[PR #6504] [CLOSED] feature: create the link only if its endpoint is available #6045

opened 2026-05-05 10:49:40 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/6504
Author: @i-pankrat
Created: 10/10/2024
Status: Closed

Base: master ← Head: delayed-links


📝 Commits (1)

  • 21e74bb feature: create the link only if its endpoint is available

📊 Changes

7 files changed (+258 additions, -17 deletions)

📝 src/firejail/firejail.h (+15 -0)
📝 src/firejail/fs.c (+2 -0)
📝 src/firejail/fs_etc.c (+22 -7)
📝 src/firejail/fs_whitelist.c (+5 -0)
📝 src/firejail/profile.c (+116 -0)
📝 src/firejail/sandbox.c (+19 -10)
📝 src/firejail/util.c (+79 -0)

📄 Description

This PR is intended to discuss the operation of the --private-etc option. Right now, for most files, a copy of the resolved file (resolved path) is created in /etc. But this is not always a good way, as for example with the hardcoded value of /etc/mtab. But there are also files that in theory can be changed while the process is running in the sandbox. The process will not know about these changes until the sandbox is restarted, e.g. localtime, resolv.conf. If the time zone changes, localtime will change.

localtime without sandbox on my machine:

```sh
lrwxrwxrwx   1 root root       33 Jan 31  2024 localtime -> /usr/share/zoneinfo/Europe/Moscow
```

localtime in sandbox on my machine:

```sh
ilya@pankrat:/etc$ firejail --private-etc=localtime
-rw-r--r--  1 nobody nogroup   1535 Oct 10 13:11 localtime
```

Moreover, it is intuitively unexpected and seems unsafe that a link file in /etc/ is created if some intermediate link or resolved file is not available in the sandbox. I would expect firejail to send at least a warning or not just create a file in /etc/ in such a case. Example with localtime linked to /usr/share/zoneinfo/Europe/Moscow, /usr/share/zoneinfo is blacklisted and /etc/localtime is available:

```sh
ilya@pankrat:/etc$ firejail --private-etc=localtime --blacklist=/usr/share/zoneinfo
ilya@pankrat:/etc$ ls -la | grep localtime
-rw-r--r--  1 nobody nogroup   1535 Oct 10 13:14 localtime
ilya@pankrat:/etc$ ls /usr/share/zoneinfo
ls: cannot open directory '/usr/share/zoneinfo': Permission denied
```

The PR offers a solution to two problems:

  1. Creates links for files from /etc
  2. Does not create files for /etc links if any of the intermediate paths are unavailable

I haven't fixed the tests yet. Let's discuss what you think about it.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
