github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #527] Firejail does not work with OrbitalApps portable applications #370

New issue
Closed
opened 2026-05-05 05:42:25 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 05:42:25 -06:00
Owner
Copy link

Originally created by @igor2x on GitHub (May 19, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/527

Hi,
OrbitalApps are designed to work on Ubuntu 16.04 Desktop 64-bit. Other Linux distributions are not tested and may not work.

  1. On Ubuntu 16.04 Desktop 64-bit I installed firejail from official repository.
  2. Display firejail version:
    firejail --version
    Output is: firejail version 0.9.38
  3. From OrbitalApps web page: https://www.orbital-apps.com/ download ISO file. Direct link currently is: https://www.orbital-apps.com/files/orb-launcher/orb-launcher_0.1.047.iso
  4. Save ISO file on your computer.
  5. Right click on ISO file and select Open With | Disk Image Mounter.
  6. Click on Run button and supply root password to mount image.
  7. That's it about installing program. Now download one of the applications from: https://www.orbital-apps.com/blog/2016/portable-apps-for-ubuntu-16-04 I have downloaded VLC Media Player from: https://www.orbital-apps.com/download/portable_apps_linux/vlc/ with direct download link: https://www.orbital-apps.com/download/portable_apps_linux/vlc/1463608756/vlc_2.2.2_portable_64bits.orb
  8. Rigth click on .orb file and select Open With ORB Launcher. VLC Media Player should be started. OK, close it down.
  9. Open Terminal and type in:
    orb vlc_2.2.2_portable_64bits.orb
    And application outputs the following info and applications starts up successfully.
Starting ORB Launcher 0.1.047...
Homepage: www.orbital-apps.com

ORB Launcher: file_path: /home/igor/Downloads/vlc_2.2.2_portable_64bits.orb
ORB Launcher: OK, file exists...
ORB Launcher: OK, file is readable...
ORB Launcher: Architecture set to: x86_64
ORB_SPECIFICATION_VERSION=0.0.2
ORB_TOTAL_SIZE_BYTES=39370752
ORB_CREATION_TIMESTAMP_UNIX=1463608756
ORB_IS_PORTABLE_APP=true
ORB_METADATA_END=
ORB Launcher: ORB_TOTAL_SIZE_BYTES: 39370752
ORB Launcher: ORB_CREATION_TIMESTAMP_UNIX: 1463608756
ORB Launcher: OK, file size is correct
ALWAYS_CHECK_WHITELIST=false
ALWAYS_WARN_ABOUT_UNTRUSTED_FILES=false
ORB Launcher: Skipping the whitelist_check
ORB Launcher: Using the normal home at ( /home/igor )
ORB Launcher: Will not check if file is trusted or not, based on configuration.
ORB Launcher: mount_dir_iso = /tmp/tmp.H7xhvppV3T
ORB Launcher: Trying to mount file with fuseiso...
ORB Launcher: fuseiso pid: 26065
ORB Launcher: mount_dir_squashfs = /tmp/tmp.EDZ5qUTVfG
ORB Launcher: Trying to mount app.squashfs with squashfuse...
ORB Launcher: squashfuse pid: 26073
ORB Launcher: Starting autorun.sh from app.squashfs from vlc_2.2.2_portable_64bits.orb
ORB Portable App Starter: script dir: /tmp/tmp.EDZ5qUTVfG
Running vlc (without arguments) ...
VLC media player 2.2.2 Weatherwax (revision 2.2.2-0-g6259d80)
[00007ff9b7f99088] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
pci id for fd 25: 80ee:beef, driver (null)
libGL error: core dri or dri2 extension not found
libGL error: failed to load driver: vboxvideo

Note: Above are some errors probably because I run it using VirtualBox. But VLC Media Player application starts up and working fine.
9. Close down VLC Media Player.
10. Now start the same program by prefixing firejail:
firejail orb vlc_2.2.2_portable_64bits.orb
Bellow info is outputed but VLC Media Player never starts up.

Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 26409, child pid 26410

Child process initialized
Starting ORB Launcher 0.1.047...
Homepage: www.orbital-apps.com

