[GH-ISSUE #1388] 2 gotchas with whitelist (ending / and origin dir of a symlinked file) #949

Closed
opened 2026-05-05 07:12:36 -06:00 by gitea-mirror · 12 comments

Originally created by @liloman on GitHub (Jul 16, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1388

Hi,

Another round of problems solving: :)

  1. If you type a dir with an ending / it doesn't work:

```bash
whitelist ~/mydir/
```

I reckon it should work as usual.

  2. When you whitelist symlinked files it doesn't whitelist the origin dir:

```bash
$ mkdir test; echo hiiiiii > test/myfile
$ ln -s test/ test-sym
$ ls test-sym/
myfile
```

And then in your profile:

```bash
whitelist test-sym/myfile
```

It properly whitelists:
test/
test/myfile

But it doesn't whitelist:
test-sym/

This scenario is my normal setting. :)

Cheers and greetings. :)


@Fred-Barclay commented on GitHub (Nov 8, 2017):

G'day @liloman !
#1 works normally on my system. I haven't been able to test #2 yet.
Since we've had the 0.9.50 release after your post, would it be possible for you to test this again and see if the problems remain?
Thanks!
Fred


@liloman commented on GitHub (Nov 9, 2017):

```
$ firejail --version
firejail version 0.9.51

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is disabled
- git install support is disabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is disabled
```

I confirm that I still have the two issues.

I can't whitelist a dir ending with "/", and it doesn't whitelist the realpath of the symlink. :)

Cheers and thanks!!!


@Fred-Barclay commented on GitHub (Nov 10, 2017):

What distro is this?


@liloman commented on GitHub (Nov 15, 2017):

Fedora 24.


@curiosity-seeker commented on GitHub (Nov 16, 2017):

You know that Fedora 24 is EOL?

See https://fedoramagazine.org/fedora-24-eol/


@chiraag-nataraj commented on GitHub (Aug 20, 2018):

@liloman Is this still an issue?


@chiraag-nataraj commented on GitHub (Aug 22, 2018):

Closing for inactivity. @liloman, please feel free to re-open if you still have this issue.


@bircoph commented on GitHub (Oct 31, 2018):

I have issue №2 with firejail-0.9.56 on Gentoo:

I have some directories in $HOME as symlinks, e.g.:

```
.config -> .private/.config
```

And now whitelists and blacklists for files within .config don't work properly:

```bash
$ firejail --profile=/etc/firejail/firefox.profile bash
$ ls -al .config
total 0
drwx------ 3 andrew andrew  60 Oct 31 23:52 .
drwx------ 7 andrew andrew 280 Oct 31 23:52 ..
drwx------ 2 andrew andrew  40 Oct 31 23:52 dconf
$ ls -al .private/.config
total 72
drwxr-xr-x  7 andrew andrew   200 Oct 31 23:52 .
drwxr-xr-x 10 andrew andrew   200 Oct 31 23:52 ..
-rw-r--r--  1 andrew andrew 41149 Sep 30 21:53 Trolltech.conf
drwx------  2 andrew andrew  4096 Oct 29 03:45 dconf
drwx------  2 andrew andrew  4096 Oct 29 03:56 gtk-2.0
drwxr-xr-x  2 andrew andrew  4096 Oct 31 22:07 gtk-3.0
drwx------  3 andrew andrew  4096 Feb 14  2014 ibus
-rw-------  1 andrew andrew   102 Mar 13  2017 mimeapps.list
drwxr-xr-x  4 andrew andrew  4096 Sep 30 21:53 qt5ct
-rw-------  1 andrew andrew   695 Jun  8  2016 user-dirs.dirs
```

As can be seen, files within .private/.config are set up normally, but the .config symlink is not preserved. The only dir "dconf" is there because of the following in whitelist-common.inc:

```
# dconf
mkdir ${HOME}/.config/dconf
whitelist ${HOME}/.config/dconf
```

If I comment out the mkdir line, then the .config directory is not created at all.

For now, as a workaround, I added a script which creates all necessary symlinks before running firefox, but this affects other applications as well and the bug is very annoying. Please fix it by preserving all parent symlinks when necessary.

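Both reports above (the opening post's `whitelist ~/mydir/` and `whitelist test-sym/myfile`, and the `.config -> .private/.config` case) come down to the same two questions about a whitelist path: does it carry a trailing slash, and which of its components are symlinks that the sandbox would have to recreate? The helper below, added here as an example and not code from the issue or from firejail, answers both for every `whitelist` line in a profile. It strips trailing slashes, prints one `ln -s TARGET LINK` line per symlinked component (the same links the workaround script in the previous comment has to create before the application starts), and reports the resolved path. The function names, the `demo` layout and the profile file it reads are constructed for this example; it assumes GNU or busybox coreutils for `readlink -f`, paths without spaces, and an existing path so that the symlink checks are meaningful.

```shell
#!/bin/sh
# Hypothetical helper for checking firejail whitelist paths (not part of
# firejail). For each "whitelist PATH" line it prints:
#   - the path with trailing "/" stripped (reporter: "whitelist ~/mydir/" fails)
#   - an "ln -s TARGET LINK" line for every symlink on the path, parents first
#     (reporter: the real dir is whitelisted, the symlink pointing at it is not)
#   - a comment with the fully resolved path
# Assumes GNU/busybox coreutils (readlink -f) and paths without spaces.

# strip_trailing_slash PATH -> PATH without trailing "/" ("/" itself stays "/")
strip_trailing_slash() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# symlink_components PATH -> one "ln -s TARGET LINK" line per symlink found
# while walking PATH component by component. No output means no symlink is
# involved and a plain whitelist line is enough.
symlink_components() {
    p=$(strip_trailing_slash "$1")
    case $p in
        /*) cur="";  rest=${p#/} ;;   # absolute: components appended to ""
        *)  cur="."; rest=$p ;;       # relative: walk from the current dir
    esac
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        if [ -n "$comp" ]; then       # skip empty components from "a//b"
            cur="$cur/$comp"
            if [ -L "$cur" ]; then
                printf 'ln -s %s %s\n' "$(readlink "$cur")" "$cur"
            fi
        fi
    done
}

# expand_whitelist PROFILE -> every "whitelist" line normalised, followed by
# the ln -s lines its symlinked components need and the resolved path.
# ${HOME} and ~ are expanded the way firejail profiles use them; other lines
# are passed through unchanged.
expand_whitelist() {
    while IFS= read -r line; do
        case $line in
            whitelist\ *) ;;
            *) printf '%s\n' "$line"; continue ;;
        esac
        raw=${line#whitelist }
        case $raw in
            '${HOME}'*) raw="$HOME${raw#'${HOME}'}" ;;
            '~'*)       raw="$HOME${raw#'~'}" ;;
        esac
        path=$(strip_trailing_slash "$raw")
        printf 'whitelist %s\n' "$path"
        symlink_components "$path"
        printf '# resolves to %s\n' "$(readlink -f "$path")"
    done < "$1"
}

# demo: rebuild the opening post's layout (constructed here, in a temp dir)
#   test/myfile   and   test-sym -> test/
# and run the two whitelist lines from that post through expand_whitelist.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/test"
    echo hiiiiii > "$tmp/test/myfile"
    ln -s test/ "$tmp/test-sym"
    printf 'whitelist %s/test-sym/myfile\nwhitelist %s/test/\n' \
        "$tmp" "$tmp" > "$tmp/demo.profile"
    expand_whitelist "$tmp/demo.profile"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Running the file with `demo` as its argument prints, for the symlinked entry, the normalised `whitelist` line, `ln -s test/ …/test-sym` and `# resolves to …/test/myfile`; for the `test/` entry it prints only the slash-stripped line and its resolved path, since no symlink is involved. The `ln -s` lines are exactly what a pre-launch script such as the one described in the previous comment has to run inside the sandbox; the helper only reports what the sandboxed home would lack, it does not change what firejail bind-mounts.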

@SkewedZeppelin commented on GitHub (Oct 31, 2018):

@bircoph if you are using ecryptfs for that .private directory, consider switching to full home directory encryption (ecryptfs-migrate-home) instead as cleaner workaround for now.

slight ot: also see https://defuse.ca/audits/ecryptfs.htm


@bircoph commented on GitHub (Oct 31, 2018):

No, I do not use ecryptfs. I use LUKS, though I do not want to encrypt full home due to various reasons.


@chiraag-nataraj commented on GitHub (May 21, 2019):

LUKS shouldn't affect this. Is this still an issue?


@rusty-snake commented on GitHub (Aug 22, 2019):

@liloman @bircoph
I'm closing here due to inactivity, please feel free to reopen if you still have this issue.

Reference: github-starred/firejail#949