Open matu3ba opened 3 years ago
looks like a wild pointer to me. The only occurence of after
is in build_profile.c on line 95: printf("--- Built profile beings after this line ---\n");
Is there a way to run firejail within valgrind or do I need to use gdb for this?
UPDATED description.
Is there a way to run firejail within valgrind or do I need to use gdb for this?
Maybe this is helpful https://github.com/netblue30/firejail/wiki/Debugging-Firejail#advanced-troubleshooting.
ASAN build would be nice too however I did not make it work so far.
Just run fbuilder
manually. It will be much easier to debug.
/usr/lib64/firejail/fbuilder nvim
(probably)
ASAN build would be nice too however I did not make it work so far.
+1 I also tried a while back but didn't make it past an endless loop in the instrumented binary.
nvm. I should not use mold for this stuff.
~~The binary seems very messed up. valgrind cant read the debug sections. Can you confirm this?
Changing common.mk
by removing -O2
did not change this for me.~~
objdump -h fbuilder
returns very oddly looking 2 .rodata sections
12 .rodata 00000202 0000000000001a50 0000000000001a50 00001a50 2**4
CONTENTS, ALLOC, LOAD, READONLY, DATA
13 .rodata 00001260 0000000000001c60 0000000000001c60 00001c60 2**4
CONTENTS, ALLOC, LOAD, READONLY, DATA
~~and valgrind has problem to read the debug data:
valgrind --leak-check=full -s ./fbuilder ~/.local/nvim/bin/nvim +q
~~
Building with -fanalyzer
(gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1)
) finds
Description
Path handling for
firejail --build nvim
is broken.Steps to Reproduce
Steps to reproduce the behavior
LANG=C firejail --build nvim
allow ${HOME}/.local/share/nvim/site/after,/etc/xdg/nvim/after,/home/misterspoon/.config/kdedefaults/nvim/after,/home/misterspoon/.config/nvim/after/start
Expected behavior
There should be never invalid paths generated. I hope this code is not used elsewhere.
Actual behavior
site/after,/ ... nvim/after, and especially
/kdedefaults/nvim/after,
looks broken. Invalid path generated.Additional context
PATH contains the path to nvim installation from source. I have a file $HOME/.local/share/nvim/site/pack/packer/start/coq_nvim/.vars/runtime/lib/python3.9/site-packages/pip/_vendor/tenacity/after.py and $HOME/.local/share/nvim/site/pack/packer/start/coq_nvim/.vars/runtime/lib/python3.9/site-packages/pip/_vendor/tenacity/pycache/after.cpython-39.pyc.
Environment
firejail --version
). master with commit 32fb5edd557d64945a39393e8c4fe8ba7fed4d93Checklist
/usr/bin/vlc
) "fixes" it).https://github.com/netblue30/firejail/issues/1139
)browser-allow-drm yes
/browser-disable-u2f no
infirejail.config
to allow DRM/U2F in browsers.--profile=PROFILENAME
to set the right profile. (Only relevant for AppImages)Log
Output of
firejail --build nvim
``` # Firejail profile for nvim # Persistent local customizations #include nvim.local # Persistent global definitions #include globals.local ### Basic Blacklisting ### ### Enable as many of them as you can! A very important one is ### "disable-exec.inc". This will make among other things your home ### and /tmp directories non-executable. include disable-common.inc # dangerous directories like ~/.ssh and ~/.gnupg #include disable-devel.inc # development tools such as gcc and gdb #include disable-exec.inc # non-executable directories such as /var, /tmp, and /home #include disable-interpreters.inc # perl, python, lua etc. include disable-programs.inc # user configuration for programs such as firefox, vlc etc. #include disable-shell.inc # sh, bash, zsh etc. #include disable-xdg.inc # standard user directories: Documents, Pictures, Videos, Music ### Home Directory Whitelisting ### ### If something goes wrong, this section is the first one to comment out. ### Instead, you'll have to relay on the basic blacklisting above. allow ${HOME}/.local/nvim/lib/nvim allow ${HOME}/.gitconfig allow ${HOME}/.config/git allow ${HOME}/.local/nvim/lib/nvim/plugin allow ${HOME}/.local/share/nvim allow ${HOME}/.local/share/nvim/site/plugin allow ${HOME}/.local/share/nvim/site/after/pack allow ${HOME}/.local/share/nvim/site/after/start allow ${HOME}/.local/nvim/lib/nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/zig.vim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/zig.vim/ftdetect/ allow ${HOME}/.local/share/nvim/site/pack/packer/start/which-key.