[GH-ISSUE #730] Wishlist: easier way to allow additional system calls #495

Closed
opened 2026-05-05 05:58:32 -06:00 by gitea-mirror · 9 comments

Originally created by @lheckemann on GitHub (Aug 18, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/730

For debugging software within jails, I like to be able to use tools like strace and gdb, which use the ptrace system call. However, I currently don't know of a way of allowing ptrace while keeping seccomp enabled without copying the default list of blocked system calls and removing ptrace, which makes for extremely unwieldy command lines. Something like --seccomp.blacklist=!ptrace or --seccomp.allow=ptrace would be nice (as opposed to --seccomp.keep=ptrace which seems to allow nothing but ptrace...).

Or would it make more sense to use gdb on firejail and skip ahead to the exec system call when doing this?


@Fred-Barclay commented on GitHub (Aug 19, 2016):

Would --seccomp.keep=ptrace do what you're looking for?

 --seccomp.keep=syscall,syscall,syscall
              Enable seccomp filter, and whitelist the syscalls specified by the command.

              Example:
              $ firejail --shell=none --seccomp.keep=poll,select,[...] transmission-gtk

@lheckemann commented on GitHub (Aug 19, 2016):

That results in the following seccomp filter:

  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  WHITELIST 105 setuid
  WHITELIST 106 setgid
  WHITELIST 116 setgroups
  WHITELIST 32 dup
  WHITELIST 101 ptrace
  KILL_PROCESS

Which allows nothing but ptrace, causing such things as executing a shell, opening a file, or even writing to a previously opened file to fail. I meant to write --seccomp.keep, not --seccomp.whitelist (which doesn't exist) in the initial comment (fixed).

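The filter dump above is the whole story of why --seccomp.keep=ptrace breaks the program: a keep list is an allowlist with KILL as the default action, whereas the default profile is a blocklist with ALLOW as the default. The following is an added example, not firejail's own code, that builds both filter shapes as raw seccomp-BPF and evaluates them with a small interpreter for the seccomp subset of classic BPF, so the difference can be checked offline. Assumptions made here: x86_64 syscall numbers; the blocklist returns EPERM rather than killing the process (a choice made so that the live demo in main() can show the failing ptrace call and keep running; firejail's own filters decide that differently); the constants are copied from linux/filter.h and linux/seccomp.h so the file needs no kernel headers.

```c
/* Added example (not firejail's code): build and evaluate seccomp-BPF filters
 * of the two shapes discussed in this thread. x86_64 only. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>

/* Classic-BPF opcodes and seccomp return values (values as in the kernel headers). */
#define OP_LD_W_ABS        0x20          /* A = 32-bit word at k of struct seccomp_data */
#define OP_JMP_JEQ_K       0x15          /* pc += (A == k) ? jt : jf */
#define OP_RET_K           0x06          /* return k */
#define SECCOMP_ALLOW      0x7fff0000u
#define SECCOMP_ERRNO      0x00050000u   /* low 16 bits carry the errno */
#define SECCOMP_KILL       0x00000000u   /* firejail prints this as KILL_PROCESS */
#define AUDIT_ARCH_X86_64  0xc000003eu
#define SD_OFF_NR          0             /* offsetof(struct seccomp_data, nr) */
#define SD_OFF_ARCH        4             /* offsetof(struct seccomp_data, arch) */
#define MAX_INSNS          64
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif

/* x86_64 syscall numbers used below (same numbers as in the dump above). */
enum { NR_write = 1, NR_dup = 32, NR_execve = 59, NR_ptrace = 101,
       NR_setuid = 105, NR_setgid = 106, NR_setgroups = 116, NR_openat = 257 };

typedef struct { uint16_t code; uint8_t jt, jf; uint32_t k; } insn_t; /* = struct sock_filter */
typedef struct { uint16_t len; insn_t insns[MAX_INSNS]; } prog_t;

static void emit(prog_t *p, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k) {
    if (p->len < MAX_INSNS) { insn_t i = { code, jt, jf, k }; p->insns[p->len++] = i; }
}

/* VALIDATE_ARCHITECTURE, EXAMINE_SYSCALL, one JEQ per listed syscall returning
 * on_match, then `otherwise` for everything else. A blocklist is
 * (on_match=ERRNO or KILL, otherwise=ALLOW); a keep list is (ALLOW, KILL). */
static prog_t build(const int *nrs, size_t n, uint32_t on_match, uint32_t otherwise) {
    prog_t p = { 0 };
    emit(&p, OP_LD_W_ABS, 0, 0, SD_OFF_ARCH);           /* VALIDATE_ARCHITECTURE */
    emit(&p, OP_JMP_JEQ_K, 1, 0, AUDIT_ARCH_X86_64);
    emit(&p, OP_RET_K, 0, 0, SECCOMP_KILL);             /* wrong ABI: kill */
    emit(&p, OP_LD_W_ABS, 0, 0, SD_OFF_NR);             /* EXAMINE_SYSCALL */
    for (size_t i = 0; i < n; i++) {                     /* WHITELIST / BLACKLIST nr */
        emit(&p, OP_JMP_JEQ_K, 0, 1, (uint32_t)nrs[i]);  /* match: fall into RET */
        emit(&p, OP_RET_K, 0, 0, on_match);
    }
    emit(&p, OP_RET_K, 0, 0, otherwise);                 /* default action */
    return p;
}

/* Evaluate the filter for one (arch, nr) exactly as the kernel's BPF engine
 * would, and return the SECCOMP_RET_* value. */
static uint32_t run(const prog_t *p, uint32_t arch, int nr) {
    uint32_t acc = 0;
    for (uint16_t pc = 0; pc < p->len; pc++) {
        const insn_t *i = &p->insns[pc];
        switch (i->code) {
        case OP_LD_W_ABS:  acc = (i->k == SD_OFF_NR) ? (uint32_t)nr
                               : (i->k == SD_OFF_ARCH) ? arch : 0; break;
        case OP_JMP_JEQ_K: pc += (acc == i->k) ? i->jt : i->jf; break; /* relative to next insn */
        case OP_RET_K:     return i->k;
        }
    }
    return SECCOMP_KILL; /* not reached for a well-formed filter */
}

/* Blocklist shape (the default profile, reduced to ptrace): everything else is allowed. */
static uint32_t decide_blocklist(int nr) {
    static const int blocked[] = { NR_ptrace };
    prog_t p = build(blocked, 1, SECCOMP_ERRNO | EPERM, SECCOMP_ALLOW);
    return run(&p, AUDIT_ARCH_X86_64, nr);
}

/* Keep-list shape, as in the --seccomp.keep=ptrace dump: only the five listed
 * syscalls are allowed; write, openat, execve and everything else are killed. */
static uint32_t decide_keep(int nr) {
    static const int kept[] = { NR_setuid, NR_setgid, NR_setgroups, NR_dup, NR_ptrace };
    prog_t p = build(kept, 5, SECCOMP_ALLOW, SECCOMP_KILL);
    return run(&p, AUDIT_ARCH_X86_64, nr);
}

static const char *name(uint32_t ret) {
    return ret == SECCOMP_ALLOW ? "ALLOW" : (ret & 0xffff0000u) == SECCOMP_ERRNO ? "ERRNO" : "KILL";
}

/* Load the blocklist into this process (unprivileged: needs no_new_privs first). */
static int install_blocklist(void) {
    static const int blocked[] = { NR_ptrace };
    static prog_t p;
    p = build(blocked, 1, SECCOMP_ERRNO | EPERM, SECCOMP_ALLOW);
    struct { uint16_t len; const insn_t *filter; } fprog = { p.len, p.insns }; /* struct sock_fprog layout */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, 2 /* SECCOMP_MODE_FILTER */, &fprog, 0, 0);
}

int main(void) {
    const int probe[] = { NR_write, NR_openat, NR_execve, NR_ptrace };
    for (size_t i = 0; i < 4; i++)
        printf("nr %3d  blocklist: %-5s  keep=ptrace: %s\n", probe[i],
               name(decide_blocklist(probe[i])), name(decide_keep(probe[i])));
    if (install_blocklist() == 0) {
        long r = ptrace(PTRACE_TRACEME, 0, NULL, NULL);  /* expect -1, errno EPERM */
        printf("live: ptrace(PTRACE_TRACEME) = %ld, errno %d\n", r, errno);
    }
    return 0;
}
```

The live part only installs the blocklist; installing the keep list into a process that still needs write() would, as the thread observed, kill it on the next output.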

@netblue30 commented on GitHub (Aug 20, 2016):

Unfortunately, just allowing ptrace syscall will not be enough. It also needs to be able to run SUID binaries inside the sandbox - strace is SUID. This is how you can run it:

$ sudo strace -f firejail --noprofile application

Or you can just start a sandbox with --noprofile and run strace inside the sandbox:

$ firejail --noprofile
Parent pid 9690, child pid 9691
Child process initialized
netblue@debian:~/work/github/firejail$ strace -f application

I'll add a description in FAQ.


@lheckemann commented on GitHub (Aug 20, 2016):

strace isn't SUID on my system, and I don't see any reason why it would need to be.
firejail --ignore=seccomp --noblacklist=/usr/bin/strace strace echo hello works just fine for me...


@netblue30 commented on GitHub (Aug 20, 2016):

You are right, I forgot about the blacklist! I'll bring a command line flag in, something like "firejail --debug-ptrace [...] application"


@lheckemann commented on GitHub (Aug 22, 2016):

Wouldn't it be better to have a more generic option like --seccomp.add=ptrace so that we can make use of the standard blacklist, unblocking individual calls?

EDIT: would --allow-debuggers maybe be a better name for the option than --debug-ptrace if you decide to go with that route? Its function being allowing the ptrace syscall and disabling blacklisting for strace, gdb, ltrace, etc?


@netblue30 commented on GitHub (Aug 22, 2016):

> Wouldn't it be better to have a more generic option like --seccomp.add=ptrace so that we can make use of the standard blacklist, unblocking individual calls?

Probably, but it will complicate the code - we are still SUID, so we need to keep it as simple as possible.
OK, it will be --allow-debuggers


@netblue30 commented on GitHub (Aug 22, 2016):

All set, you can try it out.

$ man firejail
[...]
      --allow-debuggers
              Allow tools such as strace and gdb inside the sandbox.

              Example:
              $  firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
[...]

@lheckemann commented on GitHub (Aug 23, 2016):

Great, thanks!