ORB Launcher: file_path: /home/igor/Downloads/vlc_2.2.2_portable_64bits.orb
ORB Launcher: OK, file exists...
ORB Launcher: OK, file is readable...
ORB Launcher: Architecture set to: x86_64
ORB_SPECIFICATION_VERSION=0.0.2
ORB_TOTAL_SIZE_BYTES=39370752
ORB_CREATION_TIMESTAMP_UNIX=1463608756
ORB_IS_PORTABLE_APP=true
ORB_METADATA_END=
ORB Launcher: ORB_TOTAL_SIZE_BYTES: 39370752
ORB Launcher: ORB_CREATION_TIMESTAMP_UNIX: 1463608756
ORB Launcher: OK, file size is correct
ALWAYS_CHECK_WHITELIST=false
ALWAYS_WARN_ABOUT_UNTRUSTED_FILES=false
ORB Launcher: Skipping the whitelist_check
ORB Launcher: Using the normal home at ( /home/igor )
ORB Launcher: Will not check if file is trusted or not, based on configuration.
ORB Launcher: mount_dir_iso = /tmp/tmp.b8XYWbrq65
ORB Launcher: Trying to mount file with fuseiso...
/usr/bin/orb: line 450:  6777 Bad system call         $fuseiso_binary "$file_path" "$mount_dir_iso" -o allow_root,ro,nosuid
ORB Launcher: There was a problem mounting the file with fuseiso
ORB Launcher: Running vlc_2.2.2_portable_64bits.orb directly...
ORB Launcher: OK, ORB file is marked as executable...
ORB Launcher: ORB file was not recognized neither as a bash nor sh script, it is not possible to run it.
ORB Launcher: Exiting without running the file...
ORB Launcher: Un-mounting mount_dir_iso with fusermount ( /tmp/tmp.b8XYWbrq65 )
ORB Launcher has finished and will now exit.

parent is shutting down, bye...

It looks to me that some special firejail profile should be created for OrbitApps portable.
Regards

Originally created by @igor2x on GitHub (May 19, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/527 Hi, OrbitalApps are designed to work on Ubuntu 16.04 Desktop 64-bit. Other Linux distributions are not tested and may not work. 1. On Ubuntu 16.04 Desktop 64-bit I installed firejail from official repository. 2. Display firejail version: `firejail --version` Output is: firejail version 0.9.38 3. From OrbitalApps web page: https://www.orbital-apps.com/ download ISO file. Direct link currently is: https://www.orbital-apps.com/files/orb-launcher/orb-launcher_0.1.047.iso 4. Save ISO file on your computer. 5. Right click on ISO file and select Open With | Disk Image Mounter. 6. Click on Run button and supply root password to mount image. 7. That's it about installing program. Now download one of the applications from: https://www.orbital-apps.com/blog/2016/portable-apps-for-ubuntu-16-04 I have downloaded VLC Media Player from: https://www.orbital-apps.com/download/portable_apps_linux/vlc/ with direct download link: https://www.orbital-apps.com/download/portable_apps_linux/vlc/1463608756/vlc_2.2.2_portable_64bits.orb 8. Rigth click on .orb file and select Open With ORB Launcher. VLC Media Player should be started. OK, close it down. 9. Open Terminal and type in: `orb vlc_2.2.2_portable_64bits.orb` And application outputs the following info and applications starts up successfully. ``` Starting ORB Launcher 0.1.047... Homepage: www.orbital-apps.com ORB Launcher: file_path: /home/igor/Downloads/vlc_2.2.2_portable_64bits.orb ORB Launcher: OK, file exists... ORB Launcher: OK, file is readable... ORB Launcher: Architecture set to: x86_64 ORB_SPECIFICATION_VERSION=0.0.2 ORB_TOTAL_SIZE_BYTES=39370752 ORB_CREATION_TIMESTAMP_UNIX=1463608756 ORB_IS_PORTABLE_APP=true ORB_METADATA_END= ORB Launcher: ORB_TOTAL_SIZE_BYTES: 39370752 ORB Launcher: ORB_CREATION_TIMESTAMP_UNIX: 1463608756 ORB Launcher: OK, file size is correct ALWAYS_CHECK_WHITELIST=false ALWAYS_WARN_ABOUT_UNTRUSTED_FILES=false ORB Launcher: Skipping the whitelist_check ORB Launcher: Using the normal home at ( /home/igor ) ORB Launcher: Will not check if file is trusted or not, based on configuration. ORB Launcher: mount_dir_iso = /tmp/tmp.H7xhvppV3T ORB Launcher: Trying to mount file with fuseiso... ORB Launcher: fuseiso pid: 26065 ORB Launcher: mount_dir_squashfs = /tmp/tmp.EDZ5qUTVfG ORB Launcher: Trying to mount app.squashfs with squashfuse... ORB Launcher: squashfuse pid: 26073 ORB Launcher: Starting autorun.sh from app.squashfs from vlc_2.2.2_portable_64bits.orb ORB Portable App Starter: script dir: /tmp/tmp.EDZ5qUTVfG Running vlc (without arguments) ... VLC media player 2.2.2 Weatherwax (revision 2.2.2-0-g6259d80) [00007ff9b7f99088] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface. pci id for fd 25: 80ee:beef, driver (null) libGL error: core dri or dri2 extension not found libGL error: failed to load driver: vboxvideo ``` Note: Above are some errors probably because I run it using VirtualBox. But VLC Media Player application starts up and working fine. 9. Close down VLC Media Player. 10. Now start the same program by prefixing firejail: `firejail orb vlc_2.2.2_portable_64bits.orb` Bellow info is outputed but VLC Media Player never starts up. ``` Reading profile /etc/firejail/generic.profile Reading profile /etc/firejail/disable-mgmt.inc Reading profile /etc/firejail/disable-secret.inc Reading profile /etc/firejail/disable-common.inc ** Note: you can use --noprofile to disable generic.profile ** Parent pid 26409, child pid 26410 Child process initialized Starting ORB Launcher 0.1.047... Homepage: www.orbital-apps.com ORB Launcher: file_path: /home/igor/Downloads/vlc_2.2.2_portable_64bits.orb ORB Launcher: OK, file exists... ORB Launcher: OK, file is readable... ORB Launcher: Architecture set to: x86_64 ORB_SPECIFICATION_VERSION=0.0.2 ORB_TOTAL_SIZE_BYTES=39370752 ORB_CREATION_TIMESTAMP_UNIX=1463608756 ORB_IS_PORTABLE_APP=true ORB_METADATA_END= ORB Launcher: ORB_TOTAL_SIZE_BYTES: 39370752 ORB Launcher: ORB_CREATION_TIMESTAMP_UNIX: 1463608756 ORB Launcher: OK, file size is correct ALWAYS_CHECK_WHITELIST=false ALWAYS_WARN_ABOUT_UNTRUSTED_FILES=false ORB Launcher: Skipping the whitelist_check ORB Launcher: Using the normal home at ( /home/igor ) ORB Launcher: Will not check if file is trusted or not, based on configuration. ORB Launcher: mount_dir_iso = /tmp/tmp.b8XYWbrq65 ORB Launcher: Trying to mount file with fuseiso... /usr/bin/orb: line 450: 6777 Bad system call $fuseiso_binary "$file_path" "$mount_dir_iso" -o allow_root,ro,nosuid ORB Launcher: There was a problem mounting the file with fuseiso ORB Launcher: Running vlc_2.2.2_portable_64bits.orb directly... ORB Launcher: OK, ORB file is marked as executable... ORB Launcher: ORB file was not recognized neither as a bash nor sh script, it is not possible to run it. ORB Launcher: Exiting without running the file... ORB Launcher: Un-mounting mount_dir_iso with fusermount ( /tmp/tmp.b8XYWbrq65 ) ORB Launcher has finished and will now exit. parent is shutting down, bye... ``` It looks to me that some special firejail profile should be created for OrbitApps portable. Regards
gitea-mirror commented 2026-05-05 05:42:31 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (May 20, 2016):

