[GH-ISSUE #1098] Cannot whitelist symlinks that point outside home directory #752

Closed
opened 2026-05-05 06:34:19 -06:00 by gitea-mirror · 14 comments
Originally created by @lheckemann on GitHub (Feb 11, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1098

I'm on NixOS, and I want to whitelist `~/.nix-profile` (symlink to `/nix/var/nix/profiles/per-user/linus/profile`) for read-only access (so the symlink cannot be modified from inside the jail). However, this no longer works in firejail 0.9.44.4; it worked in the previous version I had installed, which I believe was 0.9.44.2.

@netblue30 commented on GitHub (Feb 11, 2017):

The directory your link points to needs to be owned by the regular user starting the sandbox. If it is owned by root, it will refuse to build the link and print an "Error: invalid whitelist path ..." message. You can still make the directory read-only (chmod 511 directory).

@lheckemann commented on GitHub (Feb 12, 2017):

Is it not possible to make the symlink itself visible inside the sandbox? I want it available even though the (final) target is owned by root (and should remain so).

@netblue30 commented on GitHub (Feb 12, 2017):

OK, I put a fix on mainline git. Grab the new version, open /etc/firejail/firejail.config and add "follow-symlink-as-user no".

@lheckemann commented on GitHub (Feb 12, 2017):

Awesome, thanks! I'll try it out later.

@tilpner commented on GitHub (Mar 6, 2017):

@netblue30 Could you please reopen this issue?

@lheckemann mentioned on IRC that he hasn't actually tried the fix yet, and it doesn't seem to fix the problem for me.

I added `follow-symlink-as-user no` into `/etc/firejail/firejail.config` and `~/.config/firejail/firejail.config`, but firejail still errors with `Error: invalid whitelist path` for anything that links to `/nix/store/*`.

There's no indication firejail even reads those files, possibly because they're both symlinks again. Putting invalid lines into both of them ("foobar") doesn't cause invocations with `--debug` to print anything related.

```shell
» ls -l /etc/firejail/firejail.config
lrwxrwxrwx 1 root root 36 Mar  6 15:13 /etc/firejail/firejail.config -> /etc/static/firejail/firejail.config
» ls -l .config/firejail
lrwxrwxrwx 1 till users 61 Mar  6 16:12 .config/firejail -> /nix/var/nix/profiles/per-user/till/nix-home/.config/firejail
» ls -l .config/firejail/firejail.config
-r--r--r-- 1 root root 3095 Jan  1  1970 .config/firejail/firejail.config
```

Would this cause firejail to not read the config? Unfortunately strace-ing firejail triggers sandbox detection...

@netblue30 commented on GitHub (Mar 7, 2017):

I'll try it out.

@vtpoet commented on GitHub (Mar 26, 2017):

Also had this problem. (All my home folders are symlinked to a separate partition.) Added your PPA and updated. Works now. Thanks!

@tex commented on GitHub (Apr 8, 2017):

@vtpoet what is PPA?
I have the same problem, how to fix it?

@vtpoet commented on GitHub (Apr 8, 2017):

Hi Tex,

You can use the PPA if you're using an Ubuntu-based system. The PPA is here:

https://launchpad.net/~deki/+archive/ubuntu/firejail

If you're using Debian, you can still install the app at the PPA but it's a bit more complicated. For information on what a PPA is, try this:

https://askubuntu.com/questions/4983/what-are-ppas-and-how-do-i-use-them

@tex commented on GitHub (Apr 8, 2017):

Thank you. Unfortunately I'm running NixOS right now.

@vtpoet commented on GitHub (Apr 8, 2017):

Yeah, that's the downside to these niche Linux distros.

If you're really determined, you still might be able to compile the PPA's version on NixOS by using the source code. I've done it myself and it's not hard (once you know how). It's installing all the dependencies and finding a reliable and well-constructed guide that's time consuming.

@lheckemann commented on GitHub (Apr 9, 2017):

Try

```shell
git clone https://github.com/netblue30/firejail
nix-build -E "with import <nixpkgs> {}; firejail.overrideAttrs (orig: {src = ./firejail;})"
```

@vtpoet commented on GitHub (Mar 27, 2019):

Can you reopen this? I bumped into this issue again when I moved my .cache directory to a larger partition. Long story short: My system partition is relatively small so I opt to symbolically link my home folders, including .cache, to a larger partition. (My .cache directory can get to be several gigabytes in size.) Starting up firejail, I get the invalid whitelist error:

```
Error: invalid whitelist path /home/vtpoet/.cache/mozilla/firefox
Error: proc 28004 cannot sync with peer: unexpected EOF
```

@vtpoet commented on GitHub (Mar 27, 2019):

Nevermind. Fixed. Turns out it was a permission problem. When I used root to move the .cache folder, the permissions, naturally enough, were assigned to root. Nothing chown couldn't fix.

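Both the maintainer's explanation (the symlink's target must be owned by the user starting the sandbox) and the two reporter cases (a symlinked `~/.config/firejail` parent, a `.cache` symlink whose target was left root-owned after a move) come down to one ownership check. The script below is an added diagnostic, not firejail's own code: it walks every component of a whitelist path, and for each symlink it resolves the target and reports the first one whose owner differs from the expected uid. The function name `check_whitelist_path` and the "ok" / "invalid whitelist path" wording are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not part of firejail): predict an "invalid whitelist path"
# rejection by finding a symlink component whose target is not owned by UID.
# Usage: check_whitelist_path PATH UID   (returns 0 if ok, 1 otherwise)

stat_uid() {
    # Owner uid of a resolved path; GNU stat first, BSD stat as a fallback.
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

check_whitelist_path() {
    path=$1
    want_uid=$2
    case $path in /*) ;; *) path=$PWD/$path ;; esac   # make it absolute
    # Split on "/" so each prefix (/home, /home/u, /home/u/.config, ...) is
    # inspected: a symlinked parent directory, as in the ~/.config/firejail
    # case above, is caught and not just the final component.
    oldifs=$IFS; IFS=/
    set -- $path
    IFS=$oldifs
    prefix=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        if [ ! -e "$prefix" ]; then
            echo "missing (or dangling symlink): $prefix"
            return 1
        fi
        if [ -L "$prefix" ]; then
            target=$(readlink -f "$prefix")
            owner=$(stat_uid "$target")
            if [ "$owner" != "$want_uid" ]; then
                echo "invalid whitelist path $path: $prefix -> $target is owned by uid $owner, expected $want_uid"
                return 1
            fi
        fi
    done
    echo "ok: $path (every symlink target owned by uid $want_uid)"
    return 0
}

# Stand-alone use: check_whitelist_path.sh /path/to/whitelist [uid]
if [ "$#" -ge 1 ]; then
    check_whitelist_path "$1" "${2:-$(id -u)}"
fi
```

A root-owned `/nix/store` target or a `.cache` directory moved as root shows up as the "owned by uid 0" line; plain root-owned parents such as `/home` are not flagged because they are not symlinks.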