Open Lizhijian-123 opened 1 year ago
I want to use firejail to realize the function that the files in the sandbox cannot be transferred outside.
From a process inside of the sandbox or outside? The latter one is impossible.
(Offtopic)
@Lizhijian-123
Please see the following links for how to format code blocks in markdown:
Thanks, got it.
Thank you for your reply. Please allow me to rephrase my question, as my original wording and expression may not have been accurate.
I'd like to run nautilus within a Firejail sandbox and restrict file movement from inside the sandbox to the outside. I would like to inquire if there is a way to prohibit the copying of files from within the sandbox to /run and /dev?
The command I'm using is: "firejail --private=/root/kkk --read-only=/ --env=GTK_THEME=Adwaita:dark --noprofile nautilus".
There are files "a.txt" and "c.txt" in the "/root/kkk" directory:

```console
[root@localhost kkk]# ls
a.txt c.txt
```

Then I run the command:

```console
[root@localhost kkk]# firejail --private=/root/kkk --read-only=/ --env=GTK_THEME=Adwaita:dark --noprofile nautilus
firejail version 0.9.73
Parent pid 3135, child pid 3136
The new log directory is /proc/3136/root/var/log
Child process initialized in 24.32 ms
** (nautilus:3): WARNING **: 09:56:15.846: Unable to get contents of the bookmarks file: Error opening file /root/.gtk-bookmarks: No such file or directory
```
In this command, I have configured the "/" directory as read-only in order to limit the movement of files within the sandbox (primarily those located under the root directory) into folders within the "/" directory. This is necessary because the contents of the "/" directory are shared between the sandbox and the outside environment.
However, I have noticed that even though I have set the root directory to be read-only, files from within the sandbox can still be copied to the /run and /dev directories. Please take a look at the following execution results.
```console
[root@localhost ~]# ls
a.txt c.txt
[root@localhost ~]# cp a.txt /run    # Copying successful.
[root@localhost ~]# cp a.txt /dev    # Copying successful.
[root@localhost ~]# cp a.txt /bin    # Copying failure
cp: cannot create regular file '/bin/a.txt': Read-only file system
```
I tried adding /run and /dev to the blacklist, but it had no effect. I would like to inquire if there is a way to prohibit the copying of files from within the sandbox to /run and /dev.
I want to realize that the content under /root in the sandbox is consistent with the content under /root in the user space, but isolated, that is, the modifications I make in the sandbox will not be synchronized to the user space /root.
As described above, when I set --private=/root/kkk, any actions performed within the sandbox, such as deleting or creating files, will be synchronized with the /root/kkk directory in the user space. However, if I set --private-home=/root/kkk, any actions performed within the sandbox will not be synchronized with the /root/kkk directory in the user space. This is a great feature, but using --private-home=/root results in an error, indicating that it is not possible to include the entire /root directory in the sandbox when using --private-home.
Is there any way to achieve the goal of copying the contents of the user's /root directory into the sandbox under /root and ensuring that modifications made within the sandbox do not synchronize with the user's /root directory? I have attempted to use mounting as a solution.
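The behaviour reported above (files still land in /run and /dev after `--read-only=/`, but not in /bin) follows from read-only being a per-mount option: marking the root mount `ro` does not touch directories that are separate mounts, such as /dev (devtmpfs) or /run (tmpfs). The script below is an added example for checking this from inside a sandbox; it is not code from the firejail project or from this issue. It assumes POSIX sh with awk and the `/proc/self/mountinfo` field layout; the `SAMPLE_MOUNTINFO` text is a constructed illustration of what a sandbox started with `--read-only=/` might show, not output captured from the reporter's system.

```shell
#!/bin/sh
# Added example (not firejail project code): find which mounts a sandboxed
# process can still write to. `--read-only=/` sets the `ro` option on the
# root mount only; every other mount keeps its own options, which is why
# /dev and /run stay writable while /bin does not.

# Constructed sample of /proc/self/mountinfo (assumed layout, for the
# stand-alone run). Fields: id, parent, major:minor, root, mount point,
# per-mount options, optional fields, "-", fstype, source, super options.
SAMPLE_MOUNTINFO='22 1 8:1 / / ro,relatime - ext4 /dev/sda1 rw
23 22 0:5 / /dev rw,nosuid - devtmpfs devtmpfs rw,size=4096k
24 22 0:19 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
25 22 0:6 / /proc rw,nosuid,nodev,noexec - proc proc rw
26 22 0:21 / /sys ro,nosuid,nodev,noexec - sysfs sysfs rw
27 22 8:1 /root/kkk /root rw,relatime - ext4 /dev/sda1 rw'

# writable_mounts: read mountinfo lines on stdin and print the mount point
# (field 5) of every mount whose per-mount options (field 6) lack "ro".
writable_mounts() {
    awk '{
        n = split($6, opts, ",")
        ro = 0
        for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        if (!ro) print $5
    }'
}

# probe_writable DIR...: try to create and remove a file in each directory
# and print the ones where that succeeds. This repeats the cp test from the
# issue without trusting mount metadata, so it also catches the case the
# maintainers mention: a root process that remounts a directory rw first.
probe_writable() {
    for d in "$@"; do
        f="$d/.fj-probe.$$"
        if : > "$f" 2>/dev/null; then
            rm -f "$f"
            printf '%s\n' "$d"
        fi
    done
}

# live_writable_mounts: the same check against the calling process's own
# view of the mount table, falling back to the sample when /proc is absent.
live_writable_mounts() {
    if [ -r /proc/self/mountinfo ]; then
        writable_mounts < /proc/self/mountinfo
    else
        printf '%s\n' "$SAMPLE_MOUNTINFO" | writable_mounts
    fi
}

# Stand-alone run on the constructed sample. Inside a sandbox you would run
# something like: firejail --read-only=/ --noprofile sh ./check-mounts.sh
# and call live_writable_mounts / probe_writable /run /dev /bin instead.
printf '%s\n' "$SAMPLE_MOUNTINFO" | writable_mounts
```

On the constructed sample the parser reports /dev, /run, /proc and /root as writable and omits / and /sys, matching the pattern in the cp output above. Note that `probe_writable` reflects the current process's privileges: run as root, a directory that was remounted rw will show up as writable even though the mount table said `ro` a moment earlier.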
> I want to use firejail to realize the function that the files in the sandbox cannot be transferred outside.
>
> From a process inside of the sandbox or outside? The latter one is impossible.

inside the sandbox
Sandboxing GUI file managers (like Nautilus) is an exercise in futility IMO. That's one of the reasons we don't enable any file managers by default in firecfg. We've had questions about this topic before. A search through our repo could provide you with some more context. Additionally, attempting to run it as root is bound to run into obstacles:
You can change that limit, but do you really want to waste all that RAM?
I'm not entirely sure about the use-case, but IMO using a 'regular' bind mount as read-only technique without Firejail seems less stressful (to the OS and its user both). Have you tried to look into that yet?
Thank you for your reply. Do you mean I can only copy a maximum of 500M using commands like --private-home, or is it in RAM? This is surprising.
I mount the /root directory into the sandbox read-only, so that the contents of /root can be seen but not modified in the sandbox. The effect of this is not bad, but it is not a satisfactory solution. As people know, firejail is a great work; thanks for your contributions. I need to spend more time to learn how to use firejail, it's a little hard for me. Thank you.
Can you explain more on your threat model? Because if you want to secure this against malicious code, you have to do more. What about D-Bus, it can be used to write files too; if you run as root, the program can just `remount,rw` the directories. What's your result with `--read-only=/*`?
My goal is to implement everything in the sandbox that can see the user space, but I can't move the things in the sandbox to outside the sandbox, so I did a few things:
I want to use firejail to realize the function that the files in the sandbox cannot be transferred outside. I use the --read-only=/ command, but I can still copy the files in the sandbox to the /run and /dev directories. How can I set it up? Make /run and /dev read-only in the sandbox?

```console
[root@localhost myroot]# firejail --noprofile --private=/root/lzj/ --read-only=/
firejail version 0.9.73
Parent pid 2771, child pid 2772
The new log directory is /proc/2772/root/var/log
Child process initialized in 113.43 ms
[root@localhost ~]# ls
bcd b.txt myroot
[root@localhost ~]# cp b.txt /run
[root@localhost ~]# cp b.txt /dev
[root@localhost ~]# cp b.txt /etc
cp: cannot create regular file '/etc/b.txt': Read-only file system
[root@localhost ~]#
```
In addition, I use --private=/root/lzj, my behavior in the sandbox will be saved outside the sandbox, such as creating a new file, when the sandbox is closed, the file under /root/lzj/ still exists. --private-home=/root/lzj can solve this problem, but --private-home=/root will fail, is there a way to solve this?
```console
[root@localhost ~]# firejail --private-home=/root
Reading profile /root/.config/firejail/server.profile
Reading profile /root/.config/firejail/disable-common.inc
Reading profile /root/.config/firejail/disable-programs.inc
Reading profile /root/.config/firejail/disable-write-mnt.inc
Reading profile /root/.config/firejail/disable-xdg.inc
Note: you can use --noprofile to disable server.profile
firejail version 0.9.73
Parent pid 2961, child pid 2962
The new log directory is /proc/2962/root/var/log
Error: invalid file /root
Error: proc 2961 cannot sync with peer: unexpected EOF
Peer 2962 unexpectedly exited with status 1
[root@localhost ~]#
```