[GH-ISSUE #737] lots of terms in disabled common. regexp? #501

Closed
opened 2026-05-05 05:59:29 -06:00 by gitea-mirror · 4 comments

Originally created by @xahare on GitHub (Aug 21, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/737

Would this regexp work? You missed xterm and rxvt in the list.

```
# disable terminals running as server resulting in sandbox escape
blacklist ${PATH}/*term*
blacklist ${PATH}/*rxvt*
```

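Added example (mine, not code from the thread or from the firejail project): before shipping a line like `blacklist ${PATH}/*term*`, preview what it would actually hit. firejail expands `${PATH}` to each directory in `$PATH` and applies the glob in each one; the script below does the same with the shell's own pathname globbing. The directory it runs against is constructed for the demo (empty executables named after common terminal emulators, plus `setterm`, which is not a terminal emulator at all); pass `"$PATH"` as the second argument to run it against a real system. It only shows the reach of the pattern: `*term*` catches xterm (which the maintainers say is safe) and setterm, and misses konsole and st. Which of the matched programs actually escapes is what the escape test later in this thread decides.

```shell
#!/bin/sh
# Added example (not firejail's code): preview what a
# "blacklist ${PATH}/<glob>" profile line would hit, by expanding the glob
# in every directory of a PATH-style list, the way firejail expands ${PATH}.

# Print each existing path, in the directories of a PATH list, that matches a glob.
# $1 = glob such as '*term*'; $2 = colon-separated directory list (default: $PATH).
blacklist_preview() {
    pat=$1
    dirs=${2:-$PATH}
    oldifs=$IFS
    IFS=:
    set -- $dirs
    IFS=$oldifs
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/$pat; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Build a constructed directory of empty, executable files named after
# common terminal emulators (plus setterm, which is not a terminal emulator)
# so the preview runs offline. Prints the directory name.
demo_path() {
    d=$(mktemp -d)
    for name in xterm uxterm gnome-terminal konsole rxvt urxvt terminator setterm st lxterminal; do
        : > "$d/$name"
        chmod +x "$d/$name"
    done
    printf '%s\n' "$d"
}

# Demo on the constructed directory; replace "$d" with "$PATH" for a live preview.
d=$(demo_path)
for pat in '*term*' '*rxvt*'; do
    printf '# blacklist ${PATH}/%s would hit:\n' "$pat"
    blacklist_preview "$pat" "$d"
done
rm -rf "$d"
```

On the constructed directory `*term*` matches six names (xterm, uxterm, gnome-terminal, terminator, setterm, lxterminal) and `*rxvt*` matches two (rxvt, urxvt), while konsole and st match neither.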

@Fred-Barclay commented on GitHub (Aug 21, 2016):

G'day xahare! I was the one who blacklisted those terminals (so the blame for missing any belongs to me). I don't know anything about rxvt, but I do know that xterm did not escape the sandbox and thus doesn't need to be blacklisted in /etc/disable-common.inc.

Here's a short test you can use to see if a terminal program is capable of escaping firejail and needs to be blacklisted:

`firejail <terminal-program>`

In the new terminal window that should come up, try the following:

`ping -c 5 8.8.8.8`

If you get a message `ping: icmp open socket: Operation not permitted` then the terminal cannot escape the sandbox (at least not by this method) and it does not need to be blacklisted in etc/disable-common.inc. If on the other hand you ping 8.8.8.8 (or another IP), then the terminal should be blacklisted.

Hope this helps! 😄


@xahare commented on GitHub (Aug 21, 2016):

It seems blunt to make a list based on properties that can change out from under us or vary by distro. There must be a more programmatic way. What causes those terminals to escape? Maybe that can be blocked.

If nothing else, some automated test at boot could write those files.

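Added example (mine, not code from Fred-Barclay, xahare or the firejail project): a script that automates the escape test Fred-Barclay describes above for a list of terminals, along the lines of the automated check xahare asks for. Instead of ping it probes which namespace the shell spawned by the terminal ends up in: inside a firejail sandbox PID 1 is firejail's own init process and `NoNewPrivs` is set, whereas a shell handed to a terminal server that was already running outside the sandbox (the "terminals running as server" case from the opening post) sees the host's init. One caveat on the ping version of the test: on distributions that enable unprivileged ICMP datagram sockets via `net.ipv4.ping_group_range`, `ping` can succeed inside the sandbox as well, so a successful ping alone no longer proves an escape. The script assumes firejail and a graphical session are available, that the sandbox can see `$HOME` (where the probe writes its result), and that each terminal takes a `<flag> command args...` form (`xterm -e`, `rxvt -e`, `konsole -e`, `gnome-terminal --`, `terminator -x` are what I would expect; verify the flag for your versions). The `escape_test` and `classify_probe` names and the `.escape-test.*` file name are my own.

```shell
#!/bin/sh
# Added example, not from the firejail project or from this thread: start each
# terminal under firejail and have it run a probe that records, from inside
# whatever shell the terminal spawns, the name of PID 1 and the NoNewPrivs flag.
# Assumption: in a firejail sandbox PID 1 is firejail's init and NoNewPrivs is 1;
# a shell running outside (via an already-running terminal server) sees the
# host's init instead.

PROBE='printf "%s %s\n" "$(cat /proc/1/comm)" "$(grep NoNewPrivs /proc/self/status)" > "$1"'
WAIT_SECS=15

# Classify a probe result file: "sandboxed", "escaped", or "no-result" when the
# probe never wrote it (wrong exec flag, terminal not installed, no display...).
classify_probe() {
    [ -s "$1" ] || { echo "no-result"; return 0; }
    read -r init _ < "$1" || true
    if [ "$init" = "firejail" ]; then echo "sandboxed"; else echo "escaped"; fi
}

# Launch one terminal under firejail and wait for the probe to report back.
# $1 = terminal binary, $2 = its "execute this command" flag.
escape_test() {
    term=$1; flag=$2
    out="$HOME/.escape-test.$term.$$"      # hypothetical result file, inside $HOME so the sandbox can see it
    rm -f "$out"
    firejail --quiet "$term" "$flag" sh -c "$PROBE" sh "$out" >/dev/null 2>&1 &
    i=0
    while [ ! -s "$out" ] && [ "$i" -lt "$WAIT_SECS" ]; do
        sleep 1
        i=$((i + 1))
    done
    result=$(classify_probe "$out")
    rm -f "$out"
    printf '%-16s %s\n' "$term" "$result"
}

# Usage: sh escape-test.sh xterm -e gnome-terminal -- konsole -e
if [ "$#" -lt 2 ]; then
    echo "usage: $0 TERMINAL EXEC_FLAG [TERMINAL EXEC_FLAG ...]" >&2
else
    while [ "$#" -ge 2 ]; do
        escape_test "$1" "$2"
        shift 2
    done
fi
```

A terminal reported as `escaped` is one that handed the command to a process outside the sandbox and is a candidate for disable-common.inc; `no-result` usually means the exec flag was wrong for that terminal, not that it is safe.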

@Fred-Barclay commented on GitHub (Aug 21, 2016):

I agree, but unfortunately that seems to be the best way right now. These have been tested on multiple distros so I'm pretty confident that the patch works for all distros.
You may be interested in #472. If so, pay particular attention to what @netblue30 says. The real problem lies with these terminals, not firejail. The most we can do is patch bad behaviour, not prevent it.


@netblue30 commented on GitHub (Aug 22, 2016):

Some terminals allow the user to escape the sandbox, this is why we disabled some of them. xterm and rxvt are safe.
