github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #7046] Hide/Mask firejail process (pid 1) inside sandbox #3464

New issue

Closed

opened 2026-05-05 10:00:50 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 10:00:50 -06:00

Owner

Originally created by @liloman on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7046

Inside the sandbox you leak your sandbox technique and even configuration used

Describe the solution you'd like

bwrap \
  --ro-bind /etc/resolv.conf /etc/resolv.conf \
  --ro-bind /usr /usr \
  --ro-bind /bin /bin \
  --ro-bind /lib /lib \
  --ro-bind /lib64 /lib64 \
  --proc /proc \
  --dev /dev \
  --tmpfs /tmp \
  --unshare-all \
  --as-pid-1 \
  --die-with-parent \
  /bin/bash

bash-5.3$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1000           1  0.0  0.0 232692  4336 ?        S    19:26   0:00 /bin/bash
1000           2  0.0  0.0 234820  4308 ?        R+   19:26   0:00 ps aux

Or mask the process name:

bash$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
user         1  1.6  0.0   5192  2160 pts/3    S    20:32   0:00  FIREJAIL-NAME-MASKED-WITHOUT-ARGS
user         7  0.5  0.0 234184  5824 pts/3    S    20:32   0:00 bash
user        74  0.0  0.0 234824  4316 pts/3    R+   20:32   0:00 ps -ww aux

Describe alternatives you've considered

Proc hidepid doesnt compete here and breaks firemon. Bublewrap works nice using --as-pid-1

Additional context

Environment

Version of Firejail (firejail --version):

$ firejail --version
firejail version 0.9.78

Originally created by @liloman on GitHub (Jan 28, 2026). Original GitHub issue: https://github.com/netblue30/firejail/issues/7046 ### Is your feature request related to a problem? Please describe. Inside the sandbox you leak your sandbox technique and even configuration used ### Describe the solution you'd like ```sh bwrap \ --ro-bind /etc/resolv.conf /etc/resolv.conf \ --ro-bind /usr /usr \ --ro-bind /bin /bin \ --ro-bind /lib /lib \ --ro-bind /lib64 /lib64 \ --proc /proc \ --dev /dev \ --tmpfs /tmp \ --unshare-all \ --as-pid-1 \ --die-with-parent \ /bin/bash ``` ```console bash-5.3$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 1000 1 0.0 0.0 232692 4336 ? S 19:26 0:00 /bin/bash 1000 2 0.0 0.0 234820 4308 ? R+ 19:26 0:00 ps aux ``` Or mask the process name: ```console bash$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND user 1 1.6 0.0 5192 2160 pts/3 S 20:32 0:00 FIREJAIL-NAME-MASKED-WITHOUT-ARGS user 7 0.5 0.0 234184 5824 pts/3 S 20:32 0:00 bash user 74 0.0 0.0 234824 4316 pts/3 R+ 20:32 0:00 ps -ww aux ``` ### Describe alternatives you've considered Proc hidepid doesnt compete here and breaks firemon. Bublewrap works nice using --as-pid-1 ### Additional context ### Environment - Version of Firejail (`firejail --version`): ```console $ firejail --version firejail version 0.9.78 ```

gitea-mirror

2026-05-05 10:00:50 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 10:00:52 -06:00

Author

Owner

@netblue30 commented on GitHub (Jan 28, 2026):

So basically what you need an equivalent for --as-pid-1 from bwrap:

       --as-pid-1
           Do not create a process with PID=1 in the sandbox to reap child processes.

I'll mark it as an enhancement.

breaks firemon

I don't remember why I was rejecting it with an error:

$ firemon --seccomp
Error: /proc is mounted hidepid, you would need to be root to run this command

It doesn't make sense not to show the information, I'll look into it, thanks!

