mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #1238] default bind mounts and noexec option #841
Originally created by @SYN-cook on GitHub (Apr 21, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1238
noexec /tmp and noexec ${HOME} don't necessarily block execution completely, I see a few folders still allowing it:

Since noexec options are being used in profiles, it would be nice to close loopholes for the standard configuration.
~/.local/share can be easily handled in disable-common.inc. And the .X11-unix and pulse folders should be also safe for remounting with a noexec flag.
@SkewedZeppelin commented on GitHub (Apr 21, 2017):
Why does 'noexec ${HOME}' not apply to ~/.local/share? Also this will break a few profiles such as Steam, which stores itself there.
@SYN-cook commented on GitHub (Apr 21, 2017):
@SpotComms Did you try running e.g.
findmnt inside the jail? It would be interesting if you can't reproduce it, I have seen it on different systems.

If besides Steam more programs install themselves to ~/.local/share, maybe an alternative implementation could be to tie all remounting work to the noexec options, instead of remounting the folders noexec from the beginning.
@SkewedZeppelin commented on GitHub (Apr 21, 2017):
You are correct, I was just wondering why 'noexec ${HOME}' doesn't apply recursively as I assumed it did.
Edit: noexec just does the one directory specified, none of the other directories end up with noexec. That seems pretty useless. @netblue30 please make noexec recursively apply.
@SYN-cook commented on GitHub (Apr 21, 2017):
@SpotComms On my current setup (I'm on a trip and unfortunately can't try many things), the noexec option is enforced recursively, except for those three folders mentioned in the first comment, e.g. I go to a random subfolder and try to run an executable, I am told I don't have permissions to do so.
Is it possible for you to execute programs/scripts in subfolders?
@SkewedZeppelin commented on GitHub (Apr 21, 2017):
@SYN-cook Okay so while 'findmnt' only shows the 'noexec' option for /home/user and not for any subdirectories, I cannot execute under ~, ~/.config. I can however execute under ~/.local/share. So yes you are again correct. I created #1242 as an alternative solution.
@SYN-cook commented on GitHub (Apr 21, 2017):
👍 Cool! So let's see what netblue30 says
@netblue30 commented on GitHub (Apr 22, 2017):
I'll play a little bit with noexec on ~/.config/pulse and /tmp/.X11-unix and put them in disable-common.inc.
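The findmnt check discussed in the thread, as an added example (not part of the original issue or of firejail's own code): it reads findmnt's TARGET/OPTIONS columns from inside the sandbox and lists every mount under the noexec'd directories that itself lacks the noexec flag, which is exactly how ~/.local/share, ~/.config/pulse and /tmp/.X11-unix escape "noexec ${HOME}" and "noexec /tmp". The sample findmnt lines and the /home/user path are constructed.

```shell
#!/bin/sh
# Constructed sample of `findmnt -rn -o TARGET,OPTIONS` output as it could
# look inside a jail started with "noexec ${HOME}" and "noexec /tmp".
SAMPLE='/ rw,relatime
/home/user rw,nosuid,nodev,noexec,relatime
/home/user/.local/share rw,nosuid,nodev,relatime
/home/user/.config/pulse rw,nosuid,nodev,relatime
/tmp rw,nosuid,nodev,noexec,relatime
/tmp/.X11-unix rw,nosuid,nodev,relatime
/usr rw,relatime'

# exec_holes PREFIX...: read "TARGET OPTIONS" lines on stdin and print each
# mount target located at or below one of the PREFIXes whose mount options do
# not contain "noexec". Child mounts do not inherit the parent's remount
# flags, so these are the places where execution is still possible.
exec_holes() {
    while read -r target options; do
        [ -n "$target" ] || continue
        for prefix in "$@"; do
            case "$target" in
                "$prefix"|"$prefix"/*)
                    case ",$options," in
                        *,noexec,*) ;;                 # covered by noexec
                        *) printf '%s\n' "$target" ;;  # loophole
                    esac
                    break
                    ;;
            esac
        done
    done
}

# check_live: same check against the real mount table of the calling process
# (meaningful when run from inside the jail); needs util-linux findmnt.
check_live() {
    findmnt -rn -o TARGET,OPTIONS | exec_holes "$HOME" /tmp
}

# Demonstration on the constructed sample: prints the three loophole mounts.
printf '%s\n' "$SAMPLE" | exec_holes /home/user /tmp
```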