[GH-ISSUE #6646] firecfg: program symlinks are removed when not in firecfg.config #3323

Closed
opened 2026-05-05 09:54:37 -06:00 by gitea-mirror · 5 comments
Owner

Originally created by @Dieterbe on GitHub (Feb 11, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6646

Hello,

I noticed i used to have symlinks, that recently (after summer 2024) have started disappearing:

```
RemoveFile /usr/local/bin/zlib-flate
RemoveFile /usr/local/bin/ytmdesktop
RemoveFile /usr/local/bin/sum
RemoveFile /usr/local/bin/sha512sum
RemoveFile /usr/local/bin/sha256sum
RemoveFile /usr/local/bin/sha224sum
RemoveFile /usr/local/bin/sha1sum
RemoveFile /usr/local/bin/qpdf
RemoveFile /usr/local/bin/pwvucontrol
RemoveFile /usr/local/bin/md5sum
RemoveFile /usr/local/bin/gh
RemoveFile /usr/local/bin/fix-qdf
```

(output comes from the https://github.com/CyberShadow/aconfmgr tool).
indeed...

```
[root@xps17 ~]# which pwvucontrol
/usr/bin/pwvucontrol
[root@xps17 ~]# which sha256sum
/usr/bin/sha256sum
```

I've had this pacman hook on arch linux for about as long as i've used firejail:

```
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/local/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```

i've modified the hook to just run `/usr/bin/firecfg` to make sure there were no errors (there weren't), although there was a warning:

```
:: Running post-transaction hooks...
(1/3) Arming ConditionNeedsUpdate...
(2/3) Configure symlinks in /usr/local/bin based on firecfg.config...
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
Removing all firejail symlinks:
(...)
[2025-02-11T12:55:38+0100] [ALPM-SCRIPTLET] Configuring symlinks in /usr/local/bin based on firecfg.config
(...)
[2025-02-11T12:55:38+0100] [ALPM-SCRIPTLET] Adding user root to Firejail access database in /etc/firejail/firejail.users
[2025-02-11T12:55:38+0100] [ALPM-SCRIPTLET] User root already in the database
[2025-02-11T12:55:38+0100] [ALPM-SCRIPTLET] 
[2025-02-11T12:55:38+0100] [ALPM-SCRIPTLET] Loading AppArmor profile
[2025-02-11T12:55:38+0100] [ALPM] running 'update-desktop-database.hook'...
```

this reveals (to me) it uses the firecfg.config to control which hooks are managed, so ...

```
[root@xps17 ~]# grep sha256sum /etc/firejail/firecfg.config
[root@xps17 ~]# 
[root@xps17 ~]# grep pwvucontrol /etc/firejail/firecfg.config
[root@xps17 ~]# 
```

i've pulled the current codebase to see why these programs are no longer included. unfortunately, nothing is revealed:

```
~/c/firejail ❯❯❯ tig -G pwvucontrol ./src/firecfg/firecfg.config
tig: No revisions match the given arguments.
~/c/firejail ❯❯❯ tig -G sha256sum ./src/firecfg/firecfg.config    ✘ 1
tig: No revisions match the given arguments.
~/c/firejail ❯❯❯
```

any idea what's going on? thanks


@rusty-snake commented on GitHub (Feb 11, 2025):

  1. Which version of firejail are you using?
  2. Does Arch or whatever override changes to `/etc/firejail/firecfg.config`? It should not modify this file if it was modified by an admin IMHO.

@Dieterbe commented on GitHub (Feb 11, 2025):

i was using the wrong `tig -G` syntax. should be `-G<term>` without the space.
but this shows only sha256sum being *added* to the file, and no hits for pwvucontrol in git.

i have the latest version (0.9.72) installed, but seems this release dates from jan 2023. the sha256sum being added to the file in git was in feb 2023. there are 0 hits for pwvucontrol across all files across the entire history within the git repo. perhaps this one (and maybe others) were added manually. though i've been using the hook for a long time, but i'm not quite sure.

i have verified that my /etc/firejail/firecfg.config is identical to src/firecfg/firecfg.config in git at the 0.9.72 tag.


@kmk3 commented on GitHub (Feb 12, 2025):

> I noticed i used to have symlinks, that recently (after summer 2024) have
> started disappearing:
>
> ```
> [...]
> RemoveFile /usr/local/bin/pwvucontrol
> ```
>
> ```
> ~/c/firejail ❯❯❯ tig -G pwvucontrol ./src/firecfg/firecfg.config
> tig: No revisions match the given arguments.
> ```
>
> i was using the wrong `tig -G` syntax. should be `-G<term>` without the
> space. but this shows only sha256sum being _added_ to the file, and no hits
> for pwvucontrol in git.

Indeed, it seems that pwvucontrol was never in firecfg.config.

So presumably you (or some other program) either added it to firecfg.config or
created the symlink manually.

`sudo firecfg` by default removes all symlinks in /usr/local/bin that point to
firejail (just like with `sudo firecfg --clean`) before creating new symlinks.

> i have verified that my /etc/firejail/firecfg.config is identical to
> src/firecfg/firecfg.config in git at the 0.9.72 tag.

So if pwvucontrol is not in firecfg.config and you (or the hook) execute
`firecfg`, then it should remove any pwvucontrol symlinks.

It seems to be working as intended, so closing.

If you can reproduce firecfg not creating symlinks for programs in
firecfg.config, feel free to comment.


@Dieterbe commented on GitHub (Feb 12, 2025):

thanks @kmk3 , yeah the strange thing is that those symlinks were there to begin with. they must have appeared by running some command, perhaps while setting up firejail there were instructions somewhere that led to them being created. cause i'm pretty sure i didn't do this myself.
the other question is: should these programs not be included in firecfg.config ?


@kmk3 commented on GitHub (Feb 13, 2025):

> the other question is: should these programs not be included in
> firecfg.config ?

Some of them (like pwvucontrol) don't even have a profile, in which case there
is no point.

Overall, programs are added (and removed) on a case by case basis.

As a user, if you want a specific program to have a symlink, make sure that it
is listed in your /etc/firejail/firecfg.config.

Or as of #5876, list all programs that you want symlinked in
/etc/firejail/firecfg.d/.

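The behaviour described in the two comments above (firecfg drops every symlink to firejail that is not backed by an entry in firecfg.config or firecfg.d/) can be audited before running firecfg. The script below is an added example, not code from firejail or from anyone in this thread; it assumes the config format is one program name per line with `#` comments, and the real-system paths in the trailing comment are assumptions as well.

```shell
#!/bin/sh
# Added example, not firejail's own code: report firejail symlinks in a bin
# directory that the next `firecfg` run would drop, because their program is
# listed neither in firecfg.config nor in any firecfg.d/*.conf file.
# Assumed config format: one program name per line, '#' starts a comment.

# configured_programs CFG CFGDIR: print every configured program name, once.
configured_programs() {
    cat "$1" "$2"/*.conf 2>/dev/null | sed 's/#.*//' | awk 'NF { print $1 }' | sort -u
}

# orphan_symlinks BINDIR FIREJAIL CFG CFGDIR: print the names of symlinks in
# BINDIR that point at FIREJAIL but are not configured anywhere.
orphan_symlinks() {
    bindir=$1 firejail=$2 cfg=$3 cfgdir=$4
    listed=$(configured_programs "$cfg" "$cfgdir")
    for f in "$bindir"/*; do
        [ -L "$f" ] || continue                          # regular files: not ours
        [ "$(readlink "$f")" = "$firejail" ] || continue # links elsewhere: not ours
        name=${f##*/}
        # -F fixed string, -x whole line: "gh" must not match "ghc"
        printf '%s\n' "$listed" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# build_fixture DIR: a constructed sample layout (not a real system) that
# mirrors the issue: pwvucontrol is symlinked but appears in no config file.
build_fixture() {
    d=$1
    mkdir -p "$d/bin" "$d/etc/firecfg.d"
    : > "$d/firejail"                      # stand-in for /usr/bin/firejail
    : > "$d/bin/sum"                       # plain binary, must be ignored
    ln -s /bin/true "$d/bin/other-tool"    # symlink to something else, ignored
    for p in sha256sum pwvucontrol gh qpdf; do ln -s "$d/firejail" "$d/bin/$p"; done
    printf '# constructed config\nsha256sum\nqpdf\n' > "$d/etc/firecfg.config"
    printf 'gh\n' > "$d/etc/firecfg.d/local.conf"   # the firecfg.d/ mechanism
}

# Real-system invocation (paths assumed; needs read access only):
#   orphan_symlinks /usr/local/bin /usr/bin/firejail \
#       /etc/firejail/firecfg.config /etc/firejail/firecfg.d
if [ "$#" -eq 4 ]; then
    orphan_symlinks "$@"
fi
```

Anything the script prints is a symlink that a plain `firecfg` run will remove; adding those names to a file under firecfg.d/ (or to firecfg.config) is what keeps them.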