[PR #2186] [MERGED] Fix issue #2148: Make sure firejail can find helper programs in sandbox regardless of options. #4212

New issue

Closed

opened 2026-05-05 10:15:52 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:15:52 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/2186
Author: @crass
Created: 10/13/2018
Status: ✅ Merged
Merged: 10/13/2018
Merged by: @netblue30

Base: master ← Head: fix-2148-always-have-helpers-in-sandbox

📝 Commits (1)

4017e8a Fix issue #2148: Make sure firejail can find helper programs in sandbox regardless of options.

📊 Changes

6 files changed (+38 additions, -22 deletions)

View changed files

📝 src/firejail/bandwidth.c (+3 -3)
📝 src/firejail/firejail.h (+14 -13)
📝 src/firejail/fs_trace.c (+1 -1)
📝 src/firejail/main.c (+9 -2)
📝 src/firejail/output.c (+3 -3)
📝 src/firejail/preproc.c (+8 -0)

📄 Description

These changes allow firejail to always be able to find and run its helper libraries even when they are installed in a location that would otherwise be inaccessible in the sandbox (eg. under ${HOME} or /media when disable-mnt is enabled), which fixes #2148. The basic idea behind the implementation is to first unshare firejail's mount namespace and make all mounts private. Then early on we bind-mount LIBDIR, where the helpers programs are actually stored, to /run/firejail/lib and have all the helpers be run from there.

Despite there being a fair amount of lines to the changeset, the magic really happens in only a few lines. The unsharing of the mount namespace and making mounts private happens in src/firejail/main.c line 883-886, and the bind-mount of LIBDIR in src/firejail/preproc.c lines 77-78.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/2186 **Author:** [@crass](https://github.com/crass) **Created:** 10/13/2018 **Status:** ✅ Merged **Merged:** 10/13/2018 **Merged by:** [@netblue30](https://github.com/netblue30) **Base:** `master` ← **Head:** `fix-2148-always-have-helpers-in-sandbox` --- ### 📝 Commits (1) - [`4017e8a`](https://github.com/netblue30/firejail/commit/4017e8a1359208e149b2eac10900987acd4a6f9e) Fix issue #2148: Make sure firejail can find helper programs in sandbox regardless of options. ### 📊 Changes **6 files changed** (+38 additions, -22 deletions) <details> <summary>View changed files</summary> 📝 `src/firejail/bandwidth.c` (+3 -3) 📝 `src/firejail/firejail.h` (+14 -13) 📝 `src/firejail/fs_trace.c` (+1 -1) 📝 `src/firejail/main.c` (+9 -2) 📝 `src/firejail/output.c` (+3 -3) 📝 `src/firejail/preproc.c` (+8 -0) </details> ### 📄 Description These changes allow firejail to always be able to find and run its helper libraries even when they are installed in a location that would otherwise be inaccessible in the sandbox (eg. under `${HOME}` or `/media` when `disable-mnt` is enabled), which fixes #2148. The basic idea behind the implementation is to first unshare firejail's mount namespace and make all mounts private. Then early on we bind-mount `LIBDIR`, where the helpers programs are actually stored, to `/run/firejail/lib` and have all the helpers be run from there. Despite there being a fair amount of lines to the changeset, the magic really happens in only a few lines. The unsharing of the mount namespace and making mounts private happens in `src/firejail/main.c` line 883-886, and the bind-mount of `LIBDIR` in `src/firejail/preproc.c` lines 77-78. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:15:52 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#4212

No description provided.

Rows
Columns