Unexpected TAB-completion behaviour in GDB that's hard to trace to the .inputrc and --tab options.

[blaa]

Description

GDB within firejail (I use jails for many things, including development) doesn't have working TAB-completion. Still, completion works in ZSH, Emacs, IPython, or the same GDB outside the jail.

Steps to Reproduce

1. Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir

2. firejail out of thin air creates .inputrc file with a single line set disable-completion on

3. This causes GDB (readline in general) to drop TAB-completion.

Expected behavior

Tab-completion in GDB within jail and outside working the same unless I explicitly ask to alter behaviour.

I'd expect jail software to not mess with readline configuration. I wasn't expecting this, didn't turn it on (with profile, option or anything else) and was flabbergasted for over 3 hours trying to solve it. I've checked various TERM options, stty, straced gdb process, etc.

My main problem was how to "find" the culprit. I was mostly searching for GDB related information which was a mistake. I should have searched for readline. But GDB was the only thing that didn't work (zsh worked, ipython, emacs every other thing I used was OK).

Manual doesn't have IMHO good description of the case:

--tab  Enable shell tab completion in sandboxes using private or whitelisted home directories.

Why doesn't it speak about .inputrc? Readline? Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.

Why is "notab" a default? Does it impact "security"? How?

Actual behavior

GDB doesn't auto-complete and instead of coding I'm debugging gdb. It's difficult issue to google. It should "just work". I was trying for 3 hours various TERM= options, stty, stracing GDB behaviour to no avail. Only after copying /etc/inputrc to ~/.inputrc (in jail) I fixed that, and later noticed that the file WAS THERE BEFORE COPYING, although I haven't created it. I've never messed with this file before so I didn't expect that.

Checklist

• [x] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• [x] I can reproduce the issue without custom modifications (e.g. globals.local).
• [ ] NO: The program has a profile. (I don't need profiles here)
• [x] I have performed a short search for similar issues (to avoid opening a duplicate). (I DID!)

Log

bla@rix ~/_jails λ mkdir xxx; firejail --noprofile --disable-mnt --private=./xxx --hostname=xxx --name=xxx --private-tmp zsh
Parent pid 141434, child pid 141435
Warning: not remounting /var/lib/docker/btrfs
Warning: not remounting /var/lib/docker/btrfs
Child process initialized in 31.64 ms
bla@xxx ~ λ cat .inputrc   
set disable-completion on

[glitsj16]

Create new jail: firejail --noprofile --disable-mnt --name=somename --private=newdir

The --tab option works with --private but not with --private=foo. This could be made more clear in the man page, I agree.

See https://github.com/netblue30/firejail/issues/5204 for discussion and workaround.

[rusty-snake]

Why doesn't it speak about .inputrc? Readline?

Because that's implementation details. And the manpage is an end-user documentation that should focus on usage and results. The implementation can be documented in a seperate/integrated developer documentation.

Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.

The notab behaviour is only triggered if you use whitelist ${HOME}/foo or --private=${HOME}/foo i.e. if the sandbox does not use your real home.

Why is "notab" a default? Does it impact "security"? How?

If someone can me explain this ... Or show me the discussion for this feature-request. Or tell me why this bad UX is the default, but only sometimes (=security requires always).

[blaa]

Why doesn't it speak about .inputrc? Readline?

Because that's implementation details. And the manpage is an end-user documentation that should focus on usage and results. The implementation can be documented in a seperate/integrated developer documentation.

.xinputrc might be in fact implementation detail - agreed. The fact that it changes behaviour of all readline-driven applications is not. Man page is not right when it says 'shell tab completion'. Especially since it doesn't alter zsh behaviour.

I'm a user here and have a completely user perspective, wouldn't find it in developer documentation without a hint in a man page.

Why does it say something about directories? How does it relate to directories at all? In bash - maybe, but that's a much wider option.

The notab behaviour is only triggered if you use whitelist ${HOME}/foo or --private=${HOME}/foo i.e. if the sandbox does not use your real home.

Ok! Thanks. I was confused and misread that it alters completion in some whitelisted set of directories. Maybe instead of sandboxes using private or whitelisted home directories something like: that use private ... ? Still, that's a detail.

Why is "notab" a default? Does it impact "security"? How?

If someone can me explain this ... Or show me the discussion for this feature-request. Or tell me why this bad UX is the default, but only sometimes (=security requires always).

Especially since it's not enforced. Application can clear the .xinputrc or alter it and revert the behaviour. And it doesn't even work for all shells.