The program is crashed by seccomp. They try to do a mount syscall. If you disable seccomp in the profile file, then you would also need to disable capabilities in order to give the program administrative rights, because they also run SUID binaries to mount the ISO filesystem. The bad part comes when you start running the programs in the ISO filesystem. There can be anything in there, and they have admin rights.

I would stay away form this type of applications, they are the modern equivalent of clicking on email attachments.

<!-- gh-comment-id:220594637 --> @netblue30 commented on GitHub (May 20, 2016): The program is crashed by seccomp. They try to do a mount syscall. If you disable seccomp in the profile file, then you would also need to disable capabilities in order to give the program administrative rights, because they also run SUID binaries to mount the ISO filesystem. The bad part comes when you start running the programs in the ISO filesystem. There can be anything in there, and they have admin rights. I would stay away form this type of applications, they are the modern equivalent of clicking on email attachments.
gitea-mirror commented 2026-05-05 05:42:34 -06:00
Author
Owner
Copy link

@igor2x commented on GitHub (May 21, 2016):

Thanks a lot for looking into this problem and providing your precious opinion. I just saw an article on web about portable applications. I love idea of PortableApps.com portable applications on Windows, you know running application from USB key without installation, where no superuser is required to run applications and all of the config files are saved on USB key, excellent idea for portability. But as it looks like OrbitalApps portable applications on Ubuntu 16.04 the idea is the same, but implementation is pretty much very different.

If I understand you correctly in the case of OrbitalApps portable application it is not a case for slightly adjust one of the Firejail profile to disable insignificant security features in Firejail, but critical component has to be disabled (allowing super user access). In this case there is very difficult or impossible to jail such an application. Application having superuser access is in no real point of jailing it anyway. Using this kind of portable application it is in no way possible to have portability and security at the same time. User concerned about security like me should not use OrbitalApps portable applications, because it is impossible to secure them properly like jailing them.

You can close this problem request with some status of not been possible to securely fix the problem and so problem report is irrelevant to Firejail.

Thanks a million for your precious opinion.

