netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Cannot mount usb flash drive (modprobe.d) #6389

Closed luckylinux closed 5 months ago

luckylinux commented 5 months ago

### Description

_Describe the bug_
Weird issues started occurring when I enabled firejail (and switched apparmor to enforcing mode).

I cannot mount an external USB flash drive anymore. I believe external hard drives are also affected.

### Steps to Reproduce

_Steps to reproduce the behavior_

  1. Plug the USB drive in.
  2. 
     root@HOST:/# lsusb
     ...
     Bus 003 Device 010: ID 090c:1000 Silicon Motion, Inc. - Taiwan (formerly Feiya Technology Corp.) Flash Drive
     ...

     root@HOST:/# dmesg
     ...
     [ 2016.596006] usb 3-6: USB disconnect, device number 9
     [ 2016.596810] systemd-journald[2068]: sd-device: Failed to chase symlinks in "/sys/dev/char/189:264".
     [ 2019.499524] usb 3-6: new high-speed USB device number 10 using xhci_hcd
     [ 2019.627454] usb 3-6: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
     [ 2019.627469] usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
     [ 2019.627477] usb 3-6: Product: Flash Drive
     [ 2019.627484] usb 3-6: Manufacturer: Samsung
     [ 2019.627489] usb 3-6: SerialNumber: 0372221080004100
     ...

     root@HOST:/# ls -l /dev/disk/by-id/

     !!! not listed !!!


### Expected behavior

_What you expected to happen_
USB Storage Drives should work correctly.

An external USB audio card works correctly, for instance.

### Actual behavior

_What actually happened_
USB Storage Drive doesn't work.

### Behavior without a profile

_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a
terminal?_
Unsure.

### Additional context

_Any other detail that may help to understand/debug the problem_
Output of `sysctl -a` attached.

### Environment
- Ubuntu GNU/Linux 24.04 Noble AMD64
- Firejail version (`firejail --version`): firejail version 0.9.72
- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`): N/A

### Checklist


- [ ] The issue is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
- [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
- [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
- [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
  - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

### Log

<details>
<summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary>
<p>

output goes here


</p>
</details>

<details>
<summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary>
<p>


output goes here



</p>
</details>
luckylinux commented 5 months ago

sysctl.txt

kmk3 commented 5 months ago

> I cannot mount an external USB Flashdrive anymore.

It seems highly unlikely that this would be caused by firejail.

> (and switched apparmor to enforcing mode).

Does the problem still happen without that?

If yes, does it still happen after running `sudo firecfg --clean` and uninstalling firejail?

luckylinux commented 5 months ago

I'm pretty sure I tried to "lower" the apparmor settings but it didn't make a difference.

So far I had to use the laptop (which has a less enforcing apparmor policy and other hardening settings) when I wanted NFS or an external USB flash drive.

On the other side apparmor is supposed to be in enforcing mode by default on Ubuntu nowadays, so I'm a bit surprised that there isn't a Profile shipped for it, if that is the case.

And I do NOT know how to create one to be honest ...

kmk3 commented 5 months ago

Does the problem still happen after running `sudo firecfg --clean`, uninstalling firejail and rebooting?

luckylinux commented 5 months ago

I'm a bit wary of doing that to be honest, given all the trouble it took just to set it up.

Aren't there other alternatives ?

Unfortunately, whatever is causing these issues, isn't being logged much if at all.

kmk3 commented 5 months ago

> I'm a bit wary of doing that to be honest, given all the trouble it took just to set it up.

How was firejail set up?

What other changes were done to the system?

Note that firecfg(1) says that firecfg "automatically loads and forces the AppArmor profile "firejail-default"", so it could be related, though I think that this loading should not survive a reboot.

This is the command used:

/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default /etc/apparmor.d/firejail-default

Does running the following command (to remove the profile) change anything?

sudo /sbin/apparmor_parser -R /etc/apparmor.d/firejail-default /etc/apparmor.d/firejail-default

If not, is there any change if you run `sudo firecfg --clean` and reboot without uninstalling firejail?

> Aren't there other alternatives ?
>
> Unfortunately, whatever is causing these issues, isn't being logged much if at all.

Other than firecfg loading the apparmor profile, note that firejail itself is only executed when you call it; there is no daemon running in the background or anything.

So it will only be of relevance if you call it directly or if you call something that calls it indirectly.

`sudo firecfg` creates symlinks in `/usr/local/bin` and `.desktop` files in `~/.local/share/applications`.

But as far as I know it does not create them for privileged system binaries (certainly not for binaries related to apparmor or systemd).

luckylinux commented 5 months ago

Weird Result:

root@HOST:/# sudo /sbin/apparmor_parser -R /etc/apparmor.d/firejail-default /etc/apparmor.d/firejail-default
/sbin/apparmor_parser: Unable to remove "firejail-default".  Profile doesn't exist
/sbin/apparmor_parser: Unable to remove "firejail-default".  Profile doesn't exist

I cannot reboot right now, it will be tomorrow. I ran the command though:

sudo firecfg --clean

So far, neither NFS nor USB disks are working yet.

Might be some of the other sysctl :disappointed:. There was some associated Kernel+Network Hardening I did, but I think the issues started AFTER I also introduced Firejail.

kmk3 commented 5 months ago

> Weird Result:
>
> root@HOST:/# sudo /sbin/apparmor_parser -R /etc/apparmor.d/firejail-default /etc/apparmor.d/firejail-default
> /sbin/apparmor_parser: Unable to remove "firejail-default".  Profile doesn't exist
> /sbin/apparmor_parser: Unable to remove "firejail-default".  Profile doesn't exist

Where was firejail installed to?

What is the output of `which -a firejail`?

How about the following command:

sudo /sbin/apparmor_parser -R /etc/apparmor.d/firejail-default /usr/local/etc/apparmor.d/firejail-default
luckylinux commented 5 months ago

Yeah, maybe I found out the issue for this specific case ....

In /etc/modprobe.d/hardening-filesystems.conf I was blacklisting:

install nfs /bin/false
install nfsv3 /bin/false
install nfsv4 /bin/false

Furthermore in /etc/modprobe.d/hardening-other.conf I was blacklisting:

install usb-storage /bin/false

I still need to rebuild initramfs and reboot to test whether the Issue will be solved though.

luckylinux commented 5 months ago

I can confirm: removing those entries, rebuilding the initramfs (and possibly the GRUB configuration) and rebooting solved the issue:

update-initramfs -k all -u ; update-grub ; update-initramfs -k all -u ; update-grub ; reboot

I can now mount NFS mounts and get USB flash drives to mount (automounted on Ubuntu using udisks2, I believe).

So yeah, not firejail Fault at all. Just another part of the Hardening Process that caused this.

Sorry for the Trouble :disappointed:.
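The root cause above (an `install usb-storage /bin/false` line in `/etc/modprobe.d`, plus the matching `install nfs* /bin/false` lines) is the kind of thing that hides behind an apparmor or firejail change because nothing logs it. The following is an added example, not code from the issue thread or from the firejail project: a small POSIX shell audit that scans a modprobe.d-style directory for `install` and `blacklist` directives naming a module and reports which kind of block applies. The function names and the sample configuration files it builds in a temp directory are this example's own (they are modelled on the two file names mentioned in the thread, not copied from the reporter's system).

```shell
#!/bin/sh
# Added example (not from the issue thread or the firejail project): audit
# /etc/modprobe.d-style configuration for directives that keep a kernel module
# from loading, the way "install usb-storage /bin/false" did in this issue.
# Function names and the sample config below are this example's own.

# Print "install" if an install directive hijacks MODULE (modprobe runs the
# given command instead of inserting the module; with /bin/false the module can
# never load, not even via an explicit "modprobe MODULE"), "blacklist" if only
# alias-based autoloading (udev/modalias) is blocked, or nothing if neither.
# modprobe treats '-' and '_' in module names as interchangeable, so match both.
module_block_kind() {
    dir="$1"; mod="$2"
    pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
    if grep -q -E "^[[:space:]]*install[[:space:]]+${pat}([[:space:]]|$)" "$dir"/*.conf 2>/dev/null; then
        echo install
    elif grep -q -E "^[[:space:]]*blacklist[[:space:]]+${pat}([[:space:]]|$)" "$dir"/*.conf 2>/dev/null; then
        echo blacklist
    fi
}

# Show the offending lines prefixed with their file, so you know what to edit.
blocking_directives() {
    dir="$1"; mod="$2"
    pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
    grep -H -E "^[[:space:]]*(install|blacklist)[[:space:]]+${pat}([[:space:]]|$)" "$dir"/*.conf 2>/dev/null || true
}

# Live check on the running system: "modprobe -n -v" is a dry run that prints
# what modprobe would execute, so a hijacked module shows up as
# "install /bin/false" instead of "insmod /lib/modules/...". Safe to run.
live_dry_run() {
    command -v modprobe >/dev/null 2>&1 || { echo "modprobe not available"; return 0; }
    modprobe -n -v "$1" 2>&1 || true
}

# Constructed sample modelled on the two hardening files named in the thread
# (not the reporter's real files). Prints the temp directory path.
make_sample_modprobe_d() {
    d=$(mktemp -d)
    cat > "$d/hardening-filesystems.conf" <<'EOF'
# stub out the NFS client modules
install nfs /bin/false
install nfsv3 /bin/false
install nfsv4 /bin/false
EOF
    cat > "$d/hardening-other.conf" <<'EOF'
install usb-storage /bin/false
blacklist firewire-core
EOF
    echo "$d"
}

# Demo on the sample directory. Point module_block_kind at /etc/modprobe.d to
# audit a real host. On Ubuntu, initramfs-tools copies /etc/modprobe.d/*.conf
# into the initramfs, so after editing the real files also run
# "update-initramfs -u" and reboot, as the reporter ended up doing.
sample=$(make_sample_modprobe_d)
for m in usb-storage nfsv4 firewire-core ext4; do
    kind=$(module_block_kind "$sample" "$m")
    printf '%-14s %s\n' "$m" "${kind:-not blocked}"
    blocking_directives "$sample" "$m"
done
rm -rf "$sample"
```

The distinction the audit draws matters for the symptom in this issue: a `blacklist` line only stops udev's automatic load by modalias and an explicit `modprobe usb-storage` still works, whereas `install usb-storage /bin/false` makes every load attempt, including the one udev triggers when the stick is plugged in, fail without any kernel message, which is why `dmesg` showed the USB device enumerate but no block device ever appeared under `/dev/disk/by-id/`.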