search

netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.71k stars 559 forks source link

firefox: cannot access /proc/self/map_files: Permission denied #4623

Open muziker opened 2 years ago

muziker commented 2 years ago

Description

It's less of a bug, more of wondering why firejail does this with firefox

Steps to Reproduce

  1. start firejail firefox as user
  2. ls /proc/pid of all instances of firefox
  3. cd /proc/pid of a firefox instance as user
  4. ls -l map_files : permission denied

Expected behavior

The directory is listed as user:user as the owner and group owner. An ls should show all mapped files

Actual behavior

It does not allow the user which started firejail firefox to list all the mapped files

Behavior without a profile

Starting firefox manually allows listing of the mapped files

Additional context

When using firejail to start firefox, to check outgoing socket connects, an lsof -i is used to show active connects. However lsof -i does not work when used together with firejail. Looking into /proc shows namespace isolation stops proper output of lsof -i, and related directories like the map_files are not readable by the user.

Environment

Ubuntu 20.04 , firefox 93.0 from repo, firejail 0.9.62 from repo.

rusty-snake commented 2 years ago

ping, there's a discussion in #5035.