mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #608] whitelist and private-dev combination #424
Originally created by @weeshy on GitHub (Jul 2, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/608
I really like the idea of a clean /dev directory, but I need access to some devices that are not added by default with the --private-dev option. I tried to whitelist them, and got an empty /dev directory as a result.
It would be great if those options would cooperate with less devastation.
@Fred-Barclay commented on GitHub (Jul 2, 2016):
Can you give an example so we can see what you did?
I suspect that you might need to noblacklist them too but that's just speculation at this point. ;)
@weeshy commented on GitHub (Jul 2, 2016):
example: I want private /dev, but I need /dev/nvidia0 /dev/nvidiactl /dev/nvidia-modeset for optirun to work correctly.
@Fred-Barclay commented on GitHub (Jul 2, 2016):
Sorry--what I mean was like
firejail --private-dev whitelist=/some/odd/directory
or whatever command you used. 😉
@weeshy commented on GitHub (Jul 2, 2016):
firejail --private-dev --whitelist=/dev/nvidia0
It gives empty /dev/ directory
@Fred-Barclay commented on GitHub (Jul 3, 2016):
Try this instead:
firejail --whitelist=/dev/nvidia0 --whitelist=/dev/nvidiactl --whitelist=/dev/nvidia-modeset
These three directories will be the only ones visible in /dev/.
After some testing it appears that whitelist and private-dev are mutually exclusive; i.e. whitelist overrides private-dev. I'm not sure why this is (besides the nature of a whitelist being what it is) but I rarely use the private-* options. Maybe someone else with more experience can explain the technical details and/or correct where I'm wrong?
@netblue30 commented on GitHub (Jul 3, 2016):
The solution is to bring in private-dev all the nvidia devices. So far I have /dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modeset and /dev/nvidia-uvm. I'll also bring in /dev/snd for sound. If I am missing something please let me know.
@weeshy commented on GitHub (Jul 3, 2016):
firejail --whitelist works as intended: I just manually specified all devices that are normally visible under private-dev and added the nvidia devices to the list.
@netblue30 commented on GitHub (Jul 3, 2016):
Yes, --whitelist will fix it for now, but I still have to bring in by default nvidia drivers in --private-dev. Anyway, thanks for bringing up this issue.
@netblue30 commented on GitHub (Jul 10, 2016):
I put the nvidia/private-dev thing on my todo list for now.
@nextime commented on GitHub (Aug 1, 2016):
In debian this issue brings some troubles. As in debian /dev/shm is a symlink to /run/shm, if I use a list of --whitelist to reproduce the behavior of --private-dev I get an error on /dev/shm, and as I also need /dev/shm other than /dev/nvidia*, this seems a stopping issue for me.
@netblue30 commented on GitHub (Aug 2, 2016):
Looking into it, thanks.
@nextime commented on GitHub (Aug 2, 2016):
Just as a work-around in case anyone falls into this issue before a proper fix is found/implemented, I actually use this in /etc/rc.local:
rm /dev/shm
mkdir /dev/shm
mount --bind /run/shm /dev/shm
This way we override the debian/devuan default of having /dev/shm as a symlink by actively removing it and recreating it as a bind mount of /run/shm, and then firejail works with --whitelist /dev/shm as intended.
@nextime commented on GitHub (Aug 3, 2016):
UPDATE: the same issue (whitelisting a symlink pointing outside the same dir) in debian and devuan also applies to things in /var/run (for example, whitelisting /var/run/pcscd to permit use of smartcard authentication), as /var/run is a symlink to /run.
The same workaround as for /dev/shm (so, remove the symlink and bind mount /run on /var/run in rc.local) works.
@chiraag-nataraj commented on GitHub (Jul 16, 2018):
FWIW, we have
--keep-dev-shm now, which keeps the original /dev/shm. I don't know if that solves the issue given here though. And yes, --keep-dev-shm is compatible with --private-dev.
@chiraag-nataraj commented on GitHub (Jul 30, 2018):
Closed due to inactivity. @nextime feel free to re-open if the workaround listed here doesn't work.
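An added example, not code from the firejail project or from any participant in this thread, that ties the workarounds together: it turns the device list a sandbox needs into --whitelist arguments and flags the case that broke the Debian/Devuan setups above, a whitelisted path that is a symlink to somewhere outside /dev (or /var/run). The function name, the DEVROOT parameter (so the check can run against a constructed directory tree instead of the real /dev), and the sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical helper: emit one "--whitelist=PATH" per usable device under
# DEVROOT (/dev on a real system) and skip entries that --whitelist cannot
# handle: paths that do not exist, and symlinks whose target lies outside
# DEVROOT (Debian's /dev/shm -> /run/shm is the case from this thread).
# The return value is the number of skipped entries, so a caller can tell
# that its whitelist will not reproduce the device set it asked for.
#
# Usage: firejail_dev_whitelist DEVROOT dev1 dev2 ...
firejail_dev_whitelist() {
    devroot=$1; shift
    canon_root=$(readlink -f "$devroot")   # canonical form for comparison
    skipped=0
    for dev in "$@"; do
        path="$devroot/$dev"
        if [ ! -e "$path" ]; then
            echo "skip: $path does not exist" >&2
            skipped=$((skipped + 1))
            continue
        fi
        if [ -L "$path" ]; then
            target=$(readlink -f "$path")
            case "$target" in
                "$canon_root"/*) ;;   # symlink stays inside DEVROOT: fine
                *)
                    # This is the failure mode reported for /dev/shm and
                    # /var/run: whitelisting the link does not bring in the
                    # target. For /dev/shm the thread's --keep-dev-shm option
                    # keeps the original directory instead.
                    echo "skip: $path -> $target is outside $devroot" >&2
                    skipped=$((skipped + 1))
                    continue ;;
            esac
        fi
        printf '%s\n' "--whitelist=$path"
    done
    return "$skipped"
}
```

The emitted lines can be passed straight to firejail (for example with xargs), and a non-zero return tells you which paths need a bind-mount workaround or --keep-dev-shm instead.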