@netblue30 commented on GitHub (Jan 28, 2026): So basically what you need an equivalent for --as-pid-1 from bwrap: ````` --as-pid-1 Do not create a process with PID=1 in the sandbox to reap child processes. ````` I'll mark it as an enhancement. > breaks firemon I don't remember why I was rejecting it with an error: ````` $ firemon --seccomp Error: /proc is mounted hidepid, you would need to be root to run this command ````` It doesn't make sense not to show the information, I'll look into it, thanks!

gitea-mirror commented

2026-05-05 10:00:53 -06:00

Author

Owner

@liloman commented on GitHub (Jan 28, 2026):

If if it isn't duabled to hide pid 1 It will fine just mask it inside the sandbox with something like --mask-parent=my-super-process.exe

In the AI era everything counts :)

breaks firemon

I don't remember why I was rejecting it with an error:
$ firemon --seccomp
Error: /proc is mounted hidepid, you would need to be root to run this command

I think It was grsecurity related :)

PD: I have two more bwrap related proposals but I need first research them

@liloman commented on GitHub (Jan 28, 2026): If if it isn't duabled to hide pid 1 It will fine just mask it inside the sandbox with something like --mask-parent=my-super-process.exe In the AI era everything counts :) > > > breaks firemon > > I don't remember why I was rejecting it with an error: > > ``` > $ firemon --seccomp > Error: /proc is mounted hidepid, you would need to be root to run this command > ``` I think It was grsecurity related :) PD: I have two more bwrap related proposals but I need first research them

gitea-mirror commented

2026-05-05 10:00:54 -06:00

Author

Owner

@netblue30 commented on GitHub (Feb 2, 2026):

The error in firemon is real!

$ firemon --seccomp
Error: /proc is mounted hidepid, you would need to be root to run this command

It has to do with the way they treat SUID processes in hidepid=2. You will have to run it using sudo.

The fix is in: hide pid 1 by default, although the process is still in the sandbox. I basically blacklist files in /proc directory. And I have a new command option --unhide-pid1 to make it visible.

              $ firejail --name=test    ### by default pid 1 is not visible
              [...]
              Child process initialized in 59.41 ms
              $  ps a
                  PID TTY      STAT   TIME COMMAND
                    4 ?        S      0:00 /bin/bash
                    5 ?        R+     0:00 ps a
              $ exit
              Parent is shutting down, bye…

              $ firejail --name=test --unhide-pid1  ### pid 1 is visible
              [...]
              Child process initialized in 58.29 ms
              $ ps a
                 PID TTY      STAT   TIME COMMAND
                    1 ?        S      0:00 firejail --name=test --unhide-pid1
                    4 ?        S      0:00 /bin/bash
                    6 ?        R+     0:00 ps a
              $ exit
              Parent is shutting down, bye…

commit: d3f182543d

@netblue30 commented on GitHub (Feb 2, 2026): The error in firemon is real! ````` $ firemon --seccomp Error: /proc is mounted hidepid, you would need to be root to run this command ````` It has to do with the way they treat SUID processes in hidepid=2. You will have to run it using sudo. The fix is in: hide pid 1 by default, although the process is still in the sandbox. I basically blacklist files in /proc directory. And I have a new command option --unhide-pid1 to make it visible. ````` $ firejail --name=test ### by default pid 1 is not visible [...] Child process initialized in 59.41 ms $ ps a PID TTY STAT TIME COMMAND 4 ? S 0:00 /bin/bash 5 ? R+ 0:00 ps a $ exit Parent is shutting down, bye… $ firejail --name=test --unhide-pid1 ### pid 1 is visible [...] Child process initialized in 58.29 ms $ ps a PID TTY STAT TIME COMMAND 1 ? S 0:00 firejail --name=test --unhide-pid1 4 ? S 0:00 /bin/bash 6 ? R+ 0:00 ps a $ exit Parent is shutting down, bye… ````` commit: https://github.com/netblue30/firejail/commit/d3f182543dfb43fd8612474c2d8fe53ee65f7ebc

gitea-mirror commented

2026-05-05 10:00:55 -06:00

Author

Owner

@liloman commented on GitHub (Feb 2, 2026):

Niiice 👍

Thanks.

Closing issue so. :)

@liloman commented on GitHub (Feb 2, 2026): Niiice 👍 Thanks. Closing issue so. :)

gitea-mirror referenced this issue

2026-05-05 10:55:05 -06:00

[PR #7148] build: remove etc-fixes directory #6340

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3464

No description provided.

Rows
Columns