mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #690] Profile for symlinked programs #474
Originally created by @reinerh on GitHub (Aug 7, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/690
I just noticed a test failure of strings.exp in a newly setup VM.
It turns out that the reason is that strings is symlinked to x86_64-linux-gnu-strings and firejail is trying to load the profile for x86_64-linux-gnu-strings, which does not exist, so it uses the server profile.
I can't think of any security concerns to fall back to the profile of the symlink source, when the profile for the symlink destination does not exist, if both are in one of the standard binary paths (or even any root-owned path?).
@netblue30 commented on GitHub (Aug 9, 2016):
Let's just remove strings profile for now. The issue of falling back to the symlink source profile came up earlier, but I don't remember why I didn't go for it.
@netblue30 commented on GitHub (Aug 11, 2016):
OK, this seems to be something new in Debian unstable; in jessie it is still a real executable. I'll add a profile for x86_64-linux-gnu-strings.
@reinerh commented on GitHub (Aug 11, 2016):
On Thu, Aug 11, 2016 at 04:07:42AM -0700, netblue30 wrote:
I'm not sure if that's a good idea.
The name varies with each architecture, and it's not only strings, but also the other binutils.
I think it would be better to have only a profile for strings, and use this one, even when it is a symlink (in a known path).
@reinerh commented on GitHub (Aug 24, 2016):
The symlink issue is also biting Ubuntu users [1].
firefox (and thunderbird) is a symlink to a firefox.sh shell script/wrapper, where firejail will not use the firefox profile.
1: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1616334
@netblue30 commented on GitHub (Aug 25, 2016):
Thanks for letting me know. I'll bring in a fix as you suggested on mainline branch.
The Ubuntu user reporting the bug runs 0.9.38. I have a fix in 0.9.40; it basically picks up the profile based on the executable name up to the first dot, so firefox.sh will pick up the firefox profile correctly.
There's something else going on:
I started a 0.9.38 long term support branch, with only small fixes and security problems. I'll put in the same fix I have in 0.9.40 and release it by the end of the week. You can direct the user to download this version (I'll have 32 and 64 bit deb packages) or you can direct him to download directly 0.9.40.
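The two lookup rules discussed in this thread (the "name up to the first dot" rule from 0.9.40, and the earlier suggestion to fall back to the symlink's own name only when the symlink sits in a known, root-owned path) can be put together in a small resolver. The code below is an added illustration written for this page; it is not firejail's own source, and the profile names, directory layout and `trusted_uid` parameter are constructed for the demo. The trust check is the part that matters for security: without it, a symlink planted in a user-writable directory could be named after a permissive profile and steal its rules.

```python
import os
import stat
import tempfile

# Assumed list of "standard binary paths" from the discussion above.
STANDARD_BIN_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin", "/usr/local/bin")


def base_profile_name(path):
    """Profile name derived from a program path: basename up to the first dot.
    This mirrors the rule described for 0.9.40 (firefox.sh -> firefox)."""
    return os.path.basename(path).split(".", 1)[0]


def is_trusted_location(path, trusted_dirs, trusted_uid=0):
    """True when the directory holding `path` is one of `trusted_dirs`, is owned by
    `trusted_uid` (root in real use) and is not world-writable. A world-writable
    directory would let any local user plant a symlink named after a lax profile."""
    parent = os.path.dirname(os.path.abspath(path))
    if parent not in trusted_dirs:
        return False
    st = os.stat(parent)
    if st.st_uid != trusted_uid:
        return False
    return not (st.st_mode & stat.S_IWOTH)


def select_profile(program, profiles, trusted_dirs=STANDARD_BIN_DIRS, trusted_uid=0):
    """Pick a profile for `program` as invoked. Order of preference:
       1. first-dot rule applied to the fully resolved target
       2. first-dot rule applied to the invoked (symlink) name, but only if the
          symlink itself lives in a trusted directory
       3. None, meaning the caller should use its default profile
    Returns (profile_name_or_None, reason)."""
    target = os.path.realpath(program)
    candidates = [(base_profile_name(target), "target")]
    if os.path.islink(program) and is_trusted_location(program, trusted_dirs, trusted_uid):
        candidates.append((base_profile_name(program), "symlink-source"))
    for name, reason in candidates:
        if name in profiles:
            return name, reason
    return None, "default"


def build_demo_tree(root):
    """Constructed layout reproducing the two cases from the thread:
       usr/bin/strings -> usr/bin/x86_64-linux-gnu-strings (Debian binutils)
       usr/bin/firefox -> usr/bin/firefox.sh                (Ubuntu wrapper)
       home/user/bin/strings -> usr/bin/x86_64-linux-gnu-strings (untrusted copy)"""
    bindir = os.path.join(root, "usr", "bin")
    homebin = os.path.join(root, "home", "user", "bin")
    os.makedirs(bindir)
    os.makedirs(homebin)
    for real in ("x86_64-linux-gnu-strings", "firefox.sh"):
        open(os.path.join(bindir, real), "w").close()
    os.symlink(os.path.join(bindir, "x86_64-linux-gnu-strings"), os.path.join(bindir, "strings"))
    os.symlink(os.path.join(bindir, "firefox.sh"), os.path.join(bindir, "firefox"))
    os.symlink(os.path.join(bindir, "x86_64-linux-gnu-strings"), os.path.join(homebin, "strings"))
    return bindir, homebin


def run_demo():
    """Run the resolver over the constructed tree. The temp tree is owned by the
    current user, so trusted_uid is set to os.getuid() here instead of root."""
    profiles = {"strings", "firefox"}  # constructed set of installed profile names
    with tempfile.TemporaryDirectory() as root:
        bindir, homebin = build_demo_tree(root)
        trusted = (bindir,)
        uid = os.getuid()
        return {
            "usr_bin_strings": select_profile(os.path.join(bindir, "strings"), profiles, trusted, uid),
            "usr_bin_firefox": select_profile(os.path.join(bindir, "firefox"), profiles, trusted, uid),
            "home_bin_strings": select_profile(os.path.join(homebin, "strings"), profiles, trusted, uid),
        }


if __name__ == "__main__":
    for name, (profile, reason) in run_demo().items():
        print(f"{name}: profile={profile} via {reason}")
```

The first-dot rule alone already covers the firefox.sh wrapper; the symlink-source fallback is what rescues the binutils case, and restricting it to trusted directories is what keeps a symlink in `~/bin` from inheriting a profile it was never meant to have.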
@netblue30 commented on GitHub (Aug 25, 2016):
Fixed!