rusty-snake
commented
1 year ago AA has it's own configuration that hasn't any integration with other commands be it seccomp, caps, noexec or read-only. Labeling as enhancemnt.
Open NetSysFire opened 1 year ago
rusty-snake
commented
1 year ago AA has it's own configuration that hasn't any integration with other commands be it seccomp, caps, noexec or read-only. Labeling as enhancemnt.
glitsj16
commented
1 year ago @NetSysFire Hello. I've installed this from AUR yesterday and ran parsecd via firejail for a while with an as-is parsecd.profile (so needing all the steps to reproduce). Sadly I cannot reproduce anything of what was reported in #5646.
I noticed when ctrl+c'ing the application it complains of mty_sleep: 'nanosleep' failed with errno 4 and in the journal: Feb 11 17:59:16 archlinux kernel: audit: type=1300 audit(1676134756.097:498): arch=c000003e syscall=234 success=no exit=-13 a0=c a1=c a2=f a3=8 items=0 ppid=7627 pid=7639 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=2 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined key=(null) But i explicitely noblacklisted that syscall with !tgkill
Ctrl+c'ing acts without any complaints and nothing shows up in journalcl either. Did you make any changes to /etc/apparmor.d/firejail-default, or have a custom /etc/apparmor.d/local/firejail-default that might throw some light on this issue?
NetSysFire
commented
1 year ago Output of running parsecd and ctrl+c'ing after:
$ firejail parsecd
Reading profile /etc/firejail/parsecd.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !tgkill, check list: @default-keep, prelist: unknown,
Parent pid 3235017, child pid 3235018
2 programs installed in 3.50 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !tgkill, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 124.41 ms
[D 2023-03-02 12:02:42] log: Parsec release9 (150-86e)
^C
Parent received signal 2, shutting down the child process...
[D 2023-03-02 12:02:45] mty_sleep: 'nanosleep' failed with errno 4
Child received signal 2, shutting down the sandbox...
[D 2023-03-02 12:02:45] mty_sleep: 'nanosleep' failed with errno 4
Parent is shutting down, bye...local firejail-default:
$ cat /etc/apparmor.d/local/firejail-default
# Site-specific additions and overrides for 'firejail-default'.
# For more details, please see /etc/apparmor.d/local/README.
# Here are some examples to allow running programs from home directory.
# Don't enable all of these, just pick a specific one or write a custom rule
# instead as done below for torbrowser-launcher.
#owner @HOME/** ix,
#owner @HOME/bin/** ix
#owner @HOME/.local/bin/** ix
# Uncomment to opt-in to apparmor for brave + ipfs
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,
# Uncomment to opt-in to apparmor for brave + tor
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,
# Uncomment to opt-in to apparmor for firefox DRM (gmp-widevinecdm)
#owner @{HOME}/.mozilla/firefox/*/gm*/** ix,
# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
#owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
# Uncomment to opt-in to apparmor for torbrowser-launcher
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,firejail-default:
$ cat /etc/apparmor.d/firejail-default
#########################################
# Generic Firejail AppArmor profile
#########################################
# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
# and <abstractions/dbus-session-strict>.
#include <tunables/global>
##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
profile firejail-default flags=(attach_disconnected,mediate_deleted) {
##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,
# Add rule in order to avoid dbus-*=filter breakage (#3432)
owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
##########
# With ptrace it is possible to inspect and hijack running programs.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=@{profile_name},
ptrace (read,readby) peer=@{profile_name}//&unconfined,
##########
# Allow read access to whole filesystem and control it from firejail.
##########
/{,**} rklm,
##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
# Allow writing to /var/mail and /var/spool/mail (for mail clients)
# Uncomment to enable
#owner /var/{mail,spool/mail}/** w,
# Allow writing to removable media
owner /{,var/}run/media/** w,
# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,
# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,
# Allow access to avahi-daemon socket.
/{,var/}run/avahi-daemon/socket w,
# Allow access to pcscd socket (smartcards)
/{,var/}run/pcscd/pcscd.comm w,
# Needed for browser self-sandboxing
owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
# Needed for electron apps
/proc/@{PID}/comm w,
# Needed for nslookup, dig, host
/proc/@{PID}/task/@{PID}/comm w,
# Used by chromium
owner /proc/@{PID}/oom_score_adj w,
owner /proc/@{PID}/clear_refs w,
##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix,"
