[GH-ISSUE #5727] build: --enable-private-lib is broken #3076

Closed
opened 2026-05-05 09:43:09 -06:00 by gitea-mirror · 7 comments

Originally created by @ghost on GitHub (Mar 10, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5727

After the recent changes introduced by b689b69f6c I can't enable private-lib support (without a dirty hack as shown below).

OS: Arch Linux (fully updated)
firejail built from git (kept on par with master)

For quite a while I configure/build with AppArmor and GCC analyzer support:

```
./configure --prefix=/usr --enable-analyzer --enable-apparmor
make
```

Now that private-lib support is disabled by default I added the needed flag to enable support for it:

```
./configure --prefix=/usr --enable-analyzer --enable-apparmor --enable-private-lib
make
```

Configure output confirms enabling private-lib support:

```
Compile options:
   CC: gcc
   CFLAGS: -march=native -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection
   LDFLAGS: -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now
   EXTRA_CFLAGS:  -fstack-clash-protection -fstack-protector-strong -fanalyzer -Wno-analyzer-malloc-leak 
   EXTRA_LDFLAGS: 
   LIBS:  -lapparmor 
   fatal warnings: 
   gcov instrumentation: 
   install as a SUID executable: -DHAVE_SUID
   install contrib scripts: yes
   prefix: /usr
   sysconfdir: /etc
   Spectre compiler patch: yes

Features:
   allow tmpfs as regular user: -DHAVE_USERTMPFS
   always enforce filters: 
   apparmor: -DHAVE_APPARMOR
   busybox workaround: no
   chroot: -DHAVE_CHROOT
   DBUS proxy support: -DHAVE_DBUSPROXY
   disable user profiles: 
   enable --output logging: -DHAVE_OUTPUT
   file transfer support: -DHAVE_FILE_TRANSFER
   firetunnel support: 
   global config: -DHAVE_GLOBALCFG
   IDS support: 
   LTS: 
   manpage support: -DHAVE_MAN
   network: -DHAVE_NETWORK
   overlayfs support: 
   private home support: -DHAVE_PRIVATE_HOME
   private lib support: -DHAVE_PRIVATE_LIB
   SELinux labeling support: 
   user namespace: -DHAVE_USERNS
   X11 sandboxing support: -DHAVE_X11
```

BUT, after building & installing I can't use private-lib and firejail reports support for it is disabled:

```console
$ firejail --version
firejail version 0.9.73

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-lib support is disabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

Not sure what's happening with b689b69f6c (yet) but I wonder if someone can reproduce.

FWIW, adding `-DHAVE_PRIVATE_LIB` explicitly to CFLAGS *does* fix enabling private-lib support. But that shouldn't be necessary if I understand things correctly...

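The mismatch reported above (configure prints `-DHAVE_PRIVATE_LIB`, the installed binary prints `private-lib support is disabled`) is the kind of thing worth checking before a freshly built sandbox binary is installed. As an added example, not code from the issue or from the firejail project, here is a POSIX sh check that parses the `Compile time support` section of `firejail --version` output and flags every feature that was requested at configure time but compiled out. The sample output is constructed after the one quoted above, and the function names `feature_state` and `expect_features` are chosen here.

```shell
#!/bin/sh
# Added example (not from the issue or from firejail): compare the feature
# lines printed by `firejail --version` with the features that were requested.

# Constructed sample, modelled on the --version output quoted in the issue.
# Real output indents the feature lines with a tab; the parser does not care.
SAMPLE_VERSION_OUTPUT='firejail version 0.9.73

Compile time support:
  - AppArmor support is enabled
  - private-home support is enabled
  - private-lib support is disabled
  - private-cache and tmpfs as user enabled'

# feature_state OUTPUT NAME
# Prints "enabled", "disabled", or "unknown" (no matching feature line).
feature_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $0 ~ "- " name " support is " { print $NF; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# expect_features OUTPUT NAME...
# Returns 0 when every NAME is reported as enabled; otherwise prints each
# mismatch to stderr and returns 1, so it can gate an install step.
expect_features() {
    out=$1
    shift
    rc=0
    for feature in "$@"; do
        state=$(feature_state "$out" "$feature")
        if [ "$state" != "enabled" ]; then
            echo "feature '$feature' was requested but the binary reports: $state" >&2
            rc=1
        fi
    done
    return $rc
}

# Against a real build (not run here):
#   expect_features "$(./src/firejail/firejail --version)" AppArmor private-lib || exit 1
```

Run with the binary from the build tree rather than the installed one, so a stale `/usr/bin/firejail` cannot mask the result; with the sample above, `expect_features ... private-lib` fails exactly as the issue describes.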

@rusty-snake commented on GitHub (Mar 10, 2023):

The flag is named `--disable-private-lib`, isn't it?


@ghost commented on GitHub (Mar 10, 2023):

> The flag is named `--disable-private-lib`, isn't it?

Well, I'm confused somewhat by the commit. There's indeed a reference to `disable-private-lib`:

https://github.com/netblue30/firejail/blob/ddb685c1ec66f9164e0721b0d8bb5ccb1a75e22d/configure#L1385

Also to `enable-private-lib`:

https://github.com/netblue30/firejail/blob/ddb685c1ec66f9164e0721b0d8bb5ccb1a75e22d/configure#L3492-L3503

I've tried several variations but will do so again. Using `disable-private-lib` would be a rather odd flag to do the opposite, no?


@ghost commented on GitHub (Mar 10, 2023):

Oh, one more detail. I always build with makechrootpkg or the like on Arch Linux. That should avoid any interference from existing firejailed commands (like makepkg for example). My script hasn't changed for as long as private-lib was supported by default. So when I noticed the commit that turned this around I made an edit to it. And things started to break... Anyway, thanks for your input!


@ghost commented on GitHub (Mar 13, 2023):

UPDATE

(1) Opened #5732 to fix generating private-lib entries in our man pages. AFAICT only `man firejail` and `man firejail-profiles` are affected.

(2) Did some more digging and it looks like https://github.com/netblue30/firejail/commit/87948b3ffe9e8e704c55509cd6c747547b3c7072 from #5504 is involved. When reverting this commit in my PKGBUILD the `enable-private-lib` flag works as expected without needing to explicitly add `-DHAVE_PRIVATE_LIB` to CFLAGS.

@kmk3 Any thoughts on these latest observations?


@netblue30 commented on GitHub (Mar 13, 2023):

~~I got it here. I'll bring in a fix today.~~

Later: Sorry for the previous message, I think it is working fine on Debian stable:

```console
$ firejail --private-bin=bash,ls,cd,pwd,cat --private-lib
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 39362, child pid 39363
4 programs installed in 12.27 ms
Standard C library installed in 3.16 ms
Firejail libraries installed in 2.30 ms
Program libraries installed in 10.62 ms
Installed 32 libraries and 2 directories
Child process initialized in 145.48 ms
netblue@debian:~/github/firejail$ ls /bin
bash  cat  ls  pwd
netblue@debian:~/github/firejail$ ls /lib
firejail  ld-linux-x86-64.so.2	locale	x86_64-linux-gnu
netblue@debian:~/github/firejail$ 
```

@ghost commented on GitHub (Mar 13, 2023):

> Later: Sorry for the previous message, I think it is working fine on Debian stable

That's good to know, thanks.

Just to be clear, the only problem is with *enabling* private-lib. Once that is achieved (for me on Arch Linux via either adding to CFLAGS _or_ via reverting https://github.com/netblue30/firejail/commit/87948b3ffe9e8e704c55509cd6c747547b3c7072) it does work fine, just like it did before https://github.com/netblue30/firejail/commit/b689b69f6c3b8a8ba633d6300cef6a19972d53dc. Thanks for looking at it once more.


@ghost commented on GitHub (Mar 15, 2023):

UPDATE:

Looks like #5732 fixed this! Apologies for the noise, this is not a bug after all.

Reference: github-starred/firejail#3076