search

netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.81k stars 567 forks source link

Add support for running inside distrobox #6144

Open neurodiverseEsoteric opened 10 months ago

neurodiverseEsoteric commented 10 months ago

I tried running ˋfirejail --force ---private librewolfˋ inside a distrobox of archlinux on a fedora-based distro which doesn't offer librewolf at all, but firejail still ignored everything for being run inside of a "sandbox..."

rusty-snake commented 10 months ago

How old is your firejail?

You should upgrade to fix multiple vulnerabilities.

rusty-snake commented 10 months ago

Regarding LW: https://librewolf.net/installation/fedora/ https://librewolf.net/installation/linux/

neurodiverseEsoteric commented 10 months ago

@rusty-snake

It's archlinux, it shouldn't be that old

neurodiverseEsoteric commented 10 months ago

@rusty-snake

That defeats the purpose of avoiding all host system and app breakages being blamed on my installing outsider software (it's not just librewolf)

glitsj16 commented 10 months ago

I tried running ˋfirejail --force ---private librewolfˋ inside a distrobox of archlinux on a fedora-based distro which doesn't offer librewolf at all, but firejail still ignored everything for being run inside of a "sandbox..."

(1) I'm assuming the triple dash in ---private is a typo and isn't the actual command you ran. (2) Firejail dropped the --force option since version 0.9.54: https://github.com/netblue30/firejail/blob/db09546f2946c921da1b07d9d3569c287238989b/RELNOTES#L490-L491

For example, when running firejail --force --private librewolf on Arch Linux with 0.9.72, you should see:

Error: invalid --force command line option

Not sure what the actual problem is. Can you rephrase your issue?

neurodiverseEsoteric commented 10 months ago

Oh if it did throw that error i didn't see it...how do I put --force back in?

rusty-snake commented 10 months ago

4c71ddbcd https://github.com/turgs/firejail-force

neurodiverseEsoteric commented 10 months ago

ok thanks

rusty-snake commented 10 months ago

FWIW, the following contaiers are supported container=(lxc|docker|lxc-libvirt|systemd-nspawn|rkt) firejail ... according to

https://github.com/netblue30/firejail/blob/db09546f2946c921da1b07d9d3569c287238989b/src/firejail/no_sandbox.c#L29-L38

neurodiverseEsoteric commented 10 months ago

Wait nob that release is a thouzandoulus years old...

neurodiverseEsoteric commented 10 months ago

FWIW, the following contaiers are supported container=(lxc|docker|lxc-libvirt|systemd-nspawn|rkt) firejail ... according to

https://github.com/netblue30/firejail/blob/db09546f2946c921da1b07d9d3569c287238989b/src/firejail/no_sandbox.c#L29-L38

What would happen if I just naively added distrobox to the list?

rusty-snake commented 10 months ago

Either it works or it does not work.

neurodiverseEsoteric commented 10 months ago

It didn't work, firejail still detects a sandbox...

rusty-snake commented 10 months ago

https://github.com/netblue30/firejail/blob/db09546f2946c921da1b07d9d3569c287238989b/src/firejail/no_sandbox.c#L41-L47

That's the first check, if it still detects a sandbox you added the wrong value.

neurodiverseEsoteric commented 10 months ago

Ah, it might be one of these pod-based labels:

https://github.com/89luca89/distrobox/blob/3435f4d27070a99668bfa29a3e508db4ecc09009/distrobox-create#L441-L469

(how did you get the code preview thing?)

neurodiverseEsoteric commented 10 months ago

Okay I added the right values, but...

Reading profile /usr/local/etc/firejail/librewolf.profile
Reading profile /usr/local/etc/firejail/firefox-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-proc.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-run-common.inc
Reading profile /usr/local/etc/firejail/whitelist-runuser-common.inc
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
firejail version 0.9.73

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.own io.gitlab.librewolf.*" and 1 other dbus-user filter rule.
Parent pid 15028, child pid 15029
Warning: cannot find /var/run/utmp
Error: cannot create /dev/zero device: Operation not permitted
Error: proc 15028 cannot sync with peer: unexpected EOF
Peer 15029 unexpectedly exited with status 1
neurodiverseEsoteric commented 10 months ago

Does podman support need to be added into firejail?

rusty-snake commented 10 months ago
  1. Try if --profile=noprofile works.
  2. Try rootfull podman with --privileged and --security-opt=label=disable --security-opt=seccomp=unconfined
neurodiverseEsoteric commented 10 months ago

By rootful podman you mean run distrobox with the --root flag?

rusty-snake commented 10 months ago

I never used distrobox but firejail might not work inside rootless podman (https://github.com/containers/podman#rootless).

neurodiverseEsoteric commented 10 months ago

Distrobox keeps freezing the entire OS whever I try creating a rootful container...and the podman command used to "enter" the container, ˋpodman exec,ˋ doesn't take the "--security-opt" flag, anyway...