# or similar to /etc/apparmor.d/local/firejail-default (without the quotes).
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,
# Appimage support
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
##########
# Blacklist specific sensitive paths.
##########
deny /**/.fscrypt/ rw,
deny /**/.fscrypt/** rwklmx,
deny /**/.snapshots/ rw,
deny /**/.snapshots/** rwklmx,
##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark, tcpdump etc
network bluetooth,
network packet,
##########
# There is no equivalent in Firejail for filtering signals.
##########
signal (send) peer=@{profile_name}//&unconfined,
signal (send) peer=@{profile_name},
signal (receive),
##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
# The list of recognized capabilities varies from one apparmor version to another.
# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
# We allow all caps by default and remove the ones we don't like:
capability,
deny capability audit_write,
deny capability audit_control,
deny capability mac_override,
deny capability mac_admin,
# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-default>
}journalctl -r from just now:
Mar 02 12:02:45 archlinux kernel: audit: type=1327 audit(1677754965.693:28947): proctitle="parsecd"
Mar 02 12:02:45 archlinux kernel: audit: type=1300 audit(1677754965.693:28947): arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=f a3=8 items=0 ppid=3235018 pid=3235034 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=11 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux kernel: audit: type=1400 audit(1677754965.693:28947): apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=term peer="firejail-default//&unconfined"
Mar 02 12:02:45 archlinux audit: PROCTITLE proctitle="parsecd"
Mar 02 12:02:45 archlinux audit[3235034]: SYSCALL arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=f a3=8 items=0 ppid=3235018 pid=3235034 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=11 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux audit[3235034]: AVC apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=term peer="firejail-default//&unconfined"
Mar 02 12:02:45 archlinux kernel: audit: type=1327 audit(1677754965.683:28946): proctitle="parsecd"
Mar 02 12:02:45 archlinux kernel: audit: type=1300 audit(1677754965.683:28946): arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=2 a3=8 items=0 ppid=3235018 pid=3235034 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=11 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux kernel: audit: type=1400 audit(1677754965.683:28946): apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=int peer="firejail-default//&unconfined"
Mar 02 12:02:45 archlinux audit: PROCTITLE proctitle="parsecd"
Mar 02 12:02:45 archlinux audit[3235034]: SYSCALL arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=2 a3=8 items=0 ppid=3235018 pid=3235034 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=11 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux audit[3235034]: AVC apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=int peer="firejail-default//&unconfined"Validation I did not touch anything (/etc/apparmor.d/firejail-default is not listed because it is not a backup file and thus apparently not tracked):
pacman -Qii firejail
Name : firejail
Version : 0.9.72-1
Description : Linux namespaces sandbox program
Architecture : x86_64
URL : https://github.com/netblue30/firejail
Licenses : GPL2
Groups : None
Provides : None
Depends On : apparmor
Optional Deps : xdg-dbus-proxy: for D-Bus filtering [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 2.38 MiB
Packager : T.J. Townsend <blakkheim@archlinux.org>
Build Date : Mon 16 Jan 2023 05:18:57 PM CET
Install Date : Sat 04 Feb 2023 10:11:54 AM CET
Install Reason : Explicitly installed
Install Script : Yes
Validated By : Signature
Backup Files :
UNMODIFIED /etc/apparmor.d/local/firejail-default
MODIFIED /etc/firejail/firecfg.config
MODIFIED /etc/firejail/firejail.config
UNMODIFIED /etc/firejail/login.users-Qkk firejail also only reports /etc/firejail stuff to have changed:
backup file: firejail: /etc/firejail/firecfg.config (Modification time mismatch)
backup file: firejail: /etc/firejail/firecfg.config (Size mismatch)
backup file: firejail: /etc/firejail/firecfg.config (MD5 checksum mismatch)
backup file: firejail: /etc/firejail/firecfg.config (SHA256 checksum mismatch)
backup file: firejail: /etc/firejail/firejail.config (Modification time mismatch)
backup file: firejail: /etc/firejail/firejail.config (Size mismatch)
backup file: firejail: /etc/firejail/firejail.config (MD5 checksum mismatch)
backup file: firejail: /etc/firejail/firejail.config (SHA256 checksum mismatch)
firejail: 1338 total files, 0 altered filesThanks for posting your firejail-default files. Both are unedited, exact copies of what we have in git allright. So that's not an avenue for trying to debug.
Validation I did not touch anything (/etc/apparmor.d/firejail-default is not listed because it is not a backup file and thus apparently not tracked):
Yep, that makes sense from a packaging point of view. Users are supposed to make their changes to /etc/apparmor.d/firejail-default in /etc/apparmor.d/local/firejail-default. Again, no clues what might cause the differences we're both getting with parsecd.
At the moment I only have a long shot idea on how to proceed, and that's audit rules. I do have a few extra's in /etc/audit/rules.d. But those are copies of the examples under /usr/share/audit/sample-rules (meaning I didn't change their content and definately nothing is in there that relates to parsec AFAICT)... Perhaps you can double-check your /etc/audit/audit.rules and whether journalctl reports anything 'fishy' about those. A quick journalctl | grep audit.rules and journalctl | grep augenrules should clear up whether that's involved here or not.
glitsj16
commented
1 year ago I'm out of ideas. Still unable to reproduce after testing without my audit/apparmor customizations. Running a quick seccomp check confirms the tgkill syscall is allowed in the sandbox:
$ firejail --name=parsecd /usr/bin/parsecd
[D 2023-03-02 15:15:20] log: Parsec release17 (150-87)
[D 2023-03-02 15:16:10] login_pre_frame: Auth success: Standardin anoter terminal:
rusty-snake
commented
1 year ago Note that the usage of nanosleep can depend on libc version, architecture, kernel, ... rather low level details.
NetSysFire
commented
1 year ago At the moment I only have a long shot idea on how to proceed, and that's audit rules.
I have no custom audit rules. Both of your journalctl | grep commands do not return anything either. Also pacman -Qkk audit says audit: 206 total files, 0 altered files, too.
Description
See https://github.com/netblue30/firejail/pull/5646#pullrequestreview-1287071576
CC @glitsj16 because its theirs.
Steps to Reproduce
In that specific case:
seccomp !tgkillapparmortgkill, regardless of seccomp settings.Expected behavior
AppArmor using firejails seccomp list or it not filtering syscalls when that profile is already using seccomp.
Actual behavior
AppArmor does syscall filtering no matter what seccomp shenanigans are done in the profile, resulting in issues because some syscalls are still blocked.
Behavior without a profile
n/a
Additional context
n/a
Environment
Checklist
/usr/bin/vlc) "fixes" it).https://github.com/netblue30/firejail/issues/1139)browser-allow-drm yes/browser-disable-u2f noinfirejail.configto allow DRM/U2F in browsers.--profile=PROFILENAMEto set the right profile. (Only relevant for AppImages)Log
See PR.