<!-- gh-comment-id:220760678 --> @igor2x commented on GitHub (May 21, 2016): Thanks a lot for looking into this problem and providing your precious opinion. I just saw an article on web about portable applications. I love idea of PortableApps.com portable applications on Windows, you know running application from USB key without installation, where no superuser is required to run applications and all of the config files are saved on USB key, excellent idea for portability. But as it looks like OrbitalApps portable applications on Ubuntu 16.04 the idea is the same, but implementation is pretty much very different. If I understand you correctly in the case of OrbitalApps portable application it is not a case for slightly adjust one of the Firejail profile to disable insignificant security features in Firejail, but critical component has to be disabled (allowing super user access). In this case there is very difficult or impossible to jail such an application. Application having superuser access is in no real point of jailing it anyway. Using this kind of portable application it is in no way possible to have portability and security at the same time. User concerned about security like me should not use OrbitalApps portable applications, because it is impossible to secure them properly like jailing them. You can close this problem request with some status of not been possible to securely fix the problem and so problem report is irrelevant to Firejail. Thanks a million for your precious opinion.
gitea-mirror commented 2026-05-05 05:42:38 -06:00
Author
Owner
Copy link

@pcx862 commented on GitHub (May 22, 2016):

Hi, I'm the lead developer of ORB Applications and would like to clear some misconceptions:
*By design, our "ORB Launcher" never runs as root
*By design, we never use SUID
*By design, our apps don't run as root
*By design, the sudo password is always expired, so the ISO contents can never take advantage of the sudo password in the cache

In addition, not just the the ORB/ISO itself is cryptographically signed, but the contents are also signed (a file with all the SHA512 hashes is PGP-signed)

We believe we have a robust multi-layered security model, as can be seen here:
https://www.orbital-apps.com/security

Having clarified that, we are very interested in making our apps compatible with firejail, and even further, we plan to integrate firejail and enable sandboxing by default.

Regarding this specific issue, it seems if (non-root) FUSE operations (mount) can be sandboxed with seccomp, everything else should work perfectly.
Are non-root FUSE operations blocked by design? Is there a way to "whitelist" FUSE operations but leave everything else enabled?

Thanks in advance for a possible solution,
Peter M

<!-- gh-comment-id:220861277 --> @pcx862 commented on GitHub (May 22, 2016): Hi, I'm the lead developer of ORB Applications and would like to clear some misconceptions: *By design, our "ORB Launcher" never runs as root *By design, we never use SUID *By design, our apps don't run as root *By design, the sudo password is always expired, so the ISO contents can never take advantage of the sudo password in the cache In addition, not just the the ORB/ISO itself is cryptographically signed, but the contents are also signed (a file with all the SHA512 hashes is PGP-signed) We believe we have a robust multi-layered security model, as can be seen here: https://www.orbital-apps.com/security Having clarified that, we are very interested in making our apps compatible with firejail, and even further, we plan to integrate firejail and enable sandboxing by default. Regarding this specific issue, it seems if (non-root) FUSE operations (mount) can be sandboxed with seccomp, everything else should work perfectly. Are non-root FUSE operations blocked by design? Is there a way to "whitelist" FUSE operations but leave everything else enabled? Thanks in advance for a possible solution, Peter M
gitea-mirror commented 2026-05-05 05:42:40 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (May 23, 2016):

Sorry if I went overboard in my previous comment.

FUSE ends up calling a SUID binary (/bin/fusermount) to mount the filesystem. In order to run it, you would need CAP_SYS_ADMIN capability enabled (man 7 capabilities). All capabilities are disabled by the sandbox. You would also need to disable seccomp. seccomp uses an obscure kernel feature, no_new_privs https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt , for its own protection. This also disables SUID binaries.

The way it could work, in your starter program after FUSE mounting, start the application in the sandbox. Instead of "vlc" you would need to start "/usr/bin/firejail vlc". If the user doesn't have firejail installed, you just start "vlc" as usual. Or you can open a dialog window and ask the user, but basically it should work.

<!-- gh-comment-id:221049058 --> @netblue30 commented on GitHub (May 23, 2016): Sorry if I went overboard in my previous comment. FUSE ends up calling a SUID binary (/bin/fusermount) to mount the filesystem. In order to run it, you would need CAP_SYS_ADMIN capability enabled (man 7 capabilities). All capabilities are disabled by the sandbox. You would also need to disable seccomp. seccomp uses an obscure kernel feature, no_new_privs https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt , for its own protection. This also disables SUID binaries. The way it could work, in your starter program after FUSE mounting, start the application in the sandbox. Instead of "vlc" you would need to start "/usr/bin/firejail vlc". If the user doesn't have firejail installed, you just start "vlc" as usual. Or you can open a dialog window and ask the user, but basically it should work.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#370
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?