sandbox Changing root to /proc/6938/root Child process initialized in 3.27 ms sh-5.1$ ``` ### Additional context Seems to be argument parsing related. Specifying `--debug` changes the error message (last line): ``` > firejail --debug --profile=joinme.profile sh Reading profile joinme.profile Switching to pid 6938, the first child process inside the sandbox Changing root to /proc/6938/root Set caps filter 1ffffffffff Drop privileges: pid 4, uid 1000, gid 1000, force_nogroups 0 Error: invalid option --profile=joinme.profile after --join ``` That message makes no sense as there's no `--join` before `--profile`. ### Environment - Linux distribution and version: Arch Linux - arch firejail pkg version `0.9.72-1` ``` firejail version 0.9.72 Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file transfer support is enabled - firetunnel support is disabled - IDS support is disabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` ### Checklist  - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [x] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log See "Steps to Reproduce" and "Additional context" above.

gitea-mirror added the

security

label 2026-05-05 09:41:06 -06:00

gitea-mirror commented

2026-05-05 09:41:07 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jan 17, 2023):

Likely a regression from 4d79566ae3 and following.

@rusty-snake commented on GitHub (Jan 17, 2023): Likely a regression from 4d79566ae3cef90700264f962837887a2d26fcf2 and following.

gitea-mirror commented

2026-05-05 09:41:10 -06:00

Author

Owner

@ferreum commented on GitHub (Jan 18, 2023):

I found a way to trigger this without --profile= as well. Since this looks like a problem with argument parsing to me, I think it's the same issue.

The conditions are similar to above, but you need a profile containing join-or-start in the firejail profiles directory.

The invocation to join works in some cases, but if the program gets arguments starting with -- firejail gets confused:

Assume a test profile echo.profile in the user's firejail path:

> cat ~/.config/firejail/echo.profile
join-or-start joinme

Run the sandbox:

firejail --profile=:echo sh
Reading profile /home/me/.config/firejail/echo.profile
Parent pid 3361, child pid 3363
Child process initialized in 9.04 ms
sh-5.1$

Try to join with echo:

firejail echo --a --b
Reading profile /home/me/.config/firejail/echo.profile
Switching to pid 3363, the first child process inside the sandbox
Changing root to /proc/3363/root
Error: invalid option --b after --join

firejail seems to get confused about which arguments belong to the sandboxed program. It reports --b as a problematic option, but that option is for echo, not for firejail.

The criteria to trigger this are strange:

it reports the second option, if two consecutive arguments starting with -- are encountered
leading arguments without -- are ignored (firejail echo a b c --a --b --c) reports --b
an argument starting with -- followed by one without works correctly (firejail echo --a x --b --c works)

This confusion about arguments seems similar to --debug changing the error message in the first report. In both cases the invocation works if the sandbox isn't already running.

@ferreum commented on GitHub (Jan 18, 2023): I found a way to trigger this without `--profile=` as well. Since this looks like a problem with argument parsing to me, I think it's the same issue. The conditions are similar to above, but you need a profile containing `join-or-start` in the firejail profiles directory. The invocation to join works in some cases, but if the program gets arguments starting with `--` firejail gets confused: 1. Assume a test profile `echo.profile` in the user's firejail path: ``` > cat ~/.config/firejail/echo.profile join-or-start joinme ``` 2. Run the sandbox: ``` firejail --profile=:echo sh Reading profile /home/me/.config/firejail/echo.profile Parent pid 3361, child pid 3363 Child process initialized in 9.04 ms sh-5.1$ ``` 3. Try to join with echo: ``` firejail echo --a --b Reading profile /home/me/.config/firejail/echo.profile Switching to pid 3363, the first child process inside the sandbox Changing root to /proc/3363/root Error: invalid option --b after --join ``` firejail seems to get confused about which arguments belong to the sandboxed program. It reports `--b` as a problematic option, but that option is for echo, not for firejail. The criteria to trigger this are strange: - it reports the second option, if two consecutive arguments starting with `--` are encountered - leading arguments without `--` are ignored (`firejail echo a b c --a --b --c`) reports `--b` - an argument starting with `--` followed by one without works correctly (`firejail echo --a x --b --c` works) This confusion about arguments seems similar to `--debug` changing the error message in the first report. In both cases the invocation works if the sandbox isn't already running.

gitea-mirror commented

2026-05-05 09:41:11 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jan 18, 2023):

If firejail consfuses child arguments with its own arguments this sound like it could be a security vulnerability. Labeling as security for now.

Ping @netblue30 @smitsohu @topimiettinen @reinerh

@rusty-snake commented on GitHub (Jan 18, 2023): If firejail consfuses child arguments with its own arguments this sound like it could be a security vulnerability. Labeling as security for now. Ping @netblue30 @smitsohu @topimiettinen @reinerh

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3039

No description provided.

Rows
Columns