Closed curiositycasualty closed 4 years ago
For the moment, I'm willfully ignoring the libraries potentially compiled/installed by installed R packages
You can choose that location, for example when I was making a profile, R choose the my shell dir working directory, private-lib
is unwritable so it installed packages to ~/R/x86_64-pc-linux-gnu-library/4.0/
. This will need to set noexec
home and tmp (the packages are downloaded to /tmp/RTmpXXXX).
Where I'm stuck is trying to construct a profile with a private-bin and a private-lib that accommodates /usr/lib/R/bin/exec/R's runtime libraries...
You can express directories relative to /lib
to private-lib
: Here's mine that I used to download: install.packages("Rcmdr", dependencies=TRUE)
private-lib R,libreadline.so.8,libblas.so.3,libpcre2-8.so.0,libpcre2-8.so.0,liblzma.so.5,libbz2.so.1.0,libz.so.1,libtirpc.so.3,libtirpc.so.3,libicuuc.so.67,libicui18n.so.67,libgomp.so.1,liblapack.so.3,libcurl.so.4,libtiff.so.5
and my:
private-bin R,bash,less,lessecho,sh,uname,which,rm,tar,sed,mv
private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,inputrc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,os-release,mime.types,nsswitch.conf,pki,resolv.conf,R,Renviron.site,Rprofile.site,selinux,ssl,sysless
The three above probably need some refining...
I think, making a profile for it doesn't seem practical,since it acts as a package manager too, it'll need exeutables/libs to be listed depending on the package you install and this profile won't be portable to another system/distro. And private-lib
only works on amd64 I think.
I guess I should close the loop. Thank you @kortewegdevries for your suggestions.
What I ended up doing was using ldd
on /usr/lib/R/bin/exec/R
to generate a list of libs for a firejail profile. In my case:
exec_R_libs: %x(ldd /usr/lib/R/bin/exec/R).lines.map do |line|
line.match(/\/([^ \/]+)(?: \(0x)/)
end.reject(&:nil?).map{|match| match[1]}.join(',')
This is for my very narrow use-case of an <app>
that is a tomcat application w/ R script and execution integration.
Not pictured here:
br0
interface/usr/local/bin/shims/uname
replacement (because R can be dumb)restricted-network no
in /etc/firejail/firejail.config
to allow for net br0
echo 0 > /proc/sys/net/ipv4/ip_forward
so that localhost is the only reachable thing via br0
/etc/firejail/R.hosts
file so that the sandbox can do some DNS resolution "transparently"/etc/apparmor.d/use.bin.R
apparmor profile covering R
and Rscript
In so far as I can tell, it supports xvfb
use and pandoc's pdf
generation.
# Firejail profile for R
# Description: general markup converter
name r-sandbox
join-or-start r-sandbox
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
# breaks pdf output
# include whitelist-usr-share-common.inc
# although its tempting to use pre-baked profiles, many include "net none"
# which overlaps with our R profile
# include pandoc.profile
# needed since tomcat user shell is /bin/false
shell none
env R_HOME=/usr/lib/R
env R_HOME_DIR=/usr/lib/R
env CURLOPT_TIMEOUT=3
env CURLOPT_VERBOSE=1
nodvd
nosound
noautopulse
notv
nou2f
no3d
noroot
quiet
machine-id
x11 xvfb
hostname sandbox
hosts-file /etc/firejail/R.hosts
net br0
private-bin R,Rscript,basename,bash,bzip2,cat,curl,dash,mktexfmt,pandoc,pdflatex,pdftex,rm,sed,sh,tar,unzip,wget,which,zip,shims/uname
private-etc R,alternatives,ca-certificates,host.conf,hostname,hosts,inputrc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,mime.types,nsswitch.conf,os-release,pki,resolv.conf,selinux,ssl,localtime,fonts,services,pandoc,texmf,texlive
private-lib R,R/modules/*.so,R/library/*/libs/*.so,R/site-library/*/libs/*.so,libR.so,libc.so.6,libblas.so.3,libm.so.6,libreadline.so.8,libpcre.so.3,liblzma.so.5,libbz2.so.1.0,libz.so.1,libdl.so.2,libicuuc.so.66,libicui18n.so.66,libgomp.so.1,libpthread.so.0,ld-linux-x86-64.so.2,libtinfo.so.6,libicudata.so.66,libstdc++.so.6,libgcc_s.so.1,x86_64-linux-gnu/openblas-pthread/libblas.so.3,x86_64-linux-gnu/lapack/liblapack.so.3
private-tmp
private-dev
whitelist /usr/share/pandoc
whitelist /var/lib/pandoc
whitelist /usr/share/texmf
whitelist /var/lib/texmf
whitelist /usr/share/texlive
whitelist /var/lib/texlive
read-only /usr/local/share/R
read-write /<app>/tomcat-tmp/reports_temp
read-only /<app>/<app>/files
noexec /tmp
noexec ${HOME}
I've been tasked with sandboxing R (on Ubuntu 20.04). I've already got a trustworthy AppArmor profile that seems to fit over-top of firejail correctly; except AppArmor doesn't offer much in the way of network-sandboxing and my sandboxed R ultimately needs to be able to talk to a webserver on localhost over ports
80
and443
. So firejail's networking capability and/etc/firejail/webserver.net
piqued my interest. The webserver's R integration is either through an R package/client (needing to talk to localhost on ports80
and443
), And/or writing an R script and input files to disk, executing the R script, and then reading the output file generated by executing the R script. The firejail sandboxing needs to support both methods.However, I think I'm running into a devilishly devised snare caused by a combination of R's overlapping binary names and firejail's generous
private-*
search behaviour.R essentially has a single, binary interpreter:
/usr/lib/R/bin/exec/R
but wraps it in a handful of shell scripts, some of which are also namedR
(like:/usr/bin/R
and/usr/lib/R/bin/R
):For the moment, I'm willfully ignoring the libraries potentially compiled/installed by installed R packages, which generally wind up in a
lib
dir under the package's own dir within/usr/local/lib/R/site-library
:Where I'm stuck is trying to construct a profile with a
private-bin
and aprivate-lib
that accommodates/usr/lib/R/bin/exec/R
's runtime libraries:It seems to me that binaries along
private-bin
and libs alongprivate-lib
paths are scanned withldd
to collect runtime library requirements, but since the R interpreter sits under/usr/lib/...
, I'm unable to add it to aprivate-bin
line in my profile.I'm also concerned that upon finding multiple "
R
"s, firejail is overwriting them when placing them into the jail-- as there seems to be an implicit assumption that there will only ever be 1 binary of a given name (or there only the first binary of a given name will be added to the jail) found along PATH.I'm in a special kind of hell. Please help me.