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/todo-comments.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/telescope.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/telescope-project.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/telescope-fzf-native.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/popup.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/plenary.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/packer.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/one-small-step-for-vimkind/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/nvim-luadev/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/nvim-lspconfig/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/material.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/lightspeed.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/gitsigns.nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/coq_nvim/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/coq_nvim/ftdetect/ allow ${HOME}/.local/share/nvim/site/pack/packer/start/coq.artifacts/ftdetect allow ${HOME}/.local/share/nvim/site/ftdetect allow ${HOME}/.local/share/nvim/site/pack/packer/start/material.nvim/lua/material allow ${HOME}/.local/share/nvim/site/pack/packer/start/material.nvim/colors allow ${HOME}/.local/share/nvim/site/pack/packer/start/telescope-project.nvim/lua/telescope/_extensions allow ${HOME}/.local/share/nvim/site/pack/packer/start/telescope-fzf-native.nvim/lua allow ${HOME}/.local/share/nvim/site/pack/packer/start/telescope-fzf-native.nvim/lua/telescope/_extensions allow ${HOME}/.local/share/nvim/site/pack/packer/start/plenary.nvim/lua/plenary allow ${HOME}/.local/share/nvim/site/pack/packer/start/telescope.nvim/lua/telescope allow ${HOME}/.local/share/nvim/site/pack/packer/start/nvim-lspconfig/lua allow ${HOME}/.local/share/nvim/site/pack/packer/start/packer.nvim/lua allow ${HOME}/.local/share/nvim/site/after,/etc/xdg/nvim/after,/home/misterspoon/.config/kdedefaults/nvim/after,/home/misterspoon/.config/nvim/after/start allow ${HOME}/.local/share/nvim/site/after,/etc/xdg/nvim/after,/home/misterspoon/.config/kdedefaults/nvim/after,/home/misterspoon/.config/nvim/after/pack allow ${HOME}/.local/nvim/lib/nvim/start allow ${HOME}/.local/nvim/lib/nvim/pack allow ${HOME}/.local/share/nvim/site/start allow ${HOME}/.local/share/nvim/site/pack/packer/start/ allow ${HOME}/.local/share/nvim/site/pack/ allow ${HOME}/.config/nvim allow ${HOME}/.local/nvim/share/nvim allow ${HOME}/.config/kdedefaults/nvim allow ${HOME}/.terminfo/78 allow ${HOME}/.terminfo/x allow ${HOME}/.cache/nvim include whitelist-common.inc ### Filesystem Whitelisting ### allow /usr/share/nvim allow /usr/share/terminfo include whitelist-usr-share-common.inc include whitelist-var-common.inc #apparmor # if you have AppArmor running, try this one! caps.drop all ipc-namespace netfilter #no3d # disable 3D acceleration #nodvd # disable DVD and CD devices #nogroups # disable supplementary user groups #noinput # disable input devices nonewprivs noroot #notv # disable DVB TV devices #nou2f # disable U2F devices #novideo # disable video capture devices protocol unix, net none seccomp shell none tracelog #disable-mnt # no access to /mnt, /media, /run/mount and /run/media private-bin tmux,python3.9,git #private-cache # run with an empty ~/.cache directory private-dev private-etc gitconfig,xdg, #private-lib #private-tmp # File accessed in /tmp directory: # /tmp/nvimKbSKzZ/, #dbus-user none #dbus-system none #memory-deny-write-execute ```