Bug#983746: firejail: with --private=, an existing "bin" directory is read-only

2021-03-01 Thread Vincent Lefevre
On 2021-03-02 01:29:19 +0100, Reiner Herrmann wrote:
> I've raised the question upstream what the intended behaviour of ${HOME}
> is, whether it should apply to the private home as well or not.
> I can imagine that one would also be interested in having ${HOME} rules
> apply to the private directory. You could still have sensitive files
> inside a private home directory that you want to protect from
> processes running in there.

I would have thought that the typical use is to create a directory,
copy a minimum number of (non-confidential) files in it, and do
all the dirty work in it via "firejail --private=". I do that for
testing actively developed 3rd party software, and this needs
something like "make install" each time the software is updated.
If bin is read-only, this doesn't work.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#983746: firejail: with --private=, an existing "bin" directory is read-only

2021-03-01 Thread Reiner Herrmann
Control: forward -1 https://github.com/netblue30/firejail/issues/4026
Control: severity -1 normal

Hi Vincent,

On Tue, Mar 02, 2021 at 12:22:09AM +0100, Vincent Lefevre wrote:
> This is misused in the case of a private home directory. This rule
> should apply against the original home directory, not the private
> home directory.
> 
> The same should apply to all the other "read-only ${HOME}/..." rules
> as well.

I've raised the question upstream what the intended behaviour of ${HOME}
is, whether it should apply to the private home as well or not.
I can imagine that one would also be interested in having ${HOME} rules
apply to the private directory. You could still have sensitive files
inside a private home directory that you want to protect from
processes running in there.

Kind regards,
  Reiner




Bug#983746: firejail: with --private=, an existing "bin" directory is read-only

2021-03-01 Thread Vincent Lefevre
On 2021-03-01 19:25:22 +0100, Reiner Herrmann wrote:
> Hi Vincent,
> 
> On Mon, Mar 01, 2021 at 02:49:32AM +0100, Vincent Lefevre wrote:
> > When using --private=, an existing "bin" directory in 
> > is read-only. This is silly: this means that one cannot restart
> > a firejail session:
> > 
> [...]
> > 
> > I don't see the point to have "bin" read-only in this case, as the
> > purpose of "--private=" is that this "bin" directory is specific to
> > the firejail session.
> 
> The reason why the bin directory is mounted read-only is the
> disable-common.inc file that is included in the default and many other
> profiles:
>   read-only ${HOME}/bin

AFAIK, the goal of this line is to make bin from the user's home
directory read-only. This is useful as a general rule, where the
user's home directory in the jail is the same as the normal one
(it seems that disable-common.inc is included by all profiles).

This is misused in the case of a private home directory. This rule
should apply against the original home directory, not the private
home directory.

The same should apply to all the other "read-only ${HOME}/..." rules
as well.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#983746: firejail: with --private=, an existing "bin" directory is read-only

2021-03-01 Thread Reiner Herrmann
Hi Vincent,

On Mon, Mar 01, 2021 at 02:49:32AM +0100, Vincent Lefevre wrote:
> When using --private=, an existing "bin" directory in 
> is read-only. This is silly: this means that one cannot restart
> a firejail session:
> 
[...]
> 
> I don't see the point to have "bin" read-only in this case, as the
> purpose of "--private=" is that this "bin" directory is specific to
> the firejail session.

The reason why the bin directory is mounted read-only is the
disable-common.inc file that is included in the default and many other
profiles:
  read-only ${HOME}/bin

It's writable the first time, because it does not exist yet when the
jail is created.

If you want to allow writing in this directory, you can add a local
override in the file /etc/firejail/disable-common.local with this line:
  ignore read-only ${HOME}/bin

Alternatively you can create your own profile that does not include
disable-common.inc.

Kind regards,
  Reiner


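A simplified model of the profile resolution discussed in this thread, as an added example that is not firejail's own code: it walks constructed stand-ins for default.profile and disable-common.inc, honours an "ignore" line placed in disable-common.local, and maps ${HOME}/bin onto the --private= directory. That the private directory is mounted over the home path inside the jail, and that "ignore" masks later lines by whole-word prefix, are assumptions about firejail's behaviour made for this model.

```python
REAL_HOME = "/home/vinc17"            # constructed stand-in for $HOME
PRIVATE_DIR = "/home/vinc17/fj-test"  # the --private= directory from the report
# Constructed stand-ins for /etc/firejail/*.profile, *.inc and *.local files.
PROFILES = {
    "default.profile": ["include disable-common.inc"],
    "disable-common.inc": [
        "include disable-common.local",  # local overrides are read first
        "# keep a sandboxed program from dropping commands into ~/bin",
        "read-only ${HOME}/bin",
    ],
}

def resolve(profiles, name, home, ignore_list=None, readonly=None):
    """Return the read-only paths a profile yields, as seen inside the jail."""
    ignore_list = [] if ignore_list is None else ignore_list
    readonly = [] if readonly is None else readonly
    for raw in profiles.get(name, []):  # an absent .local file is skipped
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            resolve(profiles, line.split(None, 1)[1], home, ignore_list, readonly)
        elif line.startswith("ignore "):
            ignore_list.append(line.split(None, 1)[1])
        # "ignore" masks later lines by whole-word prefix (model assumption)
        elif any(line == i or line.startswith(i + " ") for i in ignore_list):
            continue
        elif line.startswith("read-only "):
            readonly.append(line.split(None, 1)[1].replace("${HOME}", home))
    return readonly

def host_path(jail_path, home, private_dir):
    # Assumption: --private=DIR is mounted over the home directory inside the
    # jail, so ${HOME}/bin in the jail is DIR/bin on the host.
    if jail_path == home or jail_path.startswith(home + "/"):
        return private_dir + jail_path[len(home):]
    return jail_path

def is_readonly(host_file, profiles, home=REAL_HOME, private_dir=PRIVATE_DIR):
    locked = [host_path(p, home, private_dir)
              for p in resolve(profiles, "default.profile", home)]
    return any(host_file == p or host_file.startswith(p + "/") for p in locked)

def with_override(profiles):
    # The fix from the reply: an "ignore" line in /etc/firejail/disable-common.local
    return dict(profiles, **{"disable-common.local": ["ignore read-only ${HOME}/bin"]})

def demo():
    target = PRIVATE_DIR + "/bin/blah"  # the file "touch" failed on in the report
    return is_readonly(target, PROFILES), is_readonly(target, with_override(PROFILES))
```

demo() reports the file as read-only with the stock profiles and writable once the local override is in place, matching the two sessions in the original report.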


Bug#983746: firejail: with --private=, an existing "bin" directory is read-only

2021-02-28 Thread Vincent Lefevre
Package: firejail
Version: 0.9.64.4-2
Severity: important

When using --private=, an existing "bin" directory in 
is read-only. This is silly: this means that one cannot restart
a firejail session:

zira:~> firejail --private=$HOME/fj-test zsh
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 685072, child pid 685073
Child process initialized in 47.87 ms
zira% mkdir bin
zira% touch bin/foo
zira% ls -l bin
total 0
-rw-r--r-- 1 vinc17 vinc17 0 2021-03-01 02:32:19 foo
zira% 

Parent is shutting down, bye...

zira:~> firejail --private=$HOME/fj-test zsh
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 685097, child pid 685098
Child process initialized in 51.94 ms
zira% touch bin/blah
touch: cannot touch 'bin/blah': Read-only file system

I don't see the point to have "bin" read-only in this case, as the
purpose of "--private=" is that this "bin" directory is specific to
the firejail session.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.6-9
ii  libc6 2.31-9
ii  libselinux1   3.1-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.64.4-2
ii  iproute2   5.10.0-4
ii  iptables   1.8.7-1
ii  xauth  1:1.1-1
ii  xdg-dbus-proxy 0.1.2-2
ii  xpra   3.0.13+dfsg1-1
ii  xvfb   2:1.20.10-3

firejail suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)